Improving security mappings (LDAP)


Today, the mapping between LDAP groups and organizations is in the Grafana toml, whereas the organizations are managed using the REST service (and stored in the DB).
Moreover, the organizations are referenced by their id instead of their full name (org path).
This makes updates to organizations very tricky: first, you create the org via the REST service, then you take the new orgId, then you add the mapping between the orgId and the LDAP group in the toml file, then you restart Grafana (in the case of an HA Grafana, the toml of all instances must be updated).

To simplify administration of Grafana, I think we lack functions (REST or CLI) to manage security mappings.
Do you know if they are in the backlog?
If not, what do you think about implementing such a security API in an administration CLI?
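The manual procedure described in the post above (create the org over REST, take the returned orgId, append the group mapping to ldap.toml, restart every instance) can be scripted. This is an added example, not code from the poster or from Grafana itself; it assumes Grafana's `POST /api/orgs` endpoint (server-admin basic auth), the `[[servers.group_mappings]]` block format of `ldap.toml`, and the environment variable names and file path used here.

```python
"""Create a Grafana org and append the matching LDAP group mapping to ldap.toml."""
import base64
import json
import os
import urllib.request

VALID_ROLES = ("Admin", "Editor", "Viewer")


def render_group_mapping(group_dn: str, org_id: int, org_role: str = "Editor") -> str:
    """Build one [[servers.group_mappings]] block for Grafana's ldap.toml.

    json.dumps() quotes the DN as a TOML basic string, so commas and
    special characters in the DN cannot break the file's syntax.
    """
    if org_role not in VALID_ROLES:
        raise ValueError(f"unknown org role: {org_role!r}, expected one of {VALID_ROLES}")
    return (
        "\n[[servers.group_mappings]]\n"
        f"group_dn = {json.dumps(group_dn)}\n"
        f"org_role = {json.dumps(org_role)}\n"
        f"org_id = {int(org_id)}\n"
    )


def create_org(base_url: str, admin_user: str, admin_password: str, name: str) -> int:
    """POST /api/orgs as a Grafana server admin and return the new orgId."""
    creds = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/orgs",
        data=json.dumps({"name": name}).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {creds}"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return int(json.load(resp)["orgId"])


def add_mapping(ldap_toml_path: str, group_dn: str, org_id: int, org_role: str = "Editor") -> str:
    """Append the mapping block to ldap.toml (repeat on every HA instance) and return it."""
    block = render_group_mapping(group_dn, org_id, org_role)
    with open(ldap_toml_path, "a", encoding="utf-8") as fh:
        fh.write(block)
    return block


if __name__ == "__main__":
    # Assumed names: GRAFANA_URL, GRAFANA_ADMIN_USER, GRAFANA_ADMIN_PASSWORD, LDAP_TOML.
    org_id = create_org(os.environ["GRAFANA_URL"], os.environ["GRAFANA_ADMIN_USER"],
                        os.environ["GRAFANA_ADMIN_PASSWORD"], "Division A")
    print(add_mapping(os.environ.get("LDAP_TOML", "/etc/grafana/ldap.toml"),
                      "cn=division-a-editors,ou=groups,dc=example,dc=com", org_id))
    print("now restart Grafana on every instance so the new mapping is loaded")
```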

Organizations are built for multi-tenant use (many different companies sharing the same Grafana server). Usually LDAP auth only covers one company, so mapping LDAP users to different orgs is not a common scenario that requires constant changing.

We are working on user groups & dashboard folders and ACL lists to replace Organizations as a way to structure large Grafana installs.

In a large company, one can consider divisions as distinct companies :slight_smile:

What I wanted to do is to allow people in a specific LDAP group to become Editor of specific Grafana orgs.

I am very much in favor of either being able to associate LDAP groups with organizations, or using group-based access control.
I am monitoring fairly large multitenant HPC clusters, and need to present data to users based on tags, where the tags include the user id and the group id (both mapped from LDAP), which are presented via a modified telegraf agent. I would very much like to be able to restrict users to seeing data on nodes (which are exclusively scheduled) where that user has applications running (or has had applications run in the past). In other words, I need to be able to query via user id and group id for the user currently using Grafana.

Hi, any news about that?

I have to manage 1 organization for 1 company (which ideally should be an LDAP group, with some users in it), and I would like to have a way to map this (ideally dynamically; i.e. when one of the users of an LDAP group logs in, it creates a new organization).