-
What Grafana version and what operating system are you using?
Grafana 11.5.1 on Kubernetes -
What are you trying to achieve?
I’m trying to set up Grafana completely “as-code”, making the Grafana installation itself “ephemeral”. -
How are you trying to achieve it?
I’m using the Grafana-operator to manage datasources in Grafana, and using GrafanaDashbord resources to manage the dashboards. -
What happened?
The Dashboards and Datasources provision just fine, and when trying to edit a dashboard, Grafana correctly informs that the Dashboard is provisioned, and only allows me to copy the JSON and add it as code.
But when I go to the dashboard page and create a new Dashboard, I am still allowed to create the dashboard, and save it. -
What did you expect to happen?
I want to configure Grafana in a way such that when I create a new Dashboard, I’m allowed to get to the editor and tinker around with the Dashboard, but once I save the dashboard for the first time, I would like Grafana to give me the JSON and tell me that I must use Dashboard provisioning to manage all dashboards. -
Can you copy/paste the configuration(s) that you are having problems with?
I don’t think there’s any relevant configuration to post. -
Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
Nope -
Did you follow any online instructions? If so, what is the URL?
Nope, I did however try to search for information about disabling manual creation of dashboards, but couldn’t seem to find anything
You can use RBAC Grafana Role-based access control (RBAC) | Grafana documentation and configure/create user roles, so they won’t be able to manage dashboards (or other entities, e.g. folders, alerts,…). Only your code automation will have role with full permissions.
Will the users still be able to build the dashboard in the UI and output the JSON?
No, because UI is built on user role/permissions - there is no point in showing the “Create” button in the UI for the user when create&save fails because of insufficient user permissions.
You can test it with https://play.grafana.org/ - you have “viewer” role by default, so no create/update/delete and UI also reacts on that. But there is viewers_can_edit=true, so users can “edit” (view&modify, but not save) = explore dashboards.
IMHO it is not very smart to have full read-only access for the users. I would give them “dev” folder, where users will have RW access for UI dashboard development (again that’s possible with RBAC).
Have a 2+ environments, users build, test in dev.qa, then automate deployment to production when dashboard is ready