Limit users to access Variable values

Hi Team,

I have created a dashboard which works based on the values of Variables (templating). The values of those variables are company names. Do we have any options to limit an user to use selected values from the drop downs?

For example, Company A user can view only the data of Company A while Admin can view all the data. The templating drop down should act accordingly.

Thanks.

Grafana: v5.1.3
Datasource: Elasticsearch

1 Like

I don’t think you can do that exactly - but a work around to achieve the desired result would be to create a copy of the dashboard per Company, and restrict the query to that company only.

Then assign viewer viewer permissions to the users that need to view that company. You might even create a Team for that Company, assign viewer permissions to that team, and then just drop the user accounts that need to view that company’s dashboard into the team.

1 Like

Hi @andrewjames0304

Admin will set role for a user in a Org, not for a Dashboard.
I think You should create Orgs for every role and set users to Org per Companay.

1 Like

Thanks much @davewaters and @thachnv92. Could it be worth to add as a feature? Slicing the data based on Data-source, variable values, etc.?

Hi @andrewjames0304
I think have 2 ways.

  1. You can select exactly values of variables.
    Ex:

SHOW TAG VALUES WITH KEY = "hostname"

Result: Server1, Server2, Server3…
If You want to user limit only select Server1, You can use query:

SHOW TAG VALUES WITH KEY = "hostname" WHERE hostname='Server1'

  1. You can hide variables and user limit can’t select variables. User limit only see variables you choose.

But still, I have to create multiple dashboards for different user groups.

Yes.
I think you should create multiple dashboards for different user groups.
You can try it and reply if you have a issue.

Um, i was trying to eliminate that long process though. If that’s the case, I wouldn’t have used variables at all. Instead I could use the direct lucene query and filter the data in the panels.

But I think Variables is convinient ^^

I can understand copying a dashboard between organizations and granting each user a role to that organization will work for a few, but that seems like a difficult maintainability situation if there are quite a few organizations. Is there a fast process (or could I use something in the API) such that I could create a dashboard and have it duplicated in many organizations (say 100)? Could I use that same process if, once I’ve pushed/copied the dashboard to all organizations, I can make a change in the original and have it reflected in all organizations?

The situation I’m trying to avoid is copying a dashboard for many organizations, then needing to add something to the dashboard and have to go and update each organization’s dashboard individually. Will take a lot of time, and I’d enjoy just being able to restrict access to variables and have only a single dashboard to maintain.

Anyways, thanks for this great product!

Grafana: v8.3.4
Datasource: PSQL DB

Resurrecting this as it’s the newest post I could find along the lines of what I want.

Ideally, I’d like to be able to set a user up with certain filters for multi-value variables.

ie, data comes in with company=x,site=y,device=z. These are configured as multi-value variables ‘CompanyList’ [show tag values as key = “company”] for instance.

I’d like to be able to say for variable ‘CompanyList’ allow only “company1”

One way would be to query the companies data by passing in the currently logged in username. For example if ajames is in company A and dvader is in company dark side

the user name, if available as a global value, is passed to the company names query.
not sure if there is such a global __currently_loggedin_user value.

an example in sql server

-- @username  is of course passed in to the query 
--on grafana side that creates the companies list

select c.companyid , c.name
  from companies c 
  join companyuser cu on c.companyid = cu.companyid
join users u on u.userid = cu.userid
where u.samaccountname = @username

this is based on the following principle: access control list

It looks like that variable does exist

based on the above here is an example with sample ddl & dml

use grafana 
--this is my own ms sql server database 
--for testing things out not grafana's db

go

drop table companies

create table companies(companyid int identity(1,1), 
companyname varchar(50) )

insert into companies
select 'Acme' union
select 'Zimza'


drop table users;
create table users(username varchar(50))

insert into users
select 'ddenson'


drop table usercompanies
create table usercompanies(username varchar(50), 
companyid int)

insert into usercompanies
select u.username, c.companyid
from companies c , users u
where c.companyname = 'Acme'

here is how the companies variable is setup

here is an ms sql profiler showing that it does work when I am logged in ddenson

image

and the resulting Companies drop down (not sure why the 1 is there) but you get the drift.
as you can see ddenson only sees the company he is associated with = Acme.

image

just implement this principle to your environment and whatever backend you use