Managing team access to Grafana App and using secureJsonData inside frond-end code

I need a functionality to grant read or edit access to my Grafana App depending on teams that user belongs to.

I came up with a potential solution:
In my Grafana App in AppConfig Admin sets permissions (read/edit) for chosen teams and then when someone is launching app it checks to which group user belongs (depending on teams that user is added to). I can achieve that by using jsonData but I want to hide informations about which teams has edit access to app. I thought that secureJsonData can help there but yet I don’t know how to access in from my App (I only saw some examples related to routing and proxy). So I’m here with a question - is it achievable to use secureJsonData fields in application or do you maybe know a better ways to achieve functionality that I described above?

Thanks :slight_smile:

Hi @adamhowaniec, it sounds like what you’re trying to achieve is Role Based Access Control within your App Plugin. We have native support for this within Grafana and you can see an example App plugin that uses RBAC here grafana-plugin-examples/examples/app-with-rbac at 815d34fc4de70dc4b42227ef0047bcc053b44ca8 · grafana/grafana-plugin-examples · GitHub

The README contains documentation for how to configure and use RBAC within your plugin. If you have any issues or questions please let me know. :slight_smile:

Hi, thanks for the answer.
This solution is great :slight_smile: . I have one more problem - I need to grant permissions based on the teams not roles.
So for example if user is in teamA he should be able to access the app and otherwise not. Is this achievable in any way?

Hi @adamhowaniec,

If you’re on Grafana Enterprise or Grafana Cloud, you can configure granular permissions for Users and Teams.

For example, in this example I’m creating a new Team which by default has roles for the Performance Testing (k6) App plugin.

Great, that’s something I need! But unfortunately I don’t see “Role” section when I’m creating new team. I’ve tried to set up the flag in my docker-compose GF_FEATURE_TOGGLES_ENABLE: accessControlOnCall (I’m on Grafana enterprise 10.4.0). How can I configure grafana to be able to use Role field in teams section?

Hi @adamhowaniec, the feature should be available in 10.4 with the accessControlOnCall flag enabled. Can you please confirm you have a valid Enterprise License? If not, Grafana will be operating in OSS mode which does not have this functionality.

1 Like

You are 100% correct, my license was not valid and grafana switched to OSS.
Thanks Tom you helped me a lot!

1 Like

You’re welcome, glad I could help.