Removing permissions from a nested folder

  • What Grafana version and what operating system are you using?
# grafana-server --version
Version 11.3.1 (commit: 9225f4a1cbd1cfe8b69f1aa2d62309a9700533a5, branch: HEAD)

# lsb_release -d
Description:    Ubuntu 22.04.5 LTS
  • What are you trying to achieve?

Given the following Dashboard-folder structure:

Projects/
├── ProjectA/
│   ├── Private/
│   └── Public/
├── ProjectB/
│   ├── Private/
│   └── Public/
└── ....

ProjectA will have a team ProjectATeam assigned with Admin access to to Projects/ProjectA/ folder, which nested permissions grant down the tree.

Similar, ProjectB will have a team ProjectBTeam, but applied to Projects/ProjectB/, etc.

I would like to give every logged-in user View access to whole folder structure as well as dashboards inside each projects’ Public-folder - but disallow them all access to all projects’ Private-folder (and the dashboards herein)

  • How are you trying to achieve it?

A team has been created for each project, the relevant team has been added the Projects/* folder, and Grafana applies it down the tree.

On the Projects/-folder, Viewers + Editors has been granted View-rights and Grafana applies it down the tree.

I went to each Private-folder, and tried to remove the Viewer + Editor access rights

  • What happened?

I couldn’t, as Grafana has locked it with the message Inherited Permission

  • What did you expect to happen?

To be able to remove a nested permission from a sub-folder

  • Can you copy/paste the configuration(s) that you are having problems with?

No configuration

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

No errors, the UI shows a lock inherited permissions preventing you from deleting the permission

  • Did you follow any online instructions? If so, what is the URL?

no


I figured out you can skip assigning Viewer + Editor access on the Projects/ folder, and only granting them on each projects Public-folder, but it lead to a mess in the UI, where you could only see Public & Private folders (timed by the amount of projects), with no indicator which project they were related to.

The breadcrumbs also just showed Projects/redacted/Public

Ideally I would want to just remove the permission from each Private folder, as it seems the “easiest”. But if you have better ideas on how to solve this problem, then I am all ears

Thanks!

Hi! Sorry if I misunderstood your problem, but can you do the opposite approach?

Instead of giving everyone permissions from the top level Folder (which trickles down), can you remove all permissions at the top level Folder, than go down to each public sub-folder and re-add the permissions so that Viewers/Editors can now View? And on the private folder add Team permissions to Admin?

Or if you want this to be strictly team based, you just need to spend more time doing:
Project A- Team A Admin, Team B-C-D Viewer
Project B- Team B Admin, Team A-C-D Viewer
etc.

I’m not sure if you already figured this out, but let me know if this works for you!