Hello. We are building out a Grafana 5.0.3 deployment and were hoping to use the new dashboard folder permissions, along with grouping users into teams, as a way to control access without having multiple organizations. Our teams would have edit access to dashboards in a folder corresponding to their team name. It was working out alright until we discovered that team members could not import dashboards (or “Save As”) unless they were an admin for the organization. It seems that the “Import” option does not even appear for the viewer or editor roles. I could not find this explicitly documented anywhere, but found out through trial and error. Are there any plans to support some sort of “team admin” concept, or will teams remain a simple collection of users? Alternatively, if we stick with multiple organizations, is there an easy way to give a user (eg. senior management) view access system wide (ie. across all organizations)? We may have 100+ organizations and don’t want to have to rely on each organization admin to enable view access to each of these read-only/management users.
Strange, import and save as should only require editor role
Just tested with the editor role and could import a dashboard and “Save as” worked too.
My apologies. I was testing with a remote user, and unable to see his screen when we were testing, so we must have gotten out of sync when switching permissions for our tests. I retested with another user, and this time had them share their screen with me. You are both correct about the organization editor role being sufficient for importing. As I mentioned above, we wanted to have a flat organization with everyone just having the viewer role, and then restrict editing ability using folders. We tried giving members of a team “admin” privileges at the folder level, but that doesn’t seem to affect/allow the ability to perform import operations. So that must be completely controlled at the organization level, is that correct?
We have an open issue which features the possibility to import to a specific folder. Ones that solved I guess you’re question are answered. Right now you must be admin/editor of organization to be able to import.
Thanks for your reply. When you say “right now you must be an admin/editor of the organization,” it sort of implies that might change, but in the open issue referenced, it just seems to do with importing into specific folders (rather than just the General folder), and honoring the folder permissions when doing so.
I’m assuming that the rights needed to perform an import in the first place are still going to be Admin/Editor at the organization level. Or might that be changing so that an organization “Viewer” could perform an import to a folder if the specific folder allows it?
For example, let’s say I am just a “Viewer” at the organization level, but I am a member of Team “Acme” and there is a folder whose permissions allow all member of the “Acme” team the “Edit” permission for that folder. Will I be able to perform an import to that folder? Or will I still be denied because of only having Viewer at the organization level?
Second/related question: Are there plans to add some sort of “Team Admin” functionality so that, for example, a Team Admin can add/remove members to/from the Team?
I guess that we need to implement it in a way so that access to import page are only possible if you’re org admin/editor or have admin/editor permission in at least one folder. Will add that to the issue description. Thanks for pointing out.
There are currently no plans of adding this. I can totally see why this is needed. However I encourage you to create a new feature request issue for this. Cannot give you any timeframe when this could be available, but if lots of people upvotes it we’ll consider implementing/merging it faster.
I should add that we have an upcoming fix for Grafana v5.1 of this issue. Basically it fixes an issue that didn’t allow a folder with admin permissions to access the folder permissions page.