Adding permissions in Grafana
Adding permissions in Grafana#
All Grafana deployments are configured via OAUTH using the Dex connector. Permissions are distributed by mapping Grafana
roles to OCP groups. This is done by updating the
role_attribute_path as described here via
the Grafana CR.
Give OCP group Grafana role#
Navigate to the Grafana CR, for the Grafana instance on the MOC environment here.
Find the attribute:
You will see something like the following:
role_attribute_path: | contains(groups[*], 'operate-first') && 'Admin' || contains(groups[*], 'data-science') && 'Viewer' || 'Deny'
Add a line before
Deny in the form of
contains(groups[*], '<YOUR_OCP_GROUP>') && '<GRAFANA_ROLE>' ||.
For example if we wanted to give the OCP group “my-team” the “Editor” Grafana role, we would update the field like so:
role_attribute_path: | contains(groups[*], 'operate-first') && 'Admin' || contains(groups[*], 'data-science') && 'Viewer' || contains(groups[*], 'my-team') && 'Editor' || 'Deny'
Alternatively, if you do not want to create your own group and simply want read-only access to grafana, you can also just add yourself to the
Submit a PR with the changes.