Adding permissions in Grafana

All Grafana deployments are configured via OAUTH using the Dex connector. Permissions are distributed by mapping Grafana roles to OCP groups. This is done by updating the role_attribute_path as described here via the Grafana CR.

Give OCP group Grafana role

Navigate to the Grafana CR, for the Grafana instance on the MOC environment here. Find the attribute: role_attribute_path under spec.config.auth.generic_oauth

You will see something like the following:

  role_attribute_path: |
    contains(groups[*], 'operate-first') && 'Admin' ||
    contains(groups[*], 'data-science') && 'Viewer' ||
    'Deny'

Add a line before Deny in the form of contains(groups[*], '<YOUR_OCP_GROUP>') && '<GRAFANA_ROLE>' ||. For example if we wanted to give the OCP group “my-team” the “Editor” Grafana role, we would update the field like so:

  role_attribute_path: |
    contains(groups[*], 'operate-first') && 'Admin' ||
    contains(groups[*], 'data-science') && 'Viewer' ||
    contains(groups[*], 'my-team') && 'Editor' ||
    'Deny'

Alternatively, if you do not want to create your own group and simply want read-only access to grafana, you can also just add yourself to the grafana-viewer group.

Submit a PR with the changes.