
Grafana Folder Governance At Scale Prompt

Design Grafana folder structure, RBAC, and provisioning governance so dashboards stay organized and permissions scale.

Target user
Platform teams governing large Grafana estates
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior platform engineer who governs a large Grafana estate: folder structure, RBAC, and provisioning at scale.

I will provide:
- The team/org structure and number of dashboards
- The current folder layout and permission model
- Compliance or ownership constraints

Your job:

1. **Design the folder taxonomy**:
   - Folder per team or per domain, not per dashboard
   - Shallow hierarchy; Grafana supports nested folders but keep it flat
   - Reserve a "General" folder policy (lock down or discourage)
2. **Apply RBAC to folders**:
   - Assign permissions to teams, never individual users
   - Use fine-grained RBAC roles (Enterprise) for granular actions
   - Editor on team folder, Viewer org-wide default
3. **Provision as code**:
   - Dashboards and folders via file provisioning or Terraform
   - Set `allowUiUpdates` deliberately; disable to enforce GitOps
   - Use folder UIDs so provisioning is idempotent
4. **Enforce naming and tagging**:
   - Consistent dashboard tags for discovery and library panels
   - Naming convention: `<team>-<service>-<view>`
5. **Control the default org role**:
   - Set `auto_assign_org_role = Viewer` so new users aren't Editors
6. **Handle service accounts**:
   - Service accounts + tokens for automation, scoped per team
   - Rotate tokens; avoid shared admin API keys
7. **Audit and prune**:
   - Regularly list folders, permissions, and orphaned dashboards
   - Report on who can edit what

Mark DESTRUCTIVE: changing folder permissions can lock teams out; setting allowUiUpdates=false blocks manual edits; deleting a folder deletes its dashboards.

---

Team/org structure: [DESCRIBE]
Current layout: [DESCRIBE]
Constraints: [DESCRIBE]

Why this prompt works

Grafana estates rot when folders are ad hoc and permissions are per-user. This prompt sets a team-based folder taxonomy, pushes permissions onto teams and provisioning-as-code, and locks the default org role — the structural decisions that keep hundreds of dashboards governable and auditable.

How to use it

  1. Organize folders by team/domain, keep it flat.
  2. Grant folder permissions to teams.
  3. Provision folders + dashboards as code with stable UIDs.
  4. Set default org role to Viewer and audit regularly.

Useful commands

# Create a folder with a stable UID
curl -s -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  http://grafana:3000/api/folders -d '{"uid":"team-sre","title":"SRE"}'

# Set folder permissions (team-based). This POST replaces the folder's whole
# permission list, so include every grant you want to keep.
curl -s -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  http://grafana:3000/api/folders/team-sre/permissions \
  -d '{"items":[{"teamId":3,"permission":2}]}'  # 1=View 2=Edit 4=Admin

# List all folders (uid, title); to audit permissions, follow up with
# GET /api/folders/<uid>/permissions for each uid
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
  http://grafana:3000/api/folders | jq '.[] | {uid, title}'

# Create a scoped service account for automation
curl -s -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  http://grafana:3000/api/serviceaccounts -d '{"name":"ci-sre","role":"Editor"}'

# grafana.ini — safe default org role
[users]
auto_assign_org = true
auto_assign_org_role = Viewer

Example config

# provisioning/dashboards/sre.yaml — GitOps folder, no UI edits
apiVersion: 1
providers:
  - name: sre-dashboards
    orgId: 1
    folder: SRE
    folderUid: team-sre
    type: file
    disableDeletion: true
    allowUiUpdates: false
    options:
      path: /etc/grafana/dashboards/sre
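      # Keep false: foldersFromFilesStructure only works when folder and
      # folderUid are unset, and this provider pins folderUid for stable UIDs.
      foldersFromFilesStructure: false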

Common findings this catches

  • Permission sprawl → per-user grants instead of teams.
  • Accidental Editors → default org role set to Editor.
  • Orphaned dashboards → no folder ownership or pruning.
  • Drift → allowUiUpdates: true with GitOps intent.
  • Broad admin keys → shared API key instead of scoped service accounts.
  • Unfindable dashboards → no naming/tag convention.
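
One way to automate the "report on who can edit what" audit and flag the permission findings listed above, as an added example that is not part of the original page. It assumes permission items shaped like the response of GET /api/folders/<uid>/permissions; the sample data, the `audit` and `principal` names, and the rule that a folder counts as owned when a team holds Edit or Admin are assumptions made for illustration.

```python
# Added example: audit folder permission items; SAMPLE below is constructed.
EDIT = 2  # permission levels: 1=View 2=Edit 4=Admin

SAMPLE = {  # constructed data: folder uid -> permission items
    "team-sre": [
        {"teamId": 3, "team": "sre", "userId": 0, "userLogin": "", "role": "", "permission": 2},
        {"teamId": 0, "team": "", "userId": 0, "userLogin": "", "role": "Viewer", "permission": 1},
    ],
    "team-payments": [
        {"teamId": 0, "team": "", "userId": 17, "userLogin": "alice", "role": "", "permission": 4},
        {"teamId": 0, "team": "", "userId": 0, "userLogin": "", "role": "Editor", "permission": 2},
    ],
}


def principal(item):
    """Classify one permission item as a team, user or org-role grant."""
    if item.get("teamId"):
        return "team", item.get("team") or str(item["teamId"])
    if item.get("userId"):
        return "user", item.get("userLogin") or str(item["userId"])
    return "role", item.get("role", "")


def audit(folders):
    """Return (who_can_edit, findings) for a {folder_uid: [items]} mapping."""
    who_can_edit, findings = {}, []
    for uid, items in sorted(folders.items()):
        editors = []
        for item in items:
            kind, name = principal(item)
            if kind == "user":  # permission sprawl: grant bypasses teams
                findings.append((uid, "per-user grant", name))
            if item.get("permission", 0) >= EDIT:
                editors.append(f"{kind}:{name}")
                if kind == "role":  # every org member with this role can edit
                    findings.append((uid, "org-wide edit grant", name))
        who_can_edit[uid] = sorted(editors)
        # Assumed ownership rule: at least one team holds Edit or Admin.
        if not any(e.startswith("team:") for e in editors):
            findings.append((uid, "no owning team", ""))
    return who_can_edit, findings


if __name__ == "__main__":
    report, issues = audit(SAMPLE)
    for uid, editors in report.items():
        print(f"{uid}: editable by {', '.join(editors) or 'nobody'}")
    for uid, kind, who in issues:
        print(f"FINDING {uid}: {kind} {who}".rstrip())
```

To run it against a live instance, replace SAMPLE with a mapping built from the JSON each folder's permissions endpoint returns.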

When to escalate

  • Multi-org vs single-org model decision — architecture.
  • Enterprise fine-grained RBAC role design — platform + security.
  • Migrating a legacy flat estate into governed folders — staged project.
