Grafana Folder Governance At Scale Prompt
Design Grafana folder structure, RBAC, and provisioning governance so dashboards stay organized and permissions scale.
- Target user: Platform teams governing large Grafana estates
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior platform engineer who governs a large Grafana estate: folder structure, RBAC, and provisioning at scale.

I will provide:
- The team/org structure and number of dashboards
- The current folder layout and permission model
- Compliance or ownership constraints

Your job:

1. **Design the folder taxonomy**:
   - Folder per team or per domain, not per dashboard
   - Shallow hierarchy; Grafana supports nested folders but keep it flat
   - Reserve a "General" folder policy (lock down or discourage)
2. **Apply RBAC to folders**:
   - Assign permissions to teams, never individual users
   - Use fine-grained RBAC roles (Enterprise) for granular actions
   - Editor on team folder, Viewer org-wide default
3. **Provision as code**:
   - Dashboards and folders via file provisioning or Terraform
   - Set `allowUiUpdates` deliberately; disable to enforce GitOps
   - Use folder UIDs so provisioning is idempotent
4. **Enforce naming and tagging**:
   - Consistent dashboard tags for discovery and library panels
   - Naming convention: `<team>-<service>-<view>`
5. **Control the default org role**:
   - Set `auto_assign_org_role = Viewer` so new users aren't Editors
6. **Handle service accounts**:
   - Service accounts + tokens for automation, scoped per team
   - Rotate tokens; avoid shared admin API keys
7. **Audit and prune**:
   - Regularly list folders, permissions, and orphaned dashboards
   - Report on who can edit what

Mark DESTRUCTIVE: changing folder permissions can lock teams out; enabling allowUiUpdates=false blocks manual edits; deleting a folder deletes its dashboards.

---

Team/org structure: [DESCRIBE]
Current layout: [DESCRIBE]
Constraints: [DESCRIBE]
Why this prompt works
Grafana estates rot when folders are ad hoc and permissions are per-user. This prompt sets a team-based folder taxonomy, pushes permissions onto teams and provisioning-as-code, and locks the default org role — the structural decisions that keep hundreds of dashboards governable and auditable.
How to use it
- Folder by team/domain, keep it flat.
- Grant folder permissions to teams.
- Provision folders + dashboards as code with stable UIDs.
- Set default org role to Viewer and audit regularly.
Useful commands
```bash
# Create a folder with a stable UID
curl -s -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  http://grafana:3000/api/folders -d '{"uid":"team-sre","title":"SRE"}'

# Set folder permissions (team-based)
# This call replaces the folder's whole permission list: any existing grant
# not repeated in "items" is removed, so send the complete intended set.
curl -s -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  http://grafana:3000/api/folders/team-sre/permissions \
  -d '{"items":[{"teamId":3,"permission":2}]}' # 1=View 2=Edit 4=Admin

# Audit: list all folders (GET /api/folders/<uid>/permissions for each uid
# returns that folder's grants)
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
  http://grafana:3000/api/folders | jq '.[] | {uid, title}'

# Create a scoped service account for automation
curl -s -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  http://grafana:3000/api/serviceaccounts -d '{"name":"ci-sre","role":"Editor"}'
```

```ini
# grafana.ini — safe default org role
[users]
auto_assign_org = true
auto_assign_org_role = Viewer
```
Example config
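```yaml
# provisioning/dashboards/sre.yaml — GitOps folder, no UI edits
apiVersion: 1
providers:
  - name: sre-dashboards
    orgId: 1
    folder: SRE
    folderUid: team-sre
    type: file
    disableDeletion: true
    allowUiUpdates: false
    options:
      path: /etc/grafana/dashboards/sre
      # Must stay false here: foldersFromFilesStructure only works when
      # folder and folderUid are left empty, and this provider pins both.
      foldersFromFilesStructure: false
```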
Common findings this catches
- Permission sprawl → per-user grants instead of teams.
- Accidental Editors → default org role set to Editor.
- Orphaned dashboards → no folder ownership or pruning.
- Drift → `allowUiUpdates: true` with GitOps intent.
- Broad admin keys → shared API key instead of scoped service accounts.
- Unfindable dashboards → no naming/tag convention.
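
The permission findings above can be checked mechanically. The following is an added example, not part of the original page or of Grafana: it audits folder ACL items shaped like the response of `GET /api/folders/<uid>/permissions`. The sample data, the rule names and the "no owning team" rule are assumptions constructed for illustration.

```python
import json

PERMISSION_NAMES = {1: "View", 2: "Edit", 4: "Admin"}  # levels as listed on the page
EDIT = 2

# Constructed sample: folder UID -> items shaped like the JSON returned by
# GET /api/folders/<uid>/permissions (only the fields this audit reads).
SAMPLE = json.loads("""
{
  "team-sre": [
    {"userId": 0, "userLogin": "", "teamId": 3, "team": "sre", "role": "", "permission": 2},
    {"userId": 0, "userLogin": "", "teamId": 0, "team": "", "role": "Viewer", "permission": 1}
  ],
  "team-payments": [
    {"userId": 17, "userLogin": "alice", "teamId": 0, "team": "", "role": "", "permission": 4},
    {"userId": 0, "userLogin": "", "teamId": 0, "team": "", "role": "Editor", "permission": 2}
  ],
  "legacy": []
}
""")

def principal(item):  # grantee of one ACL item, as user:, team: or role:
    if item.get("userId"):
        return "user:" + item["userLogin"]
    if item.get("teamId"):
        return "team:" + item["team"]
    return "role:" + item.get("role", "")

def who_can_edit(estate):
    """Report, per folder, every principal holding Edit or Admin."""
    return {uid: [principal(i) for i in items if i.get("permission", 0) >= EDIT]
            for uid, items in estate.items()}

def audit(estate):
    """Return (folder, rule, detail) findings; rule names are hypothetical."""
    findings = []
    for uid, items in sorted(estate.items()):
        for item in items:
            who = principal(item)
            level = PERMISSION_NAMES.get(item.get("permission"), "Unknown")
            if who.startswith("user:"):  # permission sprawl: grant to an individual
                findings.append((uid, "per-user-grant", f"{who} has {level}"))
            elif who.startswith("role:") and item.get("permission", 0) >= EDIT:
                findings.append((uid, "org-wide-write", f"{who} has {level}"))
        if not any(w.startswith("team:") for w in who_can_edit({uid: items})[uid]):
            findings.append((uid, "no-owning-team", "no team holds Edit or Admin"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), who_can_edit(SAMPLE), sep="\n")
```

To run it against a live instance, build the same mapping by fetching each folder's permissions with a read-only token and pass it to `audit()`.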
When to escalate
- Multi-org vs single-org model decision — architecture.
- Enterprise fine-grained RBAC role design — platform + security.
- Migrating a legacy flat estate into governed folders — staged project.