
Grafana RBAC, Teams & Folder Permissions Prompt

Design Grafana access control — folders, teams, role-based permissions, viewer vs editor, dashboard / folder permissions.

Target user
Grafana admins managing multi-team access
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior Grafana admin who has organized access for many teams — folder permissions, team mapping, role separation between viewers, editors, admins.

I will provide:
- The team structure
- Current access setup
- Symptom (wrong access, can't share, too many admins)

Your job:

1. **Permission levels**:
   - **Grafana Admin** — server-wide; manages plugins, users
   - **Org Admin** — org-wide; manages data sources, users
   - **Editor** — create/edit dashboards
   - **Viewer** — read-only
2. **For folders**:
   - Organize dashboards
   - Permission per folder
   - Inherit / override
3. **For teams**:
   - Group users
   - Assign team permission to folder/dashboard
   - Sync with IdP groups
4. **For RBAC (Enterprise)**:
   - Fine-grained
   - Per-resource permissions
   - Custom roles
5. **For multi-tenant**:
   - Organizations separate
   - Cross-org limited
6. **For folder permission design**:
   - Default deny via inherited
   - Explicit allow per team
   - Avoid "Everyone" with Editor
7. **For dashboard sharing**:
   - Public dashboards (Grafana 10+)
   - Anonymous link
   - Snapshot
8. **For service accounts**:
   - For automation
   - Role-scoped tokens

Mark DESTRUCTIVE: making dashboard public with sensitive data, broad Editor permission to "Everyone", changing folder permissions while users active.

---

Team structure: [DESCRIBE]
Current setup: [DESCRIBE]
Symptom: [DESCRIBE]

Why this prompt works

RBAC mistakes leak data or break workflows. This prompt walks through the design.

How to use it

  1. Team per group.
  2. Folder per team.
  3. Default to Viewer.
  4. Explicit Editor.

Useful commands

# Folders via API
curl -u admin:pass http://grafana:3000/api/folders | jq

# Folder permissions
curl -u admin:pass http://grafana:3000/api/folders/<uid>/permissions | jq

# Teams
curl -u admin:pass http://grafana:3000/api/teams/search | jq

# Update folder permissions (replaces the whole list: entries not in "items" are removed)
curl -u admin:pass -X POST http://grafana:3000/api/folders/<uid>/permissions \
    -H "Content-Type: application/json" \
    -d '{
      "items": [
        { "role": "Viewer", "permission": 1 },
        { "teamId": 5, "permission": 2 }
      ]
    }'
# Permission levels: 1=View, 2=Edit, 4=Admin

Patterns

Folder structure

Folders:
- Production (Viewer for all; Editor for SRE team)
  - Web Services
  - Database
- Staging (Editor for all engineering)
- Platform (Editor for platform team only)
- Personal (Editor for owner only)

Team mapping from IdP

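# grafana.ini (with OIDC)
[auth.generic_oauth]
# JMESPath to the group claim; Team Sync (Grafana Enterprise/Cloud) reads it
groups_attribute_path = groups
# Map each IdP group to a team under Team > External group sync:
#   grafana-payments -> team 1, grafana-platform -> team 2
# (team_ids / team_ids_attribute_path only restrict who may log in)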

Folder permission via provisioning

# /etc/grafana/provisioning/dashboards/production.yaml
apiVersion: 1
providers:
- name: 'production'
  folder: 'Production'
  type: file
  options:
    path: /var/lib/grafana/dashboards/production

# Permissions via API or UI:
# Production folder:
#   Editor → SRE team
#   Viewer → All engineers

Disable anonymous

[auth.anonymous]
enabled = false

Common findings this catches

  • Everyone is Editor → default; restrict.
  • Sensitive data in public dashboard → audit.
  • Team mapping not syncing → check IdP groups.
  • Folder permission overrides dashboard → review hierarchy.
  • Org admin too broad → restrict.
  • Service account never rotated → schedule.
  • Folder created via UI not in provisioning → drift.
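
The first findings in this list ("Everyone is Editor", over-broad admins) can be checked mechanically against the output of the folder-permissions call under Useful commands. The Python below is an added example, not part of the original prompt page; the sample items are constructed, and `admin_team_ids` and the severity labels are assumptions of this example.

```python
# Permission levels as listed on the page: 1=View, 2=Edit, 4=Admin
VIEW, EDIT, ADMIN = 1, 2, 4
LEVEL_NAMES = {VIEW: "View", EDIT: "Edit", ADMIN: "Admin"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # labels are this example's own

# Constructed sample: folder title -> items shaped like the output of
# GET /api/folders/<uid>/permissions (unset teamId/userId come back as 0).
SAMPLE = {
    "Production": [
        {"role": "Viewer", "teamId": 0, "userId": 0, "permission": 1},
        {"role": "Editor", "teamId": 0, "userId": 0, "permission": 2},
        {"teamId": 5, "userId": 0, "permission": 2},
    ],
    "Platform": [
        {"teamId": 2, "userId": 0, "permission": 4},
        {"teamId": 0, "userId": 17, "permission": 2},
    ],
}


def audit_folder(title, items, admin_team_ids=frozenset()):
    """Return (severity, message) findings for one folder's permission items.
    admin_team_ids is an assumption: the teams your policy lets hold Admin."""
    findings = []
    for item in items:
        level = item.get("permission", 0)
        name = LEVEL_NAMES.get(level, f"unknown({level})")
        role, team, user = item.get("role"), item.get("teamId"), item.get("userId")
        if role and level >= EDIT:
            # A built-in role entry applies to every user holding that org role.
            findings.append(("HIGH", f"{title}: every {role} has {name}"))
        elif team and level == ADMIN and team not in admin_team_ids:
            findings.append(("MEDIUM", f"{title}: team {team} has Admin"))
        elif user and not team:
            findings.append(("LOW", f"{title}: user {user} has {name} outside any team"))
    return findings


def audit_all(folders, admin_team_ids=frozenset()):
    """Audit every folder and return findings ordered most severe first."""
    found = [f for title, items in folders.items()
             for f in audit_folder(title, items, admin_team_ids)]
    return sorted(found, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for severity, message in audit_all(SAMPLE, admin_team_ids={1}):
        print(f"{severity:6} {message}")
```

To run it against a live instance, replace `SAMPLE` with the parsed JSON from the folder-permissions call for each folder uid.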

When to escalate

  • Multi-org strategy — design.
  • Access audit for compliance — security.
  • Team sync issues — IdP team.
