Grafana Team Sync External Groups Prompt
Map external IdP groups (LDAP/SAML/OAuth) to Grafana teams with team sync so membership and permissions stay automatic.
- Target user: Grafana Enterprise admins syncing teams
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior Grafana Enterprise admin who wires team sync so IdP groups drive Grafana team membership automatically.

I will provide:
- The identity source (LDAP, SAML, OAuth/OIDC)
- The external groups and target Grafana teams
- Current auth and team setup

Your job:
1. **Confirm team sync availability**:
   - Team sync is a Grafana Enterprise / Cloud feature
   - It syncs external groups into existing Grafana teams on login
   - Teams then carry folder/dashboard permissions
2. **Ensure groups flow from auth**:
   - LDAP: `member_of` attribute populated in ldap.toml
   - OAuth: a `groups` scope + `groups_attribute_path` claim
   - SAML: `assertion_attribute_groups` mapped
3. **Create the target teams** first:
   - Teams must exist before you attach external group IDs
4. **Attach external group mappings**:
   - Use the API `/api/teams/:id/groups` with the group's external ID
   - The external ID is the group DN (LDAP) or group name/id (OAuth/SAML)
5. **Grant permissions to teams, not users**:
   - Assign folder/dashboard permissions to the team
   - Membership then flows from the IdP automatically
6. **Handle sync timing**:
   - Sync happens on login; removing a group removes membership next login
   - No background sync — users must re-authenticate
7. **Audit**:
   - List team members and their sync source
   - Confirm no manual members drift from the IdP source of truth

Mark DESTRUCTIVE: removing a team's external group mapping strips permissions on next login; deleting a team removes its folder permissions.

---

Identity source: [DESCRIBE]
External groups and teams: [DESCRIBE]
Current setup: [DESCRIBE]
Why this prompt works
Team sync only works when three things line up: the auth provider actually emits groups, the Grafana teams exist, and the external group IDs match exactly. This prompt verifies the group flow per auth type, attaches mappings via the API, and shifts permissions onto teams so membership becomes fully IdP-driven.
How to use it
- Confirm groups arrive from the auth provider.
- Create teams, then attach external group IDs.
- Grant folder permissions to teams, not users.
- Re-login to sync and audit membership.
Useful commands
```bash
# Create a team
curl -s -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  http://grafana:3000/api/teams -d '{"name":"SRE"}'

# Attach an external group (LDAP DN or OAuth group id) to a team
curl -s -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  http://grafana:3000/api/teams/3/groups \
  -d '{"groupId":"cn=sre,ou=groups,dc=example,dc=com"}'

# List a team's external group mappings
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
  http://grafana:3000/api/teams/3/groups | jq

# List synced team members
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
  http://grafana:3000/api/teams/3/members | jq '.[] | {login, labels}'
```
Example config
```ini
# grafana.ini: ensure the groups claim flows for OAuth team sync
[auth.generic_oauth]
scopes = openid profile email groups
groups_attribute_path = groups

# For SAML team sync
[auth.saml]
assertion_attribute_groups = http://schemas.xmlsoap.org/claims/Group
```

Team sync mapping payload for `POST /api/teams/:id/groups`:

```json
{ "groupId": "sre-team" }
```
Common findings this catches
- No one syncs into the team → external ID typo / no exact match.
- Groups empty → auth provider not emitting the groups claim/attribute.
- Membership stale → user hasn’t re-authenticated since the change.
- Feature missing → running OSS, not Enterprise.
- Permission drift → manual members added outside the IdP.
- Team missing → mapping attempted before team creation.
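The audit step of the prompt (list members and their sync source, confirm external IDs match exactly) can be scripted over the two API responses the commands above return. The following is an added example, not code from this page or from Grafana; it assumes the response shapes noted in its comments (in particular that a synced member's `labels` names its auth source) and runs on constructed sample payloads.

```python
# Added example, not from the prompt page or any Grafana tool. Assumed shapes:
# GET /api/teams/:id/groups -> [{"teamId", "groupId"}] and
# GET /api/teams/:id/members -> [{"login", "labels"}], where a synced member
# carries a label naming its auth source (e.g. "LDAP"). Samples are constructed.
from typing import Dict, List

# Intended state: team id -> external group IDs exactly as the IdP emits them
DESIRED = {
    3: ["cn=sre,ou=groups,dc=example,dc=com"],
    4: ["platform-team"],
    5: ["cn=ops,ou=groups,dc=example,dc=com"],
}
# Constructed API responses; team 5 has no /groups mapping yet
SAMPLE_GROUPS = {
    3: [{"teamId": 3, "groupId": "cn=sre,ou=groups,dc=example,dc=com"}],
    4: [{"teamId": 4, "groupId": "Platform-Team"}],  # case differs from IdP
}
SAMPLE_MEMBERS = {
    3: [{"login": "alice", "labels": ["LDAP"]},
        {"login": "bob", "labels": []}],  # added by hand, no sync label
    4: [{"login": "carol", "labels": ["OAuth"]}],
}

def mapping_findings(desired: Dict[int, List[str]],
                     actual: Dict[int, List[dict]]) -> List[str]:
    """Flag missing, near-miss (case/whitespace) and unexpected group mappings."""
    findings = []
    for team_id, wanted in desired.items():
        have = [g["groupId"] for g in actual.get(team_id, [])]
        explained = set()
        for gid in wanted:
            if gid in have:
                explained.add(gid)
                continue
            # Team sync compares external IDs exactly; a near match never syncs
            near = next((h for h in have if h.strip().lower() == gid.strip().lower()), None)
            if near is None:
                findings.append(f"team {team_id}: no mapping for '{gid}'")
            else:
                explained.add(near)
                findings.append(f"team {team_id}: '{near}' is not an exact match for '{gid}'")
        findings += [f"team {team_id}: unexpected mapping '{h}'"
                     for h in have if h not in explained]
    return findings

def manual_members(members: Dict[int, List[dict]]) -> Dict[int, List[str]]:
    """Members with no sync label were added outside the IdP: permission drift."""
    drift = {tid: [m["login"] for m in ms if not m.get("labels")]
             for tid, ms in members.items()}
    return {tid: logins for tid, logins in drift.items() if logins}
```

Run it against real responses by replacing the two sample dicts with the parsed JSON from the `/groups` and `/members` calls for each team.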
When to escalate
- Enabling group claims at the IdP — identity team.
- Enterprise licensing for team sync — procurement.
- Large-scale team/permission model redesign — architecture.
Related prompts
- Grafana Folder Governance At Scale Prompt: Design Grafana folder structure, RBAC, and provisioning governance so dashboards stay organized and permissions scale.
- Grafana Generic OAuth Proxy Auth Prompt: Configure Grafana Generic OAuth SSO or auth proxy against any OIDC provider, with role mapping and secure token handling.
- Grafana LDAP Auth Mapping Prompt: Configure Grafana LDAP authentication with org membership and role mapping from directory groups, including Active Directory.