DevOps AI ToolKit

Grafana Team Sync External Groups Prompt

Map external IdP groups (LDAP/SAML/OAuth) to Grafana teams with team sync so membership and permissions stay automatic.

Target user: Grafana Enterprise admins syncing teams
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a senior Grafana Enterprise admin who wires team sync so IdP groups drive Grafana team membership automatically.

I will provide:
- The identity source (LDAP, SAML, OAuth/OIDC)
- The external groups and target Grafana teams
- Current auth and team setup

Your job:

1. **Confirm team sync availability**:
   - Team sync is a Grafana Enterprise / Grafana Cloud feature; OSS has no external-group endpoint on teams
   - It syncs external groups into existing Grafana teams at the moment the user logs in
   - Teams then carry folder/dashboard permissions, so membership is the only thing the IdP needs to control
2. **Ensure groups flow from auth**:
   - LDAP: in ldap.toml set `[servers.attributes] member_of = "memberOf"`, or use `group_search_filter` / `group_search_base_dns` for directories that do not expose a memberOf attribute
   - OAuth/OIDC: request whatever scope the IdP needs (often `groups`) and point `groups_attribute_path` (a JMESPath expression over the ID token / userinfo claims) at the claim that carries the groups
   - SAML: set `assertion_attribute_groups` to the assertion attribute that carries the groups
   - Verify with a real login (decode the ID token or assertion, or read the Grafana server log at debug level) before touching teams
3. **Create the target teams** first:
   - Teams must exist before you attach external group IDs; the create call returns the `teamId` the mapping calls need
4. **Attach external group mappings**:
   - `POST /api/teams/:teamId/groups` with `{"groupId": "<external id>"}`, authenticated with a service account token that has Org Admin rights
   - The external ID is the group DN (LDAP) or the group value exactly as the claim/attribute emits it (OAuth/SAML); matching is exact, so copy the value from a real token or assertion rather than retyping it
5. **Grant permissions to teams, not users**:
   - Assign folder/dashboard permissions to the team
   - Membership then flows from the IdP automatically, and leaving the group revokes the access
6. **Handle sync timing**:
   - Sync happens on login; removing a user from the group removes the team membership on that user's next login
   - Apart from LDAP active sync (`[auth.ldap] active_sync_enabled` with `sync_cron`, Enterprise only) there is no background sync, so users must re-authenticate; if revocation latency matters, shorten `[auth] login_maximum_lifetime_duration`
7. **Audit**:
   - List team members and their sync source (`labels` in `/api/teams/:teamId/members`)
   - Confirm no manually added members drift from the IdP source of truth, and that every mapping's external ID still exists at the IdP

Mark DESTRUCTIVE: removing a team's external group mapping drops the synced members, and with them their permissions, on their next login; deleting a team removes its folder/dashboard permission entries immediately.

---

Identity source: [DESCRIBE]
External groups and teams: [DESCRIBE]
Current setup: [DESCRIBE]

Why this prompt works

Team sync only works when three things line up: the auth provider actually emits groups, the Grafana teams exist, and the external group IDs match exactly. This prompt verifies the group flow per auth type, attaches mappings via the API, and shifts permissions onto teams so membership becomes fully IdP-driven.

How to use it

  1. Confirm groups arrive from the auth provider.
  2. Create teams, then attach external group IDs.
  3. Grant folder permissions to teams, not users.
  4. Re-login to sync and audit membership.

Useful commands

# Create a team (service account token with Org Admin rights) and keep the returned id
TEAM_ID=$(curl -sS -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  http://grafana:3000/api/teams -d '{"name":"SRE"}' | jq -r .teamId)

# Attach an external group (LDAP DN or OAuth/SAML group value, copied exactly) to the team
curl -sS -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
  -H "Content-Type: application/json" \
  "http://grafana:3000/api/teams/$TEAM_ID/groups" \
  -d '{"groupId":"cn=sre,ou=groups,dc=example,dc=com"}'

# List a team's external group mappings
curl -sS -H "Authorization: Bearer $GRAFANA_TOKEN" \
  "http://grafana:3000/api/teams/$TEAM_ID/groups" | jq

# List team members; `labels` marks members Grafana synced (LDAP-synced members show LDAP), manual members carry none
curl -sS -H "Authorization: Bearer $GRAFANA_TOKEN" \
  "http://grafana:3000/api/teams/$TEAM_ID/members" | jq '.[] | {login, email, labels}'

Example config

# grafana.ini: ensure the groups claim flows for OAuth team sync
# (groups_attribute_path is a JMESPath expression over the ID token / userinfo claims)
[auth.generic_oauth]
scopes = openid profile email groups
groups_attribute_path = groups

# grafana.ini: SAML team sync; the attribute name must match the assertion exactly
[auth.saml]
assertion_attribute_groups = http://schemas.xmlsoap.org/claims/Group

# Team sync mapping payload for POST /api/teams/:teamId/groups
# groupId must equal the value the claim/attribute emits (Entra ID / Azure AD, for example, emits group object IDs, not display names)
{ "groupId": "sre-team" }

Common findings this catches

  • No one syncs into the team → external ID typo / no exact match.
  • Groups empty → auth provider not emitting the groups claim/attribute.
  • Membership stale → user hasn’t re-authenticated since the change.
  • Feature missing → running OSS, not Enterprise.
  • Permission drift → manual members added outside the IdP.
  • Team missing → mapping attempted before team creation.
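The checks behind the findings above, as an added example written for this page rather than Grafana's own tooling: it attaches a mapping only if the exact external ID is not already configured, extracts the groups a token carries the way `groups_attribute_path` would (plain key or dotted path only; Grafana evaluates full JMESPath), flags mappings whose external ID differs from what the IdP emits only by case or whitespace, and reports members who were added by hand. `GRAFANA_URL` and `GRAFANA_TOKEN` are assumed environment variable names, and all sample data is constructed.

```python
"""Team-sync helpers: idempotent mapping attach plus the audit checks.
Added example for this page, not Grafana's own tooling. Assumes a service
account token with Org Admin rights in GRAFANA_TOKEN and the base URL in
GRAFANA_URL (both hypothetical names); the sample data below is constructed."""
import json
import os
import urllib.request
from typing import Iterable, Optional

BASE = os.environ.get("GRAFANA_URL", "http://grafana:3000")
TOKEN = os.environ.get("GRAFANA_TOKEN", "")


def api(method: str, path: str, body: Optional[dict] = None):
    """Minimal JSON call to the Grafana HTTP API (needs network; not run offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BASE + path, data=data, method=method,
        headers={"Authorization": f"Bearer {TOKEN}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def ensure_mapping(team_id: int, group_id: str) -> bool:
    """Attach group_id to an existing team unless that exact mapping is already
    there. Returns True if a mapping was created. Deliberately never deletes:
    removing a mapping is DESTRUCTIVE (synced members lose the team on next login)."""
    existing = {m["groupId"] for m in api("GET", f"/api/teams/{team_id}/groups")}
    if group_id in existing:
        return False
    api("POST", f"/api/teams/{team_id}/groups", {"groupId": group_id})
    return True


def groups_from_claims(claims: dict, attribute_path: str) -> list:
    """Extract the groups a decoded token carries, as groups_attribute_path does.
    Only a plain key or a dotted key path is handled here (Grafana itself
    evaluates full JMESPath); an empty result is the "groups empty" finding."""
    node = claims
    for key in attribute_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return list(node) if isinstance(node, list) else []


def unmatched_mappings(mappings: Iterable[dict], observed_groups: Iterable[str]) -> dict:
    """Compare a team's configured external IDs (GET /api/teams/:id/groups) with
    the group values the IdP actually emits. Matching is exact; a difference in
    case or surrounding whitespace is reported as a near miss because that is
    the usual typo behind "no one syncs into the team"."""
    observed = set(observed_groups)
    folded = {g.strip().lower(): g for g in observed}
    report = {"exact": [], "near_miss": {}, "missing": []}
    for m in mappings:
        gid = m["groupId"]
        if gid in observed:
            report["exact"].append(gid)
        elif gid.strip().lower() in folded:
            report["near_miss"][gid] = folded[gid.strip().lower()]
        else:
            report["missing"].append(gid)
    return report


def membership_drift(grafana_members: Iterable[dict], idp_logins: Iterable[str]) -> dict:
    """Members in Grafana (GET /api/teams/:id/members) who are not in the IdP
    group were added by hand and drift from the source of truth; IdP members
    missing from Grafana have simply not logged in since the mapping was added."""
    expected = set(idp_logins)
    synced = sorted(m["login"] for m in grafana_members if m["login"] in expected)
    manual = sorted(m["login"] for m in grafana_members if m["login"] not in expected)
    return {"synced": synced, "manual": manual,
            "not_yet_synced": sorted(expected - set(synced))}


# Constructed sample data standing in for API responses, a decoded ID token and
# the IdP's own listing of the group. The casing of the second mapping is the
# kind of mismatch that silently leaves a team empty.
SAMPLE_MAPPINGS = [
    {"orgId": 1, "teamId": 3, "groupId": "cn=sre,ou=groups,dc=example,dc=com"},
    {"orgId": 1, "teamId": 3, "groupId": "CN=Platform,OU=Groups,DC=example,DC=com"},
    {"orgId": 1, "teamId": 3, "groupId": "cn=oncall,ou=groups,dc=example,dc=com"},
]
SAMPLE_CLAIMS = {"sub": "alice", "groups": ["cn=sre,ou=groups,dc=example,dc=com",
                                            "cn=platform,ou=groups,dc=example,dc=com"]}
SAMPLE_MEMBERS = [
    {"login": "alice", "email": "alice@example.com", "labels": ["LDAP"]},
    {"login": "bob", "email": "bob@example.com", "labels": ["LDAP"]},
    {"login": "contractor", "email": "contractor@example.com", "labels": []},
]
SAMPLE_IDP_LOGINS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    emitted = groups_from_claims(SAMPLE_CLAIMS, "groups")
    print(json.dumps(unmatched_mappings(SAMPLE_MAPPINGS, emitted), indent=2))
    print(json.dumps(membership_drift(SAMPLE_MEMBERS, SAMPLE_IDP_LOGINS), indent=2))
    # Live use (needs GRAFANA_URL and GRAFANA_TOKEN): ensure_mapping(3, emitted[0])
```

In live use, feed `unmatched_mappings` the groups from a real decoded token or a user's memberOf values and `membership_drift` the IdP's listing of the group; a non-empty `near_miss` is almost always the fix for an empty team, and anything under `manual` is access that the IdP will never revoke.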

When to escalate

  • Enabling group claims at the IdP — identity team.
  • Enterprise licensing for team sync — procurement.
  • Large-scale team/permission model redesign — architecture.
