Rights Management

Intro

Grafana supports permissions for dashboards and folders. These permissions can be managed from Capture. Permissions can be granted to groups of users (through the user role or user tag) or to separate users.

Changes in Capture

1. The Team Management module

To manage the Grafana dashboard permissions, a user must have manage rights for the Team Management module. This can be done by adding the user to a role with these permissions, by modifying the user's role and assigning these permissions, or by overriding the user role to assign the permissions. A user who has view rights for this module will only be able to view the permissions.

2. Permissions

Permission target (group):

  • Grafana role (Editor or Viewer): All users with dashboard view/edit rights and rights for the dashboard/folder company
  • User tag: All users with a specific user tag, dashboard view/edit rights and rights for the dashboard/folder company
  • User: Specific user with dashboard view/edit rights and rights for the dashboard/folder company

Permission Type:

  • Edit: Users can edit and delete dashboard or folder
  • View: Users can only view dashboard or folder

Notes

  • Folder permissions are always inherited for all dashboards in this folder. These permissions can only be modified or removed at the folder level. However, additional permissions can be added to dashboards contained in folders for groups or individual users who do not already have specific permissions at the folder level.
  • The General folder is a default folder; no permissions can be added to this folder. The dashboards in the General folder can't have any inherited permissions.
  • The default folder and dashboard permissions are based on Grafana roles: Editor -> Edit and Viewer -> View

3. Manage the dashboard permissions

Navigate to the Capture dashboard app. This is where the dashboards to which the user has permission are displayed. Actions on these dashboards can be performed according to the user's permissions. To manage these permissions, the user can turn on the 'Rights management' switch at the top of the page. The page then shows a list of all dashboards, including those for which the user does not have permissions. From here, permissions can be managed per dashboard or folder.

[Image: rightsManagement]

4. Dashboard copies through fleet management

Dashboards and folders duplicated through fleet management will have, to the extent possible, the same permissions as the parent dashboard. That is, only users who have subcompany permissions, shareable tags and Grafana role permissions will be included in the dashboard copy.

5. Example

5.1 Company structure

Gintecc is a fictional company with two subcompanies, Gintecc_UK and Gintecc_CHINA, which in turn have two and one subcompanies respectively.

[Image: companyStructure]


5.2 Users and roles

Gintecc features 2 roles:

  • GinteccService: A role only for users within Gintecc, specifically service users. This role has all manage rights.

    [Image: serviceRole]

  • GinteccCustomer: A role shared with subcompanies, specifically for customers. This role allows users to view only rights-defined modules.

    [Image: customerRole]

Gintecc owns two shareable user tags (tags need to be shareable to use them for dashboard permissions in subcompanies):

  • GinteccService: A tag for service users.
  • GinteccCustomer: A tag for customers.

[Image: tags]

Gintecc and subcompanies contain a total of 5 users:

User            Company                Role             Tags
GinteccAdmin    Gintecc                InstanceAdmin    GinteccService
GinteccService  Gintecc                GinteccService   GinteccService
Customer_UK1    CustomerCompany_UK1    GinteccCustomer  GinteccCustomer
Customer_UK2    CustomerCompany_UK2    GinteccCustomer  GinteccCustomer
Customer_CHINA  CustomerCompany_CHINA  GinteccCustomer  GinteccCustomer

[Image: users]


5.3 Devices

All devices are located at the customer companies.

[Image: devices]


5.4 Dashboards

  • servicedashboard: Dashboard with data for service users.
  • customerdashboard: Dashboard with data for customers.

Both dashboards are located within a folder Release.

Permissions Release folder

A user with the service tag will have edit permissions to all dashboards in this folder.

[Image: releaseRights]

Permissions servicedashboard

No extra permissions added.

[Image: serviceDashboardRights]

Permissions customerdashboard

Extra permission for all users with the customer tag (View rights).

[Image: customerDashboardRights]
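The permission setup of section 5.4, worked through as an added example (not Capture's or Grafana's own code): it models folder inheritance, the rule that a dashboard may only add targets that have no folder-level permission, and the locked General folder. The `Folder` class, the `(kind, name)` target tuples and `report()` are hypothetical names; the example assumes the highest matching permission wins and that the default Grafana-role entries were removed from Release, and it does not model the Capture-side prerequisites (dashboard view/edit rights and company rights).

```python
from dataclasses import dataclass, field

RANK = {"View": 1, "Edit": 2}  # assumption: the highest matching permission wins

@dataclass
class Folder:
    name: str
    perms: dict = field(default_factory=dict)       # target -> "View" | "Edit"
    dashboards: dict = field(default_factory=dict)  # dashboard -> {target: type}

    def grant_folder(self, target, ptype):
        if self.name == "General":
            raise ValueError("no permissions can be added to the General folder")
        self.perms[target] = ptype

    def grant_dashboard(self, dashboard, target, ptype):
        # Inherited entries can only be changed at folder level, so a dashboard
        # may only add targets that have no permission on its folder.
        if target in self.perms:
            raise ValueError(f"{target} already has a permission on folder {self.name}")
        self.dashboards.setdefault(dashboard, {})[target] = ptype

    def effective(self, dashboard, user_targets):
        """Permission type a user ends up with on a dashboard, or None."""
        entries = {**self.dashboards.get(dashboard, {}), **self.perms}
        hits = [entries[t] for t in user_targets if t in entries]
        return max(hits, key=RANK.get, default=None)

# Section 5.4: folder Release with its two dashboards (default role entries
# assumed removed, since the page lists only the tag-based permissions).
release = Folder("Release", dashboards={"servicedashboard": {}, "customerdashboard": {}})
release.grant_folder(("tag", "GinteccService"), "Edit")
release.grant_dashboard("customerdashboard", ("tag", "GinteccCustomer"), "View")

# Targets each user matches, taken from the user table in section 5.2.
USERS = {
    "GinteccService": [("user", "GinteccService"), ("tag", "GinteccService")],
    "Customer_UK1": [("user", "Customer_UK1"), ("tag", "GinteccCustomer")],
    "Customer_CHINA": [("user", "Customer_CHINA"), ("tag", "GinteccCustomer")],
}

def report():
    """(user, dashboard) -> effective permission for every combination."""
    return {(u, d): release.effective(d, t)
            for u, t in USERS.items() for d in release.dashboards}

if __name__ == "__main__":
    for key, perm in report().items():
        print(key, perm)
```

A `None` entry in the report means the user matches no permission entry for that dashboard, which is the case for the customer users on servicedashboard.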


5.5 Fleet management

  • Machine_Type1: Fleet for devices of type 1
  • Machine_Type2: Fleet for devices of type 2

Both dashboards are added to the fleets and all devices are added to the fleet of the correct type.

[Image: fleet]


5.6 Results

Dashboard page from CustomerCompany_CHINA view for GinteccService:

[Image: serviceView]

Dashboard page from CustomerCompany_CHINA view for Customer_CHINA:

[Image: customerView]