Grafana User Management

Grafana controls what each user can see and do through a system of organisations, roles, and teams. A well-configured access structure keeps sensitive dashboards private, prevents accidental changes, and gives everyone exactly the access they need — no more, no less.

The Office Building Analogy

Think of Grafana like an office building. The building (Grafana server) is divided into floors (organisations). Each floor has rooms (dashboards and data sources). An employee badge (user account) grants access to specific floors and rooms based on the person's role (admin, editor, viewer). A security guard (server admin) manages the building's master access system.

Roles in Grafana

Every user in Grafana has one of three roles at the organisation level.

Admin

Admin users have full control within the organisation. They add and remove users, create and delete data sources, manage teams, configure notification policies, and install plugins. Every Grafana installation starts with one admin user (username: admin).

Editor

Editors create and modify dashboards, panels, and alert rules. They cannot manage users or change organisation settings. Assign this role to engineers and analysts who need to build and update dashboards.

Viewer

Viewers read dashboards only. They cannot create, edit, or delete anything. They can still interact with dashboards — change the time range, use variable dropdowns, and expand panels — but their changes are not saved. Assign this role to stakeholders and executives who need visibility without edit access.

Role Permissions Summary:
────────────────────────────────────────────────
Action               Viewer   Editor   Admin
────────────────────────────────────────────────
View dashboards         ✓        ✓        ✓
Use variables           ✓        ✓        ✓
Create dashboards       ✗        ✓        ✓
Edit dashboards         ✗        ✓        ✓
Create alert rules      ✗        ✓        ✓
Add data sources        ✗        ✗        ✓
Manage users            ✗        ✗        ✓
Install plugins         ✗        ✗        ✓
────────────────────────────────────────────────

Inviting Users

Go to Administration → Users → Invite. Enter the user's email address and choose their role. Grafana sends an invitation email with a link to set up their account. If email is not configured on the server, you can also manually create an account under Administration → Users → New user.

Organisations

Organisations are completely separate compartments inside one Grafana instance. Each organisation has its own dashboards, data sources, users, and settings. Data from one organisation is invisible to users in another.

When to Use Multiple Organisations

Use separate organisations when you host Grafana for different departments or customers who must not see each other's data. For example, the Sales team and the Engineering team might share one Grafana server but operate in separate organisations.

Switching Organisations

A user account can belong to multiple organisations with different roles in each. Click your user avatar (top right) → Switch organization to move between organisations. An engineer might be a Viewer in the Sales organisation but an Admin in the Engineering organisation.

Teams

Teams group users inside an organisation. You grant permissions to a team instead of to each user individually. When a new engineer joins, add them to the team — they instantly inherit all the team's dashboard and folder permissions.

Creating a Team

Go to Administration → Teams → New team. Give the team a name (for example, Database Team) and add members by searching for their usernames.

Folder Permissions

Dashboards live in folders. Folders have permission settings that override the organisation-level role for specific users or teams. This lets you create private folders that only certain teams can access, even if those users are Viewers at the organisation level.

Folder: "Finance Dashboards"
  Permissions:
    Finance Team      → Editor  (can build finance dashboards)
    Executive Team    → Viewer  (can read but not edit)
    Everyone else     → No access (cannot even see this folder)

Setting Folder Permissions

Navigate to Dashboards → find the folder → click the folder's settings icon (three dots) → Manage permissions. Click Add a permission and choose whether to grant access to a specific user, a team, or a role. Select the permission level: View, Edit, or Admin.
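An added example (not from the original page or from Grafana) that checks folder permission entries against an intended team policy, using the Finance Dashboards folder above. The entry field names, the Payroll folder and the policy table are assumptions constructed for illustration.

```python
# Constructed sample data. Each entry names a role, a user or a team and the
# level granted; the field names are assumptions made for this example.
FOLDER_ACLS = {
    "Finance Dashboards": [
        {"team": "Finance Team", "permission": "Edit"},
        {"team": "Executive Team", "permission": "View"},
    ],
    "Payroll": [  # hypothetical second folder with two mistakes
        {"team": "Finance Team", "permission": "Admin"},
        {"role": "Viewer", "permission": "View"},
    ],
}

# Intended access: team name -> highest level that team may hold.
POLICY = {"Finance Team": "Edit", "Executive Team": "View"}
RANK = {"View": 1, "Edit": 2, "Admin": 3}


def lint_folder(name, acl, policy):
    """Return findings where a folder's entries grant more than the policy."""
    findings = []
    for entry in acl:
        level = entry["permission"]
        if "role" in entry:
            # A role entry opens the folder to everyone holding that org role.
            findings.append(f"{name}: every {entry['role']} in the organisation gets {level}")
        elif "user" in entry:
            # The page recommends granting to teams, not individuals.
            findings.append(f"{name}: direct grant to user {entry['user']} ({level})")
        elif entry["team"] not in policy:
            findings.append(f"{name}: team {entry['team']} is not in the policy ({level})")
        elif RANK[level] > RANK[policy[entry["team"]]]:
            allowed = policy[entry["team"]]
            findings.append(f"{name}: {entry['team']} has {level}, policy allows {allowed}")
    return findings


if __name__ == "__main__":
    for folder, acl in FOLDER_ACLS.items():
        for finding in lint_folder(folder, acl, POLICY):
            print(finding)
```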

Service Accounts

Service accounts are non-human accounts used by scripts, CI/CD pipelines, and automation tools to interact with the Grafana API. Unlike regular user accounts, service accounts do not have passwords or email addresses — they authenticate using API tokens.

Creating a Service Account

Go to Administration → Service accounts → Add service account. Give it a name (for example, deployment-pipeline) and assign a role. Then click Add service account token to generate an API token. Copy the token immediately, because Grafana shows it only once.

Service account use case — deployment pipeline:

1. Create service account "ci-pipeline" with Editor role
2. Generate API token
3. Pipeline step after each deployment:
   curl -X POST http://grafana:3000/api/annotations \
     -H "Authorization: Bearer <token>" \
     -H "Content-Type: application/json" \
     -d '{"text":"Deployed v2.5.0","tags":["deployment"]}'
4. Annotation appears automatically on all dashboards

Anonymous Access

Grafana can allow anonymous users (no login required) to view dashboards. Enable this in the Grafana configuration file:

[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Viewer

Use anonymous access carefully. Anyone who can reach your Grafana URL will see the dashboards assigned to the anonymous role. Never enable anonymous access if dashboards contain sensitive business or security data. Reserve it for public-facing status pages or internal TV screens that show non-sensitive operational metrics.
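An added example (not from the original page or from Grafana) that audits the [auth.anonymous] settings shown above, including the case where a GF_AUTH_ANONYMOUS_* environment variable overrides the configuration file. The sample configuration, function names and severity labels are assumptions constructed for illustration.

```python
import configparser

# Constructed sample config for this example (not from a real deployment).
SAMPLE_INI = """
[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Editor
"""

TRUTHY = {"1", "t", "true", "y", "yes", "on"}  # approximation of accepted boolean spellings


def env_name(section, option):
    # Grafana reads overrides from GF_<SECTION>_<OPTION>; dots become underscores.
    return f"GF_{section.replace('.', '_')}_{option}".upper()


def setting(cfg, env, section, option, default):
    # An environment variable takes precedence over the ini file.
    override = env.get(env_name(section, option))
    if override is not None:
        return override.strip()
    return cfg.get(section, option, fallback=default).strip()


def audit_anonymous(ini_text, env=None):
    """Return (severity, message) findings for the [auth.anonymous] section."""
    env = env or {}
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    sec = "auth.anonymous"
    if setting(cfg, env, sec, "enabled", "false").lower() not in TRUTHY:
        return []
    org = setting(cfg, env, sec, "org_name", "Main Org.")
    role = setting(cfg, env, sec, "org_role", "Viewer")
    findings = [("WARN", f"anonymous access is enabled for organisation '{org}'")]
    if role != "Viewer":
        findings.append(("HIGH", f"anonymous visitors get the {role} role, which can change content"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_anonymous(SAMPLE_INI):
        print(severity, message)
```

Pass the process environment (for example `dict(os.environ)`) as `env` when auditing a container deployment, where the file alone may not reflect the running settings.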

Password Policies and Authentication

Grafana integrates with external authentication providers so users log in with existing corporate credentials instead of separate Grafana passwords.

Supported Authentication Providers

  • LDAP / Active Directory – sync with your organisation's directory server
  • OAuth – integrate with Google, GitHub, GitLab, Azure AD, Okta, or any OAuth 2.0 provider
  • SAML (Enterprise) – integrate with enterprise SSO systems

Connecting an external auth provider means users click "Sign in with Google" (or your provider), and Grafana automatically maps them to the correct role based on their group membership in the provider's system.
