

# Using permissions
<a name="Grafana-permissions"></a>

What you can do in a Grafana workspace in Amazon Managed Grafana is defined by the *permissions* that are associated with your user. 

Amazon Managed Grafana uses three types of permissions:
+ Permissions granted as a Grafana admin
+ Permissions associated with your membership on a team
+ Permissions granted to a specific folder or dashboard

You can be granted permissions based on your admin status, dashboard or folder permissions assigned to your user, and data source permissions. 

## Dashboard and folder permissions overview
<a name="dashboard-and-folder-permissions-overview"></a>

 By using dashboard and folder permissions, you can remove the default role-based permissions for editors and viewers. You can then assign permissions to specific users and teams. For more information, see [Dashboard and folder permissions](dashboard-and-folder-permissions.md). 

## Data source permissions overview
<a name="data-source-permissions-overview"></a>

By default, a data source can be queried by any user. For example, a user with the `Viewer` role can issue any possible query to a data source, not just those queries that exist on dashboards to which they have access.

Using data source permissions, you can change the default permissions for data sources and restrict query permissions to specific **Users** and **Teams**. For more information, see [Data source permissions](data-source-permissions.md).

# Dashboard and folder permissions
<a name="dashboard-and-folder-permissions"></a>

For dashboards and dashboard folders, you can use the **Permissions** page to remove the default role-based permissions for **Editors** and **Viewers**. On this page, you can add and assign permissions to specific **Users** and **Teams**.

Amazon Managed Grafana provides the following permission levels. The permissions vary based on the version of Grafana the workspace supports.

**For workspaces that support version 8:**
+ `Admin`: Can edit and create dashboards and edit permissions. Can also add, edit, and delete folders. 
+ `Edit`: Can edit and create dashboards. **Can't** edit folder or dashboard permissions, or add, edit, or delete folders. 
+ `View`: Can only view existing dashboards and folders.

**For workspaces that support version 9 and above:**
+ `Admin`: Can create, edit or delete a dashboard. Can add, edit, or delete folders, and create dashboards and subfolders in a folder. Administrators can also change dashboard and folder permissions.
+ `Edit`: Can create, edit, or delete a dashboard. Can edit or delete a folder, and create dashboards and subfolders in a folder. An editor **can't** change folder or dashboard permissions.
+ `View`: Can only view existing dashboards and folders.

## Granting folder permissions
<a name="grant-folder-permissions"></a>

**To grant folder permissions**

1. In the sidebar, hover over the **Dashboards** (squares) icon, and then choose **Manage**.

1. Hover over a folder, and then choose **Go to folder**.

1. On the **Permissions** tab, choose **Add Permission**.

1. In the **Add Permission For** dialog box, choose **User**, **Team**, or one of the role options. If your workspace uses Grafana version 10 or newer, choose **User, Team, Service account, or Role**.

1. In the second box, select the user, team, service account, or role to which you want to add permissions. If your workspace is using Grafana version 9 or earlier, and you selected a role option in the previous step, then skip this step.

1. In the third box, select the permission that you want to add.

1. Choose **Save**.

## Granting dashboard permissions
<a name="grant-dashboard-permissions"></a>

**To grant dashboard permissions**

1. In the top right corner of your dashboard, choose the cog icon to go to **Dashboard settings**.

1. On the **Permissions** tab, choose **Add Permission**.

1. In the **Add Permission For** dialog box, choose **User**, **Team**, or one of the role options. If your workspace uses Grafana version 10 or newer, choose **User, Team, Service account, or Role**.

1. In the second box, select the user, team, service account, or role to which you want to add permissions. If your workspace is using Grafana version 9 or earlier, and you selected a role option in the previous step, then skip this step.

1. In the third box, select the permission that you want to add.

1. Choose **Save**.

## Restricting access
<a name="restricting-access"></a>

 The highest permission always wins. 
+  You cannot override permissions for users with the `Admin` role. Admins always have access to everything. 
+  A more specific permission with a lower permission level does not have any effect if a more general rule exists with a higher permission level. You need to remove or lower the permission level of the more general rule. 

## How Amazon Managed Grafana resolves multiple permissions – examples
<a name="how-grafana-resolves-multiple-permissions---examples"></a>

The following examples show how multiple permissions are resolved.

### Example 1: `user1` has the `Editor` role
<a name="example-1-user1-has-the-editor-role"></a>

 Permissions for a dashboard: 
+  Everyone with the `Editor` role can edit. 
+  `user1` can view. 

 Result: `user1` has Edit permission because the highest permission always wins. 

### Example 2: `user1` has the Viewer role and is a member of `team1`
<a name="example-2-user1-has-the-viewer-role-and-is-a-member-of-team1"></a>

 Permissions for a dashboard: 
+  Everyone with the `Viewer` role can view. 
+  `user1` has the `Editor` role and can edit. 
+  `team1` has the `Admin` role. 

 Result: `user1` has Admin permission because the highest permission always wins. 

### Example 3: `user1` has multiple permissions at different levels
<a name="example-3"></a>

 Permissions for a dashboard: 
+  `user1` has the `Admin` role (inherited from parent folder). 
+  `user1` has the `Editor` role and can edit. 

 Result: You cannot override to a lower permission. `user1` has Admin permission because the highest permission always wins. 
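
The "highest permission always wins" rule from the three examples above can be expressed as a small resolver that also lists the grants that have no effect because a higher one applies. This is an added example, not code from Amazon Managed Grafana or Grafana. The names `Grant`, `User`, `effective`, and `shadowed` are hypothetical, and the `Viewer` role used for Example 3 is an assumption because the page does not state it.

```python
from dataclasses import dataclass

# Relative ordering of the permission levels named on this page (assumed numeric ranks).
LEVELS = {"View": 1, "Edit": 2, "Admin": 3}

@dataclass(frozen=True)
class Grant:
    kind: str                # "role", "team" or "user"
    subject: str             # role name, team name or user name
    level: str               # "View", "Edit" or "Admin"
    inherited: bool = False  # True when the grant comes from the parent folder

@dataclass(frozen=True)
class User:
    name: str
    role: str                # "Viewer", "Editor" or "Admin"
    teams: tuple = ()

def applies(grant, user):
    """True when the grant targets this user directly, via a team, or via the role."""
    return ((grant.kind == "role" and grant.subject == user.role)
            or (grant.kind == "team" and grant.subject in user.teams)
            or (grant.kind == "user" and grant.subject == user.name))

def effective(user, grants):
    """Highest level among all applicable grants; None means no access."""
    if user.role == "Admin":
        return "Admin"       # permissions for Admin users cannot be overridden
    levels = [g.level for g in grants if applies(g, user)]
    return max(levels, key=LEVELS.get, default=None)

def shadowed(user, grants):
    """Applicable grants below the effective level: they do not restrict anything."""
    top = effective(user, grants)
    return [g for g in grants
            if applies(g, user) and LEVELS[g.level] < LEVELS[top]]

# Grant lists constructed from Examples 1 to 3 on this page.
EX1 = [Grant("role", "Editor", "Edit"), Grant("user", "user1", "View")]
EX2 = [Grant("role", "Viewer", "View"), Grant("user", "user1", "Edit"),
       Grant("team", "team1", "Admin")]
EX3 = [Grant("user", "user1", "Admin", inherited=True),
       Grant("user", "user1", "Edit")]

if __name__ == "__main__":
    for user, grants in [(User("user1", "Editor"), EX1),
                         (User("user1", "Viewer", ("team1",)), EX2),
                         (User("user1", "Viewer"), EX3)]:
        print(effective(user, grants), shadowed(user, grants))
```

A non-empty `shadowed` result is the review signal: someone added a lower, more specific grant expecting it to restrict access, and the broader rule has to be removed or lowered instead.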

## Summary
<a name="summary"></a>
+  **View**: Can only view existing dashboards or folders. 
+  A more specific permission with a lower permission level will not have any effect if a more general rule exists with a higher permission level. 

# Data source permissions
<a name="data-source-permissions"></a>

By default, data sources can be queried by any user. For example, a user with the `Viewer` role can issue any possible query to a data source, not just queries that exist on dashboards to which they have access.

You can use data source permissions to restrict access for users to query a data source. For each data source, there is a permission page where you can enable or restrict query permissions to specific **Users** and **Teams**.

## Enabling data source permissions
<a name="enable-data-source-permissions"></a>

When permissions are enabled for a data source, you restrict admin and query access for that data source to Admin users by default. You can selectively add access for specific users and teams.

**To enable permissions for a data source**

1. Navigate to **Configuration**, **Data Sources**. For workspaces that support Grafana version 10, navigate to **Connections**, **Data Sources**.

1. Select the data source for which you want to enable permissions.

1. On the **Permissions** tab, choose **Enable**.

**Warning**  
If you enable permissions for the default data source, users who are not listed in the permissions are unable to invoke queries. Panels that use the default data source will return the `Access denied to data source` error for those users.

## Allowing users and teams to query a data source
<a name="allow-users-and-teams-to-query-a-data-source"></a>

After you enable permissions for a data source, only admins have access to that data source by default. You can assign query permissions to users or teams, which allows them to query the data source.

**To assign query permissions to users and teams**

1. Navigate to **Configuration**, **Data Sources**. For workspaces that support Grafana version 10, navigate to **Connections**, **Data Sources**.

1. Select the data source for which you want to assign query permissions.

1. On the **Permissions** tab, choose **Add Permission**.

1. Select **Team** or **User**. For workspaces that support Grafana version 10 or newer, you can also select **Service account** or **Role**.

1. Select the team, user, service account, or role that you want to grant query access to, and then choose **Save**.

## Disabling data source permissions
<a name="disable-data-source-permissions"></a>

If you have enabled permissions for a data source and want to return data source permissions to the default, follow these steps.

**Note**  
*All* existing permissions created for the data source will be deleted.

**To disable permissions for a data source**

1. Navigate to **Configuration**, **Data Sources**. For workspaces that support Grafana version 10, navigate to **Connections**, **Data Sources**.

1. Select the data source for which you want to disable permissions.

1. On the **Permissions** tab, choose **Disable Permissions**.