When multiple teams or departments share a Grafana instance, you need a clear strategy for organizing dashboards, controlling access, and tracking costs. Managed Service for Grafana provides three levels of resource organization -- folders and teams, organizations, and workspaces -- each with different isolation and flexibility tradeoffs.
This topic helps you choose the right workspace edition, configure authentication, and set up permissions.
Choose a resource organization approach
Before selecting an edition or configuring authentication, decide how to organize your resources. The following table compares the three approaches:
| Approach | Isolation level | Benefits | Limitations |
|---|---|---|---|
| Folders and teams (recommended) | Resource-level | Lightweight and flexible. Resources can be shared across teams with minimal configuration. Grafana is actively developing additional capabilities for this approach. For details, see Grafana documentation. | Does not provide workspace-level isolation. |
| Organizations | Organization-level | Users authenticate once and access all organizations without re-authenticating. | Resources (data sources, dashboards, folders) are isolated between organizations. Synchronizing resources requires API calls. User management is more complex because you must configure users separately per organization. |
| Workspaces | Full isolation | Databases and configuration files are completely isolated between workspaces. | Resources cannot be shared or synchronized between workspaces without API calls. |
Decision guide:
Need flexible dashboard sharing between teams? Use folders and teams.
Need resource isolation without full database separation? Use organizations.
Need complete data and configuration isolation? Use separate workspaces.
Choose a workspace edition
Managed Service for Grafana offers four editions:
| Edition | User capacity | Best for |
|---|---|---|
| Pro Edition (10 Users) | Up to 10 | Small teams or initial evaluation |
| Pro Edition (30 Users) | Up to 30 | Mid-size teams |
| Pro Edition (50 Users) | Up to 50 | Larger teams |
| Advanced Edition (100 Users) | Up to 100 | Departments that need reports and auditing |
Advanced Edition is required for the report feature and auditing feature. If you are unsure about the number of users, start with Pro Edition (10 Users) and upgrade later as needed.
When to create multiple workspaces
A single workspace is sufficient for most use cases. Create separate workspaces only when full isolation is required, such as:
Separate cost tracking: Bill Department A and Department B independently.
Distinct OAuth configurations: Each team has a unique AppID for OAuth 2.0 mapping. The Grafana OAuth2 feature allows only one AppID to be mapped to a team.
Environment-level isolation: Enforce different data security and access policies between production and test environments.
Sizing examples:
| Scenario | Recommended editions |
|---|---|
| One department, 100 users | Advanced Edition (100 Users) |
| One team, 20 users | Pro Edition (30 Users) |
| Test environment (30 users) + production environment (10 users) | Pro Edition (30 Users) + Pro Edition (10 Users) |
Configure authentication
Grafana supports multiple authentication methods. Configure one or more methods per workspace based on your access requirements.
| Type | Method | When to use |
|---|---|---|
| Server administrator | Create users and passwords | Manage all users centrally. Log on as a server administrator through the Server Admin (shield) icon to create users, set passwords, and assign permissions. Server administrators can also manage users authenticated through email, Alibaba Cloud SSO, OAuth, and LDAP.  |
| Organization administrator | Invite users by email | Delegate user management to organization-level admins. Organization administrators do not see the Server Admin (shield) icon  in the left-side navigation pane and cannot add users directly. Instead, they invite users by sending an email with an acceptance link. Permissions are assigned at the time of invitation. Organization administrators cannot view user passwords -- only server administrators have that access. Managed Service for Grafana uses default Simple Mail Transfer Protocol (SMTP) settings. To configure custom SMTP settings, see Invite users by using an SMTP-enabled email account.  |
| Alibaba Cloud SSO | Log on with Alibaba Cloud accounts | Enable seamless access for Alibaba Cloud users. Enter the ID of an Alibaba Cloud account or a RAM user in the Managed Service for Grafana console. Users already logged on to the Alibaba Cloud console are authenticated automatically. For more information, see Manage accounts. |
| OAuth | Integrate with an authentication provider | Federate identity through an external provider. Managed Service for Grafana supports Azure AD OAuth, Google OAuth, and custom OAuth integrations. For setup instructions, see Use OAuth to log on to Grafana. |
| LDAP | Integrate with an LDAP directory | Connect Grafana to your corporate directory. LDAP configuration files cannot be uploaded through the Managed Service for Grafana console. To enable LDAP authentication, join the DingTalk group chat (ID: 34785590) for technical support. |
| Anonymous access | Allow unauthenticated viewing | Share dashboards publicly without requiring log on. For example, the Grafana demo website is a demo page that allows anonymous access. For setup instructions, see Generate a link to share a Grafana dashboard. |
For a full list of supported authentication providers, see Grafana documentation.
Set up folders and teams (recommended)
Folders and teams are the recommended approach for organizing permissions. This section walks through a practical example.
Permission behavior
Before you configure folder permissions, note the following rules:
When you assign permissions to a folder, those permissions apply to all dashboards within that folder.
If a user has the Admin permission individually but belongs to a team with the View permission, the Admin permission takes precedence.
Example scenario
A company has three teams -- R&D, O&M, and Operations -- and two folders:
| Folder | Contents | Edit access | View access |
|---|---|---|---|
| Service | Dashboards generated from running applications | R&D team | Operations team |
| Infrastructure | Dashboards for monitoring Alibaba Cloud Elastic Compute Service (ECS) and ApsaraDB RDS | O&M team | R&D team |
Step 1: Create teams
Log on to the Grafana console.
In the left-side navigation pane, choose
> Configuration.On the Teams tab, create the R&D, O&M, and Operations teams, and add members to each team.
For more information, see Grafana documentation.
Step 2: Create folders
In the left-side navigation pane, choose
> + New folder.Create the Service folder and the Infrastructure folder.
For more information, see Grafana documentation.
Step 3: Assign folder permissions
Open the target folder.
On the Permissions tab, add the relevant teams and assign the appropriate permission level (View or Edit).
After permissions are assigned, only team members with the View permission can view the dashboards in that folder.
Use organizations for resource isolation
If folders and teams do not provide enough isolation, use organizations. Organizations isolate resources such as data sources, dashboards, and folders between groups. Users authenticate once and can access all organizations without re-authenticating.
Tradeoffs:
Synchronizing resources between organizations requires API calls.
You must configure users separately per organization.
Use organizations when you need resource isolation without full database separation.
Use separate workspaces for full isolation
For the strictest isolation, create separate workspaces. Databases and configuration files are completely isolated between workspaces. Resources cannot be shared or synchronized between workspaces without API calls.
Use separate workspaces when you need complete data and configuration isolation, such as separating production and test environments with different security policies.