This topic explains how to organize your Grafana instance, covering workspace selection, account authentication, and permission management.
Background information
Grafana offers several ways to organize resources and permissions. When multiple teams, departments, or customers use the same instance, you may encounter the following challenges:
How to choose the right Grafana edition for your needs.
How to assign accounts and manage permissions to prevent Department A from viewing Department B's information.
How to handle cost allocation and billing for different departments.
How to configure isolation when departments have different requirements for authentication, plugins, and other settings.
How to allow users to view public content without authentication.
Select a workspace edition
Managed Service for Grafana provides four editions: Pro Edition (10 accounts), Pro Edition (30 accounts), Pro Edition (50 accounts), and Advanced Edition (100 accounts).
Select by features
The Advanced Edition includes features like reporting and auditing that are not available in the Pro Edition. If you need these features, choose the Advanced Edition.
Select by account count
Define the smallest group of users that requires access.
In most cases, a single workspace can meet the needs of all users. However, in the following scenarios, we recommend creating separate workspaces for each department or team to ensure complete permission or data isolation:
Cost allocation: To bill Department A and Department B separately, use a separate workspace for each.
OAuth integration: If you need to integrate Grafana with your company's account system by using OAuth 2.0, and each team is assigned a unique AppID, use a separate workspace for each team. This is because a custom OAuth configuration in Grafana can only be mapped to a single AppID.
Environment isolation: If you require strict separation of data security and user permissions between production and testing environments, use multiple workspaces to isolate them.
Choose an edition that matches your user count.
For a department with 100 people, we recommend purchasing the Advanced Edition (100 accounts).
For a team of 20 people, you can choose the Pro Edition (30 accounts).
If you have 30 users in a development environment and 10 users in a production environment, you can purchase one Pro Edition (30 accounts) and one Pro Edition (10 accounts).
If you are unsure about your requirements, start with the Pro Edition (10 accounts). You can upgrade or downgrade your edition later.
Configure authentication
In addition to its built-in user management system, Grafana supports various other authentication methods for account synchronization and login. For more information, see the official Grafana documentation.
Managed Service for Grafana extends its native capabilities by integrating Alibaba Cloud's login methods. The following table lists the common authentication methods available in Managed Service for Grafana. You can use multiple methods simultaneously in a single workspace.
Type | Scenario | Description |
User management with a server administrator account | Create accounts and passwords | As a server administrator, you can access the server administrator menu in the Grafana UI to directly create accounts, set passwords, and grant permissions. You can also manage accounts that are integrated through email, Alibaba Cloud SSO, OAuth, or LDAP. |
User management with organization administrator permissions | Invite users by email | The server administrator and organization administrator roles have different permission levels. As an organization administrator, you will not see the server administrator |
Alibaba Cloud SSO | Log on with an Alibaba Cloud account | In the , you can enter the ID of an Alibaba Cloud account or a RAM user to enable login with that account. If you are logged on to the Alibaba Cloud console, you can access Grafana without logging in again. For more information, see Account management. |
OAuth | Integrate with an enterprise login system | Managed Service for Grafana supports the standard OAuth protocol. In addition to the default support for Google and Microsoft logins, Grafana allows for custom login integrations to integrate with a corporate login system. For more information, see Configure OAuth-based logon for Grafana. |
LDAP | Integrate with an enterprise login system | The console does not currently allow you to upload LDAP files. If you require this feature, please provide feedback by joining the Managed Service for Grafana DingTalk group (ID: 34785590). |
Anonymous access | Allow visitors to view without logging in | Some dashboards may need to be displayed externally, allowing users to view them directly without logging in. For example, the official Grafana Play site is a demo site that uses anonymous access. For instructions on configuring anonymous access, see Generate a link to share a Grafana dashboard. |
Manage permissions
Open-source Grafana offers a variety of permission management methods sufficient for most scenarios. Besides Grafana's recommended approach of using folders and teams, you can also use organizations or even workspaces for stricter permission control.
Comparison of approaches
Approach | Benefits | Limitations |
Folders and teams (Recommended) |
| Lacks the true isolation of a workspace. |
Organizations | You only need to configure authentication once. |
|
Workspaces | Each workspace has its own independent database and configuration files, providing true isolation. | Configuration cannot be shared. Synchronizing data sources, dashboards, folders, and other resources between workspaces requires custom code. |
Folder and team best practices
Consider an example of an online team at a company:
The company has teams for development, O&M, and operations. It uses folders to separate resources for business and infrastructure.
The business folder contains business dashboards based on data collected from running applications. These are configured by the development team and viewed by the operations team.
The infrastructure folder contains monitoring dashboards for infrastructure on Alibaba Cloud, such as ECS and RDS. These are configured by the O&M team and viewed by the development team.
Follow these steps:
In the left-side navigation pane of Grafana, choose .
On the Configuration page, click the Teams tab. Use the New Team button to create teams for development, O&M, and operations, and then add members to each team. For more information, see the official Grafana documentation.
In the left-side navigation pane of Grafana, choose to create the business and infrastructure folders. For more information, see the official Grafana documentation.
Configure folder permissions.
Navigate to a folder and go to the Permissions tab to add permissions. Configure the permission level for each team in the current folder.
Permission levels include View (view dashboards), Edit (add, edit, and delete dashboards), and Admin (manage permissions and dashboards). Select the target team and permission level, and then click Save.
After configuration, members of a team with only View permission can only view resources.
NoteIf a user has Admin permissions individually but belongs to a team that only has View permissions, the higher-level permission takes precedence. The user will still have Admin permissions.