Managed Service for Grafana: Organize resources and manage permissions in Grafana

Last Updated: Jan 06, 2025

This topic describes how to organize resources, create workspaces, configure authentication methods, and manage permissions in Grafana.

Background information

Grafana provides multiple structures that you can use to organize resources and manage permissions. If you want multiple teams, departments, or customers to use Grafana, you may need to handle the following challenges:

  • Select a Grafana edition based on your business requirements.

  • Assign users and manage user permissions to isolate users in different departments. For example, you can isolate users in Department A and Department B.

  • Attribute costs to departments.

  • Isolate departments that use different authentication methods and plug-ins.

  • Enable anonymous access to allow unauthenticated users to view public content.

Create workspaces

Managed Service for Grafana provides four editions: Pro Edition (10 Users), Pro Edition (30 Users), Pro Edition (50 Users), and Advanced Edition (100 Users).

Select features

If you want to use the report feature and auditing feature, use Advanced Edition.

Select the number of users

  1. Define the smallest unit of your company, such as a department or team, that requires its own workspace.

    In most cases, one workspace can meet your business requirements. However, if you want to fully isolate permissions or data in the following scenarios, you can purchase a workspace for each department or team:

    • Separately manage the costs of Department A and Department B.

    • Map the teams of the company to Grafana and add users to the teams in Grafana by using the OAuth 2.0 protocol. Each team has a unique AppID. The OAuth2 feature of Grafana specifies that only one AppID can be mapped to a team.

    • Grant different permissions to different teams or departments in production or test environments to meet different data security and access requirements.

  2. Select an edition.

    • If a department contains 100 users, we recommend that you purchase Advanced Edition (100 Users).

    • If a team contains 20 users, we recommend that you purchase Pro Edition (30 Users).

    • If the test environment is used by 30 users and the production environment is used by 10 users, we recommend that you purchase Pro Edition (30 Users) and Pro Edition (10 Users).

If you are not sure about the number of users, we recommend that you purchase Pro Edition (10 Users) first, and then upgrade the configuration based on your business requirements.

Configure authentication methods

Grafana allows a user to log on as a Grafana user or by using the account of an authentication provider. Grafana supports various authentication providers. For more information, see Grafana documentation.

Alibaba Cloud Managed Service for Grafana also supports Alibaba Cloud authentication methods. The following table lists the methods that can be used to log on to Managed Service for Grafana. You can configure one or more methods for a workspace based on your business requirements.

| Type | Method | Description |
| --- | --- | --- |
| User management (server administrator) | Create users and passwords | Log on to Grafana as a server administrator. Move the pointer over the Server Admin (shield) icon to open a shortcut menu. Then, you can create a user, specify a password, and grant permissions to the user. You can also manage users that are authenticated by email, Alibaba Cloud SSO, OAuth, and LDAP. |
| User management (organization administrator) | Invite users to join an organization by email | Server administrators and organization administrators are granted different permissions. After you log on as an organization administrator, the Shield icon is not displayed in the left-side navigation pane. You cannot add a user in the organization. You can only invite a user to join the organization by sending an email to the user. The email includes a link that the user can click to accept the invitation. When you send the email, you can grant permissions to the user. Organization administrators are not granted the permissions to view the passwords of users. Only server administrators are granted the permissions to view the passwords of users. Managed Service for Grafana uses default Simple Mail Transfer Protocol (SMTP) settings. You can configure SMTP settings to invite users. For more information, see Invite users by using an email account for which SMTP is enabled. |
| Alibaba Cloud SSO | Log on by using Alibaba Cloud accounts | In the Managed Service for Grafana console, enter the ID of your Alibaba Cloud account or the ID of a RAM user. If you are already logged on to the Alibaba Cloud console, you can log on to Managed Service for Grafana without authenticating again. For more information, see Account management. |
| OAuth authentication | Integrate Grafana with an authentication provider | Managed Service for Grafana supports authentication based on the standard OAuth protocol. Grafana supports various authentication providers such as Azure AD OAuth, Google OAuth, and custom authentication integrations. The method is suitable for scenarios in which you want to integrate Grafana with an authentication provider. For information about how to integrate Grafana with an authentication provider, see Use OAuth to log on to Grafana. In that topic, Alibaba Cloud is used as an example to simulate the authentication system of a company and integrate Grafana with an authentication provider. |
| LDAP | Integrate Grafana with an authentication provider | You cannot upload an LDAP configuration file in the Managed Service for Grafana console. If you want to enable LDAP authentication, join the DingTalk group chat (ID: 34785590) to obtain technical support. |
| Anonymous access | View public content without logging on | You can enable anonymous access to display dashboards to the public. Unauthenticated users can view the dashboards without logging on. For example, the Grafana demo website is a demo page that allows anonymous access requests. For information about how to enable anonymous access requests, see Generate a link to share a Grafana dashboard. |

Manage permissions

Open-source Grafana provides various methods to help you manage permissions based on your business requirements. You can use folders and teams that are recommended by Grafana to manage permissions on the Grafana resources. You can also use organizations and workspaces to manage permissions. Workspaces are better for fine-grained permission management than organizations.

Comparison

Method: Folders and teams (recommended)

  Benefits:

    • Folders and teams are flexible and lightweight. Resources can be flexibly shared among teams.

    • Folders and teams require fewer configurations.

    • Grafana is developing more features for folders and teams. For more information, see Grafana documentation.

  Disadvantages:

    • Folders and teams do not isolate workspaces.

Method: Organizations

  Benefits:

    • Users do not need to re-authenticate after the first logon.

  Disadvantages:

    • Organizations isolate resources such as data sources, dashboards, and folders. To synchronize data of these resources among organizations, call the API.

    • User management is more complicated. Users in different organizations must be separately configured.

    • Organizations are less flexible than folders and less isolated than workspaces.

Method: Workspaces

  Benefits:

    • The databases and configuration files of different workspaces are completely isolated from each other.

  Disadvantages:

    • Resources such as data sources, dashboards, and folders cannot be shared and synchronized among workspaces. You must call the API to share resources.

Best practices for folders and teams

For example, your company has online teams and the following requirements:

  • You want to create the following teams: R&D, O&M, and Operations. You also want to create the following folders: Service and Infrastructure.

  • You want to store service dashboards that are generated based on running applications in the Service folder. The folder is configured by the R&D team and viewed by the Operations team.

  • You want to store the dashboards that are used to monitor infrastructures such as Alibaba Cloud Elastic Compute Service (ECS) and ApsaraDB RDS in the Infrastructure folder. The folder is configured by the O&M team and viewed by the R&D team.

We recommend that you perform the following steps:

  1. Log on to the Grafana console. In the left-side navigation pane, choose [icon] > Configuration.

  2. On the Teams tab of the Configuration page, create the R&D, O&M, and Operations teams, and add team members. For more information, see Grafana documentation.

  3. In the left-side navigation pane, choose [icon] > + New folder, and create the Service folder and Infrastructure folder. For more information, see Grafana documentation.

  4. Grant folder permissions.

    Go to the folder, add permissions on the Permissions tab, and then grant the permissions to the teams.

    After you grant the permissions, only the team members that are granted the View permission can view the dashboards.

    Note

    If a user is granted the Admin permission and belongs to a team that is granted the View permission, the Admin permission takes precedence.
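
The following is an added example, not code from Grafana or Alibaba Cloud. It models the Service and Infrastructure folder grants from the scenario above, builds the request body for Grafana's folder permission API, and applies the precedence rule from the Note to audit who ends up with more than View. The team IDs, user names, and the mapping of "configured by" to the Edit level are assumptions.

```python
# Added example (not from the Grafana or Alibaba Cloud documentation).
# Assumption: levels follow Grafana's folder permission API: 1=View, 2=Edit, 4=Admin.
VIEW, EDIT, ADMIN = 1, 2, 4
LEVEL_NAME = {0: "None", VIEW: "View", EDIT: "Edit", ADMIN: "Admin"}

# Folder -> {team: level} for the scenario above.
# Mapping "configured by" to Edit is an assumption; the page does not name the level.
FOLDER_GRANTS = {
    "Service": {"R&D": EDIT, "Operations": VIEW},
    "Infrastructure": {"O&M": EDIT, "R&D": VIEW},
}

# Constructed sample data: team IDs and users are hypothetical.
TEAM_IDS = {"R&D": 1, "O&M": 2, "Operations": 3}
USERS = {
    "alice": {"teams": ["R&D"]},
    "bob": {"teams": ["Operations"], "direct": {"Service": ADMIN}},
    "carol": {"teams": ["O&M"]},
}

def permission_payload(folder, team_ids):
    """Request body for POST /api/folders/<uid>/permissions."""
    # The call replaces the folder's whole permission list; omitted entries are removed.
    grants = sorted(FOLDER_GRANTS[folder].items())
    return {"items": [{"teamId": team_ids[t], "permission": lvl} for t, lvl in grants]}

def effective_permission(folder, teams, direct=None):
    """Highest level wins across the user's direct grant and all team grants."""
    levels = [FOLDER_GRANTS[folder].get(team, 0) for team in teams]
    levels.append((direct or {}).get(folder, 0))
    return max(levels)

def audit(users):
    """List (user, folder, level) for every user who ends up above View."""
    findings = []
    for name, info in sorted(users.items()):
        for folder in sorted(FOLDER_GRANTS):
            level = effective_permission(folder, info["teams"], info.get("direct"))
            if level > VIEW:
                findings.append((name, folder, LEVEL_NAME[level]))
    return findings

if __name__ == "__main__":
    print(permission_payload("Service", TEAM_IDS))
    for finding in audit(USERS):
        print(finding)
```

In the sample data, bob belongs only to the View-level Operations team but also holds a direct Admin grant on the Service folder, so the audit reports him as Admin, which is the case the Note describes.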