All Products
Search
Document Center

Managed Service for Grafana:Organize Grafana resources

Last Updated:Jun 21, 2026

This topic explains how to organize your Grafana instance, covering workspace selection, account authentication, and permission management.

Background information

Grafana offers several ways to organize resources and permissions. When multiple teams, departments, or customers use the same instance, you may encounter the following challenges:

  • How to choose the right Grafana edition for your needs.

  • How to assign accounts and manage permissions to prevent Department A from viewing Department B's information.

  • How to handle cost allocation and billing for different departments.

  • How to configure isolation when departments have different requirements for authentication, plugins, and other settings.

  • How to allow users to view public content without authentication.

Select a workspace edition

Managed Service for Grafana provides four editions: Pro Edition (10 accounts), Pro Edition (30 accounts), Pro Edition (50 accounts), and Advanced Edition (100 accounts).

Select by features

The Advanced Edition includes features like reporting and auditing that are not available in the Pro Edition. If you need these features, choose the Advanced Edition.

Select by account count

  1. Define the smallest group of users that requires access.

    In most cases, a single workspace can meet the needs of all users. However, in the following scenarios, we recommend creating separate workspaces for each department or team to ensure complete permission or data isolation:

    • Cost allocation: To bill Department A and Department B separately, use a separate workspace for each.

    • OAuth integration: If you need to integrate Grafana with your company's account system by using OAuth 2.0, and each team is assigned a unique AppID, use a separate workspace for each team. This is because a custom OAuth configuration in Grafana can only be mapped to a single AppID.

    • Environment isolation: If you require strict separation of data security and user permissions between production and testing environments, use multiple workspaces to isolate them.

  2. Choose an edition that matches your user count.

    • For a department with 100 people, we recommend purchasing the Advanced Edition (100 accounts).

    • For a team of 20 people, you can choose the Pro Edition (30 accounts).

    • If you have 30 users in a development environment and 10 users in a production environment, you can purchase one Pro Edition (30 accounts) and one Pro Edition (10 accounts).

If you are unsure about your requirements, start with the Pro Edition (10 accounts). You can upgrade or downgrade your edition later.

Configure authentication

In addition to its built-in user management system, Grafana supports various other authentication methods for account synchronization and login. For more information, see the official Grafana documentation.

Managed Service for Grafana extends its native capabilities by integrating Alibaba Cloud's login methods. The following table lists the common authentication methods available in Managed Service for Grafana. You can use multiple methods simultaneously in a single workspace.

Type

Scenario

Description

User management with a server administrator account

Create accounts and passwords

As a server administrator, you can access the server administrator menu in the Grafana UI to directly create accounts, set passwords, and grant permissions. You can also manage accounts that are integrated through email, Alibaba Cloud SSO, OAuth, or LDAP.

User management with organization administrator permissions

Invite users by email

The server administrator and organization administrator roles have different permission levels. As an organization administrator, you will not see the server administrator 盾牌图标 icon in the left-side navigation pane and cannot add accounts directly. Instead, you can invite users by sending them an email with a link to create their own account. The user's permissions are set when the invitation is sent. The main difference is that an organization administrator does not know the passwords of the accounts they create. Managed Service for Grafana has a default SMTP configuration. You can also configure your own SMTP server to invite users. For more information, see Invite users by using an email account for which SMTP is enabled.

Alibaba Cloud SSO

Log on with an Alibaba Cloud account

In the , you can enter the ID of an Alibaba Cloud account or a RAM user to enable login with that account. If you are logged on to the Alibaba Cloud console, you can access Grafana without logging in again. For more information, see Account management.

OAuth

Integrate with an enterprise login system

Managed Service for Grafana supports the standard OAuth protocol. In addition to the default support for Google and Microsoft logins, Grafana allows for custom login integrations to integrate with a corporate login system. For more information, see Configure OAuth-based logon for Grafana.

LDAP

Integrate with an enterprise login system

The console does not currently allow you to upload LDAP files. If you require this feature, please provide feedback by joining the Managed Service for Grafana DingTalk group (ID: 34785590).

Anonymous access

Allow visitors to view without logging in

Some dashboards may need to be displayed externally, allowing users to view them directly without logging in. For example, the official Grafana Play site is a demo site that uses anonymous access. For instructions on configuring anonymous access, see Generate a link to share a Grafana dashboard.

Manage permissions

Open-source Grafana offers a variety of permission management methods sufficient for most scenarios. Besides Grafana's recommended approach of using folders and teams, you can also use organizations or even workspaces for stricter permission control.

Comparison of approaches

Approach

Benefits

Limitations

Folders and teams (Recommended)

  • Flexible and lightweight, allowing for easy sharing between teams.

  • Less configuration required.

  • Grafana plans to develop more features for this approach. For more information, see the official Grafana documentation.

Lacks the true isolation of a workspace.

Organizations

You only need to configure authentication once.

  • Data sources, dashboards, folders, and other resources are isolated, requiring custom code to synchronize data.

  • User management between organizations is more complex, as users need to be configured separately for each organization.

  • Lacks the flexibility of folders and the true isolation of a workspace.

Workspaces

Each workspace has its own independent database and configuration files, providing true isolation.

Configuration cannot be shared. Synchronizing data sources, dashboards, folders, and other resources between workspaces requires custom code.

Folder and team best practices

Consider an example of an online team at a company:

  • The company has teams for development, O&M, and operations. It uses folders to separate resources for business and infrastructure.

  • The business folder contains business dashboards based on data collected from running applications. These are configured by the development team and viewed by the operations team.

  • The infrastructure folder contains monitoring dashboards for infrastructure on Alibaba Cloud, such as ECS and RDS. These are configured by the O&M team and viewed by the development team.

Follow these steps:

  1. In the left-side navigation pane of Grafana, choose 未4 > Configuration.

  2. On the Configuration page, click the Teams tab. Use the New Team button to create teams for development, O&M, and operations, and then add members to each team. For more information, see the official Grafana documentation.

  3. In the left-side navigation pane of Grafana, choose 34 > + New folder to create the business and infrastructure folders. For more information, see the official Grafana documentation.

  4. Configure folder permissions.

    Navigate to a folder and go to the Permissions tab to add permissions. Configure the permission level for each team in the current folder.

    Permission levels include View (view dashboards), Edit (add, edit, and delete dashboards), and Admin (manage permissions and dashboards). Select the target team and permission level, and then click Save.

    After configuration, members of a team with only View permission can only view resources.

    Note

    If a user has Admin permissions individually but belongs to a team that only has View permissions, the higher-level permission takes precedence. The user will still have Admin permissions.