How to scale access control in Grafana Cloud
Instead of handling everything manually, AcmeCloud relies on SSO (Single Sign-On) for authentication and SCIM (System for Cross-domain Identity Management) for provisioning.
SSO handles how users logged in, while SCIM ensures the right users and groups are automatically available in Grafana Cloud. There are many options for authenticating users in Grafana Cloud, including native integrations with identity providers as well as support for generic authentication methods. To see the full list of supported methods and integrations, read more here.
As users are added, removed, or updated in the identity provider, those changes are reflected in Grafana Cloud automatically. The same concept applies to groups, which are mapped directly to Grafana teams. Groups within the identity provider typically organize users by job function, which correlate to a Grafana team in most cases, since users working in the same role typically have the same use cases and permission levels.
The result is a single source of truth for identity, with no need to manually reconcile users or worry about configuration drift.
For organizations implementing this approach, Grafana’s SSO and SCIM integrations make it possible to manage users and groups from the identity provider rather than treating Grafana as a separate identity system.
If you are new to the concept of SCIM provisioning, check out this blog to learn more.
Tip: Establish clear group naming conventions in your identity provider before enabling SCIM. It makes permission mapping significantly easier as your environment grows.
Building a layered access model with RBAC
With users now syncing into Grafana Cloud, the next step is defining what those users can actually do.
AcmeCloud opts to manage access primarily through role-based access control (RBAC).This helps to maintain scalability while providing greater flexibility and security through a combination of basic roles, team memberships, and resource-level permissions. Dive deeper on creating a RBAC strategy and configuration through the guidance in our documentation.
Basic roles in Grafana set the foundation, with assignments mapped from the identity provider:
-
Admins are assigned the Admin role
-
Internal AcmeCloud users from the SRE team receive the Editor role
-
Contractors receive no basic role at all
This allows the internal SRE team to access dashboards and data broadly. They can build dashboards and alerts, as well as query metrics, logs, and traces across all tenants. All that is missing now is the ability to configure or alter data sources.
Contractors can log in, but they’re presented with an empty Grafana experience by default. For now, there are no available actions to take in Grafana, but they need the ability to view dashboards based on data solely containing their own tenant id.
To build on the permissions provided through basic roles, teams that were provisioned through SCIM are used to layer on additional access.
Users inherit permissions from both their basic role and any teams they belong to. This is an important distinction: permissions in Grafana are additive, not restrictive. A user’s effective access is the combination of all assigned roles and team memberships.
For internal users from the SRE team, a shared team is granted additional capabilities, including the ability to configure and manage data sources. This extends their access beyond what the Editor role provides by default.
For organizations designing their own access model, a useful starting point is to assign the minimum role required and then use teams to grant additional capabilities as needed.
Tip: Avoid using highly permissive basic roles as a shortcut. Teams are often a more scalable way to manage access as responsibilities evolve.
Restricting dashboard visibility with teams and folders
Contractors are grouped into tenant-specific teams, with no additional capabilities added at that level. Instead, access is controlled through folder permissions.
Each team is given view access to a specific dashboard folder, so contractors can only see only the dashboards relevant to their tenant and nothing else.
Folder permissions provided a simple and scalable way to partition dashboard visibility without creating separate Grafana instances for every customer.
For AcmeCloud, this approach balanced operational simplicity with tenant isolation. Organizations managing multiple customers, business units, or environments often find folder permissions to be one of the simplest ways to segment dashboard access.
Tip: Design your folder structure with future growth in mind. Reorganizing hundreds of dashboards later can become a significant effort.