Security

Security model covering authentication, authorization, data access, and embedding for Grafana. See also: observability/grafana/index, observability/grafana/architecture, observability/grafana/operations.

Authentication Providers

Grafana supports multiple authentication backends, configurable in grafana.ini under the [auth.*] sections.

Built-In (Basic Auth)

  • Default user/password stored in Grafana's internal database (SQLite, MySQL, or PostgreSQL).
  • Passwords hashed with bcrypt. Minimum length enforced via min_password_length (default: 4).
  • Admin user (admin) created on first start; must be changed on first login.

OAuth2

Grafana supports generic OAuth2 plus pre-configured providers: Google, GitHub, GitLab, Azure AD, Okta, and Keycloak.

[auth.google]
enabled = true
client_id = <client-id>
client_secret = <client-secret>
allowed_domains = mycompany.com
allow_sign_up = true
auto_login = false
scopes = openid email profile

Key behaviors:

  • allow_sign_up controls whether OAuth users are auto-created on first login.
  • auto_login redirects unauthenticated users directly to the IdP, skipping the login page.
  • Team sync (team_ids claim) maps IdP groups to Grafana teams (Enterprise feature).

LDAP

Direct LDAP integration maps directory groups to Grafana org roles. Configuration lives in [auth.ldap] with a separate ldap.toml config file.

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

LDAP supports:

  • Group-to-role mapping (Admin, Editor, Viewer).
  • Team sync: LDAP groups mapped to Grafana teams.
  • Multiple LDAP servers with fallback.
  • Enhanced LDAP (Enterprise): scheduled sync, group search filter improvements.

SAML

SAML 2.0 available in Grafana Enterprise and Grafana Cloud. Configured in grafana.ini:

[auth.saml]
enabled = true
name = Corporate IdP
private_key_path = "/etc/grafana/saml/private_key.pem"
certificate_path = "/etc/grafana/saml/certificate.cert"
idp_metadata_url = "https://idp.YOUR_DOMAIN/saml/metadata"
assertion_attribute_name = DisplayName
assertion_attribute_login = Login
assertion_attribute_email = Email
assertion_attribute_groups = Group

SAML Cookie Requirements

SAML requires cookie_samesite = lax and cookie_secure = true in the [security] section to handle IdP redirects correctly.

Auth Proxy

An external reverse proxy (Nginx, Apache, Envoy, Authelia) authenticates users and passes the identity to Grafana via HTTP headers.

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
enable_login_token = true

Apache example (the proxy performs Basic auth and forwards the authenticated user in the header):

<Proxy *>
    AuthType Basic
    AuthName GrafanaAuthProxy
    AuthBasicProvider file
    AuthUserFile /etc/apache2/grafana_htpasswd
    Require valid-user
    RewriteEngine On
    RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
    RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>

Auth Proxy Security

Auth proxy bypasses Grafana's built-in auth entirely: Grafana trusts whatever username arrives in the configured header. Terminate TLS at the proxy and restrict network access so that Grafana is reachable only through the proxy and no client can send the header directly. Set enable_login_token = true so Grafana issues its own session cookie after proxy validation rather than relying on the header for every request.

Authorization and RBAC

Organization Roles

Grafana uses a three-tier org role model. Every user has exactly one org role per organization.

Role   | Dashboard Access     | Data Source Access   | Admin Capabilities
-------+----------------------+----------------------+---------------------------
Viewer | View only            | Query (if permitted) | None
Editor | Create, edit, delete | Query (if permitted) | Manage own dashboards
Admin  | Full org management  | Full management      | Users, teams, org settings

Folder and Dashboard Permissions

Folders serve as the primary permission boundary. Dashboard permissions inherit from their parent folder and can be overridden at the dashboard level.

Permission levels:

  • 1 = View: Read-only access to the dashboard.
  • 2 = Edit: Modify dashboard JSON, panels, and settings.
  • 4 = Admin: Manage permissions, delete, move the dashboard.

Permissions can be assigned to:

  • Individual users
  • Teams
  • Built-in roles (Viewer, Editor)

POST /api/folders/{uid}/permissions
{
  "items": [
    {"role": "Viewer", "permission": 1},
    {"role": "Editor", "permission": 2},
    {"teamId": 5, "permission": 4}
  ]
}
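A grant to a built-in role applies to every user holding that org role, so a folder where Viewer has Edit or Admin is quietly writable for the whole organization. The following audit script is an added example (not Grafana's own tooling); it walks permission items in the request shape shown above, with constructed sample folders, and flags grants worth reviewing.

```python
"""Flag over-broad Grafana folder permission grants (added example, not Grafana code).

Operates on the "items" list used by POST /api/folders/{uid}/permissions,
where 1 = View, 2 = Edit, 4 = Admin.
"""
from typing import Dict, List, Tuple

VIEW, EDIT, ADMIN = 1, 2, 4
LEVEL_NAME = {VIEW: "View", EDIT: "Edit", ADMIN: "Admin"}
# Highest level a built-in role should hold on a folder; org Admins need no grant at all.
ROLE_CEILING = {"Viewer": VIEW, "Editor": EDIT}


def audit_folder_permissions(folder_uid: str, items: List[Dict]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means nothing to review."""
    findings = []
    for item in items:
        level = item.get("permission")
        if level not in LEVEL_NAME:
            findings.append(("high", f"{folder_uid}: unknown permission level {level!r}"))
            continue
        role = item.get("role")
        if role is not None:
            ceiling = ROLE_CEILING.get(role)
            if ceiling is None:
                findings.append(("high", f"{folder_uid}: unexpected built-in role {role!r}"))
            elif level > ceiling:
                # Org-wide: every user with this org role inherits the grant.
                findings.append(("high", f"{folder_uid}: built-in role {role} granted {LEVEL_NAME[level]} (org-wide)"))
        elif level == ADMIN:
            # Admin on a team or user lets them re-share, move and delete the folder.
            who = f"team {item['teamId']}" if "teamId" in item else f"user {item.get('userId')}"
            findings.append(("review", f"{folder_uid}: {who} granted Admin"))
    return findings


# Constructed samples (hypothetical folder UIDs) in the request shape shown above.
SAMPLE_FOLDERS = {
    "prod-sre": [{"role": "Viewer", "permission": 1}, {"role": "Editor", "permission": 2},
                 {"teamId": 5, "permission": 4}],
    "shared": [{"role": "Viewer", "permission": 2}, {"userId": 42, "permission": 4}],
}


def audit_all(folders: Dict[str, List[Dict]]) -> List[Tuple[str, str]]:
    return [f for uid, items in folders.items() for f in audit_folder_permissions(uid, items)]


if __name__ == "__main__":
    for severity, message in audit_all(SAMPLE_FOLDERS):
        print(f"[{severity}] {message}")
```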

Admin Override

Users with the org Admin role always have full access to all folders and dashboards. Permissions cannot restrict Admin access.

Role-Based Access Control (Enterprise)

Grafana Enterprise and Cloud extend authorization with fine-grained RBAC:

  • Fixed roles: Pre-defined permission sets (fixed:datasources:reader, fixed:datasources:writer).
  • Custom roles: Administrators create roles with specific actions (e.g., datasources:query, dashboards:create).
  • Role assignments: Roles assigned to users, teams, or service accounts.
  • Permission caching: [rbac] permission_cache = true reduces API calls.

RBAC enables least-privilege patterns such as:

  • Granting a team query-only access to a specific data source.
  • Allowing a service account to create dashboards without granting org-wide Editor.
  • Restricting alert management to a specific SRE team.

Data Source Permissions (Enterprise)

Data source permissions restrict which users and teams can query specific data sources.

GET /api/access-control/datasources/{uid}

Returns permission entries with granular actions:

  • datasources:read
  • datasources:query
  • datasources:write
  • datasources:delete

Service Accounts and API Keys

Service Accounts

Service accounts replace API keys as the primary method for authenticating automated workloads (Terraform, CI/CD pipelines, report generators).

Key properties:

  • Distinct from Grafana users; scoped to a single organization.
  • Support multiple tokens per account.
  • Tokens remain active even if the creating user is deleted.
  • Can be assigned org roles (Viewer, Editor, Admin) and RBAC roles (Enterprise).
  • The None basic role (since 10.2.0) grants no permissions by default, enabling pure RBAC-driven access.

POST /api/serviceaccounts
{
  "name": "terraform-provisioner",
  "role": "Editor"
}

Legacy API Keys

API keys are deprecated in favor of service accounts. Existing keys continue to work but cannot leverage RBAC. Keys have:

  • A role (Viewer, Editor, Admin) or a service account scope.
  • An optional expiration date.
  • A single token per key (unlike service accounts).

Embedding Security

Iframe Embedding

By default, Grafana blocks iframe embedding. To enable:

[security]
allow_embedding = true

Embedding Risks

With allow_embedding enabled, cross-site embedded sessions only work when cookie_samesite = none and cookie_secure = true are also set. Because samesite = none sends the session cookie on cross-site requests, combine it with a Content-Security-Policy frame-ancestors directive that restricts which domains can embed Grafana.

Content-Security-Policy

Grafana supports CSP configuration to mitigate XSS and clickjacking:

[security]
content_security_policy = true
content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' $NONCE; object-src 'none'; font-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"""

Directives are separated by semicolons. The $NONCE placeholder is replaced per-request with a fresh cryptographic nonce (emitted as a 'nonce-<value>' source expression), so only the inline scripts Grafana itself generates carry a matching nonce.

Anonymous Access

Anonymous (unauthenticated) access can be enabled for public dashboards:

[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Viewer

Anonymous Access

Anonymous access grants the configured role to all unauthenticated users. Restrict to a dedicated organization and use data source permissions to control what data anonymous users can query.

Session Cookie Settings

Session cookie hardening lives in the [security] section:

[security]
cookie_secure = true          # HTTPS only
cookie_samesite = lax         # or 'none' for cross-site embedding
login_cookie_name = grafana_session
login_maximum_inactive_lifetime_days = 7
login_maximum_lifetime_days = 30

Audit Logging (Enterprise)

Grafana Enterprise records security-relevant events:

[auditing]
enabled = true

Logged events include:

  • User login/logout and failed authentication attempts.
  • Role and permission changes.
  • Dashboard, folder, and data source creation/modification/deletion.
  • Data source query activity (optional).
  • API key and service account management.

Audit logs can be forwarded to external systems (Loki, Elasticsearch, file) for long-term retention and compliance.

Grafana Assistant AI Security

The Grafana AI assistant (Grafana Cloud) follows a least-privilege model:

  • The LLM agent can only query dashboards and metrics the invoking user is authorized to see.
  • Permission checks happen before data is sent to the model.
  • Backend LLM responses are proxied through Grafana Cloud infrastructure so external vendors never access tenant data directly.
  • On self-hosted instances, the AI feature is disabled by default and requires explicit opt-in.

Request Security (Enterprise)

Request security restricts outgoing requests from the Grafana server:

  • Block or allowlist domains for data source connections.
  • Prevent SSRF attacks by restricting internal network access.
  • Configure per-data-source URL allowlists.

Vault Integration (Enterprise)

Grafana Enterprise integrates with HashiCorp Vault for secrets management:

  • Store database passwords, API keys, and external credentials in Vault.
  • Reference Vault paths in provisioning configuration.
  • Automatic secret rotation without Grafana restarts.

Security Architecture Diagram

flowchart TD
    subgraph "External"
        Browser[Browser / Client]
        IdP[Identity Provider<br/>OIDC / SAML / LDAP]
    end

    subgraph "Auth Layer"
        Proxy[Reverse Proxy<br/>Nginx / Envoy]
        GrafanaAuth[Grafana Auth Module]
    end

    subgraph "Grafana Server"
        Session[Session Manager<br/>cookie_secure + cookie_samesite]
        RBAC[RBAC Engine<br/>Org Roles + Folder Perms]
        DSPerms[Data Source Permissions]
        Audit[Audit Logger]
        AI[Grafana AI Assistant<br/>Permission-Bound]
    end

    subgraph "Backends"
        DB[(Grafana DB<br/>PostgreSQL / MySQL)]
        Vault[(HashiCorp Vault<br/>Enterprise)]
    end

    Browser --> Proxy --> GrafanaAuth
    GrafanaAuth --> IdP
    GrafanaAuth --> Session
    Session --> RBAC
    RBAC --> DSPerms
    RBAC --> AI
    DSPerms --> Audit
    GrafanaAuth --> DB
    GrafanaAuth -.-> Vault

Hardening Checklist

Area       | Setting                        | Recommendation
-----------+--------------------------------+--------------------------------------------------
Cookies    | cookie_secure = true           | Enforce HTTPS-only cookies
Cookies    | cookie_samesite = lax          | Prevent CSRF via cross-site cookies
CSP        | content_security_policy = true | Block XSS and unauthorized scripts
Anonymous  | auth.anonymous.enabled         | Disable unless explicitly needed
Embedding  | allow_embedding                | Enable only if iframe integration is required
Auth Proxy | enable_login_token = true      | Issue Grafana session tokens after proxy auth
Admin user | Default password               | Change immediately on first start
TLS        | protocol = https               | Terminate TLS at proxy or Grafana directly
Audit      | [auditing] enabled = true      | Track permission and config changes (Enterprise)
Secrets    | Vault integration              | Externalize sensitive credentials (Enterprise)
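The cookie, embedding, anonymous-access, auth-proxy and SAML requirements above interact (for instance, embedding needs cookie_samesite = none while SAML needs lax), so they are easiest to verify together. The checker below is an added example, not Grafana's own tooling; it parses a grafana.ini (a constructed, deliberately weak sample is embedded) and returns one finding per violated rule.

```python
"""Check a grafana.ini against the hardening points on this page (added example, not Grafana code)."""
import configparser
from typing import List

# Constructed sample with several weak settings on purpose.
SAMPLE_INI = """\
[security]
cookie_secure = false
cookie_samesite = lax
allow_embedding = true
content_security_policy = false
[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Editor
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
[auth.saml]
enabled = false
"""


def load_grafana_ini(text: str) -> configparser.ConfigParser:
    # grafana.ini commonly carries inline "# ..." comments; $NONCE must not be interpolated.
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"), interpolation=None)
    cp.read_string(text)
    return cp


def check_hardening(cp: configparser.ConfigParser) -> List[str]:
    """Return human-readable findings; missing sections fall back to Grafana-style defaults."""
    findings = []
    secure = cp.getboolean("security", "cookie_secure", fallback=False)
    samesite = cp.get("security", "cookie_samesite", fallback="lax").strip().lower()
    embedding = cp.getboolean("security", "allow_embedding", fallback=False)
    if not secure:
        findings.append("security.cookie_secure should be true (HTTPS-only session cookie)")
    if embedding and samesite != "none":
        findings.append("allow_embedding=true requires cookie_samesite=none, else embedded sessions break")
    if not embedding and samesite == "none":
        findings.append("cookie_samesite=none without embedding widens cross-site cookie exposure; use lax")
    if not cp.getboolean("security", "content_security_policy", fallback=False):
        findings.append("security.content_security_policy should be true")
    if cp.getboolean("auth.anonymous", "enabled", fallback=False):
        role = cp.get("auth.anonymous", "org_role", fallback="Viewer").strip()
        findings.append(f"anonymous access enabled with org_role={role}; disable unless required")
        if role != "Viewer":
            findings.append("anonymous org_role above Viewer lets unauthenticated users modify content")
    if cp.getboolean("auth.proxy", "enabled", fallback=False) and \
            not cp.getboolean("auth.proxy", "enable_login_token", fallback=False):
        findings.append("auth.proxy enabled without enable_login_token=true")
    if cp.getboolean("auth.saml", "enabled", fallback=False) and (samesite != "lax" or not secure):
        findings.append("auth.saml requires cookie_samesite=lax and cookie_secure=true")
    return findings


if __name__ == "__main__":
    for line in check_hardening(load_grafana_ini(SAMPLE_INI)):
        print("-", line)
```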
