User Permissions

Hi GPA team,

Just wondering about granularity in the Grafana/openHistorian user permissions?

We have our openHistorian tied into AD with 2 x dedicated groups for admin and viewing (generic users).

Ultimately, my goal is to have the ‘generic users’ AD group be able to:

  • View the back end database configuration, but not edit it
  • Create new and Edit dashboards within Grafana

At present:

  • The Admin AD group is allowed to all the Application Roles (i.e. Administrator, Editor, GrafanaAdmin, Viewer).
  • The ‘Generic Users’ AD group is allowed only to the ‘Viewer’ Application Role.

If I change the ‘Generic Users’ AD group to the ‘GrafanaAdmin’ role, it doesn’t allow for editing of the backend database, but also doesn’t allow for creating and editing dashboards. If I change them to the ‘Editor’ role, this gives them access to change the back end database/PMU configurations, something that I want to restrict.

Is there a way of getting more granularity in the permissions between the backend database and the Grafana interface, if it is all managed by AD?

Cheers,
Scott

If I understand your question correctly, it is to have read/write access in Grafana, but keep read-only access to OH config, right?

Hi Ritchie,

That’s correct, having read only to OH, but read/write to Grafana. I’d like users to be able to create and edit whatever dashboards they dream up, but not edit the overall OH configuration.

Cheers,
Scott

Currently roles in Grafana are synchronized to those in openHistorian given that this Grafana instance is hosted-by and runs-behind the openHistorian web interface. This means all security for this Grafana instance is managed by openHistorian.

Without a code update to accommodate a quasi-user role like this, my quick answer would be to say this is not currently supported with the hosted instance of Grafana. However, this is a perfectly valid use case, so I will add a task to make sure this gets on our TO-DO list.

That said, Grafana is highly configurable - so you can certainly set up a standalone instance of Grafana, connect it to openHistorian, and manage security yourself. In this case a data source connection to openHistorian would be set up with a single read-only type user.

FYI - the Grafana Admin role in openHistorian is a “super user” role for access to advanced Grafana settings, e.g., managing organizations / sites, etc. Would not grant this to end users, just because they might be able to change things in the hosted Grafana instance that they should not.

Will set up a task for your request right away, i.e., a “Grafana Editor” role that will allow read/write access within Grafana while not affecting primary openHistorian role.

Thanks,
Ritchie
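
For the standalone route described in the reply above, Grafana's own LDAP integration can map the two AD groups to Grafana roles directly. This is an added example, not part of the original thread or GPA's code; the host, bind account and group DNs are constructed placeholders, and the openHistorian data source in that instance would still use the single read-only user mentioned above.

```toml
# ldap.toml for a standalone Grafana instance.
# Constructed sample: every host name and DN below is a placeholder.
# LDAP login must also be switched on in grafana.ini:
#   [auth.ldap]
#   enabled = true

[[servers]]
host = "ad.example.com"
port = 636
use_ssl = true
ssl_skip_verify = false                      # keep certificate validation on
bind_dn = "CN=svc-grafana,OU=Service Accounts,DC=example,DC=com"
bind_password = "${LDAP_BIND_PASSWORD}"      # read from the environment, not stored here
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["DC=example,DC=com"]

[servers.attributes]
username  = "sAMAccountName"
name      = "givenName"
surname   = "sn"
email     = "mail"
member_of = "memberOf"

# Mappings are evaluated top to bottom; the first match sets the role.

# Admin AD group: full control of this Grafana instance.
[[servers.group_mappings]]
group_dn = "CN=OH-Admins,OU=Groups,DC=example,DC=com"
org_role = "Admin"
grafana_admin = true                         # server-wide admin, admins only

# Generic users AD group: may create and edit dashboards, nothing more.
[[servers.group_mappings]]
group_dn = "CN=OH-Generic-Users,OU=Groups,DC=example,DC=com"
org_role = "Editor"
```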

Excellent, appreciate the quick turnaround with this Ritchie, thanks for adding it to your to-do list.

In the meantime, I’ll do some investigation around setting up a standalone instance of Grafana. Haven’t explored that yet, thanks for the tip.

Cheers,
Scott