diff --git a/website/docs/integrations/services/grafana/index.mdx b/website/docs/integrations/services/grafana/index.mdx index eae0227cb..ff261708e 100644 --- a/website/docs/integrations/services/grafana/index.mdx +++ b/website/docs/integrations/services/grafana/index.mdx @@ -52,8 +52,10 @@ environment: GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://authentik.company/application/o/token/" GF_AUTH_GENERIC_OAUTH_API_URL: "https://authentik.company/application/o/userinfo/" GF_AUTH_SIGNOUT_REDIRECT_URL: "https://authentik.company/application/o//end-session/" - # Optionally enable auto-login + # Optionally enable auto-login (bypasses Grafana login screen) GF_AUTH_OAUTH_AUTO_LOGIN: "true" + # Optionally map user groups to Grafana roles + GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer' ``` @@ -74,6 +76,22 @@ scopes = openid email profile auth_url = https://authentik.company/application/o/authorize/ token_url = https://authentik.company/application/o/token/ api_url = https://authentik.company/application/o/userinfo/ +# Optionally map user groups to Grafana roles +role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer' ``` + +### Role Mappings + +In the configuration above you can see an example of a role mapping. Upon login, this configuration looks at the groups of which the current user is a member. If any of the specified group names are found, the user will be granted the resulting role in Grafana. + +In the example shown above, one of the specified group names is "Grafana Admins". If the user is a member of this group, they will be granted the "Admin" role in Grafana. +If the user is not a member of the "Grafana Admins" group, it moves on to see if the user is a member of the "Grafana Editors" group. If they are, they are granted the "Editor" role. Finally, if the user is not found to be a member of either of these groups, it fails back to granting the "Viewer" role. + +```text +contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer' +^ attribute to search ^ group to search for ^ role to grant ^ or grant "Viewer" role. +``` + +For more information on group/role mappings, see [Grafana's docs](https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping).