- Allow users to request just-in-time access to Grafana folders, dashboards, and roles from the web and Slack
- Set the right resource owners to delegate approvals to those with the most context
- Configure day-one access to Grafana resources with groups from your identity provider
- Automatically escalate and revoke privileged access based on on-call schedules, e.g., PagerDuty or Opsgenie
Supported resources
| Resource | Read | Grant and revoke access | Notes |
|---|---|---|---|
| Grafana Folders | ✔️ | ✔️ | |
| Grafana Dashboards | ✔️ | ✔️ | |
| Grafana Roles | ✔️ | ✔️ | Enterprise and Cloud only |
| Grafana Teams | ✔️ | ✔️ | |
Requirements
- You must be an Opal admin.
- Your Grafana instance must be version 10 or higher.
- You must have a Grafana service account with the ability to generate service tokens, because this is how Opal authenticates with Grafana.
- If you self-host Opal, you must be on version 1.1143.0 or greater.
1. Create a Grafana service account and token
In Grafana, add a service account by navigating to Administration > Users and access > Service accounts > Add service account. Give it a name (e.g., Opal) and assign a role based on your instance type.
- For OSS instances, add the Admin role.
- For Cloud and Enterprise, the service account must have the following permissions. If you prefer not to use the Admin role, you can create a custom role with these specific permissions.
| Permission | Type |
|---|---|
| org.users:read | Required |
| roles:read | Required |
| users.roles:read | Required |
| teams:read | Optional |
| teams.permissions:read | Optional |
| folders:read | Optional |
| folders.permissions:read | Optional |
| dashboards:read | Optional |
| dashboards.permissions:read | Optional |
| teams.permissions:write | Optional |
| folders.permissions:write | Optional |
| dashboards.permissions:write | Optional |
| teams.roles:read | Optional |
| users.roles:add | Optional |
| users.roles:remove | Optional |
| teams.roles:add | Optional |
| teams.roles:remove | Optional |
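Given the permission table above, the following added script (not Opal's or Grafana's own code) audits a service account's effective permissions and reports which Opal resource types it could import or manage, so a custom role can be checked before the token is handed to Opal. It assumes Grafana's RBAC HTTP API endpoint /api/access-control/user/permissions (which returns a map of action to scopes for the caller); the grouping of optional permissions by resource type is inferred from the action names, not stated by these docs.

```python
import json
import urllib.request

# Required permissions from the table above; optional ones grouped by the Opal
# resource type they unlock. The grouping is inferred from the action names
# (an assumption, not stated by the docs): "read" enables import, "write"
# enables grant/revoke through Opal.
REQUIRED = {"org.users:read", "roles:read", "users.roles:read"}
RESOURCE_PERMS = {
    "Grafana Folders": ({"folders:read", "folders.permissions:read"},
                        {"folders.permissions:write"}),
    "Grafana Dashboards": ({"dashboards:read", "dashboards.permissions:read"},
                           {"dashboards.permissions:write"}),
    "Grafana Teams": ({"teams:read", "teams.permissions:read", "teams.roles:read"},
                      {"teams.permissions:write", "teams.roles:add", "teams.roles:remove"}),
    "Grafana Roles": ({"roles:read", "users.roles:read"},
                      {"users.roles:add", "users.roles:remove"}),
}


def fetch_permissions(base_url: str, token: str) -> dict:
    """Fetch the token's effective permissions (action -> scopes); assumes Grafana's RBAC API."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/access-control/user/permissions",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit(perms: dict) -> dict:
    """Report missing required actions and what Opal could import or manage."""
    granted = set(perms)
    report = {"missing_required": sorted(REQUIRED - granted), "resources": {}}
    for name, (read, write) in RESOURCE_PERMS.items():
        report["resources"][name] = {
            "import": read <= granted,
            "manage": (read | write) <= granted,
            "missing": sorted((read | write) - granted),
        }
    return report


# Constructed sample: a custom role that can import folders but only manage dashboards.
SAMPLE_PERMS = {
    "org.users:read": ["users:*"], "roles:read": ["roles:*"], "users.roles:read": ["users:*"],
    "folders:read": ["folders:*"], "folders.permissions:read": ["folders:*"],
    "dashboards:read": ["dashboards:*"], "dashboards.permissions:read": ["dashboards:*"],
    "dashboards.permissions:write": ["dashboards:*"],
}
```

Run audit(fetch_permissions(url, token)) against a real instance, or audit(SAMPLE_PERMS) offline to see the report shape.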
Optional permissions control which resources Opal can read and manage. Missing optional permissions will limit which resource types are available to import.

Grafana uses the permissions:type:delegate scope for role assignment actions by default. This means the service account can only assign permissions that are attached to it (or a subset of them) to users or groups.

2. Create a Grafana app in Opal
In Opal, go to Inventory > +App and select Grafana. Fill in the following fields and hit Create.

| Field | Value |
|---|---|
| App admin | The team or user that should manage the Grafana app in Opal. |
| Description | Let your end users know what they’re requesting access to. |
| Grafana instance URL | The base URL of your Grafana instance (e.g., https://grafana.mycompany.com). |
| Instance type | Select OSS, Enterprise, or Cloud based on your Grafana deployment. |
| Service token | The service account token you generated in Step 1. |
Stack ID is a required field for Cloud instances. You can go to https://grafana.com/orgs/org-name/stacks to get the value.

3. Import Grafana resources
After creating the app, you can import resources from … > Import items. Users will now be able to request access to Grafana resources through Opal.

User provisioning
User provisioning is only available for Enterprise and Cloud instances with SCIM enabled. Follow the Grafana SCIM provisioning guide to enable it. Enable User Sync is the required setting.
