How to configure Grafana access
There are four ways to access your Grafana instance:
- Single Sign-On (SSO)
- Default admin user (Deprecated)
- Basic auth user
- Anonymous access (disabled by default)
For a broader conceptual understanding of how authentication works across STACKIT Observability, refer to our Authentication Overview.
Check registered users
You can list all registered users directly in the Grafana UI:
- Open the left sidebar in Grafana.
- Navigate to Administration.
- Select Users and access.
- Click on Users.
In this section, you can also remove users from Grafana to free up user slots. Please note that Single Sign-On (SSO) users are automatically (re-)created upon their next login.
Access methods
Single Sign-On (SSO)
Single Sign-On (SSO) enables easy access to Grafana using your STACKIT account, without needing additional credentials. STACKIT SSO is enabled by default.
You can enable or disable STACKIT SSO in the STACKIT Portal or programmatically via the Observability API grafana-configs endpoint. Through the API, you can also configure your own SSO provider using the genericOauth attribute. Please note that to do this, you must first disable STACKIT SSO.
Permission mapping for STACKIT SSO
Project permissions from the STACKIT Portal are mapped to the corresponding Grafana roles. If you update a user’s role or permissions, they may need to log in to Grafana again for the changes to take effect.
| Project Role | Product Role | Portal Permission | Grafana Role |
|---|---|---|---|
| Owner | Observability Grafana Server Admin | argus.grafana.server-administrate | GrafanaAdmin |
| | Observability Grafana Admin, Observability Admin | argus.grafana.administrate | Admin |
| Editor | Observability Grafana Editor | argus.grafana.edit | Editor |
| Reader | Observability Grafana Viewer, Observability Reader | argus.grafana.view | Viewer |
Default admin user
When ordering an Observability instance that includes Grafana, you can choose whether to create a default Grafana admin user (with Basic Authentication). For security reasons, we recommend disabling the creation of this user.
You can remove the default admin user from existing instances using the STACKIT Portal (via the corresponding button in the Grafana tab) or programmatically via the Observability API instance update endpoint.
You can still create new Basic Authentication users via the Grafana UI, as described below.
Basic auth user
To create a Basic Auth user, navigate to the Users section in the Grafana UI as described above. Here, you can add new users for the whole Grafana instance or for a specific Grafana organization. Please ensure the total number of users stays within your instance’s user limit.
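The user review described under "Check registered users" can also be scripted against the JSON that Grafana's `GET /api/users` admin endpoint returns. The following is an added example, not part of the STACKIT documentation: it flags the default admin user and other Basic Auth accounts and checks the user count. The sample data is constructed, and the `admin` login name, the `user_limit` value and the reading of an empty `authLabels` list as "no SSO identity" are assumptions.

```python
import json

# Constructed sample shaped like a Grafana GET /api/users response (not real data).
SAMPLE_USERS = json.loads("""
[
  {"id": 1, "login": "admin", "email": "admin@localhost", "isAdmin": true,
   "isDisabled": false, "authLabels": []},
  {"id": 2, "login": "alice@example.com", "email": "alice@example.com",
   "isAdmin": false, "isDisabled": false, "authLabels": ["Generic OAuth"]},
  {"id": 3, "login": "ci-reader", "email": "ci@example.com",
   "isAdmin": false, "isDisabled": false, "authLabels": []},
  {"id": 4, "login": "old-basic", "email": "old@example.com",
   "isAdmin": false, "isDisabled": true, "authLabels": []}
]
""")

DEFAULT_ADMIN_LOGIN = "admin"  # assumption: login name of the default admin user


def audit_users(users, user_limit):
    """Return (login, finding) pairs for accounts that deserve review."""
    findings = []
    for u in users:
        login = u.get("login", "")
        # Assumption: an empty authLabels list means a local (Basic Auth) account.
        local = not u.get("authLabels")
        if not local:
            continue  # SSO-managed account, re-created on next login anyway
        if login == DEFAULT_ADMIN_LOGIN:
            findings.append((login, "default admin user present (deprecated)"))
        elif u.get("isAdmin"):
            findings.append((login, "basic auth user with server admin rights"))
        elif u.get("isDisabled"):
            findings.append((login, "disabled basic auth user, candidate for removal"))
        else:
            findings.append((login, "basic auth user, not managed through SSO"))
    if len(users) > user_limit:
        findings.append(("*", f"{len(users)} users exceed the limit of {user_limit}"))
    return findings


if __name__ == "__main__":
    # user_limit=3 is a hypothetical value; use your instance's actual limit.
    for login, finding in audit_users(SAMPLE_USERS, user_limit=3):
        print(f"{login}: {finding}")
```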
Anonymous access
If you want to allow access to your Grafana instance without requiring a login, you can enable the Public read access option. Please be aware that this means that anyone with the link can view your Grafana dashboards.