Configure Grafana access
There are four ways to access your Grafana instance:
- Single Sign-On (SSO)
- Default admin user (this method is deprecated)
- Basic auth user
- Anonymous access (disabled by default)
General
Check registered users
You can list all registered users in the Grafana UI. In the left sidebar, navigate to Administration -> Users and access -> Users.
This action requires one of the following Grafana roles: GrafanaAdmin or Admin (see table below for more information).
In this section, you can also remove users from Grafana to free up user slots. Please note that Single Sign-On (SSO) users are automatically (re-)created upon login.
Access methods
Single Sign-On (SSO)
Single Sign-On (SSO) enables easy access to Grafana using your STACKIT account, without needing additional credentials. STACKIT SSO is enabled by default.
You can enable or disable STACKIT SSO in the Portal or via the Observability API grafana-configs endpoint. Through the API, you can also configure your own SSO provider using the genericOauth attribute. Please note that to do this, you must disable STACKIT SSO.
Permission mapping for STACKIT SSO
Project permissions from the STACKIT Portal are mapped to the corresponding Grafana roles. If you update a user’s role or permissions, they may need to log in to Grafana again for the changes to take effect.
| Project Role | Product Role | Portal Permission | Grafana Role |
|---|---|---|---|
| Owner | Observability Grafana Server Admin | argus.grafana.server-administrate | GrafanaAdmin |
| | Observability Grafana Admin, Observability Admin | argus.grafana.administrate | Admin |
| Editor | Observability Grafana Editor | argus.grafana.edit | Editor |
| Reader | Observability Grafana Viewer, Observability Reader | argus.grafana.view | Viewer |
Default admin user
When ordering an Observability instance that includes Grafana, you can choose whether to create a default Grafana admin user (with basic auth). For security reasons, we recommend disabling the creation of this user.
You can also remove the default admin user from existing instances using the Observability API instance update endpoint or the corresponding button in the Grafana tab of the Portal (coming soon).
Please be aware that restoring a backup may bring back the deleted default admin user. You can verify the registered users in the Grafana UI as described above.
You can still create new basic auth users via the Grafana UI, as described below.
Basic auth user
To create a Basic Auth user, navigate to the Users section in the Grafana UI as described above. Here, you can add new users for the whole Grafana instance or for a specific Grafana organization. Please ensure the number of users stays within your user limit.
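One way to run the user check described above as a script instead of in the UI: it flags a default admin user that is present again (for example after a backup restore), local basic auth users, Grafana server admins, and a user count above the limit. This is an added example, not STACKIT's own code. It assumes a user list in the shape of Grafana's `GET /api/users` response, that the default admin's login is `admin`, and that users without `authLabels` log in with a local password; the sample data is constructed.

```python
import json

# Constructed sample shaped like the JSON list returned by Grafana's
# GET /api/users endpoint (not output from a real instance).
SAMPLE_USERS = json.loads("""[
 {"id": 1, "login": "admin", "email": "admin@localhost", "isAdmin": true,
  "isDisabled": false, "authLabels": []},
 {"id": 2, "login": "alice@example.com", "email": "alice@example.com",
  "isAdmin": false, "isDisabled": false, "authLabels": ["Generic OAuth"]},
 {"id": 3, "login": "ci-reporter", "email": "ci@example.com",
  "isAdmin": false, "isDisabled": false, "authLabels": []},
 {"id": 4, "login": "bob@example.com", "email": "bob@example.com",
  "isAdmin": true, "isDisabled": false, "authLabels": ["Generic OAuth"]}
]""")


def audit_users(users, user_limit, default_admin_login="admin"):
    """Return (finding, detail) tuples for a Grafana user list.

    user_limit and default_admin_login are assumptions: take them from your
    plan and from how the instance was ordered.
    """
    findings = []
    for u in users:
        login = u.get("login", "")
        # Assumption: no external auth label means a local password user.
        local = not u.get("authLabels")
        if login == default_admin_login and local:
            findings.append(("default-admin-present", login))
        elif local:
            findings.append(("basic-auth-user", login))
        # isAdmin marks a Grafana server admin (GrafanaAdmin in the table).
        if u.get("isAdmin") and login != default_admin_login:
            findings.append(("server-admin", login))
    if len(users) > user_limit:
        findings.append(("over-user-limit", f"{len(users)}/{user_limit}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_users(SAMPLE_USERS, user_limit=3):
        print(f"{kind}: {detail}")
```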
Anonymous access
If you want to allow access to your Grafana instance without logging in, you can enable the Public read access option. Please note that this means anyone can view your Grafana dashboards.