Menu
Grafana Cloud

Manage users and teams for Grafana OnCall

Grafana OnCall relies on the teams and user permissions configured at the organization level of your Grafana instance. Organization administrators can invite users, configure teams, and manage user permissions at Grafana.com.

User roles and permissions

Note: User roles and teams cannot be managed directly from Grafana OnCall.

User roles and permissions are assigned and managed at the Grafana organization or Cloud portal level. There are two ways to manage user roles and permissions for Grafana OnCall.

Basic role authorization

By default, authorization within Grafana OnCall relies on the basic user roles configured at the organization level. All users are assigned a basic role by the organization administrator. There are three available roles: Viewer, Editor, and Admin.

Role-based access control (RBAC)

RBAC for Grafana plugins allows for fine-grained access control so you can define custom roles and actions for users in Grafana OnCall. Use RBAC to grant specific permissions within the Grafana OnCall plugin without changing the user’s basic role at the organization level. You can fine-tune basic roles to add or remove certain Grafana OnCall RBAC roles.

For example, a user with the basic Viewer role at the organization level needs to edit on-call schedules. You can assign the Grafana OnCall RBAC role of Schedules Editor to allow the user to view everything in Grafana OnCall, as well as allow them to edit on-call schedules.

To learn more about RBAC for Grafana OnCall, refer to the following documentation:

Available Grafana OnCall RBAC roles + granted actions

Note: granting any of the following roles will also grant the user the plugins.app:access action with a scope of plugins:id:grafana-oncall-app (ie. granting the user the ability to access the plugin). Additionally, all of the following RBAC roles do not currently support scopes. To further control which Grafana OnCall objects specific groups of users can view, refer to Manage Teams in Grafana OnCall.

RoleDescriptionGranted ActionsBasic Roles Granted To
AdminRead/write access to everything in OnCallgrafana-oncall-app.alert-groups:read

grafana-oncall-app.alert-groups:write

grafana-oncall-app.alert-groups:direct-paging

grafana-oncall-app.integrations:read

grafana-oncall-app.integrations:write

grafana-oncall-app.integrations:test

grafana-oncall-app.escalation-chains:read

grafana-oncall-app.escalation-chains:write

grafana-oncall-app.schedules:read

grafana-oncall-app.schedules:write

grafana-oncall-app.schedules:export

grafana-oncall-app.chatops:read

grafana-oncall-app.chatops:write

grafana-oncall-app.chatops:update-settings

grafana-oncall-app.outgoing-webhooks:read

grafana-oncall-app.outgoing-webhooks:write

grafana-oncall-app.maintenance:read

grafana-oncall-app.maintenance:write

grafana-oncall-app.api-keys:read

grafana-oncall-app.api-keys:write

grafana-oncall-app.notifications:read

grafana-oncall-app.notification-settings:read

grafana-oncall-app.notification-settings:write

grafana-oncall-app.user-settings:read

grafana-oncall-app.user-settings:write

grafana-oncall-app.user-settings:admin

grafana-oncall-app.other-settings:read

grafana-oncall-app.other-settings:write
Grafana Admin, Admin
EditorSimilar to the Admin role, minus the abilities to: create Integrations, create Escalation Chains, create Outgoing Webhooks, update ChatOps settings, update other user’s settings, and update general OnCall setings.grafana-oncall-app.alert-groups:read

grafana-oncall-app.alert-groups:write

grafana-oncall-app.alert-groups:direct-paging

grafana-oncall-app.integrations:read

grafana-oncall-app.integrations:test

grafana-oncall-app.escalation-chains:read

grafana-oncall-app.schedules:read

grafana-oncall-app.schedules:write

grafana-oncall-app.schedules:export

grafana-oncall-app.chatops:read

grafana-oncall-app.chatops:write

grafana-oncall-app.outgoing-webhooks:read

grafana-oncall-app.maintenance:read

grafana-oncall-app.maintenance:write

grafana-oncall-app.notifications:read

grafana-oncall-app.notification-settings:read

grafana-oncall-app.notification-settings:write

grafana-oncall-app.user-settings:read

grafana-oncall-app.user-settings:write

grafana-oncall-app.other-settings:read
Editor
ReaderRead-only access to everything in OnCallgrafana-oncall-app.alert-groups:read

grafana-oncall-app.integrations:read

grafana-oncall-app.escalation-chains:read

grafana-oncall-app.schedules:read

grafana-oncall-app.chatops:read

grafana-oncall-app.outgoing-webhooks:read

grafana-oncall-app.maintenance:read

grafana-oncall-app.notification-settings:read

grafana-oncall-app.user-settings:read

grafana-oncall-app.other-settings:read
Viewer
Notifications ReceiverGrants the ability to receive OnCall alert notifications. By virtue, also grants the user the ability to edit their own OnCall settings.grafana-oncall-app.notifications:read

grafana-oncall-app.user-settings:write
N/A
OnCallerGrants read access to everything in OnCall. In addition, grants edit access to Alert Groups, Schedules and own settingsgrafana-oncall-app.alert-groups:read

grafana-oncall-app.alert-groups:write

grafana-oncall-app.alert-groups:direct-paging

grafana-oncall-app.integrations:read

grafana-oncall-app.escalation-chains:read

grafana-oncall-app.schedules:read

grafana-oncall-app.schedules:write

grafana-oncall-app.chatops:read

grafana-oncall-app.outgoing-webhooks:read

grafana-oncall-app.maintenance:read

grafana-oncall-app.notifications:read

grafana-oncall-app.notification-settings:read

grafana-oncall-app.user-settings:read

grafana-oncall-app.user-settings:write

grafana-oncall-app.other-settings:read
N/A
Alert Groups ReaderRead-only access to OnCall Alert Groupsgrafana-oncall-app.alert-groups:readN/A
Alert Groups EditorRead access to OnCall Alert Groups + ability to act on Alert Groups (ie. ack, resolve, etc)grafana-oncall-app.alert-groups:read

grafana-oncall-app.alert-groups:write
N/A
Alert Groups Direct PagingGrants the ability to be able to manually create new Alert Groups (aka Direct Paging)grafana-oncall-app.alert-groups:direct-pagingN/A
Integrations ReaderRead-only access to OnCall Integrationsgrafana-oncall-app.integrations:readN/A
Integrations EditorRead/write access to OnCall Integrationsgrafana-oncall-app.integrations:read

grafana-oncall-app.integrations:write

grafana-oncall-app.integrations:test
N/A
Escalation Chains ReaderRead-only access to OnCall Escalation Chainsgrafana-oncall-app.escalation-chains:readN/A
Escalation Chains EditorRead/write access to OnCall Escalation Chainsgrafana-oncall-app.escalation-chains:read

grafana-oncall-app.escalation-chains:write
N/A
Schedules ReaderRead-only access to OnCall Schedulesgrafana-oncall-app.schedules:readN/A
Schedules EditorRead/write access to OnCall Schedulesgrafana-oncall-app.schedules:read

grafana-oncall-app.schedules:write

grafana-oncall-app.schedules:export
N/A
ChatOps ReaderRead-only access to OnCall ChatOpsgrafana-oncall-app.chatops:readN/A
ChatOps EditorRead/write access to OnCall ChatOpsgrafana-oncall-app.chatops:read

grafana-oncall-app.chatops:write

grafana-oncall-app.chatops:update-settings
N/A
Outgoing Webhooks ReaderRead-only access to OnCall Outgoing Webhooksgrafana-oncall-app.outgoing-webhooks:readN/A
Outgoing Webhooks EditorRead/write access to OnCall Outgoing Webhooksgrafana-oncall-app.outgoing-webhooks:read

grafana-oncall-app.outgoing-webhooks:write
N/A
Maintenance ReaderRead-only access to OnCall Maintenancegrafana-oncall-app.maintenance:readN/A
Maintenance EditorRead/write access to OnCall Maintenancegrafana-oncall-app.maintenance:read

grafana-oncall-app.maintenance:write
N/A
API Keys ReaderRead-only access to OnCall API Keysgrafana-oncall-app.api-keys:readN/A
API Keys EditorRead/write access to OnCall API Keys. Also grants access to be able to consume the API.grafana-oncall-app.api-keys:read

grafana-oncall-app.api-keys:write
N/A
Notification Settings ReaderRead-only access to OnCall Notification Settingsgrafana-oncall-app.notification-settings:readN/A
Notification Settings EditorRead/write access to OnCall Notification Settingsgrafana-oncall-app.notification-settings:read

grafana-oncall-app.notification-settings:write
N/A
User Settings ReaderRead-only access to own OnCall User Settingsgrafana-oncall-app.user-settings:readN/A
User Settings EditorRead/write access to own OnCall User Settings + ability to view basic information about other OnCall usersgrafana-oncall-app.user-settings:read

grafana-oncall-app.user-settings:write
N/A
User Settings AdminRead/write access to your own, plus other’s OnCall User Settingsgrafana-oncall-app.user-settings:read

grafana-oncall-app.user-settings:write

grafana-oncall-app.user-settings:admin
N/A
Settings ReaderRead-only access to OnCall Settingsgrafana-oncall-app.other-settings:readN/A
Settings EditorRead/write access to OnCall Settingsgrafana-oncall-app.other-settings:read

grafana-oncall-app.other-settings:write
N/A

Manage Teams in Grafana OnCall

Teams in Grafana OnCall enable the configuration of visibility and filtering of resources, such as alert groups, integrations, escalation chains, and schedules. OnCall teams are automatically synced with Grafana teams created at the organization level of your Grafana instance. To modify global settings like team name or team members, navigate to Configuration > Teams. For OnCall-specific team settings, go to Alerts & IRM > OnCall > Settings > Teams and Access Settings.

This section displays a list of teams, allowing you to configure team visibility and access to team resources for all Grafana users, or only admins and team members. You can also set a default team, which is a user-specific setting; the default team will be pre-selected each time a user creates a new resource. The team list includes a No team tag, signifying that the resource has no team and is accessible to everyone.

Admins can view the list of all teams, while editors and viewers can only see teams (and their resources) they are members of or if the team setting “who can see the team name and access the team resources” is set to “all users of Grafana”.

⚠️ In the main Grafana teams section, users can set team-specific user permissions, such as Admin, Editor, or Viewer, but only for resources within that team. Currently, Grafana OnCall ignores this setting and uses global roles instead.

Teams help filter resources on their respective pages, improving organization. You can assign a resource to a team when creating it. Alert groups created via the Integration API inherit the team from the integration.

Resources from different teams can be connected with one another. For instance, you can create an integration in one team, set up multiple routes for the integration, and utilize escalation chains from other teams. Users, schedules, and outgoing webhooks from other teams can also be included in the escalation chain. If a user only has access to the first team and not others, they will be unable to view the resource, which will display as 🔒 Private resource. This feature enables the distribution of escalations across various teams.