[Feature request] Extend LDAP permissions to things like Dashboard Folders #7212

Open
mattttt opened this Issue Jan 11, 2017 · 3 comments

Projects

None yet

4 participants

@mattttt
Contributor
mattttt commented Jan 11, 2017

Ref: Issue #1611 - Group dashboards in folders

For organizations with a large user base offering Grafana as an internal service to their users, it is critical to expand the scope of the Dashboard Folder issue to respect LDAP permissions.

@torkelo and I were chatting about this just before the holidays, and while it isnt a small undertaking, it will be extremely valuable.

First version will need to expand the existing LDAP integration, which currently just uses LDAP to create the user account (similar to Google, Github and Grafana.net OAUTH methods).

An open question: Currently, once a user is created in Grafana, their account no longer retains a connection to source ACLs (all permissions happen in Grafana). That would need to change to always check/respect centralized ACLs, which probably means groups or mappings and big changes to user structure, but ill defer to @torkelo on this.

More to come on this, but creating the issue to accelerate brainstorming and development.

@mattttt mattttt changed the title from [Feature request] Extend LDAP permissions to Dashboard Folders to [Feature request] Extend LDAP permissions Jan 11, 2017
@mattttt mattttt changed the title from [Feature request] Extend LDAP permissions to [Feature request] Extend LDAP permissions to things like Dashboard Folders Jan 11, 2017
@mattttt
Contributor
mattttt commented Jan 11, 2017

This would allow for isolation of individual user to particular folders, creating a focused user experience for different groups within the company.

In smaller companies, this may be less of an issue, but for companies with several thousand employees using Grafana, the dashboard picker becomes near useless with (tens of) thousands of unorganized dashboards.

While tags can help segment the dashboards in a search, they dont go far enough. It's still overwhelming for the end user and creates a support burden for the team managing Grafana.

The preferred scenario would be to offer individual users access to the dashboard folders relevant to their task/group/scenario, as determined by observability team.

@wei-hai
wei-hai commented Jan 12, 2017

+1, it would be convenient to provide option to assign read/write/delete permission of specific dashboard to specific user/group.

@exbane
exbane commented Jan 13, 2017

+1 for this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment