Users and teams
Grafana IRM relies on the teams and user permissions configured at the organization level of your Grafana instance. This section explains how user roles, permissions, and teams work within Grafana IRM.
Note
To view and manage a team in IRM, users (including administrators) must be members of that team. An administrator who needs to manage a team they are not part of must first add themselves to the team and make the necessary changes; they can then remove themselves from the team.
User roles and permissions
User roles and permissions are assigned and managed at the Grafana organization or Cloud portal level. There are two ways to manage user roles and permissions for Grafana IRM.
Basic role authorization
By default, authorization within Grafana IRM relies on the basic user roles configured at the organization level. All users are assigned a basic role by the organization administrator.
There are three available roles:
- Viewer: Read-only access to Grafana IRM
- Editor: Can edit most resources but has limited administrative capabilities
- Admin: Complete access to all Grafana IRM features and settings
Role-based access control (RBAC)
RBAC for Grafana plugins allows for fine-grained access control so you can define custom roles and actions for users in Grafana IRM. Use RBAC to grant specific permissions within the Grafana IRM plugin without changing the user’s basic role at the organization level.
For example, a user with the basic Viewer role at the organization level needs to edit on-call schedules. You can assign the Grafana IRM RBAC role of Schedules Editor to allow the user to view everything in Grafana IRM, as well as allow them to edit on-call schedules.
To learn more about RBAC for Grafana IRM, refer to the following documentation:
Available RBAC roles + granted permissions
Note
Granting any of the following roles will also grant the user the ability to access the IRM plugin. Additionally, these RBAC roles do not currently support scopes.
As of June 2025, several IRM objects do not have RBAC support and still rely on Grafana basic role authorization:
- Incidents
- Tasks
- Settings > Incidents
We plan to add RBAC support for these objects soon. Stay tuned!
The following table lists the main roles available in Grafana IRM:
Role | Description | Granted Actions | Basic Roles Granted To |
---|---|---|---|
Admin | Read/write access to everything in IRM | grafana-irm-app.alert-groups:read grafana-irm-app.alert-groups:write grafana-irm-app.alert-groups:direct-paging grafana-irm-app.integrations:read grafana-irm-app.integrations:write grafana-irm-app.integrations:test grafana-irm-app.escalation-chains:read grafana-irm-app.escalation-chains:write grafana-irm-app.schedules:read grafana-irm-app.schedules:write grafana-irm-app.schedules:export grafana-irm-app.chatops:read grafana-irm-app.chatops:write grafana-irm-app.chatops:update-settings grafana-irm-app.outgoing-webhooks:read grafana-irm-app.outgoing-webhooks:write grafana-irm-app.maintenance:read grafana-irm-app.maintenance:write grafana-irm-app.api-keys:read grafana-irm-app.api-keys:write grafana-irm-app.notifications:read grafana-irm-app.notification-settings:read grafana-irm-app.notification-settings:write grafana-irm-app.user-settings:read grafana-irm-app.user-settings:write grafana-irm-app.user-settings:admin grafana-irm-app.other-settings:read grafana-irm-app.other-settings:write grafana-irm-app.admin:admin | Grafana Admin, Admin |
Editor | Similar to the Admin role, minus the abilities to: create Integrations, create Escalation Chains, create Outgoing Webhooks, update ChatOps settings, update other users’ settings, and update general IRM settings. | grafana-irm-app.alert-groups:read grafana-irm-app.alert-groups:write grafana-irm-app.alert-groups:direct-paging grafana-irm-app.integrations:read grafana-irm-app.integrations:test grafana-irm-app.escalation-chains:read grafana-irm-app.schedules:read grafana-irm-app.schedules:write grafana-irm-app.schedules:export grafana-irm-app.chatops:read grafana-irm-app.chatops:write grafana-irm-app.outgoing-webhooks:read grafana-irm-app.maintenance:read grafana-irm-app.maintenance:write grafana-irm-app.notifications:read grafana-irm-app.notification-settings:read grafana-irm-app.notification-settings:write grafana-irm-app.user-settings:read grafana-irm-app.user-settings:write grafana-irm-app.other-settings:read | Editor |
Reader | Read-only access to everything in IRM | grafana-irm-app.alert-groups:read grafana-irm-app.integrations:read grafana-irm-app.escalation-chains:read grafana-irm-app.schedules:read grafana-irm-app.chatops:read grafana-irm-app.outgoing-webhooks:read grafana-irm-app.maintenance:read grafana-irm-app.notification-settings:read grafana-irm-app.user-settings:read grafana-irm-app.other-settings:read | Viewer |
Notifications Receiver | Grants the ability to receive alert notifications. By extension, also grants the user the ability to edit their own IRM settings. | grafana-irm-app.notifications:read grafana-irm-app.user-settings:read grafana-irm-app.user-settings:write | N/A |
OnCaller | Grants read access to everything in IRM. In addition, grants edit access to Alert Groups, Schedules and own settings | grafana-irm-app.alert-groups:read grafana-irm-app.alert-groups:write grafana-irm-app.alert-groups:direct-paging grafana-irm-app.integrations:read grafana-irm-app.escalation-chains:read grafana-irm-app.schedules:read grafana-irm-app.schedules:write grafana-irm-app.chatops:read grafana-irm-app.outgoing-webhooks:read grafana-irm-app.maintenance:read grafana-irm-app.notifications:read grafana-irm-app.notification-settings:read grafana-irm-app.user-settings:read grafana-irm-app.user-settings:write grafana-irm-app.other-settings:read | N/A |
Specialized RBAC roles
For more granular control, you can assign specialized roles focused on specific functionality:
Role | Description | Granted Actions | Basic Roles Granted To |
---|---|---|---|
Alert Groups Reader | Read-only access to Alert Groups | grafana-irm-app.alert-groups:read | N/A |
Alert Groups Editor | Read access to Alert Groups + ability to act on Alert Groups (e.g. ack, resolve, etc.) | grafana-irm-app.alert-groups:read grafana-irm-app.alert-groups:write | N/A |
Alert Groups Direct Paging | Grants the ability to manually create new Alert Groups (also known as Direct Paging) | grafana-irm-app.alert-groups:direct-paging | N/A |
Integrations Reader | Read-only access to Integrations | grafana-irm-app.integrations:read | N/A |
Integrations Editor | Read/write access to Integrations | grafana-irm-app.integrations:read grafana-irm-app.integrations:write grafana-irm-app.integrations:test | N/A |
Escalation Chains Reader | Read-only access to Escalation Chains | grafana-irm-app.escalation-chains:read | N/A |
Escalation Chains Editor | Read/write access to Escalation Chains | grafana-irm-app.escalation-chains:read grafana-irm-app.escalation-chains:write | N/A |
Schedules Reader | Read-only access to Schedules | grafana-irm-app.schedules:read | N/A |
Schedules Editor | Read/write access to Schedules | grafana-irm-app.schedules:read grafana-irm-app.schedules:write grafana-irm-app.schedules:export | N/A |
ChatOps Reader | Read-only access to ChatOps settings | grafana-irm-app.chatops:read | N/A |
ChatOps Editor | Read/write access to ChatOps settings | grafana-irm-app.chatops:read grafana-irm-app.chatops:write grafana-irm-app.chatops:update-settings | N/A |
Outgoing Webhooks Reader | Read-only access to Outgoing Webhooks | grafana-irm-app.outgoing-webhooks:read | N/A |
Outgoing Webhooks Editor | Read/write access to Outgoing Webhooks | grafana-irm-app.outgoing-webhooks:read grafana-irm-app.outgoing-webhooks:write | N/A |
Maintenance Reader | Read-only access to Integration Maintenance | grafana-irm-app.maintenance:read | N/A |
Maintenance Editor | Read/write access to Integration Maintenance | grafana-irm-app.maintenance:read grafana-irm-app.maintenance:write | N/A |
API Keys Reader | Read-only access to OnCall API Keys | grafana-irm-app.api-keys:read | N/A |
API Keys Editor | Read/write access to OnCall API Keys. Also grants the ability to consume the API. | grafana-irm-app.api-keys:read grafana-irm-app.api-keys:write | N/A |
Notification Settings Reader | Read-only access to IRM Notification Settings | grafana-irm-app.notification-settings:read | N/A |
Notification Settings Editor | Read/write access to IRM Notification Settings | grafana-irm-app.notification-settings:read grafana-irm-app.notification-settings:write | N/A |
User Settings Reader | Read-only access to own IRM User Settings | grafana-irm-app.user-settings:read | N/A |
User Settings Editor | Read/write access to own IRM User Settings + ability to view basic information about other IRM users | grafana-irm-app.user-settings:read grafana-irm-app.user-settings:write | N/A |
User Settings Admin | Read/write access to your own and other users’ IRM User Settings | grafana-irm-app.user-settings:read grafana-irm-app.user-settings:write grafana-irm-app.user-settings:admin | N/A |
Settings Reader | Read-only access to IRM Settings | grafana-irm-app.other-settings:read | N/A |
Settings Editor | Read/write access to IRM Settings | grafana-irm-app.other-settings:read grafana-irm-app.other-settings:write | N/A |
Manage teams in Grafana IRM
Teams in Grafana IRM enable the configuration of visibility and filtering of resources, such as alert groups, integrations, escalation chains, and schedules. IRM teams are automatically synced with Grafana teams created at the organization level.
Configure team settings
- To modify global team settings like team name or team members, navigate to Configuration > Teams in Grafana.
- For IRM-specific team settings, go to IRM > Settings > Team Access Management.
The Teams settings section displays a list of teams, allowing you to configure:
- Team visibility and access to team resources (all Grafana users or only admins and team members)
- Default team (user-specific setting that pre-selects a team when creating new resources)
Team visibility
Visibility of teams and their resources follows these rules:
- Administrators can view all teams and their resources
- Editors and Viewers can only see teams they are members of, unless the team setting "Who can see the team name and access the team resources" is set to all users of Grafana
Warning
In the main Grafana teams section, users can set team-specific user permissions (Admin, Editor, or Viewer), but only for resources within that team. Currently, Grafana IRM is not compatible with this setting and uses global roles instead.
Require team membership for updates
To control who can edit team resources, you can enable the Require team membership for updates setting in your organization’s IRM settings. This setting ensures that only team members can modify team resources (subject to resource write permissions), while still allowing others to view them.
Using teams to organize resources
Teams help filter resources on their respective pages, improving organization:
- You can assign a resource to a team when creating it
- Alert groups created via the Integration API inherit the team from the integration
- Resources from different teams can be connected with one another
Cross-team resources
You can create integrations in one team and use resources from other teams:
- Set up multiple routes for an integration
- Utilize escalation chains from other teams
- Include users, schedules, and outgoing webhooks from other teams in escalation chains
If a user only has access to one team but not others, they will be unable to view resources from other teams, which will display as 🔒 Private resource.
This feature enables the distribution of escalations across various teams.
Best practices
Consider these recommendations when configuring users and teams:
- Use RBAC for precise control: Rather than giving everyone Editor or Admin roles, use RBAC to grant specific permissions
- Create logical team divisions: Structure teams based on functional areas or incident response responsibilities
- Limit the Admin role: Reserve the Admin role for users who need to manage all aspects of the IRM system
- Review permissions regularly: Periodically audit user permissions to ensure they align with current responsibilities
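The first recommendation above, worked through with the granted actions from the role tables on this page. This is an added example, not part of the Grafana documentation: the function names `acts`, `plan` and `promotion_excess` are hypothetical, only a subset of the specialized roles is encoded, and nothing here calls a Grafana API.

```python
from itertools import combinations

PREFIX = "grafana-irm-app."

def acts(names):
    """Expand short names such as 'schedules:write' into full IRM action strings."""
    return frozenset(PREFIX + n for n in names.split())

# Actions each basic role receives, copied from the main roles table above
# (basic Viewer is granted the IRM Reader role, basic Editor the IRM Editor role).
BASIC = {
    "Viewer": acts("alert-groups:read integrations:read escalation-chains:read "
                   "schedules:read chatops:read outgoing-webhooks:read maintenance:read "
                   "notification-settings:read user-settings:read other-settings:read"),
    "Editor": acts("alert-groups:read alert-groups:write alert-groups:direct-paging "
                   "integrations:read integrations:test escalation-chains:read "
                   "schedules:read schedules:write schedules:export chatops:read "
                   "chatops:write outgoing-webhooks:read maintenance:read "
                   "maintenance:write notifications:read notification-settings:read "
                   "notification-settings:write user-settings:read user-settings:write "
                   "other-settings:read"),
}
# A subset of the specialized roles table, enough for the illustration.
SPECIALIZED = {
    "Alert Groups Editor": acts("alert-groups:read alert-groups:write"),
    "Alert Groups Direct Paging": acts("alert-groups:direct-paging"),
    "Integrations Editor": acts("integrations:read integrations:write integrations:test"),
    "Schedules Editor": acts("schedules:read schedules:write schedules:export"),
    "Maintenance Editor": acts("maintenance:read maintenance:write"),
}

def plan(basic_role, needed):
    """Fewest specialized roles that cover `needed` on top of basic_role.
    Returns (roles, excess): excess lists actions granted but not requested."""
    base, best = BASIC[basic_role], None
    missing = acts(needed) - base
    for size in range(len(SPECIALIZED) + 1):
        for combo in combinations(sorted(SPECIALIZED), size):
            granted = frozenset().union(*(SPECIALIZED[r] for r in combo))
            excess = granted - base - missing
            if missing <= granted and (best is None or len(excess) < len(best[1])):
                best = (list(combo), sorted(excess))
        if best is not None:
            return best
    raise ValueError(f"listed specialized roles cannot grant {sorted(missing)}")

def promotion_excess(current, promoted, needed):
    """Unrequested actions gained by raising the basic role instead."""
    return sorted(BASIC[promoted] - BASIC[current] - acts(needed))
```

For the Viewer who needs to edit on-call schedules, `plan("Viewer", "schedules:write")` selects Schedules Editor with one unrequested action (`schedules:export`), while `promotion_excess("Viewer", "Editor", "schedules:write")` lists the nine unrequested actions that a promotion to the basic Editor role would add.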