rbac

RBAC Objects

class RBAC()

The class includes all necessary methods to access the Grafana RBAC API endpoints. Be aware that the functionality is a Grafana ENTERPRISE feature

Arguments:

  • grafana_api_model APIModel - Inject a Grafana API model object that includes all necessary values and information

Attributes:

  • grafana_api_model APIModel - This is where we store the grafana_api_model

get_status

def get_status() -> bool

The method includes a functionality to check whether role-based access control is enabled or not

Required Permissions:

  • Action - status:accesscontrol
  • Scope - services:accesscontrol

Raises:

  • Exception - Unspecified error by executing the API call

Returns:

  • api_call bool - Return a flag indicating if the role-based access control is enabled or not

get_all_roles

def get_all_roles(include_hidden_roles: bool = False) -> list

The method includes a functionality to get all existing roles. The response contains all global and organization-local roles for the organization the user is signed in to

Arguments:

  • include_hidden_roles bool - Specify if the output contains the hidden roles or not (default False)

Required Permissions:

  • Action - roles:read
  • Scope - roles:*

Raises:

  • Exception - Unspecified error by executing the API call

Returns:

  • api_call list - Return all global and organization local roles

get_role

def get_role(uid: str) -> dict

The method includes a functionality to get a role specified by the uid

Arguments:

  • uid str - Specify the uid of the role

Required Permissions:

  • Action - roles:read
  • Scope - roles:*

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • api_call dict - Return the corresponding role

create_role

def create_role(role_definition: CustomRole) -> dict

The method includes a functionality to create a new custom role and map the given permissions to that role. Note that roles with the same prefix as Fixed roles can’t be created

Arguments:

  • role_definition CustomRole - Specify the corresponding role definition

Required Permissions:

  • Action - roles:write
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • api_call dict - Return the newly created role

update_role

def update_role(uid: str, role_definition: CustomRole) -> dict

The method includes a functionality to update the role with the given uid, and its permissions. The operation is idempotent and all permissions of the role will be replaced based on the request content. You need to increment the version of the role with each update, otherwise the request will fail

Arguments:

  • uid str - Specify the corresponding uid of the custom role
  • role_definition CustomRole - Specify the corresponding role definition

Required Permissions:

  • Action - roles:write
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • api_call dict - Return the updated role

delete_role

def delete_role(uid: str, force: bool = False, global_role: bool = False)

The method includes a functionality to delete a role with the given uid

Arguments:

  • uid str - Specify the corresponding uid of the custom role
  • force bool - Specify whether the role will be deleted with all its assignments or not (default False)
  • global_role bool - Specify whether the role is global or not. If set to false, the default org id of the authenticated user will be used from the request (default False)

Required Permissions:

  • Action - roles:delete
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None

get_user_assigned_roles

def get_user_assigned_roles(user_id: int,
                            include_hidden_roles: bool = False) -> list

The method includes a functionality to get the roles that have been directly assigned to a given user specified by the user id. The list does not include basic roles (Viewer, Editor, Admin or Grafana Admin), and it does not include roles that have been inherited from a team

Arguments:

  • user_id int - Specify the corresponding user_id of the user
  • include_hidden_roles bool - Specify if the output contains the hidden roles or not (default False)

Required Permissions:

  • Action - users.roles:read
  • Scope - users:id:

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • api_call list - Return the corresponding user roles

get_user_assigned_permissions

def get_user_assigned_permissions(user_id: int) -> list

The method includes a functionality to get the permissions that have been directly assigned to a given user specified by the user id

Arguments:

  • user_id int - Specify the corresponding user_id of the user

Required Permissions:

  • Action - users.permissions:read
  • Scope - users:id:

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • api_call list - Return the corresponding user permissions

add_user_role_assignment

def add_user_role_assignment(user_id: int,
                             role_uid: str,
                             global_assignment: bool = False)

The method includes a functionality to assign a role to a specific user

Arguments:

  • user_id int - Specify the corresponding user_id of the user
  • role_uid str - Specify the corresponding uid of the role
  • global_assignment bool - Specify whether the assignment is global or not. If set to false, the default org id of the authenticated user will be used from the request (default False)

Required Permissions:

  • Action - users.roles:add
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None

remove_user_role_assignment

def remove_user_role_assignment(user_id: int, role_uid: str)

The method includes a functionality to revoke a role from a specific user

Arguments:

  • user_id int - Specify the corresponding user_id of the user
  • role_uid str - Specify the corresponding uid of the role

Required Permissions:

  • Action - users.roles:remove
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None

update_user_role_assignments

def update_user_role_assignments(user_id: int,
                                 role_uids: list,
                                 include_hidden_roles: bool = False,
                                 global_assignment: bool = False)

The method includes a functionality to update the user role assignments to match the provided set of uids. This will remove any assigned roles that aren’t in the request and add roles that are in the set but are not already assigned to the user

Arguments:

  • user_id int - Specify the corresponding user_id of the user
  • role_uids list - Specify the corresponding uids of the roles
  • include_hidden_roles bool - Specify if the output contains the hidden roles or not (default False)
  • global_assignment bool - Specify whether the assignment is global or not. If set to false, the default org id of the authenticated user will be used from the request (default False)

Required Permissions:

  • Action - users.roles:add, users.roles:remove
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None
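
A guard for the replace-all behaviour of update_user_role_assignments, as an added example that is not part of grafana_api: it diffs the requested uids against get_user_assigned_roles and refuses to send an update that would silently revoke roles unless the caller approved removals. The "uid" key in each returned role, the helper names and StubRBAC are assumptions made for this example; a real RBAC object takes the stub's place.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePlan:
    to_add: frozenset
    to_remove: frozenset


def plan_user_roles(rbac, user_id, desired_uids, include_hidden_roles=False):
    """Diff the desired role uids against the user's direct assignments."""
    current = {
        # Assumption: each returned role is a dict carrying its uid under "uid".
        role["uid"]
        for role in rbac.get_user_assigned_roles(user_id, include_hidden_roles)
    }
    desired = set(desired_uids)
    return RolePlan(frozenset(desired - current), frozenset(current - desired))


def sync_user_roles(rbac, user_id, desired_uids, allow_removals=False,
                    include_hidden_roles=False, global_assignment=False):
    """Send the full-set update only when its removals were approved."""
    desired = sorted(set(desired_uids))
    plan = plan_user_roles(rbac, user_id, desired, include_hidden_roles)
    if plan.to_remove and not allow_removals:
        raise RuntimeError(
            f"refusing to revoke {sorted(plan.to_remove)} from user {user_id}")
    if plan.to_add or plan.to_remove:  # skip the API call when nothing changes
        rbac.update_user_role_assignments(
            user_id, desired, include_hidden_roles, global_assignment)
    return plan


class StubRBAC:
    """Constructed stand-in exposing the two RBAC methods used above."""

    def __init__(self, assigned_uids):
        self.assigned = set(assigned_uids)
        self.calls = []

    def get_user_assigned_roles(self, user_id, include_hidden_roles=False):
        return [{"uid": uid} for uid in sorted(self.assigned)]

    def update_user_role_assignments(self, user_id, role_uids,
                                     include_hidden_roles=False, global_assignment=False):
        self.calls.append((user_id, list(role_uids)))
        self.assigned = set(role_uids)
```

Logging the returned RolePlan before and after the call gives a record of every revocation made through this path.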

get_service_account_assigned_roles

def get_service_account_assigned_roles(service_account_id: int,
                                       include_hidden_roles: bool = False
                                       ) -> list

The method includes a functionality to get the roles that have been directly assigned to a given service account. The list does not include basic roles (Viewer, Editor, Admin or Grafana Admin)

Arguments:

  • service_account_id int - Specify the corresponding service_account_id of the service account
  • include_hidden_roles bool - Specify if the output contains the hidden roles or not (default False)

Required Permissions:

  • Action - users.roles:read
  • Scope - users:id:

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • api_call list - Return the corresponding service account roles

get_service_account_assigned_permissions

def get_service_account_assigned_permissions(service_account_id: int) -> list

The method includes a functionality to get the permissions that a given service account has

Arguments:

  • service_account_id int - Specify the corresponding service_account_id of the service account

Required Permissions:

  • Action - users.permissions:read
  • Scope - users:id:

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • api_call list - Return the corresponding service account permissions

add_service_account_role_assignment

def add_service_account_role_assignment(service_account_id: int,
                                        role_uid: str,
                                        global_assignment: bool = False)

The method includes a functionality to assign a role to a specific service account

Arguments:

  • service_account_id int - Specify the corresponding service_account_id of the service account
  • role_uid str - Specify the corresponding uid of the role
  • global_assignment bool - Specify whether the assignment is global or not. If set to false, the default org id of the authenticated user will be used from the request (default False)

Required Permissions:

  • Action - users.roles:add
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None

remove_service_account_role_assignment

def remove_service_account_role_assignment(service_account_id: int,
                                           role_uid: str)

The method includes a functionality to revoke a role from a specific service account

Arguments:

  • service_account_id int - Specify the corresponding service_account_id of the service account
  • role_uid str - Specify the corresponding uid of the role

Required Permissions:

  • Action - users.roles:remove
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None

update_service_account_role_assignments

def update_service_account_role_assignments(service_account_id: int,
                                            role_uids: list,
                                            include_hidden_roles: bool = False,
                                            global_assignment: bool = False)

The method includes a functionality to update the service account role assignments to match the provided set of uids. This will remove any assigned roles that aren’t in the request and add roles that are in the set but are not already assigned to the service account

Arguments:

  • service_account_id int - Specify the corresponding service_account_id of the service account
  • role_uids list - Specify the corresponding uids of the roles
  • include_hidden_roles bool - Specify if the output contains the hidden roles or not (default False)
  • global_assignment bool - Specify whether the assignment is global or not. If set to false, the default org id of the authenticated user will be used from the request (default False)

Required Permissions:

  • Action - users.roles:add, users.roles:remove
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None

get_team_assigned_roles

def get_team_assigned_roles(team_id: int,
                            include_hidden_roles: bool = False) -> list

The method includes a functionality to get the roles that have been directly assigned to a given team

Arguments:

  • team_id int - Specify the corresponding team_id of the team
  • include_hidden_roles bool - Specify if the output contains the hidden roles or not (default False)

Required Permissions:

  • Action - teams.roles:read
  • Scope - teams:id:

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • api_call list - Return the corresponding team roles

add_team_role_assignment

def add_team_role_assignment(team_id: int, role_uid: str)

The method includes a functionality to assign a role to a specific team

Arguments:

  • team_id int - Specify the corresponding team_id of the team
  • role_uid str - Specify the corresponding uid of the role

Required Permissions:

  • Action - teams.roles:add
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None

remove_team_role_assignment

def remove_team_role_assignment(team_id: int, role_uid: str)

The method includes a functionality to revoke a role from a specific team

Arguments:

  • team_id int - Specify the corresponding team_id of the team
  • role_uid str - Specify the corresponding uid of the role

Required Permissions:

  • Action - teams.roles:remove
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None

update_team_role_assignments

def update_team_role_assignments(team_id: int,
                                 role_uids: list,
                                 include_hidden_roles: bool = False)

The method includes a functionality to update the team role assignments to match the provided set of uids. This will remove any assigned roles that aren’t in the request and add roles that are in the set but are not already assigned to the team

Arguments:

  • team_id int - Specify the corresponding team_id of the team
  • role_uids list - Specify the corresponding uids of the roles
  • include_hidden_roles bool - Specify if the output contains the hidden roles or not (default False)

Required Permissions:

  • Action - teams.roles:add, teams.roles:remove
  • Scope - permissions:type:delegate

Raises:

  • ValueError - Missed specifying a necessary value
  • Exception - Unspecified error by executing the API call

Returns:

  • None

reset_basic_roles_to_their_default

def reset_basic_roles_to_their_default()

The method includes a functionality to reset the permissions of the basic roles to their defaults

Required Permissions:

  • Action - roles:write
  • Scope - permissions:type:escalate

Raises:

  • Exception - Unspecified error by executing the API call

Returns:

  • None