Fine-grained access control in Amazon Managed Grafana using Grafana Teams
Every customer who uses Amazon Managed Grafana as part of their observability or data visualization service has multiple business units or divisions to serve. Users from these business units or divisions must access Amazon Managed Grafana and manage or view their own resources, such as data sources, dashboards, and alerts. Additionally, IT administrators must manage these users in an efficient way with less operational overhead.
The primary reasons to organize users and resources in Amazon Managed Grafana are security and easier management:
- Security: Division A shouldn’t be able to view Division B’s data sources and dashboards.
- Management: Organize and group dashboards in an orderly fashion.
Managing user access individually is time consuming and inefficient. In this post, we'll walk you through how Amazon Managed Grafana Teams enable you to simplify user access management. The Grafana Team construct lets you manage permissions for multiple users with similar access requirements. Using Grafana Teams simplifies user management because members of a team inherit the team's permissions.
User authentication in Amazon Managed Grafana
Users authenticate to an Amazon Managed Grafana workspace using SAML, AWS Single Sign-On (AWS SSO), or both. To use AWS SSO, you must activate AWS Organizations for the account that hosts the Amazon Managed Grafana workspace. Refer to using AWS SSO with your Amazon Managed Grafana workspace to set up AWS SSO with your Amazon Managed Grafana workspace. SAML authentication support enables you to use your existing identity provider to offer single sign-on for logging in to the Amazon Managed Grafana workspace. Amazon Managed Grafana uses just-in-time (JIT) provisioning to create the user from the initial SAML assertion and any subsequent connections authenticate with the service user directly. For more information on integrating Amazon Managed Grafana with SAML, refer to blogpost Amazon Managed Grafana supports direct SAML integration with identity providers.
Managing a group of users using Grafana Team
Amazon Managed Grafana uses Grafana Teams, which enable you to grant permissions to a group of users. For example, instead of assigning five users access to the same dashboard, you can create a team that consists of those users and assign dashboard permissions to the team. In addition, a user can belong to multiple teams. You can set up team sync to automatically synchronize team membership between your Grafana workspace and your identity provider. This mechanism allows Amazon Managed Grafana to remove an existing synchronized user from a team when that user's group membership in the identity provider changes. This gives you the flexibility to combine identity provider group memberships and Amazon Managed Grafana team memberships.
Users can authenticate to an Amazon Managed Grafana workspace using SAML, AWS SSO, or both. The following diagram illustrates how Grafana Teams enable you to organize users, resources, and permissions for both Okta (SAML 2.0 provider) and AWS SSO.
User roles in Amazon Managed Grafana
Amazon Managed Grafana supports three user roles for granting the right permission level to an individual user.
- Admin role – Users with this role can edit and delete data sources, users, dashboards, etc.
- Editor role – Users with this role can add and edit data sources, dashboards, and alerts to which they have access.
- Viewer role – Users with this role can view any dashboard to which they have access.
Refer to user roles for a detailed list of all of the permissions.
If you’re using AWS SSO, then you can assign the role directly from the Amazon Managed Grafana workspace. If you’re using SAML authentication, define the role in the SAML assertion mapping attributes.
Amazon Managed Grafana integrates with AWS SSO to provide identity federation for your workforce. To manage the identities in AWS SSO, please refer to Manage identities in IAM Identity Center.
Using Amazon Managed Grafana and AWS SSO, users are redirected to their existing company directory to sign in with their existing credentials. Then, they're seamlessly signed in to their Amazon Managed Grafana workspace. Because authentication happens in the directory, security settings such as password policies and two-factor authentication are enforced there.
The following screenshot illustrates how you can configure users and user groups to access Amazon Managed Grafana.
Once you select Configure users and user groups, it takes you to the following screen where you can configure users and user groups’ access to Amazon Managed Grafana.
All users listed in the Users tab and all groups listed in the User groups tab are enabled for AWS SSO. However, only those users and groups with selected check boxes can use the logical Grafana server in the workspace. In the previous screenshot, only three of the twelve user groups in AWS SSO have permission to access Amazon Managed Grafana.
By default, users and user groups that are assigned access to Grafana have viewer permission. You must explicitly elevate the respective users’ and user groups’ permission to admin or editor roles.
The following screenshot illustrates how to assign the admin role to a specific user group.
Amazon Managed Grafana supports multiple identity providers that use the SAML 2.0 standard, such as Azure AD, CyberArk, Okta, OneLogin, and Ping Identity. While setting up a SAML integration, you must define custom attribute statements. These statements are inserted into the SAML assertions shared with Amazon Managed Grafana. In the following example, we'll show you how to define SAML attribute statements in Okta.
Define attribute statements in Okta
When integrating Amazon Managed Grafana with Okta, you must define the SAML attributes. Each attribute in the attribute statements section has three elements: Name, Name format, and Value. In the following example, I've defined three attributes named userType, division, and organization. These names are customizable, and you can set them up based on your enterprise standards.
The following screenshot illustrates the attribute statements for the Amazon Managed Grafana application in Okta.
Edit the profile in Okta
After adding the attribute statements for SAML integration, you must update the users' and the user groups' profiles.
Updating the User profile
In the following example, I’ve updated the profile of a single user and given custom values for Organization and Division.
The following screenshot illustrates the profile (a collection of attributes) that describe a user in Okta.
Updating the Group profile
Once you create all of the users and add them to specific groups, you must update the profile attribute of the group as well. In the following example, I’ve updated the Name and Description of a group.
The following screenshot illustrates the profile of a group (collection of users) in Okta.
You can follow the post Amazon Managed Grafana supports direct SAML integration with identity providers (section Okta) to complete the rest of the steps to integrate Okta with Amazon Managed Grafana.
Amazon Managed Grafana setup
Once the Okta setup is complete, log in to the AWS Management Console and navigate to the Amazon Managed Grafana workspace to complete the SAML configuration assertion mapping. Configure SAML assertion attributes to map your IdP user information to Amazon Managed Grafana workspace users, and assign organizations and users access to the workspace.
Now, let's set the Assertion attribute role to the name of the IdP attribute from which the role information will be extracted. Furthermore, define the IdP Admin role values that should be granted Grafana Administrator role permissions. You can also define the IdP Editor role values that should be granted Grafana Editor role permissions.
The following screenshot illustrates the map assertion attributes in the SAML configuration.
Note that all other user role values that aren’t defined in the Admin or Editor role value fields will be granted Grafana Viewer role permissions.
In the Additional settings, define the Assertion attribute organization to use as the user organization. Most importantly, define the Assertion attribute groups, whose values are matched against the external group sync ids of Grafana Teams for team sync.
The following screenshot illustrates the additional settings in the SAML configuration.
Creating Teams and Team Sync in Amazon Managed Grafana
Using teams enables you to grant permissions to a group of users. With team sync, you can set up synchronization between your authorization provider’s groups and the teams in Grafana.
In the following walkthrough, I'm using Okta as the IdP that provides user authentication for Amazon Managed Grafana. Now, let's log in to the Amazon Managed Grafana URL and navigate to Configuration – Teams to create a team and set up team sync. In the following example, I've created a team called ATech-NOC and set up team sync with the Okta attribute value 'ANOC'. Once the user logs in, team sync automatically adds the user to the respective team based on the external group sync id.
The following screenshot illustrates the list of users that are members of a team.
The following screenshot illustrates the external group sync id.
Refer to managing teams for step-by-step instructions on creating a team and adding users.
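To make the two mappings above concrete, here is an added example (not AWS or Grafana code) that models what the workspace does with a SAML assertion at login: pick the role from the role attribute with Viewer as the fallback, read the organization, and match the groups attribute against each team's external group sync id. The assertion, the attribute names (userType, division, organization), the role values and the team/sync-id table are all constructed for the example; it assumes the groups attribute is the Okta division attribute and that a team is matched only through its sync id, never its name.

```python
# Added example: SAML assertion -> Grafana role, org and team membership,
# modelled in plain Python. Not Amazon Managed Grafana's implementation.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (attribute names as configured in Okta above;
# user, values and groups are invented for this example).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userType" NameFormat="unspecified">
      <saml:AttributeValue>editor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="division" NameFormat="unspecified">
      <saml:AttributeValue>ANOC</saml:AttributeValue>
      <saml:AttributeValue>ATech-Platform</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="organization" NameFormat="unspecified">
      <saml:AttributeValue>ATech</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class SamlMapping:
    """Mirrors the workspace SAML settings: which assertion attribute carries
    the role, org and groups, and which role values map to Admin or Editor.
    Any other role value falls back to Viewer. Values are assumptions."""
    role_attr: str = "userType"
    org_attr: str = "organization"
    groups_attr: str = "division"          # assumption: division carries groups
    admin_values: frozenset = frozenset({"admin"})
    editor_values: frozenset = frozenset({"editor"})


# Team name -> external group sync id, as set on each team's Team sync tab.
# Constructed to match the post's ATech-NOC / ANOC pair; APLAT is invented.
TEAM_SYNC = {"ATech-NOC": "ANOC", "ATech-Platform": "APLAT"}


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text for v in values]
    return attrs


def resolve_role(attrs, mapping):
    """Admin and Editor only for listed values; everything else is Viewer."""
    values = set(attrs.get(mapping.role_attr, []))
    if values & mapping.admin_values:
        return "Admin"
    if values & mapping.editor_values:
        return "Editor"
    return "Viewer"


def resolve_teams(attrs, mapping, team_sync):
    """Teams whose external group sync id appears in the groups attribute.
    A group value that merely equals a team *name* does not match."""
    groups = set(attrs.get(mapping.groups_attr, []))
    return sorted(team for team, ext_id in team_sync.items() if ext_id in groups)


def provision_user(assertion_xml, mapping=SamlMapping(), team_sync=TEAM_SYNC):
    """What JIT provisioning derives from one assertion."""
    attrs = parse_attributes(assertion_xml)
    return {
        "role": resolve_role(attrs, mapping),
        "org": (attrs.get(mapping.org_attr) or [None])[0],
        "teams": resolve_teams(attrs, mapping, team_sync),
    }


def team_sync_delta(current_teams, assertion_xml, mapping=SamlMapping(), team_sync=TEAM_SYNC):
    """Team sync on a later login: teams to add, and synced teams to remove
    because the user's IdP group membership changed. Teams that are not
    under sync (manually managed) are left alone."""
    desired = set(provision_user(assertion_xml, mapping, team_sync)["teams"])
    current = set(current_teams)
    return {"add": sorted(desired - current),
            "remove": sorted((current - desired) & set(team_sync))}


if __name__ == "__main__":
    print(provision_user(SAMPLE_ASSERTION))
    print(team_sync_delta(["ATech-Platform", "Manual-Team"], SAMPLE_ASSERTION))
```

The second group value, ATech-Platform, is deliberately the name of a team rather than its sync id, so it produces no membership; and the delta call shows a synced team being removed while a manually managed team is untouched.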
Data sources and Grafana Teams
Data sources are storage backends that you can query in Amazon Managed Grafana to do things like building dashboards. Each data source has a specific query editor that is customized for the features and capabilities that the particular data source exposes. By default, a data source can be queried by any user. Using teams, you can change the default permissions for data sources and restrict query permissions to specific users and groups of users. Now, let's log in to the Amazon Managed Grafana URL and navigate to Configuration – Data sources.
On the Permissions tab, choose Enable. Permissions are an access control list (ACL) model used to limit access to data sources. After you enable permissions for a data source, you can assign query permissions to users and teams.
The following screenshot illustrates the permissions granted for a specific user and a team to query an Amazon CloudWatch data source.
Refer to Managing teams for step-by-step instructions on how to set up data source permissions.
Dashboard folders and Grafana Teams
Amazon Managed Grafana makes it easy to construct queries and customize the display properties to meet dashboarding needs. Dashboard folders are a way to organize and group dashboards. This feature is useful if you have many dashboards and must arrange them in an orderly fashion. You can refer to dashboard folders for step-by-step instructions on how to create Dashboard folders.
Using Grafana Teams, you can remove the default role-based permissions for editors and viewers, and then assign permissions to specific users and groups of users. Now, let's log in to the Amazon Managed Grafana URL and navigate to Configuration – Dashboards. Select the dashboard folder and choose the Permissions tab. Permissions are an access control list (ACL) model that limits access to dashboard folders.
The following screenshot illustrates the permissions granted for a specific user and a team to a Dashboard folder with viewer and editor roles respectively.
Refer to dashboard and folder permissions for step-by-step instructions on granting dashboard folder permissions.
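The data source and folder ACLs described in the last two sections follow the same pattern: an open default, then explicit grants to users and teams once the default is removed. The added example below (not Grafana's code) simulates both and runs the "Division A must not see Division B" requirement from the introduction through it. Users, teams, the data source and the folder are constructed; the example assumes that a workspace Admin is unrestricted by these ACLs (consistent with the Admin role description above) and that when several grants apply, the strongest one wins.

```python
# Added example: data source and dashboard folder ACLs modelled in plain
# Python. Not Amazon Managed Grafana's implementation.
from dataclasses import dataclass, field

LEVELS = {"View": 1, "Edit": 2, "Admin": 3}   # folder permission levels


@dataclass(frozen=True)
class User:
    login: str
    role: str                       # workspace role: "Admin", "Editor", "Viewer"
    teams: frozenset = frozenset()  # Grafana Teams the user belongs to


@dataclass
class DataSource:
    name: str
    permissions_enabled: bool = False           # the Permissions tab "Enable"
    query_users: set = field(default_factory=set)
    query_teams: set = field(default_factory=set)


@dataclass
class Folder:
    name: str
    # Default role-based grants. Restricting a folder means removing these
    # and adding explicit user and team grants instead.
    role_grants: dict = field(default_factory=lambda: {"Editor": "Edit", "Viewer": "View"})
    user_grants: dict = field(default_factory=dict)   # login -> level
    team_grants: dict = field(default_factory=dict)   # team name -> level


def can_query(user, ds):
    """Data source ACL: open to every user until permissions are enabled,
    then only listed users and teams. Admin bypass is an assumption."""
    if not ds.permissions_enabled or user.role == "Admin":
        return True
    return user.login in ds.query_users or bool(user.teams & ds.query_teams)


def folder_level(user, folder):
    """Highest permission level the user holds on a folder, or None.
    Role, direct and team grants are combined; the strongest wins."""
    grants = [folder.role_grants.get(user.role), folder.user_grants.get(user.login)]
    grants += [folder.team_grants.get(team) for team in user.teams]
    if user.role == "Admin":
        grants.append("Admin")          # assumption: Admins see every folder
    held = [g for g in grants if g]
    return max(held, key=LEVELS.get) if held else None


def restrict_folder(folder, team_grants, user_grants=None):
    """Remove the default Editor/Viewer grants and add explicit ones."""
    folder.role_grants.clear()
    folder.team_grants.update(team_grants)
    folder.user_grants.update(user_grants or {})


def division_scenario():
    """Two divisions in one workspace: who can query / see what."""
    alice = User("alice", "Editor", frozenset({"DivisionA"}))
    bob = User("bob", "Viewer", frozenset({"DivisionB"}))
    carol = User("carol", "Admin")

    cw_div_a = DataSource("CloudWatch-DivA", permissions_enabled=True,
                          query_teams={"DivisionA"})
    folder_div_b = Folder("Division B dashboards")
    restrict_folder(folder_div_b, {"DivisionB": "View"}, {"bob": "Edit"})

    return {u.login: {"query_cw_div_a": can_query(u, cw_div_a),
                      "folder_div_b": folder_level(u, folder_div_b)}
            for u in (alice, bob, carol)}


if __name__ == "__main__":
    for login, access in division_scenario().items():
        print(login, access)
```

Note what the default grants do before restriction: any Editor gets Edit and any Viewer gets View on a fresh folder, which is exactly why the post has you remove them before assigning team permissions.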
This post demonstrated how Amazon Managed Grafana enables you to organize users, resources, and permissions. You also learned how the Grafana Team construct lets you manage permissions for multiple users with similar access requirements and how to simplify user management as members of a team inherit permissions from the team. Companies of any size can adopt this approach for fine-grained access management of Amazon Managed Grafana. You can also look at working in your Grafana workspace section to learn more about using Amazon Managed Grafana workspace. For more information and hands-on experience with Amazon Managed Grafana, check out the interactive and immersive One Observability Workshop.