Introduction

Grafana teams organize users and control access to dashboards, folders, and datasources. Team permission errors prevent users from accessing resources they should have access to, or allow unauthorized access. These issues typically stem from role assignment problems, folder permission conflicts, team synchronization failures, or permission inheritance issues.

Symptoms

  • Team members cannot access dashboards in team folders
  • Error: "Access denied" or "Permission denied"
  • Users see "Unauthorized" when opening dashboards
  • Team members cannot edit dashboards they should be able to
  • Admin users cannot modify team settings
  • Folder permissions don't apply to team members
  • Team role assignments are not reflected in user access

Common Causes

  • Team folder permissions are not configured correctly
  • User's team role conflicts with organization role
  • Permission inheritance is blocked by explicit folder permissions
  • Team is not assigned to the correct organization
  • Team synchronization from LDAP/OAuth failed
  • Dashboard permissions override folder permissions
  • Admin role was removed from the team

Step-by-Step Fix

Check Team Membership

  1. Verify the user is in the team:
     ```bash
     # Quote the URL so the shell does not treat "?" as a glob character
     curl -s -u admin:password 'http://localhost:3000/api/teams/search?query=team-name' | jq '.teams[]'
     curl -s -u admin:password http://localhost:3000/api/teams/1/members | jq '.[]'
     ```
  2. Add the user to the team via the API:
     ```bash
     curl -X POST -u admin:password \
       -H "Content-Type: application/json" \
       -d '{"userId": 2}' \
       http://localhost:3000/api/teams/1/members
     ```
  3. In the Grafana UI:
     - Navigate to Configuration > Teams
     - Click the team name
     - Click "Add member"
     - Select the user and assign a role

Check Team Role Assignment

  1. Verify team member roles:
     ```bash
     curl -s -u admin:password http://localhost:3000/api/teams/1/members | jq '.[] | {userId: .userId, role: .role}'
     ```
  2. Fix a team member's role:
     ```bash
     curl -X PATCH -u admin:password \
       -H "Content-Type: application/json" \
       -d '{"role": "Editor"}' \
       http://localhost:3000/api/teams/1/members/2
     ```
  3. Available team roles:
     - Admin - Can manage team members and team permissions
     - Editor - Can edit dashboards in team folders
     - Viewer - Can view dashboards in team folders

Check Folder Permissions

  1. List folder permissions:
     ```bash
     curl -s -u admin:password http://localhost:3000/api/folders | jq '.[] | {id: .id, uid: .uid, title: .title}'
     curl -s -u admin:password http://localhost:3000/api/folders/1/permissions | jq '.[]'
     ```
  2. Check team folder access:
     ```bash
     curl -s -u admin:password http://localhost:3000/api/folders/1/permissions | jq '.[] | select(.teamId == 1)'
     ```
  3. Grant team folder permission:
     ```bash
     curl -X POST -u admin:password \
       -H "Content-Type: application/json" \
       -d '{"teamId": 1, "permission": 2}' \
       http://localhost:3000/api/folders/1/permissions
     ```
  4. Permission levels:
     - 1 = View
     - 2 = Edit
     - 4 = Admin
  5. Set team folder permission in the UI:
     - Navigate to Dashboards > Browse
     - Click folder > Permissions
     - Click "Add permission"
     - Select team and permission level

Permission Inheritance Issues

  1. Understand the permission hierarchy:
     - Organization role (Viewer/Editor/Admin) sets baseline access
     - Team membership grants additional folder access
     - Dashboard-specific permissions override folder permissions
     - Higher role always wins (Admin > Editor > Viewer)
  2. Check dashboard-level permissions:
     ```bash
     curl -s -u admin:password http://localhost:3000/api/dashboards/uid/dashboard-uid | jq '.meta.permissions'
     ```
  3. Remove conflicting dashboard permissions:
     ```bash
     curl -X DELETE -u admin:password \
       http://localhost:3000/api/dashboards/uid/dashboard-uid/permissions/123
     ```
  4. Ensure folder permissions apply to dashboards:
     - Folder View permission grants dashboard View
     - Folder Edit permission grants dashboard Edit
     - Dashboard Admin permission is separate from folder
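
The resolution order described above, as an added example (not Grafana's code and not part of the original page): it takes ACL entries with the fields used in this page's calls (`userId`, `teamId`, `role`, `permission`) and reports the effective level and whether a dashboard ACL conflicts with the folder's. The entry shape, the exact-match rule for role entries, and the sample users and ACLs are assumptions.

```python
# Added example: explain a user's effective permission from ACL entries.
# Levels follow this page: 1 = View, 2 = Edit, 4 = Admin; 0 here means no access.
LEVEL_NAMES = {0: "None", 1: "View", 2: "Edit", 4: "Admin"}


def entry_applies(entry, user):
    """An ACL entry targets one user, one team, or one organization role."""
    if entry.get("userId"):
        return entry["userId"] == user["userId"]
    if entry.get("teamId"):
        return entry["teamId"] in user["teamIds"]
    # Assumption: a role entry applies only to users holding exactly that org role.
    return entry.get("role") == user["orgRole"]


def highest(acl, user):
    """Highest matching level wins; no matching entry means no access."""
    return max((e["permission"] for e in acl if entry_applies(e, user)), default=0)


def explain_access(user, folder_acl, dashboard_acl=None):
    """Resolve access the way this page describes and report ACL conflicts."""
    folder_level = highest(folder_acl, user)
    if dashboard_acl:  # dashboard-specific permissions override the folder's
        level, source = highest(dashboard_acl, user), "dashboard"
    else:
        level, source = folder_level, "folder"
    if level < folder_level:
        finding = "dashboard ACL blocks access the folder would grant"
    elif level > folder_level:
        finding = "dashboard ACL grants more than the folder"
    else:
        finding = "consistent"
    return {"level": LEVEL_NAMES[level], "source": source, "finding": finding}


# Constructed sample data (not from a real Grafana instance).
FOLDER_ACL = [
    {"role": "Viewer", "permission": 1},
    {"teamId": 1, "permission": 2},
]
DASHBOARD_ACL = [{"teamId": 7, "permission": 4}, {"userId": 9, "permission": 2}]
ALICE = {"userId": 2, "orgRole": "Viewer", "teamIds": [1]}   # member of team 1
MALLORY = {"userId": 9, "orgRole": "Viewer", "teamIds": []}  # not in any team

if __name__ == "__main__":
    for who in (ALICE, MALLORY):
        print(who["userId"], explain_access(who, FOLDER_ACL),
              explain_access(who, FOLDER_ACL, DASHBOARD_ACL))
```

The second finding is the one to review first: a dashboard ACL that grants more than its folder is how a user outside the team ends up with edit access.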

Team Organization Issues

  1. Verify the team belongs to the correct organization:
     ```bash
     curl -s -u admin:password http://localhost:3000/api/teams/1 | jq '{orgId: .orgId, name: .name}'
     ```
  2. Check the user's organization membership:
     ```bash
     curl -s -u admin:password http://localhost:3000/api/users/2/orgs | jq '.[]'
     ```
  3. Users must belong to the organization to access its resources:
     - Navigate to Configuration > Users
     - Check the user's organization membership
     - Add the user to the organization if missing

Team Sync Issues (LDAP/OAuth)

  1. Check LDAP team synchronization:
     ```bash
     # Verify LDAP group mapping
     grep -A5 "group_mappings" /etc/grafana/ldap.toml

     # Check sync status in logs (-E so that "|" is treated as alternation)
     journalctl -u grafana-server | grep -iE "ldap.*team|ldap.*sync"
     ```
  2. Configure LDAP team sync:
     ```toml
     # In ldap.toml
     # The [[servers]] entry must be declared before its group_mappings
     [[servers]]
     # Enable team sync
     team_sync = true
     team_sync_attribute_groups = "groups"
     team_sync_group_dn = "cn=grafana-team,ou=groups,dc=example,dc=com"

     [[servers.group_mappings]]
     group_dn = "cn=grafana-editors,ou=groups,dc=example,dc=com"
     org_role = "Editor"
     ```
  3. Run manual team sync:
     ```bash
     grafana-cli admin data-migration ldap-sync
     ```
  4. For OAuth team sync:
     ```ini
     # In grafana.ini
     [auth.generic_oauth]
     team_ids_attribute = groups
     team_sync = true
     ```

Admin Role Issues

  1. Verify the team has an Admin member:
     ```bash
     curl -s -u admin:password http://localhost:3000/api/teams/1/members | jq '.[] | select(.role == "Admin")'
     ```
  2. Add the Admin role to a team member:
     ```bash
     curl -X PATCH -u admin:password \
       -H "Content-Type: application/json" \
       -d '{"role": "Admin"}' \
       http://localhost:3000/api/teams/1/members/2
     ```

Verification

  1. Verify team access works:
     - Log in as a team member
     - Navigate to the team folder
     - Verify dashboards are accessible
     - Test edit/view based on the assigned role
  2. Verify permission inheritance:
     - Create a new dashboard in the team folder
     - Verify team members can access it
     - Test that the permission level matches the folder setting
  3. Check team configuration:
     ```bash
     curl -s -u admin:password http://localhost:3000/api/teams/1 | jq .
     curl -s -u admin:password http://localhost:3000/api/teams/1/members | jq .
     ```
  4. Verify all team members have correct roles in the UI:
     - Configuration > Teams > Team Name
     - Review the member list and roles
     - Check folder permissions for the team