# Grafana

## Overview

Grafana is an open-source analytics and monitoring platform used for visualizing metrics, logs, and traces from various data sources.

The Veza integration for Grafana enables visibility into identity and access management by discovering users, teams, service accounts, roles, and permissions. This integration supports both **Grafana Cloud** and **self-hosted** deployments, and automatically detects whether RBAC is enabled.

With this integration, you can:

* Map access across users, teams, and service accounts
* Analyze role-based access control (RBAC) with scoped permissions
* Identify non-human identities (service accounts) and their API token counts
* Track both basic roles and granular RBAC permissions

See [Notes and supported entities](#notes-and-supported-entities) for details on discovered data.

## Prerequisites

To configure the integration, you will need:

* **Network connectivity**: Connection from Veza to Grafana via a [deployed Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md) or direct connection
* A Grafana service account or API token with read access to organization data
* **Connection details**: Grafana instance URL (e.g., `https://your-instance.grafana.net`)

## Configuring Grafana

### Creating the API token

Create an API token in Grafana with permissions to read organization, user, team, and role data.

1. Log in to Grafana as an administrator
2. Navigate to **Administration** > **Service accounts**
3. Click **Add service account** and provide a name (e.g., "Veza Integration")
4. Assign the **Admin** role to the service account for full read access
5. Click **Add service account token** to generate an API token
6. Copy and securely store the generated token

{% hint style="info" %}
The service account requires Admin-level access to read users, teams, service accounts, and role assignments across the organization. Store the API token securely.
{% endhint %}

## Configuring Grafana on the Veza Platform

1. In Veza, go to the **Integrations** page
2. Click **Add Integration** and search for **Grafana**
3. Click **Next** to begin configuration
4. Enter the required information (see table below)
5. Click **Create Integration** to save and start the first extraction

### Configuration options

| Field             | Required | Notes                                                                         |
| ----------------- | -------- | ----------------------------------------------------------------------------- |
| **Insight Point** | Yes      | Choose default data plane or deployed Insight Point                           |
| **Name**          | Yes      | Friendly name to identify this integration                                    |
| **URL**           | Yes      | Full URL to your Grafana instance (e.g., `https://your-instance.grafana.net`) |
| **Token**         | Yes      | Grafana API token for authentication                                          |

## Notes and supported entities

Grafana uses a combination of basic roles and RBAC (if enabled). Basic roles (Grafana Admin, Admin, Editor, Viewer) provide organization-wide permissions, while RBAC provides granular, action-based permissions with scopes.

### Discovered entities

Veza discovers the following entity types:

* **Users**: Grafana user accounts with login credentials and authentication methods
* **Teams**: Organizational groups with membership associations and external sync status
* **Service Accounts**: Non-human identities used for API access with token counts
* **Roles**: RBAC roles (if enabled) or basic roles with permission associations
* **Permissions**: Action-based permissions with optional scopes

### Key attributes

#### User

| Attribute              | Description                                                   |
| ---------------------- | ------------------------------------------------------------- |
| `Name`                 | Display name of the user                                      |
| `Email`                | Email address (used as identity)                              |
| `Login`                | Username used for login                                       |
| `Is Active`            | Whether the user account is enabled (inverse of `isDisabled`) |
| `Last Seen At`         | Timestamp of last login                                       |
| `Is Provisioned`       | Whether the user was provisioned automatically                |
| `Auth Labels`          | Authentication method labels (e.g., OAuth, LDAP)              |
| `Is Externally Synced` | Whether the user is synced from an external source            |

#### Team

| Attribute        | Description                                    |
| ---------------- | ---------------------------------------------- |
| `Name`           | Team name                                      |
| `Email`          | Team email address                             |
| `External UID`   | External unique identifier for synced teams    |
| `Is Provisioned` | Whether the team was provisioned automatically |

#### Service Account

| Attribute   | Description                                      |
| ----------- | ------------------------------------------------ |
| `Name`      | Service account name                             |
| `Login`     | Service account login identifier                 |
| `Is Active` | Whether the service account is enabled           |
| `Tokens`    | Count of API tokens associated with this account |

#### Role

| Attribute      | Description                                     |
| -------------- | ----------------------------------------------- |
| `Name`         | Role unique identifier                          |
| `Display Name` | Human-readable role name                        |
| `Description`  | Role description                                |
| `Is Global`    | Whether the role is global across organizations |
| `Is Hidden`    | Whether the role is hidden from the UI          |

### Permissions and effective access

Grafana permissions are mapped based on the action type:

| Action Suffix                      | Veza Effective Permissions   |
| ---------------------------------- | ---------------------------- |
| `read`                             | Data Read, Metadata Read     |
| `write`                            | Data Write, Metadata Write   |
| `create`                           | Data Create, Metadata Create |
| `delete`                           | Data Delete, Metadata Delete |
| `query`                            | Data Read                    |
| `list`                             | Data Read, Metadata Read     |
| `explore`                          | Data Read                    |
| `send`, `apply`, `install`, `test` | Non Data                     |

#### Permission examples

* `folders:create` - Create folders
* `folders:read - folders:*` - Read all folders
* `dashboards:write - dashboards:uid:abc123` - Write to specific dashboard

#### Basic role permissions

When RBAC is disabled, basic roles provide these effective permissions:

| Basic Role        | Effective Permissions                                                                                          |
| ----------------- | -------------------------------------------------------------------------------------------------------------- |
| **Grafana Admin** | All (DataRead, MetadataRead, DataWrite, MetadataWrite, DataCreate, MetadataCreate, DataDelete, MetadataDelete) |
| **Admin**         | All (same as Grafana Admin)                                                                                    |
| **Editor**        | DataRead, MetadataRead, DataWrite, MetadataWrite, DataCreate, MetadataCreate                                   |
| **Viewer**        | DataRead, MetadataRead                                                                                         |
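
The two mapping tables above can be applied offline when reviewing an exported list of identities. The sketch below is an added example, not Veza's or Grafana's own code: it parses the `action - scope` form used under "Permission examples", resolves effective permissions with or without RBAC, and flags write or delete grants on wildcard scopes. Function names, the compact `NonData` label, and the sample identities are assumptions made for illustration.

```python
# Added example. Tables are transcribed from this page; function names and
# the sample identities are constructed for illustration.
SUFFIX_MAP = {
    "read": {"DataRead", "MetadataRead"},
    "write": {"DataWrite", "MetadataWrite"},
    "create": {"DataCreate", "MetadataCreate"},
    "delete": {"DataDelete", "MetadataDelete"},
    "list": {"DataRead", "MetadataRead"},
    "query": {"DataRead"}, "explore": {"DataRead"},
    **{s: {"NonData"} for s in ("send", "apply", "install", "test")},
}
ALL = set().union(*(SUFFIX_MAP[s] for s in ("read", "write", "create", "delete")))
BASIC_ROLES = {"Grafana Admin": ALL, "Admin": ALL,
               "Editor": ALL - {"DataDelete", "MetadataDelete"},
               "Viewer": {"DataRead", "MetadataRead"}}

def parse_permission(text):
    """Split 'action - scope' (scope optional) into (action, scope, effective)."""
    action, _, scope = text.partition(" - ")
    action, scope = action.strip(), scope.strip()
    suffix = action.rsplit(":", 1)[-1]
    # Suffixes missing from the table map to nothing rather than being guessed.
    return action, scope, SUFFIX_MAP.get(suffix, set())

def effective_access(identity, rbac_enabled):
    """Union of effective permissions for one identity."""
    if not rbac_enabled:
        return set(BASIC_ROLES.get(identity["basic_role"], set()))
    result = set()
    for perm in identity["permissions"]:
        result |= parse_permission(perm)[2]
    return result

def broad_write_findings(identities):
    """Flag write/delete grants whose scope ends in a wildcard."""
    findings = []
    for ident in identities:
        for perm in ident["permissions"]:
            action, scope, eff = parse_permission(perm)
            if scope.endswith("*") and eff & {"DataWrite", "DataDelete"}:
                findings.append((ident["name"], action, scope))
    return findings

SAMPLE = [  # constructed identities, not real export data
    {"name": "sa-ci", "basic_role": "Editor",
     "permissions": ["dashboards:write - dashboards:*",
                     "datasources:query - datasources:uid:abc123"]},
    {"name": "alice", "basic_role": "Viewer",
     "permissions": ["folders:read - folders:*", "folders:create"]},
]
```

Running `broad_write_findings(SAMPLE)` reports only the service account's wildcard dashboard write; the read-only wildcard and the unscoped `folders:create` are not flagged.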

