Every customer who uses Amazon Managed Grafana as part of their observability or data visualization service has multiple business units or divisions to serve. Users from these business units or divisions must access Amazon Managed Grafana and manage or view their own resources, such as data sources, dashboards, and alerts. Additionally, IT administrators must manage these users in an efficient way with less operational overhead.
The primary reasons to organize users and resources in Amazon Managed Grafana are security and easier management:
Security: Division A shouldn’t be able to view Division B’s data sources and dashboards.
Management: Organize and group dashboards in an orderly fashion.
Managing user access individually is time consuming and inefficient. In this post, we’ll walk you through how Amazon Managed Grafana Teams enable you to simplify user access management.
The Grafana Team construct lets you manage permissions for multiple users with similar access requirements. Using Grafana Teams can help you simplify user management, as members of a team inherit permissions from the team.
User authentication in Amazon Managed Grafana
Users authenticate to an Amazon Managed Grafana workspace using SAML, AWS Single Sign-On (AWS SSO), or both. To use AWS SSO, you must activate AWS Organizations for the account that hosts the Amazon Managed Grafana workspace. Refer to using AWS SSO with your Amazon Managed Grafana workspace to set up AWS SSO with your Amazon Managed Grafana workspace. SAML authentication support enables you to use your existing identity provider to offer single sign-on for logging in to the Amazon Managed Grafana workspace. Amazon Managed Grafana uses just-in-time (JIT) provisioning to create the user from the initial SAML assertion, and any subsequent connections authenticate with the service user directly. For more information on integrating Amazon Managed Grafana with SAML, refer to the blog post Amazon Managed Grafana supports direct SAML integration with identity providers.
Managing a group of users using Grafana Team
Amazon Managed Grafana uses the Grafana Team construct, which enables you to grant permissions to a group of users. For example, instead of assigning five users access to the same dashboard, you can create a team that consists of those users and assign dashboard permissions to the team. In addition, a user can belong to multiple teams. You can set up team sync to automatically synchronize team membership between your Grafana workspace and your identity provider. This mechanism allows Amazon Managed Grafana to remove an existing synchronized user from a team when its group membership changes. This gives you the flexibility to combine identity provider group memberships and Amazon Managed Grafana team memberships.
Users can authenticate to an Amazon Managed Grafana workspace using SAML, AWS SSO, or both. The following diagram illustrates how Grafana Teams enables you to organize users, resources, and permissions for both Okta (SAML 2.0 provider) and AWS SSO.
This diagram illustrates how Grafana Teams enables you to organize users, resources, and permissions.
User roles in Amazon Managed Grafana
Amazon Managed Grafana supports three user roles for granting the right permission level to an individual user.
Admin role – Users with this role can edit and delete data sources, users, dashboards, etc.
Editor role – Users with this role can add and edit data sources, dashboards, and alerts to which they have access.
Viewer role – Users with this role can view any dashboard to which they have access.
Refer to user roles for a detailed list of all of the permissions.
If you’re using AWS SSO, then you can assign the role directly from the Amazon Managed Grafana workspace. If you’re using SAML authentication, define the role in the SAML assertion mapping attributes.
AWS SSO
Amazon Managed Grafana integrates with AWS SSO to provide identity federation for your workforce. To manage the identities in AWS SSO, refer to Manage identities in IAM Identity Center.
Using Amazon Managed Grafana and AWS SSO, users are redirected to their existing company directory to sign in with their existing credentials. Then, they're seamlessly signed in to their Amazon Managed Grafana workspace. This ensures that security settings such as password policies and two-factor authentication are enforced by the directory.
The following screenshot illustrates how you can configure users and user groups to access Amazon Managed Grafana.
Once you select Configure users and user groups, it takes you to the following screen where you can configure users' and user groups' access to Amazon Managed Grafana.
All users listed in the Users tab and all groups listed in the User groups tab are enabled for AWS SSO. However, only those users and groups with selected check boxes can use the logical Grafana server in the workspace. In the previous screenshot, only three of the twelve user groups in AWS SSO have permission to access Amazon Managed Grafana.
By default, users and user groups that are assigned access to Grafana have viewer permission. You must explicitly elevate the respective users' and user groups' permission to the admin or editor role.
The following screenshot illustrates how to assign the admin role to a specific user group.
SAML authentication
Amazon Managed Grafana supports multiple identity providers that use the SAML 2.0 standard, such as Azure AD, CyberArk, Okta, OneLogin, and Ping Identity. While setting up a SAML integration, you must define custom attribute statements. These statements are inserted into the SAML assertions shared with Amazon Managed Grafana. In the following example, we'll show you how to define SAML attribute statements in Okta.
Define attribute statements in Okta
When integrating Amazon Managed Grafana with Okta, you must define the SAML attributes. Each attribute statement in the attribute statements section has three elements – Name, Name format, and Value. In the following example, I've defined three attribute statements named userType, division, and organization. This is customizable and you can set it up based on your enterprise standards.
The following screenshot illustrates the attribute statements for the Amazon Managed Grafana application in Okta.
Edit the profile in Okta
After adding the attribute statements for the SAML integration, you must update the users' and the user groups' profiles.
Updating the User profile
In the following example, I’ve updated the profile of a single user and given custom values for Organization and Division.
The following screenshot illustrates the profile (a collection of attributes) that describes a user in Okta.
Updating the Group profile
Once you create all of the users and add them to specific groups, you must update the profile attribute of the group as well. In the following example, I’ve updated the Name and Description of a group.
The following screenshot illustrates the profile of a group (collection of users) in Okta.
Once the Okta setup is complete, log in to the AWS Management Console and navigate to the Amazon Managed Grafana workspace to complete the SAML configuration assertion mapping. Configure SAML assertion attributes to map your IdP user information to Amazon Managed Grafana workspace users, as well as to assign orgs and users access to the workspace.
Now, let's set Assertion attribute role to the IdP attribute name from which the role information will be extracted. Furthermore, define your IdP Admin role values that should be granted Grafana Administrator role permissions. You can also define your IdP Editor role values that should be granted Grafana Editor role permissions.
The following screenshot illustrates the map assertion attributes in the SAML configuration.
Note that all other user role values that aren’t defined in the Admin or Editor role value fields will be granted Grafana Viewer role permissions.
In the Additional settings, define the Assertion Attribute Organization to use as the user organization. Most importantly, define the Assertion attribute groups that will be used to map to Grafana Teams for team sync.
The following screenshot illustrates the additional settings in the SAML configuration.
Creating Teams and Team Sync in Amazon Managed Grafana
Using teams enables you to grant permissions to a group of users. With team sync, you can set up synchronization between your authorization provider’s groups and the teams in Grafana.
In the following walkthrough, I'm using Okta as the IdP that provides user authentication for Amazon Managed Grafana. Now, let's log in to the Amazon Managed Grafana URL and navigate to Configuration – Teams to create a team and set up team sync. In the following example, I've created a team called ATech-NOC and set up team sync with the Okta attribute 'ANOC'. Once the user logs in, team sync will automatically add the user to the respective team based on the external group sync id.
The following screenshot illustrates the list of users that are members of a team.
The following screenshot illustrates the external group sync id.
Refer to managing teams for step-by-step instructions on creating a team and adding users.
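To make the two mappings above concrete (role values to the Admin/Editor/Viewer roles, and the groups attribute to team sync), here is an added Python example that is not part of the post or of Amazon Managed Grafana itself: it parses a constructed SAML attribute statement and applies the same decision rules. The attribute names, the role values grafana-admin and grafana-editor, and the use of the division attribute as the groups attribute are assumptions for this example; a real workspace validates the assertion signature before any of this runs.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Workspace-side SAML settings, mirroring the fields set in the console above.
# Attribute names and role values are assumptions made for this example.
SAML_CONFIG = {
    "assertion_attribute_role": "userType",
    "assertion_attribute_org": "organization",
    "assertion_attribute_groups": "division",
    "admin_role_values": {"grafana-admin"},
    "editor_role_values": {"grafana-editor"},
}

# Grafana team name -> external group sync id, as created under Configuration - Teams.
TEAM_SYNC = {"ATech-NOC": "ANOC"}

# Constructed sample assertion fragment (not a real Okta response; unsigned).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="userType"><saml:AttributeValue>grafana-editor</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="organization"><saml:AttributeValue>ATech</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="division"><saml:AttributeValue>ANOC</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def map_role(attrs, cfg=SAML_CONFIG):
    """Admin if a role value is in Admin role values, else Editor, else Viewer (the fallback)."""
    values = set(attrs.get(cfg["assertion_attribute_role"], []))
    if values & cfg["admin_role_values"]:
        return "Admin"
    if values & cfg["editor_role_values"]:
        return "Editor"
    return "Viewer"


def map_teams(attrs, cfg=SAML_CONFIG, team_sync=TEAM_SYNC):
    """Teams the user is synced into: those whose external group id is in the groups attribute."""
    groups = set(attrs.get(cfg["assertion_attribute_groups"], []))
    return sorted(team for team, ext_id in team_sync.items() if ext_id in groups)
```

A missing or unrecognised role attribute lands the user in Viewer, which is why the post stresses that every value not listed under Admin or Editor role values is a viewer.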
Data sources and Grafana Teams
Data sources are storage backends that you can query in Amazon Managed Grafana to do things like building dashboards. Each data source has a specific query editor that is customized for the features and capabilities that the particular data source exposes. By default, a data source can be queried by any user. Using teams, you can change the default permissions for data sources and restrict query permissions to specific users and groups of users. Now, let's log in to the Amazon Managed Grafana URL and navigate to Configuration – Data sources.
On the Permissions tab, choose Enable. Permissions are an access control list (ACL) model that is used to limit access to data sources. After you enable permissions for a data source, you can assign query permissions to users and teams.
The following screenshot illustrates the permissions granted for a specific user and a team to query an Amazon CloudWatch data source.
Refer to Managing teams for step-by-step instructions on how to set up data source permissions.
Dashboard folders and Grafana Teams
Amazon Managed Grafana makes it easy to construct queries and customize the display properties to meet dashboarding needs. Dashboard folders are a way to organize and group dashboards. This feature is useful if you have many dashboards and must arrange them in an orderly fashion. You can refer to dashboard folders for step-by-step instructions on how to create dashboard folders.
Using Grafana Teams, you can remove the default role-based permissions for editors and viewers, and then assign permissions to specific users and groups of users. Now, let's log in to the Amazon Managed Grafana URL and navigate to Configuration – Dashboards. Select the dashboard folder and select the Permissions tab. Permissions are an access control list (ACL) model that limits access to dashboard folders.
The following screenshot illustrates the permissions granted for a specific user and a team to a Dashboard folder with viewer and editor roles respectively.
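The effect of removing the default Editor/Viewer entries and granting to a user and a team, as an added Python example that models the ACL described in this section and the data source section above (it is not the post's code and is a simplified model, not Grafana's own permission engine; user logins, ids and team names are constructed):

```python
# Permission levels of the legacy Grafana folder/data source ACL.
PERMISSION = {"None": 0, "View": 1, "Edit": 2, "Admin": 4}

# Default folder ACL: the role-based entries present before you change anything,
# so every Editor can edit and every Viewer can view the folder.
DEFAULT_FOLDER_ACL = [
    {"role": "Editor", "permission": PERMISSION["Edit"]},
    {"role": "Viewer", "permission": PERMISSION["View"]},
]

# Restricted ACL from the walkthrough: the role entries are removed, one user
# gets View and the ATech-NOC team gets Edit (constructed values).
RESTRICTED_FOLDER_ACL = [
    {"userLogin": "ela", "permission": PERMISSION["View"]},
    {"team": "ATech-NOC", "permission": PERMISSION["Edit"]},
]


def effective_permission(acl, user):
    """Highest permission granted by any ACL entry matching the user's role, login or teams.

    Workspace Admins are not subject to the folder ACL and always get Admin.
    user = {"login": str, "role": "Admin" | "Editor" | "Viewer", "teams": set}
    """
    if user["role"] == "Admin":
        return PERMISSION["Admin"]
    best = PERMISSION["None"]
    for item in acl:
        matches = (
            item.get("role") == user["role"]
            or item.get("userLogin") == user["login"]
            or item.get("team") in user["teams"]
        )
        if matches:
            best = max(best, item["permission"])
    return best
```

With the restricted ACL, a Viewer outside the team and without an explicit grant drops from View to no access at all, which is the isolation between divisions the post set out to achieve.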
This post demonstrated how Amazon Managed Grafana enables you to organize users, resources, and permissions. You also learned how the Grafana Team construct lets you manage permissions for multiple users with similar access requirements, and how it simplifies user management because members of a team inherit permissions from the team. Companies of any size can adopt this approach for fine-grained access management of Amazon Managed Grafana. You can also look at the working in your Grafana workspace section to learn more about using an Amazon Managed Grafana workspace. For more information and hands-on experience with Amazon Managed Grafana, check out the interactive and immersive One Observability Workshop.
About the authors
Elamaran Shanmugam
Elamaran (Ela) Shanmugam is a Sr. Container Specialist Solutions Architect with Amazon Web Services. Ela is a Container, Observability and Multi-Account Architecture SME and helps AWS customers to design and build scalable, secure and optimized container workloads on AWS. His passion is building and automating Infrastructure to allow customers to focus more on their business. He is based out of Tampa, Florida and you can reach him on Twitter @IamElaShan
Munish Dabra
Munish Dabra is a Sr. Solutions Architect at Amazon Web Services. He is a software technology leader with ~20 years of experience in building scalable and distributed software systems. His current area of interests are containers, observability, and AI/ML. He has an educational background in Computer Engineering, and M.B.A from The University of Texas. He is based out of Houston and in his spare time, he loves to play with his two kids and follows tennis and cricket.
Arun Chandapillai
Arun Chandapillai is a Sr. Cloud Infrastructure Architect who is a diversity and inclusion champion. He is passionate about helping his customers accelerate IT modernization through business-first cloud adoption strategies and successfully build, deploy, and manage applications and infrastructure in the cloud. Arun is an automotive enthusiast, an avid speaker, and a philanthropist who believes in ‘you get (back) what you give’.