grafana / oncall

Developer-friendly incident response with brilliant Slack integration
GNU Affero General Public License v3.0

Feature for making Escalation chains/Integration/Schedules editable/read-only #1054

Closed PhantomPhreak closed 8 months ago

PhantomPhreak commented 1 year ago

OnCall inherits access permissions from Grafana, and we can override the global user's role and permission in the Org by teams, per-dashboard permissions and so on; it's flexible. Also, dashboards have a very handy feature to set them to Read-only: [image] This works as a safety latch, protecting the dashboard from unintentional changes.

We have plenty of users in the Org with OnCall installed with the Admin role. Their permissions can't be adjusted/overridden by the Team's permissions. Recently we had a situation where somebody changed the escalation chain, and this slipped by unnoticed. It would be nice to have a feature for setting read-only mode for the escalation chains, schedules and so on, just to have a safety latch, same as Grafana dashboards have.

Thanks!

greatvovan commented 1 year ago

I support the idea, but I think there is more to do here. OnCall should have roles that allow configuring escalation chains and integrations independently from working with alert groups. Currently the only way to allow the user to use OnCall is to give them the Grafana Editor role, which allows too much.

RBAC for OnCall was allegedly in progress (as of the end of last year), but the public has no visibility on the progress and the planned capabilities.

nixikanius commented 1 year ago

I also support the idea. My company has non-DevOps users whom we want to notify with Grafana OnCall, but we don't want to open OnCall's internal kitchen to them.

For example, now users even with a Viewer role can see integration settings, which should require an Admin role, I think. At the same time, users should have at least an Editor role to manage their notification settings and make a Telegram connection (the Editor role seems redundant for this).

joeyorlando commented 8 months ago

hi there 👋 I'm going to close this as RBAC for OnCall is now supported (note: you must be running Grafana >= 9.4 (release notes))