Documentation

Chronograf

Manage Chronograf users

On this page

Manage Chronograf users and roles

Note: Support for organizations and user roles is available in Chronograf 1.4 or later. First, OAuth 2.0 authentication must be configured (if it is, you’ll see the Chronograf Admin tab on the Admin menu). For more information, see Managing security.

Chronograf includes four organization-bound user roles and one cross-organization SuperAdmin permission. In an organization, admins (with the admin role) or users with SuperAdmin permission can create, update, and assign roles to a user or remove a role assignment.

Organization-bound users

Chronograf users are assigned one of the following organization-bound user roles, listed here in order of increasing capabilities:

Each of these roles, described in detail below, have different capabilities for the following Chronograf-owned or Chronograf-accessed resources.

InfluxDB and Kapacitor users within Chronograf

Chronograf uses InfluxDB and Kapacitor connections to manage user access control to InfluxDB and Kapacitor resources within Chronograf. The permissions of the InfluxDB and Kapacitor user specified within such a connection determine the capabilities for any Chronograf user with access (i.e., viewers, editors, and administrators) to that connection. Administrators include either an admin (admin role) or a user of any role with SuperAdmin permission.

Note: Chronograf users are entirely separate from InfluxDB and Kapacitor users. The Chronograf user and authentication system applies to the Chronograf user interface. InfluxDB and Kapacitor users and their permissions are managed separately. Chronograf connections determine which InfluxDB or Kapacitor users to use when when connecting to each service.

Chronograf-owned resources

Chronograf-owned resources include internal resources that are under the full control of Chronograf, including:

  • Kapacitor connections
  • InfluxDB connections
  • Dashboards
  • Canned layouts
  • Chronograf organizations
  • Chronograf users
  • Chronograf Status Page content for News Feeds and Getting Started

Chronograf-accessed resources

Chronograf-accessed resources include external resources that can be accessed using Chronograf, but are under limited control by Chronograf. Chronograf users with the roles of viewer, editor, and admin, or users with SuperAdmin permission, have equal access to these resources:

  • InfluxDB databases, users, queries, and time series data (if using InfluxDB Enterprise, InfluxDB roles can be accessed too)
  • Kapacitor alerts and alert rules (called tasks in Kapacitor)

Readers (role:reader)

Readers are Chronograf users who are only able to view dashboards in read-only mode. They are not able to alter or manipulate dashboard queries. Readers are not able to view tasks, alerts, admin pages, logs or any artifacts other than dashboards.

Members (role:member)

Members are Chronograf users who have been added to organizations but do not have any functional capabilities. Members cannot access any resources within an organization and thus effectively cannot use Chronograf. Instead, a member can only access Purgatory, where the user can switch into organizations based on assigned roles.

By default, new organizations have a default role of member. If the Default organization is Public, then anyone who can authenticate, would become a member, but not be able to use Chronograf until an administrator assigns a different role.

Viewers (role:viewer)

Viewers are Chronograf users with effectively read-only capabilities for Chronograf-owned resources within their current organization:

  • View canned dashboards
  • View canned layouts
  • View InfluxDB connections
  • Switch current InfluxDB connection to other available connections
  • Access InfluxDB resources through the current connection
  • View the name of the current Kapacitor connection associated with each InfluxDB connection
  • Access Kapacitor resources through the current connection
  • Switch into organizations where the user has a role

For Chronograf-accessed resources, viewers can:

  • InfluxDB
    • Read and write time series data
    • Create, view, edit, and delete databases and retention policies
    • Create, view, edit, and delete InfluxDB users
    • View and kill queries
    • InfluxDB Enterprise: Create, view, edit, and delete InfluxDB Enterprise roles
  • Kapacitor
    • View alerts
    • Create, edit, and delete alert rules

Editors (role:editor)

Editors are Chronograf users with limited capabilities for Chronograf-owned resources within their current organization:

  • Create, view, edit, and delete dashboards
  • View canned layouts
  • Create, view, edit, and delete InfluxDB connections
  • Switch current InfluxDB connection to other available connections
  • Access InfluxDB resources through the current connection
  • Create, view, edit, and delete Kapacitor connections associated with InfluxDB connections
  • Switch current Kapacitor connection to other available connections
  • Access Kapacitor resources through the current connection
  • Switch into organizations where the user has a role

For Chronograf-accessed resources, editors can:

  • InfluxDB
    • Read and write time series data
    • Create, view, edit, and delete databases and retention policies
    • Create, view, edit, and delete InfluxDB users
    • View and kill queries
    • InfluxDB Enterprise: Create, view, edit, and delete InfluxDB Enterprise roles
  • Kapacitor
    • View alerts
    • Create, edit, and delete alert rules

Admins (role:admin)

Admins are Chronograf users with all capabilities for the following Chronograf-owned resources within their current organization:

  • Create, view, update, and remove Chronograf users
  • Create, view, edit, and delete dashboards
  • View canned layouts
  • Create, view, edit, and delete InfluxDB connections
  • Switch current InfluxDB connection to other available connections
  • Access InfluxDB resources through the current connection
  • Create, view, edit, and delete Kapacitor connections associated with InfluxDB connections
  • Switch current Kapacitor connection to other available connections
  • Access Kapacitor resources through the current connection
  • Switch into organizations where the user has a role

For Chronograf-accessed resources, admins can:

  • InfluxDB
    • Read and write time series data
    • Create, view, edit, and delete databases and retention policies
    • Create, view, edit, and delete InfluxDB users
    • View and kill queries
    • InfluxDB Enterprise: Create, view, edit, and delete InfluxDB Enterprise roles
  • Kapacitor
    • View alerts
    • Create, edit, and delete alert rules

Cross-organization SuperAdmin permission

SuperAdmin permission is a Chronograf permission that allows any user, regardless of role, to perform all administrator functions both within organizations, as well as across organizations. A user with SuperAdmin permission has unlimited capabilities, including for the following Chronograf-owned resources:

  • Create, view, update, and remove organizations
  • Create, view, update, and remove users within an organization
  • Grant or revoke the SuperAdmin permission of another user
  • Switch into any organization
  • Toggle the Public setting of the Default organization
  • Toggle the global config setting for All new users are SuperAdmin

Important SuperAdmin behaviors:

  • SuperAdmin permission grants any user (whether member, viewer, editor, or admin) the full capabilities of admins and the SuperAdmin capabilities listed above.
  • When a Chronograf user with SuperAdmin permission creates a new organization or switches into an organization where that user has no role, that SuperAdmin user is automatically assigned the admin role by default.
  • SuperAdmin users cannot revoke their own SuperAdmin permission.
  • SuperAdmin users are the only ones who can change the SuperAdmin permission of other Chronograf users. Regular admins who do not have SuperAdmin permission can perform normal operations on SuperAdmin users (create that user within their organization, change roles, and remove them), but they will not see that these users have SuperAdmin permission, nor will any of their actions affect the SuperAdmin permission of these users.
  • If a user has their SuperAdmin permission revoked, that user will retain their assigned roles within their organizations.

All New Users are SuperAdmins configuration option

By default, the Config setting for “All new users are SuperAdmins” is On. Any user with SuperAdmin permission can toggle this under the Admin > Chronograf > Organizations tab. If this setting is On, any new user (who is created or who authenticates) will_ automatically have SuperAdmin permission. If this setting is Off, any new user (who is created or who authenticates) will not have SuperAdmin permission unless they are explicitly granted it later by another user with SuperAdmin permission.

Create users

Role required: admin

To create a user:

  1. Open Chronograf in your web browser and select Admin .
  2. Click the Users tab and then click Create User.
  3. Add the following user information:
    • Username: Enter the username as provided by the OAuth provider.
    • Role: Select the Chronograf role.
    • Provider: Enter the OAuth 2.0 provider to be used for authentication. Valid values are: github, google, auth0, heroku, or other names defined in the GENERIC_NAME environment variable.
    • Scheme: Displays oauth2, which is the only supported authentication scheme in this release.
  4. Click Save to finish creating the user.

Update users

Role required: admin

Only a user’s role can be updated. A user’s username, provider, and scheme cannot be updated. (Effectively, to “update” a user’s username, provider, or scheme, the user must be removed and added again with the desired values.)

To change a user’s role:

  1. Open Chronograf in your web browser and select Admin (crown icon) > Chronograf.
  2. Click the Users tab to display the list of users within the current organization.
  3. Select a new role for the user. The update is automatically persisted.

Remove users

Role required: admin

To remove a user:

  1. Open Chronograf in your web browser and select Admin .
  2. Click the Users tab to display the list of users.
  3. Hover your cursor over the user you want to remove and then click Remove and Confirm.

Chronograf is always used in the context of an organization. When a user logs in to Chronograf, that user will access only the resources owned by their current organization. The only exception to this is that users with SuperAdmin permission will also be able to manage organizations in the Chronograf Admin page.

Log in and log out

Log in from the Chronograf homepage using any configured OAuth 2.0 provider.

Log out by hovering over the User in the left navigation bar and clicking Log out.

Switch the current organization

A user’s current organization and role is highlighted in the Switch Organizations list, which can be found by hovering over the User in the left navigation bar. A user can log in from the Chronograf homepage using any configured OAuth 2.0 provider.

A user can log out by hovering over the User (person icon) in the left navigation bar and clicking Log out.

Switch the current organization

A user’s current organization and role is highlighted in the Switch Organizations list, which can be found by hovering over the User (person icon) in the left navigation bar.

When a user has a role in more than one organization, that user can switch into any other organization where they have a role by selecting the desired organization in the Switch Organizations list.

Purgatory

If at any time, a user is a member within their current organization and does not have SuperAdmin permission, that user will be redirected to a page called Purgatory. There, the user will see their current organization and role, as well as a message to contact an administrator for access.

On the same page, that user will see a list of all of their organizations and roles. The user can switch into any listed organization where their role is viewer, editor, or admin by clicking Log in next to the desired organization.

Note In the rare case that a user is granted SuperAdmin permission while in Purgatory, they will be able to switch into any listed organization, as expected.

Was this page helpful?

Thank you for your feedback!

© 2024 InfluxData, Inc.

Where are you running InfluxDB?

Select your InfluxDB Cloud region and cluster or your InfluxDB OSS URL and we’ll customize code examples for you. Identify your InfluxDB Cloud cluster.

  • InfluxDB Cloud
  • InfluxDB OSS or Enterprise
AWS

  • US West (Oregon)

GCP
Azure
Default
Custom

For more information, see InfluxDB Cloud regions or InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Flux is going into maintenance mode and will not be supported in InfluxDB 3.0. This was a decision based on the broad demand for SQL and the continued growth and adoption of InfluxQL. We are continuing to support Flux for users in 1.x and 2.x so you can continue using it with no changes to your code. If you are interested in transitioning to InfluxDB 3.0 and want to future-proof your code, we suggest using InfluxQL.

For information about the future of Flux, see the following: