Merge pull request #286491 from maud-lv/ml-grafanalimited

Add Grafana Limited Viewer role

Author: Jill Grant

articles/managed-grafana/concept-role-based-access-control.md

@@ -25,11 +25,14 @@ The following built-in roles are available in Azure Managed Grafana, each provid
 > | --- | --- | --- |
 > | <a name='grafana-admin'></a>[Grafana Admin](../role-based-access-control/built-in-roles/monitor.md#grafana-admin) | Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana. | 22926164-76b3-42b3-bc55-97df8dab3e41 |
 > | <a name='grafana-editor'></a>[Grafana Editor](../role-based-access-control/built-in-roles/monitor.md#grafana-editor) | View and edit a Grafana instance, including its dashboards and alerts. | a79a5197-3a5c-4973-a920-486035ffd60f |
+> | <a name='grafana-limited-viewer'></a>[Grafana Limited Viewer](../role-based-access-control/built-in-roles/monitor.md#grafana-limited-viewer) | View a Grafana home page. This role contains no permissions assigned by default and it is not available for Grafana v9 workspaces. | 41e04612-9dac-4699-a02b-c82ff2cc3fb5 |
 > | <a name='grafana-viewer'></a>[Grafana Viewer](../role-based-access-control/built-in-roles/monitor.md#grafana-viewer) | View a Grafana instance, including its dashboards and alerts. | 60921a7e-fef1-4a43-9b16-a26c52ad4769 |
 
 To access the Grafana user interface, users must possess one of these roles. 
 
-These permissions are included within the broader roles of resource group Contributor and resource group Owner roles. If you're not a resource group Contributor or resource group Owner, a User Access Administrator, you will need to ask a subscription Owner or resource group Owner to grant you one of the Grafana roles on the resource you want to access.
+These permissions are included within the broader roles of resource group Contributor and resource group Owner roles. If you're not a resource group Contributor or a resource group Owner, you will need to ask a subscription Owner or resource group Owner to grant you one of the Grafana roles on the resource you want to access.
+
+You can find more information about the Grafana roles from the [Grafana documentation](https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/#organization-roles). The Grafana Limited Viewer role in Azure maps to the "No Basic Role" in the Grafana docs.
 
 ## Adding a role assignment to an Azure Managed Grafana resource
 

articles/managed-grafana/how-to-share-grafana-workspace.md

@@ -24,18 +24,19 @@ Azure Managed Grafana enables such collaboration by allowing you to set custom p
 
 ## Supported Grafana roles
 
-Azure Managed Grafana supports the Grafana Admin, Grafana Editor, and Grafana Viewer roles:
+Azure Managed Grafana supports the following Grafana roles:
 
-- The Grafana Admin role provides full control of the instance including managing role assignments, viewing, editing, and configuring data sources.
-- The Grafana Editor role provides read-write access to the dashboards in the instance.
-- The Grafana Viewer role provides read-only access to dashboards in the instance.
+- Grafana Admin: provides full control of the instance including managing role assignments, viewing, editing, and configuring data sources.
+- Grafana Editor: provides read-write access to the dashboards in the instance.
+- Grafana Limited Viewer: provides read-only access to the Grafana home page. This role contains no permissions assigned by default and it is not available for Grafana v9 workspaces.
+- Grafana Viewer: provides read-only access to dashboards in the instance.
 
-More details on Grafana roles can be found in the [Grafana documentation](https://grafana.com/docs/grafana/latest/permissions/organization_roles/#compare-roles).
-
-Grafana user roles and assignments are fully [integrated within Microsoft Entra ID](../role-based-access-control/built-in-roles.md#grafana-admin). You can assign a Grafana role to any Microsoft Entra user, group, service principal or managed identity, and grant them access permissions associated with that role. You can manage these permissions from the Azure portal or the command line. This section explains how to assign Grafana roles to users in the Azure portal.
+Go to [Azure role-based access control within Azure Managed Grafana](./concept-role-based-access-control.md) for more information about these roles in Azure, and to [Organization roles](https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/#organization-roles) to learn about Grafana roles from the Grafana website. The Grafana Limited Viewer role in Azure maps to the "No Basic Role" in the Grafana documentation.
 
 ## Add a Grafana role assignment
 
+Grafana user roles and assignments are fully [integrated within Microsoft Entra ID](../role-based-access-control/built-in-roles.md#grafana-admin). You can assign a Grafana role to any Microsoft Entra user, group, service principal or managed identity, and grant them access permissions associated with that role. You can manage these permissions from the Azure portal or the command line. This section explains how to assign Grafana roles to users in the Azure portal.
+
 ### [Portal](#tab/azure-portal)
 
 1. Open your Azure Managed Grafana instance.
@@ -44,7 +45,7 @@ Grafana user roles and assignments are fully [integrated within Microsoft Entra
 
       :::image type="content" source="media/share/iam-page.png" alt-text="Screenshot of Add role assignment in the Azure platform.":::
 
-1. Select a Grafana role to assign among **Grafana Admin**, **Grafana Editor** or **Grafana Viewer**, then select **Next**.
+1. Select a Grafana role to assign among **Grafana Admin**, **Grafana Editor**, **Grafana Limited Viewer** or **Grafana Viewer**, then select **Next**.
 
     :::image type="content" source="media/share/role-assignment.png" alt-text="Screenshot of the Grafana roles in the Azure platform.":::
 
@@ -69,6 +70,7 @@ In the code below, replace the following placeholders:
 - `<roleNameOrId>`:
   - For Grafana Admin, enter `Grafana Admin` or `22926164-76b3-42b3-bc55-97df8dab3e41`.
    - For Grafana Editor, enter `Grafana Editor` or `a79a5197-3a5c-4973-a920-486035ffd60f`.
+   - For Grafana Limited Viewer, enter `Grafana Limited Viewer` or `41e04612-9dac-4699-a02b-c82ff2cc3fb5`.
    - For Grafana Viewer, enter `Grafana Viewer` or `60921a7e-fef1-4a43-9b16-a26c52ad4769`.
 - `<scope>`: enter the full ID of the Azure Managed Grafana instance.
 

articles/managed-grafana/media/share/role-assignment.png

@@ -395,6 +395,7 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='application-insights-snapshot-debugger'></a>[Application Insights Snapshot Debugger](./built-in-roles/monitor.md#application-insights-snapshot-debugger) | Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the [Owner](/azure/role-based-access-control/built-in-roles#owner) or [Contributor](/azure/role-based-access-control/built-in-roles#contributor) roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. | 08954f03-6346-4c2e-81c0-ec3a5cfae23b |
 > | <a name='grafana-admin'></a>[Grafana Admin](./built-in-roles/monitor.md#grafana-admin) | Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana. | 22926164-76b3-42b3-bc55-97df8dab3e41 |
 > | <a name='grafana-editor'></a>[Grafana Editor](./built-in-roles/monitor.md#grafana-editor) | View and edit a Grafana instance, including its dashboards and alerts. | a79a5197-3a5c-4973-a920-486035ffd60f |
+> | <a name='grafana-limited-viewer'></a>[Grafana Limited Viewer](./built-in-roles/monitor.md#grafana-limited-viewer) | View home page. | 41e04612-9dac-4699-a02b-c82ff2cc3fb5 |
 > | <a name='grafana-viewer'></a>[Grafana Viewer](./built-in-roles/monitor.md#grafana-viewer) | View a Grafana instance, including its dashboards and alerts. | 60921a7e-fef1-4a43-9b16-a26c52ad4769 |
 > | <a name='monitoring-contributor'></a>[Monitoring Contributor](./built-in-roles/monitor.md#monitoring-contributor) | Can read all monitoring data and edit monitoring settings. See also [Get started with roles, permissions, and security with Azure Monitor](/azure/azure-monitor/roles-permissions-security#built-in-monitoring-roles). | 749f88d5-cbae-40b8-bcfc-e573ddc772fa |
 > | <a name='monitoring-metrics-publisher'></a>[Monitoring Metrics Publisher](./built-in-roles/monitor.md#monitoring-metrics-publisher) | Enables publishing metrics against Azure resources | 3913510d-42f4-4e42-8a64-420c390055eb |

articles/role-based-access-control/built-in-roles.md

@@ -136,7 +136,7 @@ Gives user permission to view and download debug snapshots collected with the Ap
 
 Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana.
 
-[Learn more](/azure/managed-grafana/how-to-share-grafana-workspace)
+[Learn more](/azure/managed-grafana/concept-role-based-access-control)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
@@ -177,7 +177,7 @@ Perform all Grafana operations, including the ability to manage data sources, cr
 
 View and edit a Grafana instance, including its dashboards and alerts.
 
-[Learn more](/azure/managed-grafana/how-to-share-grafana-workspace)
+[Learn more](/azure/managed-grafana/concept-role-based-access-control)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
@@ -214,11 +214,51 @@ View and edit a Grafana instance, including its dashboards and alerts.
 }
 ```
 
+## Grafana Limited Viewer
+
+View a Grafana home page.
+
+[Learn more](/azure/managed-grafana/concept-role-based-access-control)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | *none* |  |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | [Microsoft.Dashboard](../permissions/monitor.md#microsoftdashboard)/grafana/ActAsGrafanaLimitedViewer/action | Act as Grafana Limited Viewer role |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+    "id": "/providers/Microsoft.Authorization/roleDefinitions/41e04612-9dac-4699-a02b-c82ff2cc3fb5",
+    "properties": {
+        "roleName": "Grafana Limited Viewer",
+        "description": "View home page.",
+        "assignableScopes": [
+            "/"
+        ],
+        "permissions": [
+            {
+                "actions": [],
+                "notActions": [],
+                "dataActions": [
+                    "Microsoft.Dashboard/grafana/ActAsGrafanaLimitedViewer/action"
+                ],
+                "notDataActions": []
+            }
+        ]
+    }
+}
+```
+
 ## Grafana Viewer
 
 View a Grafana instance, including its dashboards and alerts.
 
-[Learn more](/azure/managed-grafana/how-to-share-grafana-workspace)
+[Learn more](/azure/managed-grafana/concept-role-based-access-control)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |

articles/role-based-access-control/built-in-roles/monitor.md

@@ -89,6 +89,7 @@ Azure service: [Azure Managed Grafana](/azure/managed-grafana/)
 > | **DataAction** | **Description** |
 > | Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action | Act as Grafana Admin role |
 > | Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action | Act as Grafana Editor role |
+> | Microsoft.Dashboard/grafana/ActAsGrafanaLimitedViewer/action | Act as Grafana Limited Viewer role |
 > | Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action | Act as Grafana Viewer role |
 
 ## Microsoft.Insights