Grafana is usually reachable from most of the internal network and holds credentials for many observability data sources, so a compromised instance exposes far more than dashboards.
¶ Access Control and Auth
- Enforce SSO/MFA and disable anonymous access unless explicitly needed.
- Apply role-based access to folders, dashboards, and data sources.
- Restrict admin APIs and user provisioning endpoints.
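As an added example, not part of this page or of Grafana's own tooling, a small Python audit that checks a grafana.ini (plus the GF_<SECTION>_<KEY> environment overrides Grafana honours) against the access-control items above; the sample config, the expected values and the finding text are constructed for the example, while the setting names are real grafana.ini keys.

```python
import configparser
from typing import Dict, List, Optional

# Constructed sample grafana.ini for this example (not from a real deployment).
SAMPLE_INI = """
app_mode = production

[auth.anonymous]
enabled = true

[users]
allow_sign_up = true

[auth.generic_oauth]
enabled = false

[security]
cookie_secure = false
"""

# Baseline for this example as (section, key, expected, finding). The keys are
# real grafana.ini settings; the expected values are this example's policy.
CHECKS = [
    ("auth.anonymous", "enabled", "false", "anonymous access is enabled"),
    ("users", "allow_sign_up", "false", "self-service sign-up is enabled"),
    ("auth.generic_oauth", "enabled", "true", "SSO (generic OAuth) is not enabled"),
    ("security", "cookie_secure", "true", "session cookie is not marked Secure"),
]


def env_override_name(section: str, key: str) -> str:
    """Grafana lets GF_<SECTION>_<KEY> env vars override ini values; dots in
    section names become underscores (e.g. GF_AUTH_ANONYMOUS_ENABLED)."""
    return "GF_" + section.upper().replace(".", "_") + "_" + key.upper()


def audit_grafana_ini(text: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings where the effective config (ini plus env) violates CHECKS."""
    env = env or {}
    cp = configparser.ConfigParser(interpolation=None)
    # grafana.ini allows keys before the first section header; give them one.
    cp.read_string("[global]\n" + text)
    findings = []
    for section, key, expected, message in CHECKS:
        actual = env.get(env_override_name(section, key), cp.get(section, key, fallback=None))
        if actual is None:
            # Unset everywhere: Grafana's own default applies, so flag it for review.
            findings.append(f"[{section}] {key} is unset; confirm the default is acceptable")
        elif actual.strip().lower() != expected:
            findings.append(f"[{section}] {key} = {actual.strip()}: {message}")
    return findings
```

Run it against the real file with `audit_grafana_ini(open(path).read(), dict(os.environ))`; an environment override that re-enables anonymous access will be caught even when the ini file looks clean.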
¶ Datasource and Secret Security
- Store datasource credentials in encrypted secret storage.
- Limit datasource permissions to read-only where possible.
- Restrict outbound plugin/datasource access by egress policy.