[2.x] Enable UI Login for Read-only Users (View-only role) without Admin Capabilities #27125

@sanjeev-iafsm

Use case

We are using InfluxDB OSS v2.8.0 and want to provide InfluxDB UI access to a user who should only be able to:

  • View dashboards
  • Use Data Explorer for queries (read-only)
  • View data from specific buckets

But the user should NOT be able to perform any admin activities like:

  • Creating or managing tokens
  • Switching organizations
  • Creating/modifying buckets
  • Changing organization settings
  • Creating tasks/alerts (optional restriction)

Currently, we can create a user and add them as an org member, and we can create a read-only token for them.
However, we cannot set a password / enable proper UI login for such read-only users in a clean way, and the UI still exposes admin sections, which leads to confusion.


Why is this important (helps with prioritizing requests)?

Many organizations want to provide read-only access to non-admin stakeholders (operators, clients, analysts, auditors) directly via the InfluxDB UI.

Right now, the common workaround is:

  • Sharing admin login (not secure), or
  • Using Grafana (extra dependency), or
  • Building custom dashboards

A built-in “UI Read-only User” role would significantly improve security and usability.


Proposal

Add a built-in user role such as:

UI Viewer / Read-only UI User

with the following properties:

  • Can log in to the UI using username/password (or other auth method)
  • Can access Data Explorer + Dashboards
  • Can query only the buckets they have read permission for
  • Cannot access settings pages that allow:
    • Token creation
    • Org management
    • Bucket creation/deletion
    • Secret management
    • User management

Optionally allow granular UI permissions like:

  • Allow dashboards only
  • Allow Data Explorer only
  • Allow notebooks/tasks/alerts or not

Current behaviour

  • We can create users via API/CLI and add them to the org.
  • We can generate read-only tokens for specific buckets.
  • But there is no straightforward way to provide a clean UI login + view-only access experience.
  • UI navigation still shows admin sections even if actions fail due to lack of permissions.

Desired behaviour

  • A read-only user should be able to log in to the InfluxDB UI and only see “read-only” relevant pages.
  • Admin and configuration pages should be hidden/blocked.
  • No ability to create tokens, switch orgs, or perform any write activity.

Alternatives considered

  • Grafana dashboards (works, but adds extra dependency and maintenance)
  • Sharing admin login (not secure)
  • Reverse proxy route blocking (hacky and not ideal)
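
An added example, not part of the original issue and not InfluxDB's own code: until a viewer role exists, the read-only tokens described under "Current behaviour" can be audited against the restrictions listed in the proposal. The sketch checks the `permissions` list of a v2 authorization object; the `audit_view_only` name, the policy of flagging any access to admin resource types, and the sample ids are assumptions.

```python
"""Audit InfluxDB v2 authorization permissions against a view-only policy."""

# Resource types behind the admin pages listed in the proposal
# (tokens, orgs, secrets, users). Flagging even read access to them is a
# policy choice made for this example.
ADMIN_TYPES = {"authorizations", "orgs", "secrets", "users"}


def audit_view_only(auth, allowed_bucket_ids):
    """Return findings for one authorization; an empty list means it passes."""
    findings = []
    for perm in auth.get("permissions", []):
        action = perm.get("action")
        resource = perm.get("resource", {})
        rtype, rid = resource.get("type"), resource.get("id")
        if action != "read":
            findings.append(f"{action} on {rtype}: not read-only")
        if rtype in ADMIN_TYPES:
            findings.append(f"{action} on {rtype}: admin resource")
        if rtype == "buckets" and action == "read":
            if rid is None:
                # A bucket permission without an id is not limited to one bucket.
                findings.append("read on buckets: not scoped to a bucket id")
            elif rid not in allowed_bucket_ids:
                findings.append(f"read on bucket {rid}: not in allowed set")
    return findings


# Constructed sample data; the ids are made up.
ALLOWED = {"aaaaaaaaaaaaaaaa"}
GOOD = {"permissions": [
    {"action": "read", "resource": {"type": "buckets", "id": "aaaaaaaaaaaaaaaa"}},
    {"action": "read", "resource": {"type": "dashboards"}},
]}
BAD = {"permissions": [
    {"action": "read", "resource": {"type": "buckets"}},
    {"action": "write", "resource": {"type": "buckets", "id": "aaaaaaaaaaaaaaaa"}},
    {"action": "read", "resource": {"type": "buckets", "id": "bbbbbbbbbbbbbbbb"}},
    {"action": "write", "resource": {"type": "authorizations"}},
]}

if __name__ == "__main__":
    for name, auth in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_view_only(auth, ALLOWED) or "view-only")
```
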

Labels: area/2.x (OSS 2.0 related issues and PRs), area/ui