From 6dc458b1684b3057d65843082de4acb1207ee5cd Mon Sep 17 00:00:00 2001
From: Quang Khai Nguyen
Date: Sat, 18 Apr 2026 23:07:04 +0200
Subject: [PATCH] Issue: https://gitea.quangkhai.ch/quangkhai/deployments/issues/4 - give OAuth users default Editor role
---
 prometheus/grafana/config.monitoring | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/prometheus/grafana/config.monitoring b/prometheus/grafana/config.monitoring
index a87a6f9..1063908 100644
--- a/prometheus/grafana/config.monitoring
+++ b/prometheus/grafana/config.monitoring
@@ -22,4 +22,16 @@ GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
 GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email
 # 4. Map the Name (optional, but good for profile)
-GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name
\ No newline at end of file
+GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name
+
+# Example mapping:
+# If 'groups' contains 'admin', make them 'Admin'.
+# If 'groups' contains 'editor', make them 'Editor'.
+# Otherwise, default to 'Viewer'.
+#GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
+# Sets the default role for ALL OAuth users
+GF_AUTH_GENERIC_OAUTH_AUTO_ASSIGN_ORG_ROLE=Editor
+GF_USERS_AUTO_ASSIGN_ORG_ROLE=Editor
+# Tell Grafana NOT to try and sync roles from the OIDC claims
+GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC=true
+GF_LOG_LEVEL=debug
\ No newline at end of file
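Review bot: `GF_USERS_AUTO_ASSIGN_ORG_ROLE=Editor` combined with `GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC=true` hands write access to every account the identity provider lets through, and the `[users]` setting applies to accounts created through any sign-up path, not only OAuth. Unless sign-up is already restricted by group or domain above line 22 (not visible in this hunk), least privilege would be `GF_USERS_AUTO_ASSIGN_ORG_ROLE=Viewer` with the commented `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` mapping enabled and role sync left on; its comment says 'admin' while the expression tests 'admins', which should be reconciled first. `GF_AUTH_GENERIC_OAUTH_AUTO_ASSIGN_ORG_ROLE` does not appear to be a documented `[auth.generic_oauth]` option and is probably ignored, so it should be verified against the Grafana version in use or dropped. `GF_LOG_LEVEL=debug` looks like a troubleshooting leftover: debug logging of the OAuth flow can write user claims and token details to the logs, so it should return to `info` before this config is deployed.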