The Grafana Cloud identity blueprint: balancing security and scale
Blog post from Grafana Labs
Implementing a robust identity management system in Grafana Cloud is essential for balancing security and scalability as engineering organizations grow. Many teams initially start with Grafana's default access model, which offers simplicity and rapid productivity but assumes universal account-wide access, and that assumption creates governance and security challenges over time.

To address these, the recommended approach is a layered identity model that uses SCIM (System for Cross-domain Identity Management) for automated user and team provisioning. This model separates administrative control in the Grafana Cloud portal from the engineering workspace within Grafana stacks, allowing tighter governance at the account level while keeping the engineers' day-to-day experience smooth and automated.

SCIM integration with identity providers such as Okta or Entra ID makes access management and deprovisioning efficient: it reduces exposure from stale accounts and offboarding gaps, and it ensures new engineers have immediate access to the resources they need. This approach mitigates the risks of manual access models, which become operational and security liabilities as organizations scale.
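As an added illustration (not code from the Grafana Labs post and not the Grafana or SCIM API), the following Python models the reconciliation a SCIM-driven sync performs: the identity provider's users and groups are the source of truth, and the planner works out which stack users to create, deactivate or reactivate and which team memberships to add or remove, so a user the IdP no longer knows about (the offboarding gap) is caught. The sample state, the function names and the deactivate-rather-than-delete behaviour are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of SCIM-style reconciliation. The IdP (e.g. Okta or
# Entra ID) is the source of truth for users and groups; the Grafana stack
# holds users and teams. Deprovisioning is modelled as deactivation (SCIM
# "active": false) rather than deletion. This is not the Grafana API.

@dataclass
class Plan:
    create: list = field(default_factory=list)
    deactivate: list = field(default_factory=list)
    reactivate: list = field(default_factory=list)
    team_add: list = field(default_factory=list)     # (login, team)
    team_remove: list = field(default_factory=list)  # (login, team)

def reconcile(idp_users, idp_groups, stack_users, stack_teams):
    """idp_users / stack_users: {login: active}
    idp_groups / stack_teams: {team: {logins}}"""
    plan = Plan()
    for login, active in idp_users.items():
        if login not in stack_users:
            if active:
                plan.create.append(login)
        elif active and not stack_users[login]:
            plan.reactivate.append(login)
        elif not active and stack_users[login]:
            plan.deactivate.append(login)
    # Anyone active in the stack but unknown to the IdP is a stale account:
    # exactly the offboarding gap automated provisioning is meant to close.
    for login, active in stack_users.items():
        if login not in idp_users and active:
            plan.deactivate.append(login)
    # Team membership follows IdP groups; inactive users never keep a seat.
    for team in sorted(set(idp_groups) | set(stack_teams)):
        want = {u for u in idp_groups.get(team, set()) if idp_users.get(u)}
        have = stack_teams.get(team, set())
        plan.team_add += [(u, team) for u in sorted(want - have)]
        plan.team_remove += [(u, team) for u in sorted(have - want)]
    return plan

# Constructed sample state: bob is new, carol was disabled in the IdP,
# dave left but still has an active stack account.
IDP_USERS = {"alice": True, "bob": True, "carol": False}
IDP_GROUPS = {"sre": {"alice", "bob"}, "payments": {"carol"}}
STACK_USERS = {"alice": True, "carol": True, "dave": True}
STACK_TEAMS = {"sre": {"alice"}, "payments": {"carol", "dave"}}

if __name__ == "__main__":
    print(reconcile(IDP_USERS, IDP_GROUPS, STACK_USERS, STACK_TEAMS))
```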