{"resources":{"grafana":{"id":"grafana","name":"grafana","fields":{"apiKey":{"name":"apiKey","type":"\u001bgrafana.apiKey","title":"Legacy Grafana API key","desc":"Deprecated in favor of service accounts and tokens, which should be used for new integrations. Examine a single legacy API key: numeric ID and parent org ID, key name, granted role (Admin / Editor / Viewer), expiration timestamp (zero when none is set) plus `hasExpiration` and `isExpired` predicates, and the service-account ID this key was migrated to (zero when not migrated).","provider":"go.mondoo.com/mql/v13/providers/grafana","is_implicit_resource":true,"maturity":"deprecated"},"apiKeys":{"name":"apiKeys","type":"\u0019\u001bgrafana.apiKey","title":"Legacy API keys (distinct from service account tokens)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"contactPoint":{"name":"contactPoint","type":"\u001bgrafana.contactPoint","title":"Grafana alerting contact point","desc":"Examine a single alerting contact point: UID, name, type (email, slack, webhook, pagerduty, …), the `disableResolveMessage` flag, the (non-secret) settings dict, the URL configured on the contact point (when applicable), and derived posture predicates — `isHttps`, `tlsSkipVerify`, `hasHttpAuth` — used to flag contact points that route alerts over plaintext or with unverified TLS.","provider":"go.mondoo.com/mql/v13/providers/grafana","is_implicit_resource":true},"contactPoints":{"name":"contactPoints","type":"\u0019\u001bgrafana.contactPoint","title":"Alerting contact points","provider":"go.mondoo.com/mql/v13/providers/grafana"},"datasource":{"name":"datasource","type":"\u001bgrafana.datasource","title":"Grafana datasource","desc":"Examine a configured datasource: identity (numeric ID, UID, org ID, name, type — prometheus, loki, mysql, …), access mode and URL, the default-datasource and read-only flags, basic-auth status with the inline username, the database name and DB user, predicates for inline plaintext passwords (`hasPassword`, `hasBasicAuthPassword`) — both legacy / insecure indicators — the `withCredentials` cookie-forwarding flag, the names of secret fields stored encrypted, the non-secret JSON config dict, and the derived TLS posture (`isHttps`, `tlsSkipVerify`, `tlsClientAuth`, `oauthPassThru`).","provider":"go.mondoo.com/mql/v13/providers/grafana","is_implicit_resource":true},"datasources":{"name":"datasources","type":"\u0019\u001bgrafana.datasource","title":"Datasources configured in the organization","provider":"go.mondoo.com/mql/v13/providers/grafana"},"notificationPolicy":{"name":"notificationPolicy","type":"\u001bgrafana.notificationPolicy","title":"Notification policy tree","provider":"go.mondoo.com/mql/v13/providers/grafana"},"organization":{"name":"organization","type":"\u001bgrafana.organization","title":"Organization details","provider":"go.mondoo.com/mql/v13/providers/grafana"},"role":{"name":"role","type":"\u001bgrafana.role","title":"Grafana RBAC role (Enterprise / Cloud)","desc":"Examine a single RBAC role: UID, name (e.g., `fixed:datasources:writer`), display name, description, group, version number, the `global` (built-in) and `hidden` flags, the permissions map (action → scope list), and `created` / `updated` timestamps. Iterate `grafana.roles` to audit which roles grant which actions across the organization.","provider":"go.mondoo.com/mql/v13/providers/grafana","is_implicit_resource":true},"roles":{"name":"roles","type":"\u0019\u001bgrafana.role","title":"RBAC roles (Grafana Enterprise/Cloud)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"samlSettings":{"name":"samlSettings","type":"\u001bgrafana.samlSettings","title":"SAML SSO settings (convenience accessor for the saml provider)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"serviceAccount":{"name":"serviceAccount","type":"\u001bgrafana.serviceAccount","title":"Grafana service account","desc":"Examine a service account: numeric ID, parent org ID, name and login, the assigned role (Admin / Editor / Viewer), the `disabled` and `external` flags, and the typed list of tokens issued for this service account.","provider":"go.mondoo.com/mql/v13/providers/grafana","is_implicit_resource":true},"serviceAccountToken":{"name":"serviceAccountToken","type":"\u001bgrafana.serviceAccountToken","title":"Grafana service account token","desc":"Examine a single token issued for a Grafana service account: token ID, the parent service-account ID, the token name, creation timestamp, expiration timestamp (zero when none is configured), a `hasExpiration` predicate, the seconds remaining until expiration (negative when expired), and an `isExpired` flag — used for token hygiene audits and rotation policies.","provider":"go.mondoo.com/mql/v13/providers/grafana","is_implicit_resource":true},"serviceAccounts":{"name":"serviceAccounts","type":"\u0019\u001bgrafana.serviceAccount","title":"Service accounts","provider":"go.mondoo.com/mql/v13/providers/grafana"},"ssoSettings":{"name":"ssoSettings","type":"\u0019\u001bgrafana.ssoSettings","title":"SSO settings for all configured identity providers","provider":"go.mondoo.com/mql/v13/providers/grafana"},"user":{"name":"user","type":"\u001bgrafana.user","title":"Grafana organization user","desc":"Examine a single human user: identity (user ID, org ID, email, display name, login handle), the org-level role (Admin / Editor / Viewer), `lastSeenAt` and a human-readable age, the auth-module the user authenticates against (e.g., `oauth_google`, `ldap`, `saml`, empty for password), the auth labels Grafana attaches, and the convenience predicates `isExternal`, `isGrafanaAdmin`, `isDisabled`, and `mfaEnabled`. RBAC permissions granted to this user are surfaced as an action → scope list map.","provider":"go.mondoo.com/mql/v13/providers/grafana","is_implicit_resource":true},"users":{"name":"users","type":"\u0019\u001bgrafana.user","title":"Users in the organization","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana","desc":"Examine a Grafana instance via its HTTP API: organization details, human users with their roles and MFA / external-auth status, service accounts and their tokens, configured datasources, alerting contact points, the notification-policy routing tree, legacy API keys, RBAC roles, and SSO settings (with a focused view of SAML configuration). The surface auditors use to find weak datasource credentials, missing MFA, expired or broad-scope tokens, deprecated API keys, and permissive SSO configuration.","min_provider_version":"13.0.1","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.apiKey":{"id":"grafana.apiKey","name":"grafana.apiKey","fields":{"expiration":{"name":"expiration","type":"\t","is_mandatory":true,"title":"Timestamp when the key expires (zero if no expiration)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"hasExpiration":{"name":"hasExpiration","type":"\u0004","is_mandatory":true,"title":"Whether an expiration is set on the key","provider":"go.mondoo.com/mql/v13/providers/grafana"},"id":{"name":"id","type":"\u0005","is_mandatory":true,"title":"API key ID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isExpired":{"name":"isExpired","type":"\u0004","is_mandatory":true,"title":"Whether the key has expired","provider":"go.mondoo.com/mql/v13/providers/grafana"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Key name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"orgId":{"name":"orgId","type":"\u0005","is_mandatory":true,"title":"Organization ID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"role":{"name":"role","type":"\u0007","is_mandatory":true,"title":"Role granted by the key (Admin, Editor, Viewer)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"serviceAccountId":{"name":"serviceAccountId","type":"\u0005","is_mandatory":true,"title":"Service account ID this key was migrated to (zero if not migrated)","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Legacy Grafana API key","desc":"Deprecated in favor of service accounts and tokens, which should be used for new integrations. Examine a single legacy API key: numeric ID and parent org ID, key name, granted role (Admin / Editor / Viewer), expiration timestamp (zero when none is set) plus `hasExpiration` and `isExpired` predicates, and the service-account ID this key was migrated to (zero when not migrated).","min_provider_version":"13.0.5","defaults":"name role","provider":"go.mondoo.com/mql/v13/providers/grafana","maturity":"deprecated"},"grafana.contactPoint":{"id":"grafana.contactPoint","name":"grafana.contactPoint","fields":{"disableResolveMessage":{"name":"disableResolveMessage","type":"\u0004","is_mandatory":true,"title":"Whether resolve messages are disabled","provider":"go.mondoo.com/mql/v13/providers/grafana"},"hasHttpAuth":{"name":"hasHttpAuth","type":"\u0004","title":"Whether HTTP authentication (basic auth or bearer token) is configured","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isHttps":{"name":"isHttps","type":"\u0004","title":"Whether the configured webhook/URL uses HTTPS (true if no URL applies, e.g., email)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Contact point name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"settings":{"name":"settings","type":"\n","is_mandatory":true,"title":"Contact point settings (non-secret fields)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"tlsSkipVerify":{"name":"tlsSkipVerify","type":"\u0004","title":"Whether TLS verification is disabled in the contact point settings","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"type":{"name":"type","type":"\u0007","is_mandatory":true,"title":"Contact point type (e.g., email, slack, webhook, pagerduty)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"uid":{"name":"uid","type":"\u0007","is_mandatory":true,"title":"Contact point UID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"url":{"name":"url","type":"\u0007","title":"URL configured on the contact point (webhook/slack URL when applicable)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana alerting contact point","desc":"Examine a single alerting contact point: UID, name, type (email, slack, webhook, pagerduty, …), the `disableResolveMessage` flag, the (non-secret) settings dict, the URL configured on the contact point (when applicable), and derived posture predicates — `isHttps`, `tlsSkipVerify`, `hasHttpAuth` — used to flag contact points that route alerts over plaintext or with unverified TLS.","min_provider_version":"13.0.1","defaults":"uid name type","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.datasource":{"id":"grafana.datasource","name":"grafana.datasource","fields":{"access":{"name":"access","type":"\u0007","is_mandatory":true,"title":"Access mode (proxy or direct)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"basicAuth":{"name":"basicAuth","type":"\u0004","is_mandatory":true,"title":"Whether basic auth is enabled for this datasource","provider":"go.mondoo.com/mql/v13/providers/grafana"},"basicAuthUser":{"name":"basicAuthUser","type":"\u0007","is_mandatory":true,"title":"Basic auth username (no password is ever returned by the API)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"database":{"name":"database","type":"\u0007","is_mandatory":true,"title":"Database name (datasource-type specific)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"hasBasicAuthPassword":{"name":"hasBasicAuthPassword","type":"\u0004","is_mandatory":true,"title":"Whether the datasource has an inline plaintext basic auth password set (legacy, insecure)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"hasPassword":{"name":"hasPassword","type":"\u0004","is_mandatory":true,"title":"Whether the datasource has an inline plaintext password set (legacy, insecure)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"id":{"name":"id","type":"\u0005","is_mandatory":true,"title":"Datasource ID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isDefault":{"name":"isDefault","type":"\u0004","is_mandatory":true,"title":"Whether this is the default datasource","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isHttps":{"name":"isHttps","type":"\u0004","title":"Whether the datasource URL uses HTTPS","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"jsonData":{"name":"jsonData","type":"\n","is_mandatory":true,"title":"JSON data configuration (non-secret fields)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Datasource name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"oauthPassThru":{"name":"oauthPassThru","type":"\u0004","title":"Whether OAuth pass-through (oauthPassThru) is enabled","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"orgId":{"name":"orgId","type":"\u0005","is_mandatory":true,"title":"Organization ID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"readOnly":{"name":"readOnly","type":"\u0004","is_mandatory":true,"title":"Whether this datasource is read-only","provider":"go.mondoo.com/mql/v13/providers/grafana"},"secureJsonFields":{"name":"secureJsonFields","type":"\u0019\u0007","is_mandatory":true,"title":"Names of secret fields stored encrypted (e.g., basicAuthPassword, tlsClientCert)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"tlsClientAuth":{"name":"tlsClientAuth","type":"\u0004","title":"Whether mutual TLS (client cert) is configured","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"tlsSkipVerify":{"name":"tlsSkipVerify","type":"\u0004","title":"Whether TLS server-certificate verification is skipped (jsonData.tlsSkipVerify)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"type":{"name":"type","type":"\u0007","is_mandatory":true,"title":"Datasource type (e.g., prometheus, loki, mysql)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"uid":{"name":"uid","type":"\u0007","is_mandatory":true,"title":"Datasource UID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"url":{"name":"url","type":"\u0007","is_mandatory":true,"title":"Datasource URL","provider":"go.mondoo.com/mql/v13/providers/grafana"},"user":{"name":"user","type":"\u0007","is_mandatory":true,"title":"Username for non-basic-auth credential schemes (e.g., direct DB user)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"withCredentials":{"name":"withCredentials","type":"\u0004","is_mandatory":true,"title":"Whether browser cookies (session credentials) are forwarded with proxied requests","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana datasource","desc":"Examine a configured datasource: identity (numeric ID, UID, org ID, name, type — prometheus, loki, mysql, …), access mode and URL, the default-datasource and read-only flags, basic-auth status with the inline username, the database name and DB user, predicates for inline plaintext passwords (`hasPassword`, `hasBasicAuthPassword`) — both legacy / insecure indicators — the `withCredentials` cookie-forwarding flag, the names of secret fields stored encrypted, the non-secret JSON config dict, and the derived TLS posture (`isHttps`, `tlsSkipVerify`, `tlsClientAuth`, `oauthPassThru`).","min_provider_version":"13.0.1","defaults":"id name type","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.notificationPolicy":{"id":"grafana.notificationPolicy","name":"grafana.notificationPolicy","fields":{"groupBy":{"name":"groupBy","type":"\u0019\u0007","is_mandatory":true,"title":"Labels to group alerts by","provider":"go.mondoo.com/mql/v13/providers/grafana"},"receiver":{"name":"receiver","type":"\u0007","is_mandatory":true,"title":"Default receiver name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"routes":{"name":"routes","type":"\u0019\n","is_mandatory":true,"title":"Nested routing rules","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana notification policy tree","desc":"Examine the alerting notification-policy tree: the default receiver, the labels alerts are grouped by, and the nested routing rules dispatching alerts to specific contact points.","min_provider_version":"13.0.1","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.organization":{"id":"grafana.organization","name":"grafana.organization","fields":{"id":{"name":"id","type":"\u0005","is_mandatory":true,"title":"Organization ID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Organization name","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana organization","desc":"Examine the connected Grafana organization's identity: its numeric ID and display name. Grafana organizations scope users, datasources, and most other resources.","min_provider_version":"13.0.1","defaults":"id name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.role":{"id":"grafana.role","name":"grafana.role","fields":{"created":{"name":"created","type":"\t","is_mandatory":true,"title":"Timestamp when the role was created","provider":"go.mondoo.com/mql/v13/providers/grafana"},"description":{"name":"description","type":"\u0007","is_mandatory":true,"title":"Description of the role's purpose","provider":"go.mondoo.com/mql/v13/providers/grafana"},"displayName":{"name":"displayName","type":"\u0007","is_mandatory":true,"title":"Human-readable display name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"global":{"name":"global","type":"\u0004","is_mandatory":true,"title":"Whether the role is built-in to Grafana (cannot be modified)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"group":{"name":"group","type":"\u0007","is_mandatory":true,"title":"Group the role belongs to (e.g., \"Data sources\")","provider":"go.mondoo.com/mql/v13/providers/grafana"},"hidden":{"name":"hidden","type":"\u0004","is_mandatory":true,"title":"Whether the role is hidden from the UI by default","provider":"go.mondoo.com/mql/v13/providers/grafana"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Role name (e.g., fixed:datasources:writer)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"permissions":{"name":"permissions","type":"\u001a\u0007\u0019\u0007","is_mandatory":true,"title":"Permissions granted by this role (action -\u003e scope list)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"uid":{"name":"uid","type":"\u0007","is_mandatory":true,"title":"Role UID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"updated":{"name":"updated","type":"\t","is_mandatory":true,"title":"Timestamp when the role was last updated","provider":"go.mondoo.com/mql/v13/providers/grafana"},"version":{"name":"version","type":"\u0005","is_mandatory":true,"title":"Role version","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana RBAC role (Enterprise / Cloud)","desc":"Examine a single RBAC role: UID, name (e.g., `fixed:datasources:writer`), display name, description, group, version number, the `global` (built-in) and `hidden` flags, the permissions map (action → scope list), and `created` / `updated` timestamps. Iterate `grafana.roles` to audit which roles grant which actions across the organization.","min_provider_version":"13.0.5","defaults":"name displayName","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.samlSettings":{"id":"grafana.samlSettings","name":"grafana.samlSettings","fields":{"allowIdpInitiated":{"name":"allowIdpInitiated","type":"\u0004","is_mandatory":true,"title":"Whether IdP-initiated SSO is allowed","provider":"go.mondoo.com/mql/v13/providers/grafana"},"allowSignUp":{"name":"allowSignUp","type":"\u0004","is_mandatory":true,"title":"Whether new users are auto-registered on first login","provider":"go.mondoo.com/mql/v13/providers/grafana"},"allowedOrganizations":{"name":"allowedOrganizations","type":"\u0007","is_mandatory":true,"title":"Comma-separated list of allowed organizations","provider":"go.mondoo.com/mql/v13/providers/grafana"},"enabled":{"name":"enabled","type":"\u0004","is_mandatory":true,"title":"Whether SAML SSO is enabled","provider":"go.mondoo.com/mql/v13/providers/grafana"},"settings":{"name":"settings","type":"\n","is_mandatory":true,"title":"Raw provider settings (secrets redacted by Grafana)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"signRequests":{"name":"signRequests","type":"\u0004","is_mandatory":true,"title":"Whether the SP-initiated request is signed","provider":"go.mondoo.com/mql/v13/providers/grafana"},"signatureAlgorithm":{"name":"signatureAlgorithm","type":"\u0007","is_mandatory":true,"title":"SAML signature algorithm (e.g., rsa-sha256)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"singleLogoutEnabled":{"name":"singleLogoutEnabled","type":"\u0004","is_mandatory":true,"title":"Whether single-logout is enabled","provider":"go.mondoo.com/mql/v13/providers/grafana"},"skipOrgRoleSync":{"name":"skipOrgRoleSync","type":"\u0004","is_mandatory":true,"title":"Whether email-based skip-org-role-sync is enabled","provider":"go.mondoo.com/mql/v13/providers/grafana"},"source":{"name":"source","type":"\u0007","is_mandatory":true,"title":"Source of the configuration (system or database)","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana SAML SSO settings (Enterprise / Cloud)","desc":"Examine the security-relevant fields of the SAML SSO configuration (a focused view of the `saml` entry from `grafana.ssoSettings`): enabled flag, configuration source (`system` vs `database`), the signature algorithm (e.g., rsa-sha256), whether SP-initiated requests are signed, single-logout enabled flag, whether IdP-initiated SSO is allowed, the auto-signup flag, the allowed-organizations list, the `skipOrgRoleSync` flag, and the raw provider settings dict (with secrets redacted by Grafana).","min_provider_version":"13.0.5","defaults":"enabled","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.serviceAccount":{"id":"grafana.serviceAccount","name":"grafana.serviceAccount","fields":{"id":{"name":"id","type":"\u0005","is_mandatory":true,"title":"Service account ID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isDisabled":{"name":"isDisabled","type":"\u0004","is_mandatory":true,"title":"Whether the service account is disabled","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isExternal":{"name":"isExternal","type":"\u0004","is_mandatory":true,"title":"Whether the service account is externally managed","provider":"go.mondoo.com/mql/v13/providers/grafana"},"login":{"name":"login","type":"\u0007","is_mandatory":true,"title":"Service account login","provider":"go.mondoo.com/mql/v13/providers/grafana"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Service account name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"orgId":{"name":"orgId","type":"\u0005","is_mandatory":true,"title":"Organization ID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"role":{"name":"role","type":"\u0007","is_mandatory":true,"title":"Service account role (Admin, Editor, Viewer)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"tokens":{"name":"tokens","type":"\u0019\u001bgrafana.serviceAccountToken","title":"Tokens associated with this service account","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana service account","desc":"Examine a service account: numeric ID, parent org ID, name and login, the assigned role (Admin / Editor / Viewer), the `disabled` and `external` flags, and the typed list of tokens issued for this service account.","min_provider_version":"13.0.1","defaults":"id name role","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.serviceAccountToken":{"id":"grafana.serviceAccountToken","name":"grafana.serviceAccountToken","fields":{"created":{"name":"created","type":"\t","is_mandatory":true,"title":"Timestamp when the token was created","provider":"go.mondoo.com/mql/v13/providers/grafana"},"expiration":{"name":"expiration","type":"\t","is_mandatory":true,"title":"Timestamp when the token expires (zero if no expiration)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"hasExpiration":{"name":"hasExpiration","type":"\u0004","is_mandatory":true,"title":"Whether the token has an expiration date set","provider":"go.mondoo.com/mql/v13/providers/grafana"},"id":{"name":"id","type":"\u0005","is_mandatory":true,"title":"Token ID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isExpired":{"name":"isExpired","type":"\u0004","is_mandatory":true,"title":"Whether the token is expired","provider":"go.mondoo.com/mql/v13/providers/grafana"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Token name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"secondsUntilExpiration":{"name":"secondsUntilExpiration","type":"\u0006","is_mandatory":true,"title":"Seconds until expiration (negative if expired, 0 if no expiration)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"serviceAccountId":{"name":"serviceAccountId","type":"\u0005","is_mandatory":true,"title":"Service account ID this token belongs to","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana service account token","desc":"Examine a single token issued for a Grafana service account: token ID, the parent service-account ID, the token name, creation timestamp, expiration timestamp (zero when none is configured), a `hasExpiration` predicate, the seconds remaining until expiration (negative when expired), and an `isExpired` flag — used for token hygiene audits and rotation policies.","min_provider_version":"13.0.1","defaults":"id name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.ssoSettings":{"id":"grafana.ssoSettings","name":"grafana.ssoSettings","fields":{"allowSignUp":{"name":"allowSignUp","type":"\u0004","is_mandatory":true,"title":"Whether new users are auto-registered on first login","provider":"go.mondoo.com/mql/v13/providers/grafana"},"enabled":{"name":"enabled","type":"\u0004","is_mandatory":true,"title":"Whether SSO for this provider is enabled","provider":"go.mondoo.com/mql/v13/providers/grafana"},"hasDomainRestriction":{"name":"hasDomainRestriction","type":"\u0004","is_mandatory":true,"title":"Whether sign-in is restricted to the configured allowed_domains/orgs","provider":"go.mondoo.com/mql/v13/providers/grafana"},"provider":{"name":"provider","type":"\u0007","is_mandatory":true,"title":"Provider name (e.g., saml, github, google, generic_oauth, azuread, gitlab, okta)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"settings":{"name":"settings","type":"\n","is_mandatory":true,"title":"Provider settings (non-secret fields; secrets are redacted by Grafana)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"source":{"name":"source","type":"\u0007","is_mandatory":true,"title":"Source of the configuration (system or database)","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana SSO settings for a single identity provider","desc":"Examine the SSO configuration for one identity provider (saml, github, google, generic_oauth, azuread, gitlab, okta, …): the provider name, configuration source (`system` vs `database`), enabled flag, the (non-secret) settings dict (Grafana redacts secrets), the `allowSignUp` flag, and a `hasDomainRestriction` predicate indicating whether the provider restricts sign-in to a configured allowed-domains / orgs list.","min_provider_version":"13.0.5","defaults":"provider source","provider":"go.mondoo.com/mql/v13/providers/grafana"},"grafana.user":{"id":"grafana.user","name":"grafana.user","fields":{"authLabels":{"name":"authLabels","type":"\u0019\u0007","title":"Auth labels populated by Grafana (e.g., [\"OAuth\"], [\"LDAP\"])","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"authModule":{"name":"authModule","type":"\u0007","title":"Auth provider module name (e.g., oauth_google, ldap, saml, \"\" for password)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"email":{"name":"email","type":"\u0007","is_mandatory":true,"title":"User email address","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isDisabled":{"name":"isDisabled","type":"\u0004","title":"Whether the user account is disabled","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isExternal":{"name":"isExternal","type":"\u0004","title":"Whether the user authenticates via an external identity provider","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"isGrafanaAdmin":{"name":"isGrafanaAdmin","type":"\u0004","title":"Whether the user is a Grafana server-level admin","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"lastSeenAt":{"name":"lastSeenAt","type":"\t","is_mandatory":true,"title":"Timestamp when the user was last seen","provider":"go.mondoo.com/mql/v13/providers/grafana"},"lastSeenAtAge":{"name":"lastSeenAtAge","type":"\u0007","is_mandatory":true,"title":"Human-readable last seen age","provider":"go.mondoo.com/mql/v13/providers/grafana"},"login":{"name":"login","type":"\u0007","is_mandatory":true,"title":"User login handle","provider":"go.mondoo.com/mql/v13/providers/grafana"},"mfaEnabled":{"name":"mfaEnabled","type":"\u0004","title":"Whether multi-factor authentication is enabled for this user","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"User display name","provider":"go.mondoo.com/mql/v13/providers/grafana"},"orgId":{"name":"orgId","type":"\u0005","is_mandatory":true,"title":"Organization ID","provider":"go.mondoo.com/mql/v13/providers/grafana"},"permissions":{"name":"permissions","type":"\u001a\u0007\u0019\u0007","title":"RBAC permissions granted to this user (action -\u003e scope list)","min_provider_version":"13.0.5","provider":"go.mondoo.com/mql/v13/providers/grafana"},"role":{"name":"role","type":"\u0007","is_mandatory":true,"title":"User role in the organization (Admin, Editor, Viewer)","provider":"go.mondoo.com/mql/v13/providers/grafana"},"userId":{"name":"userId","type":"\u0005","is_mandatory":true,"title":"User ID","provider":"go.mondoo.com/mql/v13/providers/grafana"}},"title":"Grafana organization user","desc":"Examine a single human user: identity (user ID, org ID, email, display name, login handle), the org-level role (Admin / Editor / Viewer), `lastSeenAt` and a human-readable age, the auth-module the user authenticates against (e.g., `oauth_google`, `ldap`, `saml`, empty for password), the auth labels Grafana attaches, and the convenience predicates `isExternal`, `isGrafanaAdmin`, `isDisabled`, and `mfaEnabled`. RBAC permissions granted to this user are surfaced as an action → scope list map.","min_provider_version":"13.0.1","defaults":"login role","provider":"go.mondoo.com/mql/v13/providers/grafana"}}}