Stay organized with collections
Save and categorize content based on your preferences.
This document describes how you can give different teams access to different
sets of projects. You can establish this kind of multi-tenant monitoring by
using metrics scopes in combination with
multiple instances of Grafana and multiple data source syncers.
You need to set up only one Grafana instance and one data source syncer
for each metrics scope, regardless of how many projects are
in the metrics scope or how many Google Cloud regions you use:
Queries to Monarch automatically expand to all projects within a
metrics scope, unless a project_id filter is included.
Queries execute across all regions unless a location filter is
included.
You don't need to change anything on the ingestion side to achieve
multi-tenant monitoring.
The following diagram illustrates a configuration for multi-tenant monitoring:
To set up and use a configuration like the one in the diagram, set up
your metrics scopes, Grafana instances, and data source syncers
as follows:
You want Dev team A to be able to read from and access Projects 1 and 2. To
set up this access, you do the following:
Put Project 1 and Project 2 into the metrics scope of
scoping_project_A.
Put a data source syncer in Project 1, and configure it
to use scoping_project_A. Give the syncer's service account
Monitoring Viewer permissions for scoping_project_A.
When a user issues queries from the Grafana instance associated with this
data source syncer, Monarch expands scoping_project_A
into its constituent monitored projects and returns results for both
Project 1 and Project 2, across all Google Cloud regions. Because
the Grafana instance and data source syncer live within Project 1, only
users with access to Project 1 can query scoping_project_A.
You want Dev team B to be able to read from and access Projects 3 and 4. To
set up this access, you do the following:
Put Project 3 and Project 4 into the metrics scope of
scoping_project_B.
Put a data source syncer in Project 3, and configure it
to use scoping_project_B. Give the syncer's service account
Monitoring Viewer permissions for scoping_project_B.
When a user issues queries from the Grafana instance associated with this
data source syncer, Monarch expands scoping_project_B
into its constituent monitored projects and returns results for both
Project 3 and Project 4, across all Google Cloud regions. Because
the Grafana instance and data source syncer live within Project 3, only
users with access to Project 3 can query scoping_project_B.
You want the SRE team to be able to read from and access Projects 1, 2, 3, 4,
and 5. To set up this access, you do the following:
Put all the projects into the metrics scope of
scoping_project_C.
Put a data source syncer in Project 5, and configure it
to use scoping_project_C. Give the syncer's service account
Monitoring Viewer permissions for scoping_project_C.
When a user issues queries from the Grafana instance associated with this
data source syncer, Monarch expands scoping_project_C
into its constituent monitored projects and returns results for Projects
1, 2, 3, 4, and 5, across all Google Cloud regions. Because
the Grafana instance and data source syncer live within Project 5, only
users with access to Project 5 can query scoping_project_C.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Multi-tenant monitoring and querying\n\nThis document describes how you can give different teams access to different\nsets of projects. You can establish this kind of multi-tenant monitoring by\nusing [metrics scopes](/stackdriver/docs/managed-prometheus/best-practices/config#metrics-scopes) in combination with\nmultiple instances of Grafana and multiple [data source syncers](/stackdriver/docs/managed-prometheus/query#grafana-oauth).\n\nYou need to set up only one Grafana instance and one data source syncer\nfor each metrics scope, regardless of how many projects are\nin the metrics scope or how many Google Cloud regions you use:\n\n- Queries to Monarch automatically expand to all projects within a\n metrics scope, unless a `project_id` filter is included.\n\n- Queries execute across all regions unless a `location` filter is\n included.\n\nYou don't need to change anything on the ingestion side to achieve\nmulti-tenant monitoring.\n\nThe following diagram illustrates a configuration for multi-tenant monitoring:\n\nTo set up and use a configuration like the one in the diagram, set up\nyour metrics scopes, Grafana instances, and data source syncers\nas follows:\n\n- You want Dev team A to be able to read from and access Projects 1 and 2. To\n set up this access, you do the following:\n\n - Put Project 1 and Project 2 into the metrics scope of\n scoping_project_A.\n\n - Put a data source syncer in Project 1, and configure it\n to use scoping_project_A. Give the syncer's service account\n [Monitoring Viewer](/monitoring/access-control#mon_roles_desc) permissions for scoping_project_A.\n\n When a user issues queries from the Grafana instance associated with this\n data source syncer, Monarch expands scoping_project_A\n into its constituent monitored projects and returns results for both\n Project 1 and Project 2, across all Google Cloud regions. Because\n the Grafana instance and data source syncer live within Project 1, only\n users with access to Project 1 can query scoping_project_A.\n- You want Dev team B to be able to read from and access Projects 3 and 4. To\n set up this access, you do the following:\n\n - Put Project 3 and Project 4 into the metrics scope of\n scoping_project_B.\n\n - Put a data source syncer in Project 3, and configure it\n to use scoping_project_B. Give the syncer's service account\n [Monitoring Viewer](/monitoring/access-control#mon_roles_desc) permissions for scoping_project_B.\n\n When a user issues queries from the Grafana instance associated with this\n data source syncer, Monarch expands scoping_project_B\n into its constituent monitored projects and returns results for both\n Project 3 and Project 4, across all Google Cloud regions. Because\n the Grafana instance and data source syncer live within Project 3, only\n users with access to Project 3 can query scoping_project_B.\n- You want the SRE team to be able to read from and access Projects 1, 2, 3, 4,\n and 5. To set up this access, you do the following:\n\n - Put all the projects into the metrics scope of\n scoping_project_C.\n\n - Put a data source syncer in Project 5, and configure it\n to use scoping_project_C. Give the syncer's service account\n [Monitoring Viewer](/monitoring/access-control#mon_roles_desc) permissions for scoping_project_C.\n\n When a user issues queries from the Grafana instance associated with this\n data source syncer, Monarch expands scoping_project_C\n into its constituent monitored projects and returns results for Projects\n 1, 2, 3, 4, and 5, across all Google Cloud regions. Because\n the Grafana instance and data source syncer live within Project 5, only\n users with access to Project 5 can query scoping_project_C."]]
