Labels for access control
In PMM, labels are key/value pairs attached to every monitored service, node, and agent, such as environment=production, service_type=mysql, or cluster=eu-west. You can use these labels to control which monitoring data each user can see.
When you create a role and assign it to a user, you specify which label values that user is allowed to access. PMM then filters dashboards and Query Analytics so that user only sees data from services that match those labels. A DBA responsible for production MySQL databases, for example, could be restricted to environment=production and service_type=mysql, with no visibility into staging or other database types.
To see the standard labels PMM assigns automatically and learn how to add custom labels when adding a service, see Labels reference.
How label-based access control works
Label-based access control (LBAC) restricts what each user can see by matching the labels on their role against the labels on monitored services. When a user opens a dashboard or Query Analytics, PMM automatically filters the data to show only the services whose labels match the user’s role.
Here’s how it works:
- Create roles with specific label selectors. For example, you might allow the QA team to access only metrics related to test environments by assigning them a role with the environment=test label, or limit visibility to metrics related only to MySQL services with the service_type=mysql label.
- Assign roles to users based on their responsibilities. Each role can include multiple labels, and only data series matching all associated labels will be visible to users with that role. This ensures precise, fine-grained access control to your data.
- Users see only the metrics and data that match their role's label selectors.
Standard vs custom labels
PMM supports two types of labels for access control. When a user adds a service to monitoring, PMM automatically assigns standard labels based on the service type, such as service_type, agent_type, and node_name. Additional labels like service_id and node_id are also auto-generated by PMM.
You can override some standard labels when creating objects such as Nodes, Services, or Agents. You can also define and assign custom labels. Unlike standard labels, custom labels are user-defined and can only be added or updated manually.
Both standard and custom labels are propagated to the relevant metrics collected by the PMM Client. These labels are preserved during metric collection and can be used in PromQL queries.
Examples
| Label Type | Object | Label name | Example |
|---|---|---|---|
| Standard | Node | node_id | 5bdfb1b4-c6c4-4086-83a2-e8daa0b84d4b |
| Standard | Service | service_type | mysql, mongodb, postgresql etc. |
| Custom | Node, Service, Agent | Any string matching the regular expression: [a-zA-Z_][a-zA-Z0-9_]*. Also, it cannot start with two underscores. | owner="joe", _rack="12345" |
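
The matching rule from "How label-based access control works" and the custom label naming rule from the table above, as an added example that is not PMM's own code. It is a small Python model that assumes exact key=value matching; the function names, services, and roles are constructed for illustration.

```python
import re

# Custom label name rule from the table: [a-zA-Z_][a-zA-Z0-9_]*,
# and the name must not start with two underscores.
LABEL_NAME = re.compile(r"[a-zA-Z_][a-zA-Z0-9_]*")


def valid_custom_label(name):
    return bool(LABEL_NAME.fullmatch(name)) and not name.startswith("__")


def visible(role_selector, service_labels):
    """True only if every label in the role matches the service (AND semantics).

    Assumption of this model: a service that lacks a selected label does not match.
    """
    return all(service_labels.get(k) == v for k, v in role_selector.items())


def audit(roles, services):
    """Map each role to the sorted names of the services it can see."""
    return {
        role: sorted(n for n, labels in services.items() if visible(sel, labels))
        for role, sel in roles.items()
    }


# Constructed inventory and roles (hypothetical names).
SERVICES = {
    "mysql-prod-1": {"environment": "production", "service_type": "mysql", "owner": "joe"},
    "mysql-stage-1": {"environment": "staging", "service_type": "mysql"},
    "pg-prod-1": {"environment": "production", "service_type": "postgresql"},
    "mysql-unlabeled": {"service_type": "mysql"},  # environment label never set
}
ROLES = {
    "prod-mysql-dba": {"environment": "production", "service_type": "mysql"},
    "mysql-any-env": {"service_type": "mysql"},  # fewer labels, broader visibility
}

if __name__ == "__main__":
    for role, names in audit(ROLES, SERVICES).items():
        print(f"{role}: {names}")
    for name in ("owner", "_rack", "__reserved", "rack-12", "9lives"):
        print(f"{name!r} valid: {valid_custom_label(name)}")
```

Running an audit like this against an exported inventory shows two things worth reviewing before assigning roles: a role with fewer labels sees more services, and a service that was added without a label drops out of every role that selects on it.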
Adding labels when creating services
You can add standard or custom labels while adding a service to monitoring in PMM.
To set the labels via the user interface:
- From the main menu, go to Inventory > Add service.
- Select the service you want to monitor.
- Complete the required connection details.
- In the Labels section, enter standard and custom labels.
You can also add standard and custom labels using pmm-admin.
Modifying existing labels
PMM allows modifying certain standard labels after a service is created:
- environment
- cluster
- replication_set
- external_group
For other standard labels that cannot be modified directly, you must remove the service and re-add it with the desired labels.
This can be done either via the PMM UI or via an API endpoint.
Custom labels can also be modified via the PMM UI or via the same API endpoint.