Labels for access control
Label-based access control in PMM allows you to precisely manage which monitoring data users can access based on their roles and responsibilities.
This feature is essential for organizations with multiple teams, compliance requirements, or where different users need different levels of visibility.
How LBAC works
Access control in PMM uses Prometheus label selectors to filter metrics and Query Analytics data.
Here’s how it works:
- Create roles with specific label selectors. For example, you might allow the QA team to access only metrics related to test environments by assigning them a role with the `environment=test` label, or limit visibility to metrics related only to MySQL services with the `service_type=mysql` label.
- Assign roles to users based on their responsibilities. Each role can include multiple labels, and only data series matching all associated labels will be visible to users with that role. This ensures precise, fine-grained access control to your data.
- Users see only the metrics and data that match their role’s label selectors.
Standard vs custom labels
PMM supports two types of labels for access control. When a user adds a service to monitoring, PMM automatically assigns standard labels based on the service type, such as `service_type`, `agent_type`, and `node_name`. Additional labels like `service_id` and `node_id` are also auto-generated by PMM.
You can override some standard labels when creating objects such as Nodes, Services, or Agents. You can also define and assign custom labels. Unlike standard labels, custom labels are user-defined and can only be added or updated manually.
Both standard and custom labels are propagated to the relevant metrics collected by the PMM Client. These labels are preserved during metric collection and can be used in PromQL queries.
Examples
Label Type | Object | Label name | Example |
---|---|---|---|
Standard | Node | node_id | 5bdfb1b4-c6c4-4086-83a2-e8daa0b84d4b |
Standard | Service | service_type | mysql, mongodb, postgresql etc. |
Custom | Node, Service, Agent | Any string matching the regular expression: `[a-zA-Z_][a-zA-Z0-9_]*`. Also, it cannot start with two underscores. | `owner="joe"`, `_rack="12345"` |
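
The matching rule from "How LBAC works" and the custom label naming rule in the table above, as an added Python example (not PMM's own code): it parses a Prometheus-style selector, applies every matcher with AND semantics, and lists which series a role would expose. The sample series, the function names, and the choice to reject an empty selector are assumptions of this example, and Python's `re` stands in for the regex engine Prometheus uses.

```python
import re

# Custom label names per the table above: [a-zA-Z_][a-zA-Z0-9_]*, never starting with "__".
LABEL_NAME = re.compile(r"[a-zA-Z_][a-zA-Z0-9_]*")
# One matcher: name, operator, double-quoted value (simplified: no escaped quotes).
MATCHER = re.compile(r'\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*(=~|!~|!=|=)\s*"([^"]*)"\s*(?:,|$)')

def valid_custom_label(name):
    return LABEL_NAME.fullmatch(name) is not None and not name.startswith("__")

def parse_selector(selector):
    """Turn '{a="x", b=~"y.*"}' into (name, op, value) tuples; reject malformed input."""
    text = selector.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("selector must be wrapped in braces")
    body, matchers, pos = text[1:-1], [], 0
    while pos < len(body):
        m = MATCHER.match(body, pos)
        if m is None:
            raise ValueError(f"malformed matcher at offset {pos}")
        matchers.append(m.groups())
        pos = m.end()
    if not matchers:  # assumption of this example: fail closed on an empty selector
        raise ValueError("empty selector would expose every series")
    return matchers

def matches(series, matchers):
    """Visible only if every matcher holds (AND). A missing label reads as ''."""
    for name, op, value in matchers:
        actual = series.get(name, "")
        if op in ("=", "!="):
            hit = actual == value
        else:  # Prometheus anchors regex matchers at both ends
            hit = re.fullmatch(value, actual) is not None
        if hit == op.startswith("!"):
            return False
    return True

def visible(selector, series_list):
    matchers = parse_selector(selector)
    return [s["node_name"] for s in series_list if matches(s, matchers)]

# Constructed sample label sets, not real PMM data.
SERIES = [
    {"node_name": "db-test-1", "service_type": "mysql", "environment": "test"},
    {"node_name": "db-test-2", "service_type": "postgresql", "environment": "test"},
    {"node_name": "db-prod-1", "service_type": "mysql", "environment": "prod"},
    {"node_name": "db-misc-1", "service_type": "mongodb"},  # no environment label
]

if __name__ == "__main__":
    for sel in ('{environment="test"}', '{environment="test", service_type="mysql"}'):
        print(sel, "->", visible(sel, SERIES))
```

In Prometheus selector semantics a negative matcher such as `environment!="prod"` also matches series that carry no `environment` label at all, so roles built on negative matchers should be reviewed against unlabeled services.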
Adding labels when creating services
You can add standard or custom labels while adding a service to monitoring in PMM.
To set the labels via the user interface:
- From the Main menu, go to PMM Configuration > PMM Services > Add Service.
- Select the service you want to monitor.
- Complete the required connection details.
- Enter standard labels in the `Labels` input section.
- Enter custom labels in the `Custom labels` section.
You can also add standard and custom labels using pmm-admin.
Modifying existing labels
PMM allows modifying certain standard labels after a service is created:
- `environment`
- `cluster`
- `replication_set`
- `external_group`
For other standard labels that cannot be modified directly, you must remove the service and re-add it with the desired labels.
This can be done either via the PMM UI or via an API endpoint.
Custom labels can also be modified via the PMM UI or via the same API endpoint.