diff --git a/monitor/grafana/config.tf b/monitor/grafana/config.tf
index 0b93418..83bf5d3 100644
--- a/monitor/grafana/config.tf
+++ b/monitor/grafana/config.tf
@@ -20,19 +20,26 @@ provisioning = /etc/grafana/provisioning
 [server]
 domain = ''
 root_url = 'https://${local.dns-name}/'
+[users]
+auto_assign_org = true
+auto_assign_org_id = 0
 [auth]
 oauth_allow_insecure_email_lookup = true
+signout_redirect_url = '${module.oauth2.sso_signout_url}'
 [auth.anonymous]
 enabled = true
 org_name = Main Org.
 org_role = Viewer
 [auth.generic_oauth]
 enabled = true
-scopes = openid email nickname
+name = vynil
+scopes = openid profile email
 client_id = '${module.oauth2.client_id}'
 client_secret = '${module.oauth2.client_secret}'
-auth_url = '${module.oauth2.sso_authorize}'
-api_url = '${module.oauth2.sso_userinfo}'
+auth_url = '${module.oauth2.sso_authorize_url}'
+api_url = '${module.oauth2.sso_userinfo_url}'
+token_url = '${module.oauth2.sso_token_url}'
+role_attribute_path = contains(groups, '${module.application.main_group}-admin') && 'Admin' || contains(groups, '${module.application.main_group}') && 'Editor' || 'Viewer'
 EOF
 }
 }
diff --git a/monitor/grafana/index.yaml b/monitor/grafana/index.yaml
index a916aa6..ce5af4f 100644
--- a/monitor/grafana/index.yaml
+++ b/monitor/grafana/index.yaml
@@ -6,16 +6,21 @@ metadata:
 name: grafana
 description: null
 options:
- sub-domain:
- default: grafana
- examples:
- - grafana
- type: string
 ingress-class:
 default: traefik
 examples:
 - traefik
 type: string
+ app-group:
+ default: monitor
+ examples:
+ - monitor
+ type: string
+ sub-domain:
+ default: grafana
+ examples:
+ - grafana
+ type: string
 images:
 default:
 busybox:
@@ -118,10 +123,15 @@ options:
 examples:
 - grafana_admin
 type: string
- domain-name:
- default: your_company.com
+ domain:
+ default: your-company
 examples:
- - your_company.com
+ - your-company
+ type: string
+ issuer:
+ default: letsencrypt-prod
+ examples:
+ - letsencrypt-prod
 type: string
 volume:
 default:
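Review bot: In monitor/grafana/config.tf the new `role_attribute_path` hands out `Admin` from the `groups` claim, while the unchanged `oauth_allow_insecure_email_lookup = true` under `[auth]` still lets Grafana attach an OAuth login to an existing account by e-mail address alone. Grafana ships that lookup disabled because an identity provider that does not guarantee verified, unique e-mail addresses can place one user in another user's account, and with this mapping that account may now carry Admin. Unless the provider behind `module.oauth2` enforces that guarantee, I would set the lookup to `false` and add `role_attribute_strict = true`, so a login whose role expression cannot be evaluated (for example, no `groups` claim in the token) is refused rather than given a default role. Separately, `auto_assign_org_id = 0` looks unintended: Grafana documents the default as 1 and expects the organisation to exist, so please confirm 0 resolves to `Main Org.`. The heredoc this hunk edits starts above the hunk.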
@@ -142,20 +152,10 @@ options:
 default: 10Gi
 type: string
 type: object
- issuer:
- default: letsencrypt-prod
+ domain-name:
+ default: your_company.com
 examples:
- - letsencrypt-prod
- type: string
- domain:
- default: your-company
- examples:
- - your-company
- type: string
- app-group:
- default: monitor
- examples:
- - monitor
+ - your_company.com
 type: string
 dependencies: []
 providers:
diff --git a/monitor/grafana/presentation.tf b/monitor/grafana/presentation.tf
index 3d151e0..d78c302 100644
--- a/monitor/grafana/presentation.tf
+++ b/monitor/grafana/presentation.tf
@@ -38,6 +38,7 @@ module "ingress" {
 app_group = var.app-group
 dns_name = local.dns-name
 icon = local.icon
+ sub_groups = ["admin"]
 protocol_provider = module.oauth2.provider-id
 providers = {
 authentik = authentik
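Review bot: The `sub_groups = ["admin"]` added to `module "ingress"` in monitor/grafana/presentation.tf and the `'${module.application.main_group}-admin'` literal in config.tf's `role_attribute_path` appear to be tied together only by naming convention, so a rename on either side would silently change who is mapped to Admin without any plan-time error. The module's group-naming logic is not visible in this diff, so the link is inferred. If it holds, a comment such as `# "admin" must match the "-admin" suffix in role_attribute_path (config.tf)` on this line, or a shared local for the suffix, would keep the two in step. The module block starts and ends outside the hunk.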