diff --git a/group_vars/grafana.yml b/group_vars/grafana.yml
index 254405df9012fbcd00bd4fde24ae8482dc2e9359..9653f4a385bdc537d8dacf236d8285314ec2ad3c 100644
--- a/group_vars/grafana.yml
+++ b/group_vars/grafana.yml
@@ -4,6 +4,10 @@ glob_grafana:
 ldap_base: "{{ glob_ldap.base }}"
 ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
 ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}"
+ ldap_group_tree: "ou=group,{{ glob_ldap.base }}"
+ ldap_group_filter: "uid"
+ ldap_group_admin: "cn=_nounou,ou=group,{{ glob_ldap.base }}"
+ ldap_group_editor: "*" # Everyone is editor
 logos:
 - which: crans_logo_white_small.svg
diff --git a/roles/grafana/templates/ldap.toml.j2 b/roles/grafana/templates/ldap.toml.j2
index c92a93308d8847a880f9e293d5866293e3ebbe83..7685d90f1f3d4ba10de2a177fa016ee9b2987af3 100644
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
@@ -31,8 +31,8 @@ search_base_dns = ["ou=passwd,dc=crans,dc=org"]
 ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
 ## Please check grafana LDAP docs for examples
 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-group_search_base_dns = ["ou=group,{{ grafana.ldap_base }}"]
-group_search_filter_user_attribute = "cn"
+group_search_base_dns = ["{{ grafana.ldap_group_tree }}"]
+group_search_filter_user_attribute = "{{ grafana.ldap_group_filter }}"
 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]
@@ -41,7 +41,13 @@ surname = "sn"
 username = "uid"
 email = "mail"
+# Nounous can administrate
+[[servers.group_mappings]]
+group_dn = "{{ grafana.ldap_group_admin }}"
+org_role = "Admin"
+grafana_admin = true
+
 # All LDAP members can edit
 [[servers.group_mappings]]
-group_dn = "*"
+group_dn = "{{ grafana.ldap_group_editor }}"
 org_role = "Editor"
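Review bot: `ldap_group_filter: "uid"` is a misleading name for what the template consumes it as: in ldap.toml.j2 it lands in `group_search_filter_user_attribute`, i.e. the user attribute whose value replaces `%s` in `group_search_filter`, not an LDAP filter of its own. Since the filter is `(memberUid=%s)`, this value has to stay the attribute that posixGroup `memberUid` entries hold; a reader seeing "filter" may try to put a `(&(...))` expression here and silently break group sync. Either rename it (e.g. `ldap_group_user_attribute`) or keep the name and add the comment `# user attribute substituted for %s in group_search_filter (memberUid), not a filter`. Secondary: `ldap_group_admin` repeats the literal `ou=group,` prefix that `ldap_group_tree` already encodes, so the two can drift if the group OU ever moves; worth a comment or a shared definition if the role's var layering allows it. Also, yamllint expects two spaces before an inline `#`: `ldap_group_editor: "*"  # Everyone is editor`.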
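Review bot: The switch from `"cn"` to a templated `group_search_filter_user_attribute` changes which user attribute is substituted into `(memberUid=%s)`, and nothing in the template says why the value must match `memberUid`'s contents; a later edit of the variable to `cn` or `mail` would quietly stop every group from matching, demoting admins without an error. Add a comment above the two templated lines, e.g. `# %s in group_search_filter is replaced by this user attribute; posixGroup memberUid holds uids, so it must name the uid attribute`. Both templated values are also inserted raw into TOML double-quoted strings, so a DN containing `"` or `\` would yield invalid TOML or a different DN — acceptable for operator-controlled group_vars, but worth a note next to `group_search_base_dns`. Just above the hunk, `search_base_dns = ["ou=passwd,dc=crans,dc=org"]` is still a hard-coded base while `ldap_user_tree` and `ldap_base` exist; that line is outside this hunk, but it looks like the same parameterisation should apply there.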
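Review bot: The new Admin mapping only works because it is placed before the `"*"` Editor mapping — Grafana applies the first `[[servers.group_mappings]]` entry a user matches, and `"*"` matches every authenticated user, so any mapping listed after it is dead. That ordering constraint is not written down, and `# Nounous can administrate` also understates what `grafana_admin = true` does: it grants instance-wide server admin, not just org Admin. Replace the comment with `# Nounous: org Admin plus Grafana server admin (grafana_admin). Must stay above the "*" mapping — Grafana uses the first matching group_mappings entry.` Since `group_dn` is now templated from `ldap_group_admin`, that comment is also the only guard against someone setting that variable to a broad value and handing server admin to every LDAP user.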