diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index d5d524c405b1d6104db675e1a7e2a636e2be5a31..2af3fd67fa91f4c879f29a86590e986e519b2f69 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -477,8 +477,8 @@ api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-c
 ;allowed_domains =
 ;team_ids =
 ;allowed_organizations =
-role_attribute_path: contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*], 'Staff') && 'Viewer'
-;role_attribute_strict = false
+role_attribute_path: contains(roles[*], 'DevOps') && 'Admin'
+role_attribute_strict = true
 ;tls_skip_verify_insecure = false
 ;tls_client_cert =
 ;tls_client_key =
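Review bot: With `role_attribute_strict = true` and no fallback branch, login now depends entirely on the `roles` claim containing the exact string `'DevOps'`, yet this same commit deletes the client role of that name in `tf-stage2/keycloak.tf`. The claim presumably now comes from the realm role behind `keycloak_role.devops` via the realm role mapper; its role name and ID-token/userinfo settings are outside the visible hunks, so confirm them before deploying, because a mismatch would reject every login. Strict mode only gates new logins: former `Staff` users presumably keep their existing Grafana user records, and any live sessions or API tokens they hold should be revoked separately. I would add a comment above the setting, `; DevOps only: strict mode denies login when no role matches (no Viewer fallback)`, and write the key with `=` like the surrounding settings, `role_attribute_path = contains(roles[*], 'DevOps') && 'Admin'`.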
diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index 8a5e3fc9b65147b1a3d6e953ad40326483ff4a35..7b64ad1c30b76ea4fa4f111a8e40845d167c2084 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -419,8 +419,7 @@ resource "keycloak_group_roles" "devops" {
   realm_id = "archlinux"
   group_id = keycloak_group.staff_groups["DevOps"].id
   role_ids = [
-    keycloak_role.devops.id,
-    keycloak_role.grafana_archlinux_devops.id
+    keycloak_role.devops.id
   ]
 }
 
@@ -775,29 +774,6 @@ resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapp
   add_to_access_token = false
 }
 
-// All of the below is to restrict access to Grafana to members in the Arch Linux DevOps group.
-resource "keycloak_role" "grafana_archlinux_devops" {
-  realm_id    = "archlinux"
-  client_id   = keycloak_openid_client.grafana_openid_client.id
-  name        = "DevOps"
-  description = "Arch Linux Staff Grafana"
-}
-
-resource "keycloak_generic_client_role_mapper" "grafana_archlinux_devops_to_email" {
-  realm_id        = "archlinux"
-  role_id         = keycloak_role.grafana_archlinux_devops.id
-  client_scope_id = keycloak_openid_client_scope.email.id
-}
-
-// This needs to be imported from the default client scopes created by Keycloak.
-resource "keycloak_openid_client_scope" "email" {
-  realm_id               = "archlinux"
-  name                   = "email"
-  description            = "OpenID Connect built-in scope: email"
-  include_in_token_scope = true
-  consent_screen_text    = "$${emailScopeConsentText}"
-}
-
 resource "keycloak_openid_client" "hedgedoc_openid_client" {
   realm_id      = "archlinux"
   client_id     = "openid_hedgedoc"