diff --git a/argocd/manifests/grafana/configmap.yaml b/argocd/manifests/grafana/configmap.yaml
index f0c00a7..077779b 100644
--- a/argocd/manifests/grafana/configmap.yaml
+++ b/argocd/manifests/grafana/configmap.yaml
@@ -21,7 +21,8 @@ data:
 client_secret = $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
 enabled = true
 name = Authentik
-role_attribute_path = 'Admin'
+role_attribute_path = contains(groups[*], 'admins') && 'Admin' || 'Viewer'
+skip_org_role_sync = false
 scopes = openid profile email
 token_url = https://authentik.ops.eblu.me/application/o/token/
diff --git a/docs/changelog.d/fix-grafana-oauth-role.bugfix.md b/docs/changelog.d/fix-grafana-oauth-role.bugfix.md
new file mode 100644
index 0000000..9479f1c
--- /dev/null
+++ b/docs/changelog.d/fix-grafana-oauth-role.bugfix.md
@@ -0,0 +1 @@
+Fix Grafana OAuth role mapping: INI parser was stripping quotes from `role_attribute_path = 'Admin'`, causing all Authentik users to get Viewer role instead of Admin. Now uses group-based mapping from the `admins` Authentik group.
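Review bot: The new `role_attribute_path` depends on a `groups` claim being present in the token or userinfo response, but the hunk only requests `scopes = openid profile email` and nothing in the change verifies that the Authentik provider actually emits `groups` with those scopes; if the claim is absent, `contains(groups[*], 'admins')` is evaluated against a missing value and every login, including intended admins, appears to land on the `'Viewer'` fallback or on Grafana's default role, which is the same silent symptom this commit is fixing. I would add `role_attribute_strict = true` next to `skip_org_role_sync = false` so that an evaluation that yields no valid role refuses the login instead of quietly granting a lower one, and a comment such as `# requires the Authentik provider to include the 'groups' claim; admins group grants Admin, everyone else Viewer` above the expression. `skip_org_role_sync = false` is the default, so stating it is documentation only; a short comment saying the role is re-synced from the IdP on every login would make that intent explicit. The surrounding `[auth.generic_oauth]` block begins and ends outside the hunk, so the remaining OAuth settings could not be checked here.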