grafana/pkg/services/accesscontrol/models.go

package accesscontrol

import (
	"encoding/json"
	"time"
)

// RoleRegistration stores a role and its assignments to built-in roles
// (Viewer, Editor, Admin, Grafana Admin)
type RoleRegistration struct {
	Role   RoleDTO
	Grants []string
}

// Role is the model for Role in RBAC.
type Role struct {
	ID          int64  `json:"-" xorm:"pk autoincr 'id'"`
	OrgID       int64  `json:"-" xorm:"org_id"`
	Version     int64  `json:"version"`
	UID         string `xorm:"uid" json:"uid"`
	Name        string `json:"name"`
	Description string `json:"description"`

	Updated time.Time `json:"updated"`
	Created time.Time `json:"created"`
}

type RoleDTO struct {
	Version     int64        `json:"version"`
	UID         string       `xorm:"uid" json:"uid"`
	Name        string       `json:"name"`
	Description string       `json:"description"`
	Permissions []Permission `json:"permissions,omitempty"`

	ID    int64 `json:"-" xorm:"pk autoincr 'id'"`
	OrgID int64 `json:"-" xorm:"org_id"`

	Updated time.Time `json:"updated"`
	Created time.Time `json:"created"`
}

func (r RoleDTO) Role() Role {
	return Role{
		ID:          r.ID,
		OrgID:       r.OrgID,
		UID:         r.UID,
		Name:        r.Name,
		Description: r.Description,
		Updated:     r.Updated,
		Created:     r.Created,
	}
}

func (r RoleDTO) Global() bool {
	return r.OrgID == GlobalOrgID
}

func (r Role) Global() bool {
	return r.OrgID == GlobalOrgID
}

func (r RoleDTO) MarshalJSON() ([]byte, error) {
	type Alias RoleDTO
	return json.Marshal(&struct {
		Alias
		Global bool `json:"global" xorm:"-"`
	}{
		Alias:  (Alias)(r),
		Global: r.Global(),
	})
}

func (r Role) MarshalJSON() ([]byte, error) {
	type Alias Role
	return json.Marshal(&struct {
		Alias
		Global bool `json:"global" xorm:"-"`
	}{
		Alias:  (Alias)(r),
		Global: r.Global(),
	})
}

// Permission is the model for access control permissions.
type Permission struct {
	ID     int64  `json:"-" xorm:"pk autoincr 'id'"`
	RoleID int64  `json:"-" xorm:"role_id"`
	Action string `json:"action"`
	Scope  string `json:"scope"`

	Updated time.Time `json:"updated"`
	Created time.Time `json:"created"`
}

func (p Permission) OSSPermission() Permission {
	return Permission{
		Action: p.Action,
		Scope:  p.Scope,
	}
}

const (
	GlobalOrgID = 0
	// Permission actions

	// Users actions
	ActionUsersRead     = "users:read"
	ActionUsersWrite    = "users:write"
	ActionUsersTeamRead = "users.teams:read"
	// We can ignore gosec G101 since this does not contain any credentials.
	// nolint:gosec
	ActionUsersAuthTokenList = "users.authtoken:list"
	// We can ignore gosec G101 since this does not contain any credentials.
	// nolint:gosec
	ActionUsersAuthTokenUpdate = "users.authtoken:update"
	// We can ignore gosec G101 since this does not contain any credentials.
	// nolint:gosec
	ActionUsersPasswordUpdate    = "users.password:update"
	ActionUsersDelete            = "users:delete"
	ActionUsersCreate            = "users:create"
	ActionUsersEnable            = "users:enable"
	ActionUsersDisable           = "users:disable"
	ActionUsersPermissionsUpdate = "users.permissions:update"
	ActionUsersLogout            = "users:logout"
	ActionUsersQuotasList        = "users.quotas:list"
	ActionUsersQuotasUpdate      = "users.quotas:update"

	// Org actions
	ActionOrgUsersRead       = "org.users:read"
	ActionOrgUsersAdd        = "org.users:add"
	ActionOrgUsersRemove     = "org.users:remove"
	ActionOrgUsersRoleUpdate = "org.users.role:update"

	// LDAP actions
	ActionLDAPUsersRead    = "ldap.user:read"
	ActionLDAPUsersSync    = "ldap.user:sync"
	ActionLDAPStatusRead   = "ldap.status:read"
	ActionLDAPConfigReload = "ldap.config:reload"

	// Server actions
	ActionServerStatsRead = "server.stats:read"

	// Settings actions
	ActionSettingsRead = "settings:read"

	// Datasources actions
	ActionDatasourcesExplore = "datasources:explore"

	// Plugin actions
	ActionPluginsManage = "plugins:manage"

	// Global Scopes
	ScopeGlobalUsersAll = "global:users:*"

	// Users scope
	ScopeUsersAll = "users:*"

	// Settings scope
	ScopeSettingsAll = "settings:*"
)

const RoleGrafanaAdmin = "Grafana Admin"

const FixedRolePrefix = "fixed:"
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`package accesscontrol`

			`import (`
Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00			`"encoding/json"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`"time"`
			`)`

Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 07:44:37 -05:00			`// RoleRegistration stores a role and its assignments to built-in roles`
			`// (Viewer, Editor, Admin, Grafana Admin)`
			`type RoleRegistration struct {`
			`Role RoleDTO`
			`Grants []string`
			`}`

Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00			`// Role is the model for Role in RBAC.`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`type Role struct {`
Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00			ID int64 `json:"-" xorm:"pk autoincr 'id'"`
			OrgID int64 `json:"-" xorm:"org_id"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			Version int64 `json:"version"`
Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00			UID string `xorm:"uid" json:"uid"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			Name string `json:"name"`
			Description string `json:"description"`

			Updated time.Time `json:"updated"`
			Created time.Time `json:"created"`
			`}`

			`type RoleDTO struct {`
			Version int64 `json:"version"`
Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00			UID string `xorm:"uid" json:"uid"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			Name string `json:"name"`
			Description string `json:"description"`
			Permissions []Permission `json:"permissions,omitempty"`
Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00
			ID int64 `json:"-" xorm:"pk autoincr 'id'"`
			OrgID int64 `json:"-" xorm:"org_id"`

			Updated time.Time `json:"updated"`
			Created time.Time `json:"created"`
			`}`

			`func (r RoleDTO) Role() Role {`
			`return Role{`
			`ID: r.ID,`
			`OrgID: r.OrgID,`
			`UID: r.UID,`
			`Name: r.Name,`
			`Description: r.Description,`
			`Updated: r.Updated,`
			`Created: r.Created,`
			`}`
			`}`

			`func (r RoleDTO) Global() bool {`
			`return r.OrgID == GlobalOrgID`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`}`

Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00			`func (r Role) Global() bool {`
			`return r.OrgID == GlobalOrgID`
			`}`

			`func (r RoleDTO) MarshalJSON() ([]byte, error) {`
			`type Alias RoleDTO`
			`return json.Marshal(&struct {`
			`Alias`
			Global bool `json:"global" xorm:"-"`
			`}{`
			`Alias: (Alias)(r),`
			`Global: r.Global(),`
			`})`
			`}`

			`func (r Role) MarshalJSON() ([]byte, error) {`
			`type Alias Role`
			`return json.Marshal(&struct {`
			`Alias`
			Global bool `json:"global" xorm:"-"`
			`}{`
			`Alias: (Alias)(r),`
			`Global: r.Global(),`
			`})`
			`}`

			`// Permission is the model for access control permissions.`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`type Permission struct {`
Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00			ID int64 `json:"-" xorm:"pk autoincr 'id'"`
			RoleID int64 `json:"-" xorm:"role_id"`
Access Control: Move database-related models to enterprise (#32907) * Move database-related models to enterprise * Chore: use GetUserBuiltInRoles() method * Rename permission to action 2021-04-13 08:28:11 -05:00			Action string `json:"action"`
			Scope string `json:"scope"`
Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00
			Updated time.Time `json:"updated"`
			Created time.Time `json:"created"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`}`

Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00			`func (p Permission) OSSPermission() Permission {`
			`return Permission{`
			`Action: p.Action,`
			`Scope: p.Scope,`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`}`
			`}`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00
			`const (`
Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 02:58:35 -05:00			`GlobalOrgID = 0`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`// Permission actions`

Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00			`// Users actions`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`ActionUsersRead = "users:read"`
			`ActionUsersWrite = "users:write"`
			`ActionUsersTeamRead = "users.teams:read"`
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`// We can ignore gosec G101 since this does not contain any credentials.`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`// nolint:gosec`
			`ActionUsersAuthTokenList = "users.authtoken:list"`
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`// We can ignore gosec G101 since this does not contain any credentials.`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`// nolint:gosec`
			`ActionUsersAuthTokenUpdate = "users.authtoken:update"`
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`// We can ignore gosec G101 since this does not contain any credentials.`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`// nolint:gosec`
			`ActionUsersPasswordUpdate = "users.password:update"`
			`ActionUsersDelete = "users:delete"`
			`ActionUsersCreate = "users:create"`
			`ActionUsersEnable = "users:enable"`
			`ActionUsersDisable = "users:disable"`
			`ActionUsersPermissionsUpdate = "users.permissions:update"`
			`ActionUsersLogout = "users:logout"`
			`ActionUsersQuotasList = "users.quotas:list"`
			`ActionUsersQuotasUpdate = "users.quotas:update"`

Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00			`// Org actions`
			`ActionOrgUsersRead = "org.users:read"`
			`ActionOrgUsersAdd = "org.users:add"`
			`ActionOrgUsersRemove = "org.users:remove"`
			`ActionOrgUsersRoleUpdate = "org.users.role:update"`

			`// LDAP actions`
Access Control: Add fine-grained access control to ldap handlers (#35525) * Add new accesscontrol action for ldap config reload * Update ldapAdminEditRole with new ldap config reload permission * wrap /ldap/reload with accesscontrol authorize middleware * document new action and update fixed:ldap:admin:edit with said action * add fake accesscontrol implementation for tests * Add accesscontrol tests for ldap handlers Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> 2021-06-11 08:58:18 -05:00			`ActionLDAPUsersRead = "ldap.user:read"`
			`ActionLDAPUsersSync = "ldap.user:sync"`
			`ActionLDAPStatusRead = "ldap.status:read"`
			`ActionLDAPConfigReload = "ldap.config:reload"`
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`// Server actions`
			`ActionServerStatsRead = "server.stats:read"`

			`// Settings actions`
			`ActionSettingsRead = "settings:read"`

Access Control: Add fine-grained access control to explore (#35883) * add fixed role for datasource read operations * Add action for datasource explore * add authorize middleware to explore index route * add fgac support for explore navlink * update hasAccessToExplore to check if accesscontrol is enable and evalute action if it is * add getExploreRoles to evalute roles based onaccesscontrol, viewersCanEdit and default * create function to evaluate permissions or using fallback if accesscontrol is disabled * change hasAccess to prop and derive the value in mapStateToProps * add test case to ensure buttons is not rendered when user does not have access * Only hide return with changes button * remove internal links if user does not have access to explorer Co-authored-by: Ivana Huckova <30407135+ivanahuckova@users.noreply.github.com> 2021-07-02 07:43:12 -05:00			`// Datasources actions`
			`ActionDatasourcesExplore = "datasources:explore"`

Plugins: Fix catalog permissions for org and server admins (#37504) * simplify toggle + add link to server admin * feat(catalog): org admins can configure plugin apps, cannot install/uninstall plugins * fix(catalog): dont show buttons if user doesn't have install permissions * feat(catalog): cater for accessing catalog via /plugins and /admin/plugins * feat(catalog): use location for list links and match.url to define breadcrumb links * test(catalog): mock isGrafanaAdmin for PluginDetails tests * test(catalog): preserve default bootdata in PluginDetails mock * refactor(catalog): move orgAdmin check out of state and make easier to reason with Co-authored-by: Will Browne <will.browne@grafana.com> 2021-08-04 04:49:05 -05:00			`// Plugin actions`
			`ActionPluginsManage = "plugins:manage"`

Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`// Global Scopes`
Access control: Clean up users scopes (#33532) Following discussion in grafana/grafana-enterprise#1292, removing org-scoped users scopes to make it clear that the local organization is the default and the alternative to that is a global scope (for a select few endpoints) 2021-05-03 03:27:12 -05:00			`ScopeGlobalUsersAll = "global:users:*"`
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 07:44:37 -05:00			`// Users scope`
			`ScopeUsersAll = "users:*"`
Access control: Add a role for provisioning admins (#33787) 2021-05-10 04:46:42 -05:00
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`// Settings scope`
Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com> 2021-08-23 07:03:20 -05:00			`ScopeSettingsAll = "settings:*"`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`)`

			`const RoleGrafanaAdmin = "Grafana Admin"`
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 07:44:37 -05:00
			`const FixedRolePrefix = "fixed:"`