Access control: Add a role for provisioning admins (#33787)

2025-01-16 11:42:35 -06:00 · 2021-05-10 11:46:42 +02:00 · 2021-05-10 11:46:42 +02:00 · 1d15686bdf
commit 1d15686bdf
parent baf80dad82
2 changed files with 23 additions and 0 deletions
--- a/pkg/services/accesscontrol/models.go
+++ b/pkg/services/accesscontrol/models.go
@ -42,6 +42,10 @@ func (p RoleDTO) Role() Role {
 const (
 	// Permission actions
 	// Actions
 	// Provisioning actions
 	ActionProvisioningReload = "provisioning:reload"
 	// Users actions
 	ActionUsersRead     = "users:read"
 	ActionUsersWrite    = "users:write"
@ -80,6 +84,9 @@ const (
 	ScopeUsersSelf = "users:self"
 	ScopeUsersAll  = "users:*"
 	// Services Scopes
 	ScopeServicesAll = "service:*"
 )
 const RoleGrafanaAdmin = "Grafana Admin"
--- a/pkg/services/accesscontrol/roles.go
+++ b/pkg/services/accesscontrol/roles.go
@ -124,6 +124,17 @@ var usersAdminEditRole = RoleDTO{
 	}),
 }
 var provisioningAdminRole = RoleDTO{
 	Name:    provisioningAdmin,
 	Version: 1,
 	Permissions: []Permission{
 		{
 			Action: ActionProvisioningReload,
 			Scope:  ScopeServicesAll,
 		},
 	},
 }
 // PredefinedRoles provides a map of permission sets/roles which can be
 // assigned to a set of users. When adding a new resource protected by
 // Grafana access control the default permissions should be added to a
@ -139,6 +150,8 @@ var PredefinedRoles = map[string]RoleDTO{
 	ldapAdminRead: ldapAdminReadRole,
 	ldapAdminEdit: ldapAdminEditRole,
 	provisioningAdmin: provisioningAdminRole,
 }
 const (
@ -150,6 +163,8 @@ const (
 	ldapAdminEdit = "grafana:roles:ldap:admin:edit"
 	ldapAdminRead = "grafana:roles:ldap:admin:read"
 	provisioningAdmin = "grafana:roles:provisioning:admin"
 )
 // PredefinedRoleGrants specifies which organization roles are assigned
@ -158,6 +173,7 @@ var PredefinedRoleGrants = map[string][]string{
 	RoleGrafanaAdmin: {
 		ldapAdminEdit,
 		ldapAdminRead,
 		provisioningAdmin,
 		usersAdminEdit,
 		usersAdminRead,
 		usersOrgEdit,