From 1d99500b3ebee1756bf2e5a8765f1446d0c8afe0 Mon Sep 17 00:00:00 2001
From: Alexander Zobnin
Date: Thu, 27 Apr 2023 16:46:47 +0300
Subject: [PATCH] SAML UI: Fix permissions for fixed:authentication.config:writer role (#67290)

* SAML UI: Fix permissions for fixed:authentication.config:writer role
* Remove read permissions for auth settings
---
 .../rbac-fixed-basic-role-definitions/index.md | 2 +-
 .../configure-authentication/saml-ui/index.md | 2 +-
 pkg/services/accesscontrol/roles.go | 8 --------
 3 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md b/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md
index 5816de6580d..804ec775c0c 100644
--- a/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md
+++ b/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md
@@ -42,7 +42,7 @@ The following tables list permissions associated with basic and fixed roles.
 | `fixed:annotations:writer` | All permissions from `fixed:annotations:reader`
`annotations:write`
`annotations.create`
`annotations:delete` for scope `annotations:type:*` | Read, create, update and delete all annotations and annotation tags. |
 | `fixed:apikeys:reader` | `apikeys:read` for scope `apikeys:*` | Read all api keys. |
 | `fixed:apikeys:writer` | All permissions from `fixed:apikeys:reader` and
`apikeys:create`
`apikeys:delete` for scope `apikeys:*` | Read, create, delete all api keys. |
-| `fixed:authentication.config:writer` | `settings:read`
`settings:write` for scopes `settings:auth:*` and `settings:auth.saml:*` | Read and update authentication and SAML settings. |
+| `fixed:authentication.config:writer` | `settings:read` for scope `settings:auth.saml:*`
`settings:write` for scope `settings:auth.saml:*` | Read and update authentication and SAML settings. |
 | `fixed:dashboards:creator` | `dashboards:create`
`folders:read` | Create dashboards. |
 | `fixed:dashboards.insights:reader` | `dashboards.insights:read` | Read dashboard insights data and see presence indicators. |
 | `fixed:dashboards.permissions:reader` | `dashboards.permissions:read` | Read all dashboard permissions. |
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml-ui/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/saml-ui/index.md
index 255aa74abed..9b3cc4aaef3 100644
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml-ui/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/saml-ui/index.md
@@ -25,7 +25,7 @@ The Grafana SAML UI provides the following advantages over configuring SAML in t
 To follow this guide, you need:
 - Knowledge of SAML authentication. Refer to [SAML authentication in Grafana]({{< relref "../saml/" >}}) for an overview of Grafana's SAML integration.
-- Permissions `settings:read` and `settings:write` with scope `settings:auth:*` that allow you to read and update authentication settings.
+- Permissions `settings:read` and `settings:write` with scope `settings:auth.saml:*` that allow you to read and update SAML authentication settings.
 These permissions are granted by `fixed:authentication.config:writer` role. By default, this role is granted to Grafana server administrator in self-hosted instances and to Organization admins in Grafana Cloud instances.
diff --git a/pkg/services/accesscontrol/roles.go b/pkg/services/accesscontrol/roles.go
index 1b02f2db662..c9dc935fe04 100644
--- a/pkg/services/accesscontrol/roles.go
+++ b/pkg/services/accesscontrol/roles.go
@@ -178,18 +178,10 @@ var (
 Description: "Read and update authentication configuration and access configuration UI.",
 Group: "Settings",
 Permissions: []Permission{
- {
- Action: ActionSettingsRead,
- Scope: ScopeSettingsAuth,
- },
 {
 Action: ActionSettingsRead,
 Scope: ScopeSettingsSAML,
 },
- {
- Action: ActionSettingsWrite,
- Scope: ScopeSettingsAuth,
- },
 {
 Action: ActionSettingsWrite,
 Scope: ScopeSettingsSAML,
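Review bot: The Description on the hunk's first context line still says "Read and update authentication configuration and access configuration UI.", while the permissions that remain in view are only `settings:read` and `settings:write` scoped to ScopeSettingsSAML, so the string now overstates what the role grants; if no further entries follow outside the hunk, `Description: "Read and update SAML authentication configuration and access configuration UI.",` would match the narrowed scope and the docs updated in this commit. Removing the two ScopeSettingsAuth entries is the right least-privilege direction, but it revokes access from anyone already relying on this fixed role for non-SAML auth settings, so the change deserves a mention in the release notes. No test is touched by the commit; an assertion that this role's permission list contains no `settings:auth:*`-scoped entry would catch a later re-widening. The enclosing `var (` block begins before and ends after this hunk.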