RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683)

* Return slice of permissions instead of slice of pointers for permissions
2025-02-25 18:55:37 -06:00 · 2022-06-14 10:17:48 +02:00 · 2022-06-14 10:17:48 +02:00 · 44ffbfd6aa
commit 44ffbfd6aa
parent 5aab95885f
29 changed files with 311 additions and 315 deletions
--- a/pkg/api/admin_provisioning_test.go
+++ b/pkg/api/admin_provisioning_test.go
@ -17,7 +17,7 @@ type reloadProvisioningTestCase struct {
 	url          string
 	expectedCode int
 	expectedBody string
-	permissions  []*accesscontrol.Permission
+	permissions  []accesscontrol.Permission
 	exit         bool
 	checkCall    func(mock provisioning.ProvisioningServiceMock)
 }
@ -28,7 +28,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
 			desc:         "should work for dashboards with specific scope",
 			expectedCode: http.StatusOK,
 			expectedBody: `{"message":"Dashboards config reloaded"}`,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: ActionProvisioningReload,
 					Scope:  ScopeProvisionersDashboards,
@ -43,7 +43,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
 			desc:         "should work for dashboards with broader scope",
 			expectedCode: http.StatusOK,
 			expectedBody: `{"message":"Dashboards config reloaded"}`,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: ActionProvisioningReload,
 					Scope:  ScopeProvisionersAll,
@ -57,7 +57,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
 		{
 			desc:         "should fail for dashboard with wrong scope",
 			expectedCode: http.StatusForbidden,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: ActionProvisioningReload,
 					Scope:  "services:noservice",
@ -76,7 +76,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
 			desc:         "should work for notifications with specific scope",
 			expectedCode: http.StatusOK,
 			expectedBody: `{"message":"Notifications config reloaded"}`,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: ActionProvisioningReload,
 					Scope:  ScopeProvisionersNotifications,
@ -97,7 +97,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
 			desc:         "should work for datasources with specific scope",
 			expectedCode: http.StatusOK,
 			expectedBody: `{"message":"Datasources config reloaded"}`,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: ActionProvisioningReload,
 					Scope:  ScopeProvisionersDatasources,
@ -118,7 +118,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
 			desc:         "should work for plugins with specific scope",
 			expectedCode: http.StatusOK,
 			expectedBody: `{"message":"Plugins config reloaded"}`,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: ActionProvisioningReload,
 					Scope:  ScopeProvisionersPlugins,
--- a/pkg/api/admin_test.go
+++ b/pkg/api/admin_test.go
@ -15,7 +15,7 @@ type getSettingsTestCase struct {
 	desc         string
 	expectedCode int
 	expectedBody string
-	permissions  []*accesscontrol.Permission
+	permissions  []accesscontrol.Permission
 }
 func TestAPI_AdminGetSettings(t *testing.T) {
@ -24,7 +24,7 @@ func TestAPI_AdminGetSettings(t *testing.T) {
 			desc:         "should return all settings",
 			expectedCode: http.StatusOK,
 			expectedBody: `{"auth.proxy":{"enable_login_token":"false","enabled":"false"},"auth.saml":{"allow_idp_initiated":"false","enabled":"true"}}`,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: accesscontrol.ActionSettingsRead,
 					Scope:  accesscontrol.ScopeSettingsAll,
@ -35,7 +35,7 @@ func TestAPI_AdminGetSettings(t *testing.T) {
 			desc:         "should only return auth.saml settings",
 			expectedCode: http.StatusOK,
 			expectedBody: `{"auth.saml":{"allow_idp_initiated":"false","enabled":"true"}}`,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: accesscontrol.ActionSettingsRead,
 					Scope:  "settings:auth.saml:*",
@ -46,7 +46,7 @@ func TestAPI_AdminGetSettings(t *testing.T) {
 			desc:         "should only partial properties from auth.saml and auth.proxy settings",
 			expectedCode: http.StatusOK,
 			expectedBody: `{"auth.proxy":{"enable_login_token":"false"},"auth.saml":{"enabled":"true"}}`,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: accesscontrol.ActionSettingsRead,
 					Scope:  "settings:auth.saml:enabled",
@ -101,7 +101,7 @@ func TestAdmin_AccessControl(t *testing.T) {
 			desc:         "AdminGetStats should return 200 for user with correct permissions",
 			url:          "/api/admin/stats",
 			method:       http.MethodGet,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: accesscontrol.ActionServerStatsRead,
 				},
@ -112,7 +112,7 @@ func TestAdmin_AccessControl(t *testing.T) {
 			desc:         "AdminGetStats should return 403 for user without required permissions",
 			url:          "/api/admin/stats",
 			method:       http.MethodGet,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: "wrong",
 				},
@ -123,7 +123,7 @@ func TestAdmin_AccessControl(t *testing.T) {
 			desc:         "AdminGetSettings should return 200 for user with correct permissions",
 			url:          "/api/admin/settings",
 			method:       http.MethodGet,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: accesscontrol.ActionSettingsRead,
 				},
@ -134,7 +134,7 @@ func TestAdmin_AccessControl(t *testing.T) {
 			desc:         "AdminGetSettings should return 403 for user without required permissions",
 			url:          "/api/admin/settings",
 			method:       http.MethodGet,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: "wrong",
 				},
--- a/pkg/api/annotations_test.go
+++ b/pkg/api/annotations_test.go
@ -501,7 +501,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 	}
 	type args struct {
-		permissions []*accesscontrol.Permission
+		permissions []accesscontrol.Permission
 		url         string
 		body        io.Reader
 		method      string
@ -515,7 +515,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl getting annotations with correct permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
 				url:         "/api/annotations",
 				method:      http.MethodGet,
 			},
@ -524,7 +524,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl getting annotations without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{},
+				permissions: []accesscontrol.Permission{},
 				url:         "/api/annotations",
 				method:      http.MethodGet,
 			},
@ -533,7 +533,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl getting annotation by ID with correct permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
 				url:         "/api/annotations/1",
 				method:      http.MethodGet,
 			},
@ -542,7 +542,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl getting annotation by ID without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{},
+				permissions: []accesscontrol.Permission{},
 				url:         "/api/annotations",
 				method:      http.MethodGet,
 			},
@ -551,7 +551,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl getting tags for annotations with correct permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead}},
 				url:         "/api/annotations/tags",
 				method:      http.MethodGet,
 			},
@ -560,7 +560,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl getting tags for annotations without correct permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite}},
 				url:         "/api/annotations/tags",
 				method:      http.MethodGet,
 			},
@ -569,7 +569,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl update dashboard annotation with permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
 				}},
 				url:    "/api/annotations/1",
@ -581,7 +581,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl update dashboard annotation without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{},
+				permissions: []accesscontrol.Permission{},
 				url:         "/api/annotations/1",
 				method:      http.MethodPut,
 				body:        mockRequestBody(updateCmd),
@ -591,7 +591,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl update organization annotation with permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsAll,
 				}},
 				url:    "/api/annotations/2",
@ -603,7 +603,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl update organization annotation without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
 				}},
 				url:    "/api/annotations/2",
@ -615,7 +615,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl patch dashboard annotation with permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
 				}},
 				url:    "/api/annotations/1",
@ -627,7 +627,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl patch dashboard annotation without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{},
+				permissions: []accesscontrol.Permission{},
 				url:         "/api/annotations/1",
 				method:      http.MethodPatch,
 				body:        mockRequestBody(patchCmd),
@ -637,7 +637,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl patch organization annotation with permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsAll,
 				}},
 				url:    "/api/annotations/2",
@ -649,7 +649,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl patch organization annotation without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
 				}},
 				url:    "/api/annotations/2",
@ -661,7 +661,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl create dashboard annotation with permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
 				}},
 				url:    "/api/annotations",
@ -673,7 +673,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl create dashboard annotation without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{},
+				permissions: []accesscontrol.Permission{},
 				url:         "/api/annotations",
 				method:      http.MethodPost,
 				body:        mockRequestBody(postDashboardCmd),
@ -683,7 +683,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl create dashboard annotation with incorrect permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeOrganization,
 				}},
 				url:    "/api/annotations",
@ -695,7 +695,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl create organization annotation with permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsAll,
 				}},
 				url:    "/api/annotations",
@ -707,7 +707,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl create organization annotation without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
 				}},
 				url:    "/api/annotations",
@ -719,7 +719,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl delete dashboard annotation with permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
 				}},
 				url:    "/api/annotations/1",
@ -730,7 +730,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl delete dashboard annotation without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{},
+				permissions: []accesscontrol.Permission{},
 				url:         "/api/annotations/1",
 				method:      http.MethodDelete,
 			},
@ -739,7 +739,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl delete organization annotation with permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsAll,
 				}},
 				url:    "/api/annotations/2",
@ -750,7 +750,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl delete organization annotation without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
 				}},
 				url:    "/api/annotations/2",
@ -761,7 +761,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl create graphite annotation with permissions is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsAll,
 				}},
 				url:    "/api/annotations/graphite",
@ -773,7 +773,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl create organization annotation without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{
+				permissions: []accesscontrol.Permission{{
 					Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
 				}},
 				url:    "/api/annotations/graphite",
@ -865,7 +865,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
 	require.NoError(t, err)
 	type args struct {
-		permissions []*accesscontrol.Permission
+		permissions []accesscontrol.Permission
 		url         string
 		body        io.Reader
 		method      string
@ -879,7 +879,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
 		{
 			name: "Mass delete dashboard annotations without dashboardId is not allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
 				url:         "/api/annotations/mass-delete",
 				method:      http.MethodPost,
 				body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -892,7 +892,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
 		{
 			name: "Mass delete dashboard annotations without panelId is not allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
 				url:         "/api/annotations/mass-delete",
 				method:      http.MethodPost,
 				body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -905,7 +905,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl mass delete dashboard annotations with correct dashboardId and panelId as input is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
 				url:         "/api/annotations/mass-delete",
 				method:      http.MethodPost,
 				body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -918,7 +918,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
 		{
 			name: "Mass delete organization annotations without input to delete all organization annotations is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
 				url:         "/api/annotations/mass-delete",
 				method:      http.MethodPost,
 				body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -931,7 +931,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
 		{
 			name: "Mass delete organization annotations without permissions is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
 				url:         "/api/annotations/mass-delete",
 				method:      http.MethodPost,
 				body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -944,7 +944,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl mass delete dashboard annotations with correct annotationId as input is allowed",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
 				url:         "/api/annotations/mass-delete",
 				method:      http.MethodPost,
 				body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -956,7 +956,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl mass delete annotation without access to dashboard annotations is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
 				url:         "/api/annotations/mass-delete",
 				method:      http.MethodPost,
 				body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -968,7 +968,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
 		{
 			name: "AccessControl mass delete annotation without access to organization annotations is forbidden",
 			args: args{
-				permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
+				permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
 				url:         "/api/annotations/mass-delete",
 				method:      http.MethodPost,
 				body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
--- a/pkg/api/common_test.go
+++ b/pkg/api/common_test.go
@ -231,7 +231,7 @@ func (s *fakeRenderService) Init() error {
 	return nil
 }
-func setupAccessControlScenarioContext(t *testing.T, cfg *setting.Cfg, url string, permissions []*accesscontrol.Permission) (*scenarioContext, *HTTPServer) {
+func setupAccessControlScenarioContext(t *testing.T, cfg *setting.Cfg, url string, permissions []accesscontrol.Permission) (*scenarioContext, *HTTPServer) {
 	cfg.Quota.Enabled = false
 	store := sqlstore.InitTestDB(t)
@ -260,7 +260,7 @@ type accessControlTestCase struct {
 	desc         string
 	url          string
 	method       string
-	permissions  []*accesscontrol.Permission
+	permissions  []accesscontrol.Permission
 }
 // accessControlScenarioContext contains the setups for accesscontrol tests
@ -287,9 +287,9 @@ type accessControlScenarioContext struct {
 	dashboardsStore dashboards.Store
 }
-func setAccessControlPermissions(acmock *accesscontrolmock.Mock, perms []*accesscontrol.Permission, org int64) {
+func setAccessControlPermissions(acmock *accesscontrolmock.Mock, perms []accesscontrol.Permission, org int64) {
 	acmock.GetUserPermissionsFunc =
-		func(_ context.Context, u *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+		func(_ context.Context, u *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
 			if u.OrgId == org {
 				return perms, nil
 			}
--- a/pkg/api/datasources_test.go
+++ b/pkg/api/datasources_test.go
@ -239,7 +239,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesPut should return 404 if datasource not found",
 				url:          fmt.Sprintf("/api/datasources/%v", "12345678"),
 				method:       http.MethodPut,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionWrite,
 						Scope:  datasources.ScopeAll,
@ -254,7 +254,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGet should return 200 for user with correct permissions",
 				url:          "/api/datasources/",
 				method:       http.MethodGet,
-				permissions:  []*ac.Permission{{Action: datasources.ActionRead, Scope: datasources.ScopeAll}},
+				permissions:  []ac.Permission{{Action: datasources.ActionRead, Scope: datasources.ScopeAll}},
 			},
 		},
 		{
@ -263,7 +263,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGet should return 403 for user without required permissions",
 				url:          "/api/datasources/",
 				method:       http.MethodGet,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 		},
 		{
@ -273,7 +273,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesPost should return 200 for user with correct permissions",
 				url:          "/api/datasources/",
 				method:       http.MethodPost,
-				permissions:  []*ac.Permission{{Action: datasources.ActionCreate}},
+				permissions:  []ac.Permission{{Action: datasources.ActionCreate}},
 			},
 			expectedDS: &testDatasource,
 		},
@ -283,7 +283,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesPost should return 403 for user without required permissions",
 				url:          "/api/datasources/",
 				method:       http.MethodPost,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 		},
 		{
@ -293,7 +293,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesPut should return 200 for user with correct permissions",
 				url:          fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
 				method:       http.MethodPut,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionWrite,
 						Scope:  fmt.Sprintf("datasources:id:%v", testDatasource.Id),
@ -308,7 +308,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesPut should return 403 for user without required permissions",
 				url:          fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
 				method:       http.MethodPut,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 		},
 		{
@ -318,7 +318,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesPut should return 403 for read only datasource",
 				url:          fmt.Sprintf("/api/datasources/%v", testDatasourceReadOnly.Id),
 				method:       http.MethodPut,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionWrite,
 						Scope:  fmt.Sprintf("datasources:id:%v", testDatasourceReadOnly.Id),
@ -333,7 +333,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesDeleteByID should return 200 for user with correct permissions",
 				url:          fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
 				method:       http.MethodDelete,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionDelete,
 						Scope:  fmt.Sprintf("datasources:id:%v", testDatasource.Id),
@ -348,7 +348,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesDeleteByID should return 403 for user without required permissions",
 				url:          fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
 				method:       http.MethodDelete,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 		},
 		{
@ -357,7 +357,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesDeleteByUID should return 200 for user with correct permissions",
 				url:          fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
 				method:       http.MethodDelete,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionDelete,
 						Scope:  fmt.Sprintf("datasources:uid:%v", testDatasource.Uid),
@ -372,7 +372,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesDeleteByUID should return 403 for user without required permissions",
 				url:          fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
 				method:       http.MethodDelete,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 		},
 		{
@ -381,7 +381,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesDeleteByName should return 200 for user with correct permissions",
 				url:          fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
 				method:       http.MethodDelete,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionDelete,
 						Scope:  fmt.Sprintf("datasources:name:%v", testDatasource.Name),
@ -396,7 +396,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesDeleteByName should return 403 for user without required permissions",
 				url:          fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
 				method:       http.MethodDelete,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 		},
 		{
@ -405,7 +405,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGetByID should return 200 for user with correct permissions",
 				url:          fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
 				method:       http.MethodGet,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionRead,
 						Scope:  fmt.Sprintf("datasources:id:%v", testDatasource.Id),
@ -420,7 +420,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGetByID should return 403 for user without required permissions",
 				url:          fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
 				method:       http.MethodGet,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 		},
 		{
@ -429,7 +429,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGetByUID should return 200 for user with correct permissions",
 				url:          fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
 				method:       http.MethodGet,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionRead,
 						Scope:  fmt.Sprintf("datasources:uid:%v", testDatasource.Uid),
@ -444,7 +444,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGetByUID should return 403 for user without required permissions",
 				url:          fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
 				method:       http.MethodGet,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 		},
 		{
@ -453,7 +453,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGetByName should return 200 for user with correct permissions",
 				url:          fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
 				method:       http.MethodGet,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionRead,
 						Scope:  fmt.Sprintf("datasources:name:%v", testDatasource.Name),
@ -468,7 +468,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGetByName should return 403 for user without required permissions",
 				url:          fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
 				method:       http.MethodGet,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 			expectedDS: &testDatasource,
 		},
@ -478,7 +478,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGetIdByName should return 200 for user with correct permissions",
 				url:          fmt.Sprintf("/api/datasources/id/%v", testDatasource.Name),
 				method:       http.MethodGet,
-				permissions: []*ac.Permission{
+				permissions: []ac.Permission{
 					{
 						Action: datasources.ActionIDRead,
 						Scope:  fmt.Sprintf("datasources:name:%v", testDatasource.Name),
@ -493,7 +493,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
 				desc:         "DatasourcesGetIdByName should return 403 for user without required permissions",
 				url:          fmt.Sprintf("/api/datasources/id/%v", testDatasource.Name),
 				method:       http.MethodGet,
-				permissions:  []*ac.Permission{{Action: "wrong"}},
+				permissions:  []ac.Permission{{Action: "wrong"}},
 			},
 			expectedDS: &testDatasource,
 		},
--- a/pkg/api/ldap_debug_test.go
+++ b/pkg/api/ldap_debug_test.go
@ -514,7 +514,7 @@ func TestLDAP_AccessControl(t *testing.T) {
 			method:       http.MethodPost,
 			desc:         "ReloadLDAPCfg should return 200 for user with correct permissions",
 			expectedCode: http.StatusOK,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: accesscontrol.ActionLDAPConfigReload},
 			},
 		},
@ -523,7 +523,7 @@ func TestLDAP_AccessControl(t *testing.T) {
 			method:       http.MethodPost,
 			desc:         "ReloadLDAPCfg should return 403 for user without required permissions",
 			expectedCode: http.StatusForbidden,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "wrong"},
 			},
 		},
@ -532,7 +532,7 @@ func TestLDAP_AccessControl(t *testing.T) {
 			method:       http.MethodGet,
 			desc:         "GetLDAPStatus should return 200 for user without required permissions",
 			expectedCode: http.StatusOK,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: accesscontrol.ActionLDAPStatusRead},
 			},
 		},
@ -541,7 +541,7 @@ func TestLDAP_AccessControl(t *testing.T) {
 			method:       http.MethodGet,
 			desc:         "GetLDAPStatus should return 200 for user without required permissions",
 			expectedCode: http.StatusForbidden,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "wrong"},
 			},
 		},
@ -550,7 +550,7 @@ func TestLDAP_AccessControl(t *testing.T) {
 			method:       http.MethodGet,
 			desc:         "GetUserFromLDAP should return 200 for user with required permissions",
 			expectedCode: http.StatusOK,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: accesscontrol.ActionLDAPUsersRead},
 			},
 		},
@ -559,7 +559,7 @@ func TestLDAP_AccessControl(t *testing.T) {
 			method:       http.MethodGet,
 			desc:         "GetUserFromLDAP should return 403 for user without required permissions",
 			expectedCode: http.StatusForbidden,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "wrong"},
 			},
 		},
@ -568,7 +568,7 @@ func TestLDAP_AccessControl(t *testing.T) {
 			method:       http.MethodPost,
 			desc:         "PostSyncUserWithLDAP should return 200 for user without required permissions",
 			expectedCode: http.StatusOK,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: accesscontrol.ActionLDAPUsersSync},
 			},
 		},
@ -577,7 +577,7 @@ func TestLDAP_AccessControl(t *testing.T) {
 			method:       http.MethodPost,
 			desc:         "PostSyncUserWithLDAP should return 200 for user without required permissions",
 			expectedCode: http.StatusForbidden,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "wrong"},
 			},
 		},
--- a/pkg/api/org_test.go
+++ b/pkg/api/org_test.go
@ -69,17 +69,17 @@ func TestAPIEndpoint_GetCurrentOrg_AccessControl(t *testing.T) {
 	require.NoError(t, err)
 	t.Run("AccessControl allows viewing CurrentOrg with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("AccessControl prevents viewing CurrentOrg with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 2)
 		response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents viewing CurrentOrg with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -115,19 +115,19 @@ func TestAPIEndpoint_PutCurrentOrg_AccessControl(t *testing.T) {
 	input := strings.NewReader(testUpdateOrgNameForm)
 	t.Run("AccessControl allows updating current org with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("AccessControl prevents updating current org with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
 		response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents updating current org with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -163,20 +163,20 @@ func TestAPIEndpoint_PutCurrentOrgAddress_AccessControl(t *testing.T) {
 	input := strings.NewReader(testUpdateOrgAddressForm)
 	t.Run("AccessControl allows updating current org address with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	input = strings.NewReader(testUpdateOrgAddressForm)
 	t.Run("AccessControl prevents updating current org address with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
 		response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents updating current org address with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -235,14 +235,14 @@ func TestAPIEndpoint_CreateOrgs_AccessControl(t *testing.T) {
 	input := strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 2))
 	t.Run("AccessControl allows creating Orgs with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsCreate}}, accesscontrol.GlobalOrgID)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsCreate}}, accesscontrol.GlobalOrgID)
 		response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	input = strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 3))
 	t.Run("AccessControl prevents creating Orgs with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
 		response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -273,17 +273,17 @@ func TestAPIEndpoint_DeleteOrgs_AccessControl(t *testing.T) {
 	setupOrgsDBForAccessControlTests(t, sc.db, *sc.initCtx.SignedInUser, 2)
 	t.Run("AccessControl prevents deleting Orgs with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
 		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents deleting Orgs with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsDelete}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsDelete}}, 1)
 		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl allows deleting Orgs with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsDelete}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsDelete}}, 2)
 		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
@ -310,17 +310,17 @@ func TestAPIEndpoint_SearchOrgs_AccessControl(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("AccessControl allows listing Orgs with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
 		response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("AccessControl prevents listing Orgs with correct permissions not granted globally", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
 		response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents listing Orgs with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
 		response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -353,17 +353,17 @@ func TestAPIEndpoint_GetOrg_AccessControl(t *testing.T) {
 	setupOrgsDBForAccessControlTests(t, sc.db, *sc.initCtx.SignedInUser, 2)
 	t.Run("AccessControl allows viewing another org with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 2)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("AccessControl prevents viewing another org with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents viewing another org with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -396,12 +396,12 @@ func TestAPIEndpoint_GetOrgByName_AccessControl(t *testing.T) {
 	setupOrgsDBForAccessControlTests(t, sc.db, *sc.initCtx.SignedInUser, 2)
 	t.Run("AccessControl allows viewing another org with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("AccessControl prevents viewing another org with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -437,19 +437,19 @@ func TestAPIEndpoint_PutOrg_AccessControl(t *testing.T) {
 	input := strings.NewReader(testUpdateOrgNameForm)
 	t.Run("AccessControl allows updating another org with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("AccessControl prevents updating another org with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents updating another org with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -485,20 +485,20 @@ func TestAPIEndpoint_PutOrgAddress_AccessControl(t *testing.T) {
 	input := strings.NewReader(testUpdateOrgAddressForm)
 	t.Run("AccessControl allows updating another org address with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	input = strings.NewReader(testUpdateOrgAddressForm)
 	t.Run("AccessControl prevents updating another org address with correct permissions in the current org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents updating another org address with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
--- a/pkg/api/org_users_test.go
+++ b/pkg/api/org_users_test.go
@ -208,14 +208,14 @@ func TestOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
 			desc:         "UsersLookupGet should return 200 for user with correct permissions",
 			url:          "/api/org/users/lookup",
 			method:       http.MethodGet,
-			permissions:  []*accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll}},
+			permissions:  []accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll}},
 		},
 		{
 			expectedCode: http.StatusForbidden,
 			desc:         "UsersLookupGet should return 403 for user without required permissions",
 			url:          "/api/org/users/lookup",
 			method:       http.MethodGet,
-			permissions:  []*accesscontrol.Permission{{Action: "wrong"}},
+			permissions:  []accesscontrol.Permission{{Action: "wrong"}},
 		},
 	}
--- a/pkg/api/preferences_test.go
+++ b/pkg/api/preferences_test.go
@ -79,17 +79,17 @@ func TestAPIEndpoint_GetCurrentOrgPreferences_AccessControl(t *testing.T) {
 	require.NoError(t, err)
 	t.Run("AccessControl allows getting org preferences with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsPreferencesRead}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsPreferencesRead}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodGet, getOrgPreferencesURL, nil, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("AccessControl prevents getting org preferences with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsPreferencesRead}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsPreferencesRead}}, 2)
 		response := callAPI(sc.server, http.MethodGet, getOrgPreferencesURL, nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents getting org preferences with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodGet, getOrgPreferencesURL, nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -125,21 +125,21 @@ func TestAPIEndpoint_PutCurrentOrgPreferences_AccessControl(t *testing.T) {
 	input := strings.NewReader(testUpdateOrgPreferencesCmd)
 	t.Run("AccessControl allows updating org preferences with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsPreferencesWrite}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsPreferencesWrite}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodPut, putOrgPreferencesURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	input = strings.NewReader(testUpdateOrgPreferencesCmd)
 	t.Run("AccessControl prevents updating org preferences with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsPreferencesWrite}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsPreferencesWrite}}, 2)
 		response := callAPI(sc.server, http.MethodPut, putOrgPreferencesURL, input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	input = strings.NewReader(testUpdateOrgPreferencesCmd)
 	t.Run("AccessControl prevents updating org preferences with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodPut, putOrgPreferencesURL, input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
--- a/pkg/api/quota_test.go
+++ b/pkg/api/quota_test.go
@ -66,17 +66,17 @@ func TestAPIEndpoint_GetCurrentOrgQuotas_AccessControl(t *testing.T) {
 	setupDBAndSettingsForAccessControlQuotaTests(t, sc)
 	t.Run("AccessControl allows viewing CurrentOrgQuotas with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodGet, getCurrentOrgQuotasURL, nil, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("AccessControl prevents viewing CurrentOrgQuotas with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 2)
 		response := callAPI(sc.server, http.MethodGet, getCurrentOrgQuotasURL, nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents viewing CurrentOrgQuotas with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
 		response := callAPI(sc.server, http.MethodGet, getCurrentOrgQuotasURL, nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -107,17 +107,17 @@ func TestAPIEndpoint_GetOrgQuotas_AccessControl(t *testing.T) {
 	setupDBAndSettingsForAccessControlQuotaTests(t, sc)
 	t.Run("AccessControl allows viewing another org quotas with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 2)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsQuotasURL, 2), nil, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("AccessControl prevents viewing another org quotas with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 1)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsQuotasURL, 2), nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("AccessControl prevents viewing another org quotas with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsQuotasURL, 2), nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -151,21 +151,21 @@ func TestAPIEndpoint_PutOrgQuotas_AccessControl(t *testing.T) {
 	input := strings.NewReader(testUpdateOrgQuotaCmd)
 	t.Run("AccessControl allows updating another org quotas with correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 2)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, 2, "org_user"), input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	input = strings.NewReader(testUpdateOrgQuotaCmd)
 	t.Run("AccessControl prevents updating another org quotas with correct permissions in another org", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, 2, "org_user"), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	input = strings.NewReader(testUpdateOrgQuotaCmd)
 	t.Run("AccessControl prevents updating another org quotas with incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, 2, "org_user"), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
--- a/pkg/api/search_test.go
+++ b/pkg/api/search_test.go
@ -27,8 +27,8 @@ func TestHTTPServer_Search(t *testing.T) {
 		},
 	}
-	sc.acmock.GetUserPermissionsFunc = func(ctx context.Context, user *models.SignedInUser, options accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+	sc.acmock.GetUserPermissionsFunc = func(ctx context.Context, user *models.SignedInUser, options accesscontrol.Options) ([]accesscontrol.Permission, error) {
-		return []*accesscontrol.Permission{
+		return []accesscontrol.Permission{
 			{Action: "folders:read", Scope: "folders:*"},
 			{Action: "folders:write", Scope: "folders:uid:folder2"},
 			{Action: "dashboards:read", Scope: "dashboards:*"},
--- a/pkg/api/team_members_test.go
+++ b/pkg/api/team_members_test.go
@ -202,7 +202,7 @@ func TestGetTeamMembersAPIEndpoint_RBAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("Access control allows getting a team members with the right permissions", func(t *testing.T) {
 		setAccessControlPermissions(sc.acmock,
-			[]*ac.Permission{
+			[]ac.Permission{
 				{Action: ac.ActionTeamsPermissionsRead, Scope: ac.Scope("teams", "id", "1")},
 				{Action: ac.ActionOrgUsersRead, Scope: ac.ScopeUsersAll},
 			},
@ -220,7 +220,7 @@ func TestGetTeamMembersAPIEndpoint_RBAC(t *testing.T) {
 	setInitCtxSignedInOrgAdmin(sc.initCtx)
 	t.Run("Access control filters team members based on user permissions", func(t *testing.T) {
 		setAccessControlPermissions(sc.acmock,
-			[]*ac.Permission{
+			[]ac.Permission{
 				{Action: ac.ActionTeamsPermissionsRead, Scope: ac.Scope("teams", "id", "1")},
 				{Action: ac.ActionOrgUsersRead, Scope: ac.Scope("users", "id", "2")},
 				{Action: ac.ActionOrgUsersRead, Scope: ac.Scope("users", "id", "3")},
@ -238,7 +238,7 @@ func TestGetTeamMembersAPIEndpoint_RBAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("Access control prevents getting a team member with incorrect scope", func(t *testing.T) {
 		setAccessControlPermissions(sc.acmock,
-			[]*ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: ac.Scope("teams", "id", "2")}},
+			[]ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: ac.Scope("teams", "id", "2")}},
 			testOrgId)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(teamMemberGetRoute, "1"), nil, t)
 		require.Equal(t, http.StatusForbidden, response.Code)
@ -256,7 +256,7 @@ func TestAddTeamMembersAPIEndpoint_RBAC(t *testing.T) {
 	newUserId := createUser(sc.db, testOrgId, t)
 	input := strings.NewReader(fmt.Sprintf(createTeamMemberCmd, newUserId))
 	t.Run("Access control allows adding a team member with the right permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodPost, fmt.Sprintf(teamMemberAddRoute, "1"), input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
@ -265,14 +265,14 @@ func TestAddTeamMembersAPIEndpoint_RBAC(t *testing.T) {
 	newUserId = createUser(sc.db, testOrgId, t)
 	input = strings.NewReader(fmt.Sprintf(teamCmd, newUserId))
 	t.Run("Access control prevents from adding a team member with the wrong permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodPost, fmt.Sprintf(teamMemberAddRoute, "1"), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("Access control prevents adding a team member with incorrect scope", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
+		setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
 		response := callAPI(sc.server, http.MethodPost, fmt.Sprintf(teamMemberAddRoute, "1"), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -335,7 +335,7 @@ func TestUpdateTeamMembersAPIEndpoint_RBAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	input := strings.NewReader(fmt.Sprintf(updateTeamMemberCmd, models.PERMISSION_ADMIN))
 	t.Run("Access control allows updating a team member with the right permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(teamMemberUpdateRoute, "1", "2"), input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
@ -343,14 +343,14 @@ func TestUpdateTeamMembersAPIEndpoint_RBAC(t *testing.T) {
 	setInitCtxSignedInOrgAdmin(sc.initCtx)
 	input = strings.NewReader(fmt.Sprintf(updateTeamMemberCmd, models.PERMISSION_ADMIN))
 	t.Run("Access control prevents updating a team member with the wrong permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(teamMemberUpdateRoute, "1", "2"), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("Access control prevents updating a team member with incorrect scope", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
+		setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(teamMemberUpdateRoute, "1", "2"), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -408,21 +408,21 @@ func TestDeleteTeamMembersAPIEndpoint_RBAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("Access control allows removing a team member with the right permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(teamMemberDeleteRoute, "1", "2"), nil, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	setInitCtxSignedInOrgAdmin(sc.initCtx)
 	t.Run("Access control prevents removing a team member with the wrong permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(teamMemberDeleteRoute, "1", "3"), nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("Access control prevents removing a team member with incorrect scope", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
+		setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
 		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(teamMemberDeleteRoute, "1", "3"), nil, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
--- a/pkg/api/team_test.go
+++ b/pkg/api/team_test.go
@ -195,14 +195,14 @@ func TestTeamAPIEndpoint_CreateTeam_RBAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
 	t.Run("Access control allows creating teams with the correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
 		response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
 	t.Run("Access control prevents creating teams with the incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "teams:invalid"}}, accesscontrol.GlobalOrgID)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "teams:invalid"}}, accesscontrol.GlobalOrgID)
 		response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -219,13 +219,13 @@ func TestTeamAPIEndpoint_SearchTeams_RBAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("Access control prevents searching for teams with the incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:*"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:*"}}, 1)
 		response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("Access control allows searching for teams with the correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:*"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:*"}}, 1)
 		response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
 		assert.Equal(t, http.StatusOK, response.Code)
@ -237,7 +237,7 @@ func TestTeamAPIEndpoint_SearchTeams_RBAC(t *testing.T) {
 	})
 	t.Run("Access control filters teams based on user permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}, {Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:3"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}, {Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:3"}}, 1)
 		response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
 		assert.Equal(t, http.StatusOK, response.Code)
@ -262,13 +262,13 @@ func TestTeamAPIEndpoint_GetTeamByID_RBAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("Access control prevents getting a team with the incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 	t.Run("Access control allows getting a team with the correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
 		assert.Equal(t, http.StatusOK, response.Code)
@ -293,7 +293,7 @@ func TestTeamAPIEndpoint_UpdateTeam_RBAC(t *testing.T) {
 	input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
 	t.Run("Access control allows updating teams with the correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
@ -305,7 +305,7 @@ func TestTeamAPIEndpoint_UpdateTeam_RBAC(t *testing.T) {
 	input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
 	t.Run("Access control allows updating teams with the correct global permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:*"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:*"}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
@ -317,7 +317,7 @@ func TestTeamAPIEndpoint_UpdateTeam_RBAC(t *testing.T) {
 	input = strings.NewReader(fmt.Sprintf(teamCmd, 3))
 	t.Run("Access control prevents updating teams with the incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
@ -340,7 +340,7 @@ func TestTeamAPIEndpoint_DeleteTeam_RBAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	t.Run("Access control prevents deleting teams with the incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:7"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:7"}}, 1)
 		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
@ -350,7 +350,7 @@ func TestTeamAPIEndpoint_DeleteTeam_RBAC(t *testing.T) {
 	})
 	t.Run("Access control allows deleting teams with the correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
 		assert.Equal(t, http.StatusOK, response.Code)
@ -381,13 +381,13 @@ func TestTeamAPIEndpoint_GetTeamPreferences_RBAC(t *testing.T) {
 	t.Run("Access control allows getting team preferences with the correct permissions", func(t *testing.T) {
 		setAccessControlPermissions(sc.acmock,
-			[]*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
+			[]accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamPreferenceURL, 1), http.NoBody, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
 	t.Run("Access control prevents getting team preferences with the incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
 		response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamPreferenceURL, 1), http.NoBody, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
@ -413,7 +413,7 @@ func TestTeamAPIEndpoint_UpdateTeamPreferences_RBAC(t *testing.T) {
 	input := strings.NewReader(teamPreferenceCmd)
 	t.Run("Access control allows updating team preferences with the correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, 1), input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
@ -425,7 +425,7 @@ func TestTeamAPIEndpoint_UpdateTeamPreferences_RBAC(t *testing.T) {
 	input = strings.NewReader(teamPreferenceCmdLight)
 	t.Run("Access control prevents updating team preferences with the incorrect permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
+		setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
 		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, 1), input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
--- a/pkg/services/accesscontrol/accesscontrol.go
+++ b/pkg/services/accesscontrol/accesscontrol.go
@ -21,7 +21,7 @@ type AccessControl interface {
 	Evaluate(ctx context.Context, user *models.SignedInUser, evaluator Evaluator) (bool, error)
 	// GetUserPermissions returns user permissions with only action and scope fields set.
-	GetUserPermissions(ctx context.Context, user *models.SignedInUser, options Options) ([]*Permission, error)
+	GetUserPermissions(ctx context.Context, user *models.SignedInUser, options Options) ([]Permission, error)
 	//IsDisabled returns if access control is enabled or not
 	IsDisabled() bool
@ -42,7 +42,7 @@ type RoleRegistry interface {
 type PermissionsStore interface {
 	// GetUserPermissions returns user permissions with only action and scope fields set.
-	GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]*Permission, error)
+	GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]Permission, error)
 }
 type TeamPermissionsService interface {
@ -144,7 +144,7 @@ var ReqOrgAdminOrEditor = func(c *models.ReqContext) bool {
 	return c.OrgRole == models.ROLE_ADMIN || c.OrgRole == models.ROLE_EDITOR
 }
-func BuildPermissionsMap(permissions []*Permission) map[string]bool {
+func BuildPermissionsMap(permissions []Permission) map[string]bool {
 	permissionsMap := make(map[string]bool)
 	for _, p := range permissions {
 		permissionsMap[p.Action] = true
@ -154,7 +154,7 @@ func BuildPermissionsMap(permissions []*Permission) map[string]bool {
 }
 // GroupScopesByAction will group scopes on action
-func GroupScopesByAction(permissions []*Permission) map[string][]string {
+func GroupScopesByAction(permissions []Permission) map[string][]string {
 	m := make(map[string][]string)
 	for _, p := range permissions {
 		m[p.Action] = append(m[p.Action], p.Scope)
--- a/pkg/services/accesscontrol/database/database.go
+++ b/pkg/services/accesscontrol/database/database.go
@ -20,8 +20,8 @@ type AccessControlStore struct {
 	sql *sqlstore.SQLStore
 }
-func (s *AccessControlStore) GetUserPermissions(ctx context.Context, query accesscontrol.GetUserPermissionsQuery) ([]*accesscontrol.Permission, error) {
+func (s *AccessControlStore) GetUserPermissions(ctx context.Context, query accesscontrol.GetUserPermissionsQuery) ([]accesscontrol.Permission, error) {
-	result := make([]*accesscontrol.Permission, 0)
+	result := make([]accesscontrol.Permission, 0)
 	err := s.sql.WithDbSession(ctx, func(sess *sqlstore.DBSession) error {
 		filter, params := userRolesFilter(query.OrgID, query.UserID, query.Roles)
--- a/pkg/services/accesscontrol/filter_bench_test.go
+++ b/pkg/services/accesscontrol/filter_bench_test.go
@ -48,7 +48,7 @@ func benchmarkFilter(b *testing.B, numDs, numPermissions int) {
 	}
 }
-func setupFilterBenchmark(b *testing.B, numDs, numPermissions int) (*sqlstore.SQLStore, []*accesscontrol.Permission) {
+func setupFilterBenchmark(b *testing.B, numDs, numPermissions int) (*sqlstore.SQLStore, []accesscontrol.Permission) {
 	b.Helper()
 	store := sqlstore.InitTestDB(b)
@ -64,9 +64,9 @@ func setupFilterBenchmark(b *testing.B, numDs, numPermissions int) (*sqlstore.SQ
 		numPermissions = numDs
 	}
-	permissions := make([]*accesscontrol.Permission, 0, numPermissions)
+	permissions := make([]accesscontrol.Permission, 0, numPermissions)
 	for i := 1; i <= numPermissions; i++ {
-		permissions = append(permissions, &accesscontrol.Permission{
+		permissions = append(permissions, accesscontrol.Permission{
 			Action: "datasources:read",
 			Scope:  accesscontrol.Scope("datasources", "id", strconv.Itoa(i)),
 		})
--- a/pkg/services/accesscontrol/middleware_test.go
+++ b/pkg/services/accesscontrol/middleware_test.go
@ -34,7 +34,7 @@ func TestMiddleware(t *testing.T) {
 		{
 			desc: "should pass middleware for correct permissions",
 			ac: mock.New().WithPermissions(
-				[]*accesscontrol.Permission{{Action: "users:read", Scope: "users:*"}},
+				[]accesscontrol.Permission{{Action: "users:read", Scope: "users:*"}},
 			),
 			evaluator:      accesscontrol.EvalPermission("users:read", "users:*"),
 			expectFallback: false,
@ -43,7 +43,7 @@ func TestMiddleware(t *testing.T) {
 		{
 			desc: "should not reach endpoint when missing permissions",
 			ac: mock.New().WithPermissions(
-				[]*accesscontrol.Permission{{Action: "users:read", Scope: "users:1"}},
+				[]accesscontrol.Permission{{Action: "users:read", Scope: "users:1"}},
 			),
 			evaluator:      accesscontrol.EvalPermission("users:read", "users:*"),
 			expectFallback: false,
--- a/pkg/services/accesscontrol/mock/mock.go
+++ b/pkg/services/accesscontrol/mock/mock.go
@ -25,7 +25,7 @@ type Calls struct {
 type Mock struct {
 	// Unless an override is provided, permissions will be returned by GetUserPermissions
-	permissions []*accesscontrol.Permission
+	permissions []accesscontrol.Permission
 	// Unless an override is provided, disabled will be returned by IsDisabled
 	disabled bool
 	// Unless an override is provided, builtInRoles will be returned by GetUserBuiltInRoles
@ -36,7 +36,7 @@ type Mock struct {
 	// Override functions
 	EvaluateFunc                       func(context.Context, *models.SignedInUser, accesscontrol.Evaluator) (bool, error)
-	GetUserPermissionsFunc             func(context.Context, *models.SignedInUser, accesscontrol.Options) ([]*accesscontrol.Permission, error)
+	GetUserPermissionsFunc             func(context.Context, *models.SignedInUser, accesscontrol.Options) ([]accesscontrol.Permission, error)
 	IsDisabledFunc                     func() bool
 	DeclareFixedRolesFunc              func(...accesscontrol.RoleRegistration) error
 	GetUserBuiltInRolesFunc            func(user *models.SignedInUser) []string
@ -53,7 +53,7 @@ func New() *Mock {
 	mock := &Mock{
 		Calls:          Calls{},
 		disabled:       false,
-		permissions:    []*accesscontrol.Permission{},
+		permissions:    []accesscontrol.Permission{},
 		builtInRoles:   []string{},
 		scopeResolvers: accesscontrol.NewScopeResolvers(),
 	}
@ -65,7 +65,7 @@ func (m Mock) GetUsageStats(ctx context.Context) map[string]interface{} {
 	return make(map[string]interface{})
 }
-func (m Mock) WithPermissions(permissions []*accesscontrol.Permission) *Mock {
+func (m Mock) WithPermissions(permissions []accesscontrol.Permission) *Mock {
 	m.permissions = permissions
 	return &m
 }
@ -104,7 +104,7 @@ func (m *Mock) Evaluate(ctx context.Context, user *models.SignedInUser, evaluato
 // GetUserPermissions returns user permissions.
 // This mock return m.permissions unless an override is provided.
-func (m *Mock) GetUserPermissions(ctx context.Context, user *models.SignedInUser, opts accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+func (m *Mock) GetUserPermissions(ctx context.Context, user *models.SignedInUser, opts accesscontrol.Options) ([]accesscontrol.Permission, error) {
 	m.Calls.GetUserPermissions = append(m.Calls.GetUserPermissions, []interface{}{ctx, user, opts})
 	// Use override if provided
 	if m.GetUserPermissionsFunc != nil {
--- a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
+++ b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
@ -103,7 +103,7 @@ func (ac *OSSAccessControlService) Evaluate(ctx context.Context, user *models.Si
 }
 // GetUserPermissions returns user permissions based on built-in roles
-func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
 	timer := prometheus.NewTimer(metrics.MAccessPermissionsSummary)
 	defer timer.ObserveDuration()
@ -120,28 +120,24 @@ func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user
 	}
 	permissions = append(permissions, dbPermissions...)
 	resolved := make([]*accesscontrol.Permission, 0, len(permissions))
 	keywordMutator := ac.scopeResolvers.GetScopeKeywordMutator(user)
-	for _, p := range permissions {
+	for i := range permissions {
 		// if the permission has a keyword in its scope it will be resolved
-		p.Scope, err = keywordMutator(ctx, p.Scope)
+		permissions[i].Scope, err = keywordMutator(ctx, permissions[i].Scope)
 		if err != nil {
 			return nil, err
 		}
 		resolved = append(resolved, p)
 	}
-	return resolved, nil
+	return permissions, nil
 }
-func (ac *OSSAccessControlService) getFixedPermissions(ctx context.Context, user *models.SignedInUser) []*accesscontrol.Permission {
+func (ac *OSSAccessControlService) getFixedPermissions(ctx context.Context, user *models.SignedInUser) []accesscontrol.Permission {
-	permissions := make([]*accesscontrol.Permission, 0)
+	permissions := make([]accesscontrol.Permission, 0)
 	for _, builtin := range accesscontrol.GetOrgRoles(ac.cfg, user) {
 		if basicRole, ok := ac.roles[builtin]; ok {
-			for i := range basicRole.Permissions {
+			permissions = append(permissions, basicRole.Permissions...)
 				permissions = append(permissions, &basicRole.Permissions[i])
 			}
 		}
 	}
--- a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
+++ b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
@ -35,10 +35,10 @@ func setupTestEnv(t testing.TB) *OSSAccessControlService {
 }
 // extractRawPermissionsHelper extracts action and scope fields only from a permission slice
-func extractRawPermissionsHelper(perms []*accesscontrol.Permission) []*accesscontrol.Permission {
+func extractRawPermissionsHelper(perms []accesscontrol.Permission) []accesscontrol.Permission {
-	res := make([]*accesscontrol.Permission, len(perms))
+	res := make([]accesscontrol.Permission, len(perms))
 	for i, p := range perms {
-		res[i] = &accesscontrol.Permission{Action: p.Action, Scope: p.Scope}
+		res[i] = accesscontrol.Permission{Action: p.Action, Scope: p.Scope}
 	}
 	return res
 }
@ -421,8 +421,8 @@ func TestOSSAccessControlService_GetUserPermissions(t *testing.T) {
 			rawUserPerms := extractRawPermissionsHelper(userPerms)
-			assert.Contains(t, rawUserPerms, &tt.wantPerm, "Expected resolution of raw permission")
+			assert.Contains(t, rawUserPerms, tt.wantPerm, "Expected resolution of raw permission")
-			assert.NotContains(t, rawUserPerms, &tt.rawPerm, "Expected raw permission to have been resolved")
+			assert.NotContains(t, rawUserPerms, tt.rawPerm, "Expected raw permission to have been resolved")
 		})
 	}
 }
--- a/pkg/services/accesscontrol/resourcepermissions/api_test.go
+++ b/pkg/services/accesscontrol/resourcepermissions/api_test.go
@ -26,7 +26,7 @@ import (
 type getDescriptionTestCase struct {
 	desc           string
 	options        Options
-	permissions    []*accesscontrol.Permission
+	permissions    []accesscontrol.Permission
 	expected       Description
 	expectedStatus int
 }
@ -49,7 +49,7 @@ func TestApi_getDescription(t *testing.T) {
 					"Admin": {"dashboards:read", "dashboards:write", "dashboards:delete", "dashboards.permissions:read", "dashboards:permissions:write"},
 				},
 			},
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read"},
 			},
 			expected: Description{
@ -76,7 +76,7 @@ func TestApi_getDescription(t *testing.T) {
 					"View": {"dashboards:read"},
 				},
 			},
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read"},
 			},
 			expected: Description{
@ -103,7 +103,7 @@ func TestApi_getDescription(t *testing.T) {
 					"View": {"dashboards:read"},
 				},
 			},
-			permissions:    []*accesscontrol.Permission{},
+			permissions:    []accesscontrol.Permission{},
 			expected:       Description{},
 			expectedStatus: http.StatusForbidden,
 		},
@ -132,7 +132,7 @@ func TestApi_getDescription(t *testing.T) {
 type getPermissionsTestCase struct {
 	desc           string
 	resourceID     string
-	permissions    []*accesscontrol.Permission
+	permissions    []accesscontrol.Permission
 	expectedStatus int
 }
@ -141,7 +141,7 @@ func TestApi_getPermissions(t *testing.T) {
 		{
 			desc:       "expect permissions for resource with id 1",
 			resourceID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
 				{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll},
@ -151,7 +151,7 @@ func TestApi_getPermissions(t *testing.T) {
 		{
 			desc:           "expect http status 403 when missing permission",
 			resourceID:     "1",
-			permissions:    []*accesscontrol.Permission{},
+			permissions:    []accesscontrol.Permission{},
 			expectedStatus: 403,
 		},
 	}
@ -179,7 +179,7 @@ type setBuiltinPermissionTestCase struct {
 	builtInRole    string
 	expectedStatus int
 	permission     string
-	permissions    []*accesscontrol.Permission
+	permissions    []accesscontrol.Permission
 }
 func TestApi_setBuiltinRolePermission(t *testing.T) {
@ -190,7 +190,7 @@ func TestApi_setBuiltinRolePermission(t *testing.T) {
 			builtInRole:    "Viewer",
 			expectedStatus: 200,
 			permission:     "Edit",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
 				{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -203,7 +203,7 @@ func TestApi_setBuiltinRolePermission(t *testing.T) {
 			builtInRole:    "Admin",
 			expectedStatus: 200,
 			permission:     "View",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
 				{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -216,7 +216,7 @@ func TestApi_setBuiltinRolePermission(t *testing.T) {
 			builtInRole:    "Invalid",
 			expectedStatus: http.StatusBadRequest,
 			permission:     "View",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
 			},
@ -227,7 +227,7 @@ func TestApi_setBuiltinRolePermission(t *testing.T) {
 			builtInRole:    "Invalid",
 			expectedStatus: http.StatusForbidden,
 			permission:     "View",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 			},
 		},
@ -257,7 +257,7 @@ type setTeamPermissionTestCase struct {
 	resourceID     string
 	expectedStatus int
 	permission     string
-	permissions    []*accesscontrol.Permission
+	permissions    []accesscontrol.Permission
 }
 func TestApi_setTeamPermission(t *testing.T) {
@ -268,7 +268,7 @@ func TestApi_setTeamPermission(t *testing.T) {
 			resourceID:     "1",
 			expectedStatus: 200,
 			permission:     "Edit",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
 				{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -281,7 +281,7 @@ func TestApi_setTeamPermission(t *testing.T) {
 			resourceID:     "1",
 			expectedStatus: 200,
 			permission:     "View",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
 				{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -294,7 +294,7 @@ func TestApi_setTeamPermission(t *testing.T) {
 			resourceID:     "1",
 			expectedStatus: http.StatusBadRequest,
 			permission:     "View",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
 			},
@ -305,7 +305,7 @@ func TestApi_setTeamPermission(t *testing.T) {
 			resourceID:     "1",
 			expectedStatus: http.StatusForbidden,
 			permission:     "View",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 			},
 		},
@ -340,7 +340,7 @@ type setUserPermissionTestCase struct {
 	resourceID     string
 	expectedStatus int
 	permission     string
-	permissions    []*accesscontrol.Permission
+	permissions    []accesscontrol.Permission
 }
 func TestApi_setUserPermission(t *testing.T) {
@ -351,7 +351,7 @@ func TestApi_setUserPermission(t *testing.T) {
 			resourceID:     "1",
 			expectedStatus: 200,
 			permission:     "Edit",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
 				{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -364,7 +364,7 @@ func TestApi_setUserPermission(t *testing.T) {
 			resourceID:     "1",
 			expectedStatus: 200,
 			permission:     "View",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
 				{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -377,7 +377,7 @@ func TestApi_setUserPermission(t *testing.T) {
 			resourceID:     "1",
 			expectedStatus: http.StatusBadRequest,
 			permission:     "View",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 				{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
 			},
@ -388,7 +388,7 @@ func TestApi_setUserPermission(t *testing.T) {
 			resourceID:     "1",
 			expectedStatus: http.StatusForbidden,
 			permission:     "View",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
 			},
 		},
--- a/pkg/services/accesscontrol/resourcepermissions/service_test.go
+++ b/pkg/services/accesscontrol/resourcepermissions/service_test.go
@ -36,7 +36,7 @@ func TestService_SetUserPermission(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			service, sql := setupTestEnvironment(t, []*accesscontrol.Permission{}, Options{
+			service, sql := setupTestEnvironment(t, []accesscontrol.Permission{}, Options{
 				Resource:             "dashboards",
 				Assignments:          Assignments{Users: true},
 				PermissionsToActions: nil,
@ -80,7 +80,7 @@ func TestService_SetTeamPermission(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			service, sql := setupTestEnvironment(t, []*accesscontrol.Permission{}, Options{
+			service, sql := setupTestEnvironment(t, []accesscontrol.Permission{}, Options{
 				Resource:             "dashboards",
 				Assignments:          Assignments{Teams: true},
 				PermissionsToActions: nil,
@ -124,7 +124,7 @@ func TestService_SetBuiltInRolePermission(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			service, _ := setupTestEnvironment(t, []*accesscontrol.Permission{}, Options{
+			service, _ := setupTestEnvironment(t, []accesscontrol.Permission{}, Options{
 				Resource:             "dashboards",
 				Assignments:          Assignments{BuiltInRoles: true},
 				PermissionsToActions: nil,
@ -197,7 +197,7 @@ func TestService_SetPermissions(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			service, sql := setupTestEnvironment(t, []*accesscontrol.Permission{}, tt.options)
+			service, sql := setupTestEnvironment(t, []accesscontrol.Permission{}, tt.options)
 			// seed user
 			_, err := sql.CreateUser(context.Background(), models.CreateUserCommand{Login: "user", OrgId: 1})
@ -216,7 +216,7 @@ func TestService_SetPermissions(t *testing.T) {
 	}
 }
-func setupTestEnvironment(t *testing.T, permissions []*accesscontrol.Permission, ops Options) (*Service, *sqlstore.SQLStore) {
+func setupTestEnvironment(t *testing.T, permissions []accesscontrol.Permission, ops Options) (*Service, *sqlstore.SQLStore) {
 	t.Helper()
 	sql := sqlstore.InitTestDB(t)
--- a/pkg/services/guardian/accesscontrol_guardian_test.go
+++ b/pkg/services/guardian/accesscontrol_guardian_test.go
@ -25,7 +25,7 @@ import (
 type accessControlGuardianTestCase struct {
 	desc           string
 	dashUID        string
-	permissions    []*accesscontrol.Permission
+	permissions    []accesscontrol.Permission
 	viewersCanEdit bool
 	expected       bool
 }
@ -35,7 +35,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 		{
 			desc:    "should be able to save with dashboard wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:*",
@ -46,7 +46,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 		{
 			desc:    "should be able to save with folder wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:*",
@ -57,7 +57,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 		{
 			desc:    "should be able to save with dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:1",
@ -68,7 +68,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 		{
 			desc:    "should be able to save with folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:general",
@ -79,7 +79,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 		{
 			desc:    "should not be able to save with incorrect dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:10",
@ -90,7 +90,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 		{
 			desc:    "should not be able to save with incorrect folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:100",
@ -114,7 +114,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 		{
 			desc:    "should be able to edit with dashboard wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:*",
@ -125,7 +125,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 		{
 			desc:    "should be able to edit with folder wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:*",
@ -136,7 +136,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 		{
 			desc:    "should be able to edit with dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:1",
@ -147,7 +147,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 		{
 			desc:    "should be able to edit with folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:general",
@ -158,7 +158,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 		{
 			desc:    "should not be able to edit with incorrect dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:10",
@ -169,7 +169,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 		{
 			desc:    "should not be able to edit with incorrect folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:10",
@ -180,7 +180,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 		{
 			desc:    "should be able to edit with read action when viewer_can_edit is true",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:uid:1",
@ -210,7 +210,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 		{
 			desc:    "should be able to view with dashboard wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:*",
@ -221,7 +221,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 		{
 			desc:    "should be able to view with folder wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsRead,
 					Scope:  "folders:*",
@ -232,7 +232,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 		{
 			desc:    "should be able to view with dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:uid:1",
@ -243,7 +243,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 		{
 			desc:    "should be able to view with folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsRead,
 					Scope:  "folders:uid:general",
@ -254,7 +254,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 		{
 			desc:    "should not be able to view with incorrect dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:uid:10",
@ -265,7 +265,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 		{
 			desc:    "should not be able to view with incorrect folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsRead,
 					Scope:  "folders:uid:10",
@ -290,7 +290,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 		{
 			desc:    "should be able to admin with dashboard wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "dashboards:*",
@ -305,7 +305,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 		{
 			desc:    "should be able to admin with folder wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "folders:*",
@ -320,7 +320,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 		{
 			desc:    "should be able to admin with dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "dashboards:uid:1",
@ -335,7 +335,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 		{
 			desc:    "should be able to admin with folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "folders:uid:general",
@ -350,7 +350,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 		{
 			desc:    "should not be able to admin with incorrect dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "dashboards:uid:10",
@ -365,7 +365,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 		{
 			desc:    "should not be able to admin with incorrect folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "folders:uid:10",
@ -394,7 +394,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 		{
 			desc:    "should be able to delete with dashboard wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "dashboards:*",
@ -405,7 +405,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 		{
 			desc:    "should be able to delete with folder wildcard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "folders:*",
@ -416,7 +416,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 		{
 			desc:    "should be able to delete with dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "dashboards:uid:1",
@ -427,7 +427,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 		{
 			desc:    "should be able to delete with folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "folders:uid:general",
@ -438,7 +438,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 		{
 			desc:    "should not be able to delete with incorrect dashboard scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "dashboards:uid:10",
@ -449,7 +449,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 		{
 			desc:    "should not be able to delete with incorrect folder scope",
 			dashUID: "1",
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{
 					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "folders:uid:10",
@ -474,7 +474,7 @@ type accessControlGuardianCanCreateTestCase struct {
 	desc        string
 	isFolder    bool
 	folderID    int64
-	permissions []*accesscontrol.Permission
+	permissions []accesscontrol.Permission
 	expected    bool
 }
@ -484,7 +484,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 			desc:     "should be able to create dashboard in general folder",
 			isFolder: false,
 			folderID: 0,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:general"},
 			},
 			expected: true,
@ -493,7 +493,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 			desc:     "should be able to create dashboard in any folder",
 			isFolder: false,
 			folderID: 0,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: dashboards.ActionDashboardsCreate, Scope: "folders:*"},
 			},
 			expected: true,
@ -502,14 +502,14 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 			desc:        "should not be able to create dashboard without permissions",
 			isFolder:    false,
 			folderID:    0,
-			permissions: []*accesscontrol.Permission{},
+			permissions: []accesscontrol.Permission{},
 			expected:    false,
 		},
 		{
 			desc:     "should be able to create folder with correct permissions",
 			isFolder: true,
 			folderID: 0,
-			permissions: []*accesscontrol.Permission{
+			permissions: []accesscontrol.Permission{
 				{Action: dashboards.ActionFoldersCreate},
 			},
 			expected: true,
@ -518,7 +518,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 			desc:        "should not be able to create folders without permissions",
 			isFolder:    true,
 			folderID:    0,
-			permissions: []*accesscontrol.Permission{},
+			permissions: []accesscontrol.Permission{},
 			expected:    false,
 		},
 	}
@ -579,7 +579,7 @@ func TestAccessControlDashboardGuardian_GetHiddenACL(t *testing.T) {
 	}
 }
-func setupAccessControlGuardianTest(t *testing.T, uid string, permissions []*accesscontrol.Permission, dashboardSvc dashboards.DashboardService) (*AccessControlDashboardGuardian, *models.Dashboard) {
+func setupAccessControlGuardianTest(t *testing.T, uid string, permissions []accesscontrol.Permission, dashboardSvc dashboards.DashboardService) (*AccessControlDashboardGuardian, *models.Dashboard) {
 	t.Helper()
 	store := sqlstore.InitTestDB(t)
--- a/pkg/services/ngalert/api/api_alertmanager_test.go
+++ b/pkg/services/ngalert/api/api_alertmanager_test.go
@ -368,7 +368,7 @@ func TestRouteCreateSilence(t *testing.T) {
 			name:    "new silence, role-based access control is enabled, authorized",
 			silence: silenceGen(withEmptyID),
 			accessControl: func() accesscontrol.AccessControl {
-				return acMock.New().WithPermissions([]*accesscontrol.Permission{
+				return acMock.New().WithPermissions([]accesscontrol.Permission{
 					{Action: accesscontrol.ActionAlertingInstanceCreate},
 				})
 			},
@ -413,7 +413,7 @@ func TestRouteCreateSilence(t *testing.T) {
 			name:    "update silence, role-based access control is enabled, authorized",
 			silence: silenceGen(),
 			accessControl: func() accesscontrol.AccessControl {
-				return acMock.New().WithPermissions([]*accesscontrol.Permission{
+				return acMock.New().WithPermissions([]accesscontrol.Permission{
 					{Action: accesscontrol.ActionAlertingInstanceUpdate},
 				})
 			},
--- a/pkg/services/ngalert/api/api_ruler_test.go
+++ b/pkg/services/ngalert/api/api_ruler_test.go
@ -687,11 +687,11 @@ func createRequestContext(orgID int64, role models2.RoleType, params map[string]
 	}
 }
-func createPermissionsForRules(rules []*models.AlertRule) []*accesscontrol.Permission {
+func createPermissionsForRules(rules []*models.AlertRule) []accesscontrol.Permission {
-	var permissions []*accesscontrol.Permission
+	var permissions []accesscontrol.Permission
 	for _, rule := range rules {
 		for _, query := range rule.Data {
-			permissions = append(permissions, &accesscontrol.Permission{
+			permissions = append(permissions, accesscontrol.Permission{
 				Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(query.DatasourceUID),
 			})
 		}
--- a/pkg/services/ngalert/api/api_testing_test.go
+++ b/pkg/services/ngalert/api/api_testing_test.go
@ -35,7 +35,7 @@ func TestRouteTestGrafanaRuleConfig(t *testing.T) {
 			data1 := models.GenerateAlertQuery()
 			data2 := models.GenerateAlertQuery()
-			ac := acMock.New().WithPermissions([]*accesscontrol.Permission{
+			ac := acMock.New().WithPermissions([]accesscontrol.Permission{
 				{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data1.DatasourceUID)},
 			})
@ -57,7 +57,7 @@ func TestRouteTestGrafanaRuleConfig(t *testing.T) {
 			data1 := models.GenerateAlertQuery()
 			data2 := models.GenerateAlertQuery()
-			ac := acMock.New().WithPermissions([]*accesscontrol.Permission{
+			ac := acMock.New().WithPermissions([]accesscontrol.Permission{
 				{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data1.DatasourceUID)},
 				{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data2.DatasourceUID)},
 			})
@ -158,7 +158,7 @@ func TestRouteEvalQueries(t *testing.T) {
 			data1 := models.GenerateAlertQuery()
 			data2 := models.GenerateAlertQuery()
-			ac := acMock.New().WithPermissions([]*accesscontrol.Permission{
+			ac := acMock.New().WithPermissions([]accesscontrol.Permission{
 				{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data1.DatasourceUID)},
 			})
@ -178,7 +178,7 @@ func TestRouteEvalQueries(t *testing.T) {
 			data1 := models.GenerateAlertQuery()
 			data2 := models.GenerateAlertQuery()
-			ac := acMock.New().WithPermissions([]*accesscontrol.Permission{
+			ac := acMock.New().WithPermissions([]accesscontrol.Permission{
 				{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data1.DatasourceUID)},
 				{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data2.DatasourceUID)},
 			})
--- a/pkg/services/serviceaccounts/api/api_test.go
+++ b/pkg/services/serviceaccounts/api/api_test.go
@ -61,8 +61,8 @@ func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
 			wantID: "sa-new-sa",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
 				},
 				false,
 			),
@ -74,8 +74,8 @@ func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
 			wantError: "service account name already in use",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
 				},
 				false,
 			),
@ -87,8 +87,8 @@ func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
 			wantError: "required value Name must not be empty",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
 				},
 				false,
 			),
@ -99,8 +99,8 @@ func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
 			body: map[string]interface{}{},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{}, nil
+					return []accesscontrol.Permission{}, nil
 				},
 				false,
 			),
@ -171,8 +171,8 @@ func TestServiceAccountsAPI_DeleteServiceAccount(t *testing.T) {
 			user: tests.TestUser{Login: "servicetest1@admin", IsServiceAccount: true},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionDelete, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionDelete, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
@ -195,8 +195,8 @@ func TestServiceAccountsAPI_DeleteServiceAccount(t *testing.T) {
 			user: tests.TestUser{Login: "servicetest2@admin", IsServiceAccount: true},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{}, nil
+					return []accesscontrol.Permission{}, nil
 				},
 				false,
 			),
@ -260,8 +260,8 @@ func TestServiceAccountsAPI_RetrieveServiceAccount(t *testing.T) {
 			user: &tests.TestUser{Login: "servicetest1@admin", IsServiceAccount: true},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
@ -272,8 +272,8 @@ func TestServiceAccountsAPI_RetrieveServiceAccount(t *testing.T) {
 			user: &tests.TestUser{Login: "servicetest2@admin", IsServiceAccount: true},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{}, nil
+					return []accesscontrol.Permission{}, nil
 				},
 				false,
 			),
@ -285,8 +285,8 @@ func TestServiceAccountsAPI_RetrieveServiceAccount(t *testing.T) {
 			Id:   12,
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
@ -355,8 +355,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
 			body: &serviceaccounts.UpdateServiceAccountForm{Name: newString("New Name"), Role: &viewerRole},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
@ -368,8 +368,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
 			body: &serviceaccounts.UpdateServiceAccountForm{Name: newString("New Name 2"), Role: &editorRole},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
@ -381,8 +381,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
 			body: &serviceaccounts.UpdateServiceAccountForm{Name: newString("NameB"), Role: &invalidRole},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
@ -394,8 +394,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
 			body: nil,
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{}, nil
+					return []accesscontrol.Permission{}, nil
 				},
 				false,
 			),
@ -408,8 +408,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
 			Id:   12,
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
--- a/pkg/services/serviceaccounts/api/token_test.go
+++ b/pkg/services/serviceaccounts/api/token_test.go
@ -65,8 +65,8 @@ func TestServiceAccountsAPI_CreateToken(t *testing.T) {
 			desc: "should be ok to create serviceaccount token with scope all permissions",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
@ -77,8 +77,8 @@ func TestServiceAccountsAPI_CreateToken(t *testing.T) {
 			desc: "serviceaccount token should match SA orgID and SA provided in parameters even if specified in body",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
@ -89,8 +89,8 @@ func TestServiceAccountsAPI_CreateToken(t *testing.T) {
 			desc: "should be ok to create serviceaccount token with scope id permissions",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}}, nil
 				},
 				false,
 			),
@ -101,8 +101,8 @@ func TestServiceAccountsAPI_CreateToken(t *testing.T) {
 			desc: "should be forbidden to create serviceaccount token if wrong scoped",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:2"}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:2"}}, nil
 				},
 				false,
 			),
@ -181,8 +181,8 @@ func TestServiceAccountsAPI_DeleteToken(t *testing.T) {
 			keyName: "Test1",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}}, nil
 				},
 				false,
 			),
@ -193,8 +193,8 @@ func TestServiceAccountsAPI_DeleteToken(t *testing.T) {
 			keyName: "Test2",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
 				},
 				false,
 			),
@ -205,8 +205,8 @@ func TestServiceAccountsAPI_DeleteToken(t *testing.T) {
 			keyName: "Test3",
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:10"}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:10"}}, nil
 				},
 				false,
 			),
@ -288,8 +288,8 @@ func TestServiceAccountsAPI_ListTokens(t *testing.T) {
 			}},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
 				},
 				false,
 			),
@ -308,8 +308,8 @@ func TestServiceAccountsAPI_ListTokens(t *testing.T) {
 			}},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
 				},
 				false,
 			),
@ -328,8 +328,8 @@ func TestServiceAccountsAPI_ListTokens(t *testing.T) {
 			}},
 			acmock: tests.SetupMockAccesscontrol(
 				t,
-				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
+				func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
-					return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
+					return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
 				},
 				false,
 			),
--- a/pkg/services/serviceaccounts/tests/common.go
+++ b/pkg/services/serviceaccounts/tests/common.go
@ -55,7 +55,7 @@ func (s *ServiceAccountMock) Migrated(ctx context.Context, orgID int64) bool {
 }
 func SetupMockAccesscontrol(t *testing.T,
-	userpermissionsfunc func(c context.Context, siu *models.SignedInUser, opt accesscontrol.Options) ([]*accesscontrol.Permission, error),
+	userpermissionsfunc func(c context.Context, siu *models.SignedInUser, opt accesscontrol.Options) ([]accesscontrol.Permission, error),
 	disableAccessControl bool) *accesscontrolmock.Mock {
 	t.Helper()
 	acmock := accesscontrolmock.New()