Access control: service account role check (#47710)

* forbid setting role higher than user's role

* change response code

* can assign API key permissions to non-admin users

* add: assign viewer role directly upon creation

* refactor: add AddSATcommand infavor of AddAPIkey

* refactor: frontend fixes for ServiceAccountToken

Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com>

pkg/services/serviceaccounts/models.go

@@ -40,6 +40,15 @@ type ServiceAccountDTO struct {
 	AvatarUrl     string          `json:"avatarUrl"`
 	AccessControl map[string]bool `json:"accessControl,omitempty"`
 }
+
+type AddServiceAccountTokenCommand struct {
+	Name          string         `json:"name" binding:"Required"`
+	OrgId         int64          `json:"-"`
+	Key           string         `json:"-"`
+	SecondsToLive int64          `json:"secondsToLive"`
+	Result        *models.ApiKey `json:"-"`
+}
+
 type SearchServiceAccountsResult struct {
 	TotalCount      int64                `json:"totalCount"`
 	ServiceAccounts []*ServiceAccountDTO `json:"serviceAccounts"`