Accesscontrol: Rename scope permissions:delegate (#48898)

Gabriel MABILLE 2022-05-11 17:22:43 +02:00 committed by GitHub
parent 233a96d818
commit d31d300ce1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 85 additions and 85 deletions

View File

@ -94,22 +94,22 @@ The following list contains role-based access control actions.
| `reports:delete` | `reports:*` <br> `reports:id:*` | Delete reports. |
| `reports:read` | `reports:*` | List all available reports or get a specific report. |
| `reports:send` | `reports:*` | Send a report email. |
| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
| `roles.builtin:add` | `permissions:type:delegate` | Create a built-in role assignment. |
| `roles.builtin:list` | `roles:*` | List built-in role assignments. |
| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
| `roles:delete` | `permissions:delegate` | Delete a custom role. |
| `roles.builtin:remove` | `permissions:type:delegate` | Delete a built-in role assignment. |
| `roles:delete` | `permissions:type:delegate` | Delete a custom role. |
| `roles:list` | `roles:*` | List available roles without permissions. |
| `roles:read` | `roles:*` <br> `roles:uid:*` | Read a specific role with its permissions. |
| `roles:write` | `permissions:delegate` | Create or update a custom role. |
| `roles:write` | `permissions:type:delegate` | Create or update a custom role. |
| `server.stats:read` | n/a | Read Grafana instance statistics. |
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
| `teams.permissions:read` | `teams:*`<br>`teams:id:*` | Read members and External Group Synchronization setup for teams. |
| `teams.permissions:write` | `teams:*`<br>`teams:id:*` | Add, remove and update members and manage External Group Synchronization setup for teams. |
| `teams.roles:add` | `permissions:delegate` | Assign a role to a team. |
| `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. |
| `teams.roles:list` | `teams:*` | List roles assigned directly to a team. |
| `teams.roles:remove` | `permissions:delegate` | Unassign a role from a team. |
| `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. |
| `teams:create` | n/a | Create teams. |
| `teams:delete` | `teams:*`<br>`teams:id:*` | Delete one or more teams. |
| `teams:read` | `teams:*`<br>`teams:id:*` | Read one or more teams and team preferences. |
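Review bot: renaming a scope that is persisted in existing custom roles and provisioning files is a breaking change, and none of the visible files in this changeset (docs, one Go test, two API specs) shows a migration or an alias that keeps stored `permissions:delegate` assignments working; either add one or state the rename as a breaking change in these docs. The new value itself is a good fit, since it follows the `kind:attribute:identifier` shape used by the other scopes on this page (`roles:uid:*`, `teams:id:*`).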
@ -121,9 +121,9 @@ The following list contains role-based access control actions.
| `users.permissions:update` | `global.users:*` <br> `global.users:id:*` | Update a users organization-level permissions. |
| `users.quotas:list` | `global.users:*` <br> `global.users:id:*` | List a users quotas. |
| `users.quotas:update` | `global.users:*` <br> `global.users:id:*` | Update a users quotas. |
| `users.roles:add` | `permissions:delegate` | Assign a role to a user. |
| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user. |
| `users.roles:list` | `users:*` | List roles assigned directly to a user. |
| `users.roles:remove` | `permissions:delegate` | Unassign a role from a user. |
| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user. |
| `users.teams:read` | `global.users:*` <br> `global.users:id:*` | Read a users teams. |
| `users:create` | n/a | Create a user. |
| `users:delete` | `global.users:*` <br> `global.users:id:*` | Delete a user. |
@ -146,7 +146,7 @@ The following list contains role-based access control scopes.
| `folders:*`<br>`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. |
| `global.users:*` <br> `global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. |
| `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| `permissions:type:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./custom-role-actions-scopes" >}}). |
| `reports:*` <br> `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. |
| `roles:*` <br> `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
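Review bot: the description in the `permissions:type:delegate` row says "a subset of it" where "it" refers to "your permissions"; since the row is being rewritten, change it to "a subset of them". It would also help readers to say that, unlike every other scope in this table, this one does not select a set of resources but limits what a holder may delegate to a role or assignment.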

View File

@ -152,7 +152,7 @@ Create a custom role when basic roles and fixed roles do not meet your permissio
- [Enable role provisioning]({{< relref "./enable-rbac-and-provisioning#enable-rbac" >}}).
- Ensure that you have permissions to create a custom role.
- By default, the Grafana Admin role has permission to create custom roles.
- A Grafana Admin can delegate the custom role privilege to another user by creating a custom role with the relevant permissions and adding the `permissions:delegate` scope.
- A Grafana Admin can delegate the custom role privilege to another user by creating a custom role with the relevant permissions and adding the `permissions:type:delegate` scope.
### Create custom roles using provisioning

View File

@ -219,12 +219,12 @@ Creates a new custom role and maps given permissions to that role. Note that rol
#### Required permissions
`permission:delegate` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to create a custom role which allows to do that. This is done to prevent escalation of privileges.
| Action | Scope |
| ----------- | -------------------- |
| roles:write | permissions:delegate |
| Action | Scope |
| ----------- | ------------------------- |
| roles:write | permissions:type:delegate |
#### Example request
@ -245,7 +245,7 @@ Content-Type: application/json
"permissions": [
{
"action": "roles:delete",
"scope": "permissions:delegate"
"scope": "permissions:type:delegate"
}
]
}
@ -290,7 +290,7 @@ Content-Type: application/json; charset=UTF-8
"permissions": [
{
"action": "roles:delete",
"scope": "permissions:delegate",
"scope": "permissions:type:delegate",
"updated": "2021-05-13T23:19:46+02:00",
"created": "2021-05-13T23:19:46+02:00"
}
@ -317,12 +317,12 @@ Update the role with the given UID, and it's permissions with the given UID. The
#### Required permissions
`permission:delegate` scope ensures that users can only update custom roles with the same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only update custom roles with the same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to update a custom role which allows to do that. This is done to prevent escalation of privileges.
| Action | Scope |
| ----------- | -------------------- |
| roles:write | permissions:delegate |
| Action | Scope |
| ----------- | ------------------------- |
| roles:write | permissions:type:delegate |
#### Example request
@ -342,11 +342,11 @@ Content-Type: application/json
"permissions": [
{
"action": "roles:delete",
"scope": "permissions:delegate"
"scope": "permissions:type:delegate"
},
{
"action": "roles:write",
"scope": "permissions:delegate"
"scope": "permissions:type:delegate"
}
]
}
@ -388,13 +388,13 @@ Content-Type: application/json; charset=UTF-8
"permissions":[
{
"action":"roles:delete",
"scope":"permissions:delegate",
"scope":"permissions:type:delegate",
"updated":"2021-08-06T18:27:40+02:00",
"created":"2021-08-06T18:27:40+02:00"
},
{
"action":"roles:write",
"scope":"permissions:delegate",
"scope":"permissions:type:delegate",
"updated":"2021-08-06T18:27:41+02:00",
"created":"2021-08-06T18:27:41+02:00"
}
@ -423,12 +423,12 @@ Delete a role with the given UID, and it's permissions. If the role is assigned
#### Required permissions
`permission:delegate` scope ensures that users can only delete a custom role with the same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only delete a custom role with the same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to delete a custom role which allows to do that.
| Action | Scope |
| ------------ | -------------------- |
| roles:delete | permissions:delegate |
| Action | Scope |
| ------------ | ------------------------- |
| roles:delete | permissions:type:delegate |
#### Example request
@ -574,12 +574,12 @@ For bulk updates consider
#### Required permissions
`permission:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to assign a role which will allow to do that. This is done to prevent escalation of privileges.
| Action | Scope |
| --------------- | -------------------- |
| users.roles:add | permissions:delegate |
| Action | Scope |
| --------------- | ------------------------- |
| users.roles:add | permissions:type:delegate |
#### Example request
@ -632,12 +632,12 @@ For bulk updates consider
#### Required permissions
`permission:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges.
| Action | Scope |
| ------------------ | -------------------- |
| users.roles:remove | permissions:delegate |
| Action | Scope |
| ------------------ | ------------------------- |
| users.roles:remove | permissions:type:delegate |
#### Query parameters
@ -686,13 +686,13 @@ instead.
#### Required permissions
`permission:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.
| Action | Scope |
| ------------------ | -------------------- |
| users.roles:add | permissions:delegate |
| users.roles:remove | permissions:delegate |
| Action | Scope |
| ------------------ | ------------------------- |
| users.roles:add | permissions:type:delegate |
| users.roles:remove | permissions:type:delegate |
#### Example request
@ -802,12 +802,12 @@ For bulk updates consider [Set team role assignments]({{< ref "#set-team-role-as
#### Required permissions
`permission:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have the permissions required to create users, they won't be able to assign a role that contains these permissions. This is done to prevent escalation of privileges.
| Action | Scope |
| --------------- | -------------------- |
| teams.roles:add | permissions:delegate |
| Action | Scope |
| --------------- | ------------------------- |
| teams.roles:add | permissions:type:delegate |
#### Example request
@ -857,12 +857,12 @@ For bulk updates consider [Set team role assignments]({{< ref "#set-team-role-as
#### Required permissions
`permission:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have the permissions required to create users, they won't be able to assign a role that contains these permissions. This is done to prevent escalation of privileges.```
| Action | Scope |
| ------------------ | -------------------- |
| teams.roles:remove | permissions:delegate |
| Action | Scope |
| ------------------ | ------------------------- |
| teams.roles:remove | permissions:type:delegate |
#### Example request
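Review bot: the unchanged context line "they won't be able to assign a role that contains these permissions. This is done to prevent escalation of privileges.```" carries a stray triple backtick at its end and says "assign" although this section documents `teams.roles:remove`; as the adjacent line is already being rewritten, drop the backticks and change "assign" to "unassign" in the same edit.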
@ -905,13 +905,13 @@ instead.
#### Required permissions
`permission:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to assign or unassign a role to a team which will allow to do that. This is done to prevent escalation of privileges.
| Action | Scope |
| ------------------ | -------------------- |
| teams.roles:add | permissions:delegate |
| teams.roles:remove | permissions:delegate |
| Action | Scope |
| ------------------ | ------------------------- |
| teams.roles:add | permissions:type:delegate |
| teams.roles:remove | permissions:type:delegate |
#### Example request
@ -1045,12 +1045,12 @@ Creates a new built-in role assignment.
#### Required permissions
`permission:delegate` scope ensures that users can only create built-in role assignments with the roles which have same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only create built-in role assignments with the roles which have same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to create a built-in role assignment which will allow to do that. This is done to prevent escalation of privileges.
| Action | Scope |
| ----------------- | -------------------- |
| roles.builtin:add | permissions:delegate |
| Action | Scope |
| ----------------- | ------------------------- |
| roles.builtin:add | permissions:type:delegate |
#### Example request
@ -1103,12 +1103,12 @@ Deletes a built-in role assignment (for one of _Viewer_, _Editor_, _Admin_, or _
#### Required permissions
`permission:delegate` scope ensures that users can only remove built-in role assignments with the roles which have same, or a subset of permissions which the user has.
`permissions:type:delegate` scope ensures that users can only remove built-in role assignments with the roles which have same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to remove a built-in role assignment which allows to do that.
| Action | Scope |
| -------------------- | -------------------- |
| roles.builtin:remove | permissions:delegate |
| Action | Scope |
| -------------------- | ------------------------- |
| roles.builtin:remove | permissions:type:delegate |
#### Example request

View File

@ -275,7 +275,7 @@ func TestAny_Evaluate(t *testing.T) {
EvalPermission("report:write", Scope("reports", "10")),
),
permissions: map[string][]string{
"permissions:write": {"permissions:delegate"},
"permissions:write": {"permissions:type:delegate"},
},
expected: false,
},
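Review bot: this case is expected to be `false` because the evaluated action `report:write` does not match the granted `permissions:write`, so it would pass with any scope string and does not exercise the rename at all. Add a case where the action matches and the scope is `permissions:type:delegate` that is expected to be `true`, and a companion case showing the old `permissions:delegate` string no longer satisfies it.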

View File

@ -38,7 +38,7 @@
}
},
"post": {
"description": "You need to have a permission with action `roles.builtin:add` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only create built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to create a built-in role assignment which will allow to do that. This is done to prevent escalation of privileges.",
"description": "You need to have a permission with action `roles.builtin:add` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only create built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to create a built-in role assignment which will allow to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Create a built-in role assignment.",
"operationId": "addBuiltinRole",
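Review bot: the old description used the singular `permission:delegate`, which never matched the real scope name, so the rename also fixes that; while the string is being rewritten, restore the missing apostrophe in "wont" (the same spelling recurs in the other descriptions touched by this commit).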
@ -71,7 +71,7 @@
},
"/access-control/builtin-roles/{builtinRole}/roles/{roleUID}": {
"delete": {
"description": "Deletes a built-in role assignment (for one of Viewer, Editor, Admin, or Grafana Admin) to the role with the provided UID.\n\nYou need to have a permission with action `roles.builtin:remove` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only remove built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to remove a built-in role assignment which allows to do that.",
"description": "Deletes a built-in role assignment (for one of Viewer, Editor, Admin, or Grafana Admin) to the role with the provided UID.\n\nYou need to have a permission with action `roles.builtin:remove` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only remove built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to remove a built-in role assignment which allows to do that.",
"tags": ["access_control", "enterprise"],
"summary": "Remove a built-in role assignment.",
"operationId": "removeBuiltinRole",
@ -136,7 +136,7 @@
}
},
"post": {
"description": "Creates a new custom role and maps given permissions to that role. Note that roles with the same prefix as Fixed Roles cant be created.\n\nYou need to have a permission with action `roles:write` and scope `permissions:delegate`. `permission:delegate`` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.\nFor example, if a user does not have required permissions for creating users, they wont be able to create a custom role which allows to do that. This is done to prevent escalation of privileges.",
"description": "Creates a new custom role and maps given permissions to that role. Note that roles with the same prefix as Fixed Roles cant be created.\n\nYou need to have a permission with action `roles:write` and scope `permissions:type:delegate`. `permissions:type:delegate`` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.\nFor example, if a user does not have required permissions for creating users, they wont be able to create a custom role which allows to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Create a new custom role.",
"operationId": "createRoleWithPermissions",
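Review bot: the doubled closing backtick in `permissions:type:delegate`` scope ensures survives the rename and will render as a literal backtick in the generated API docs; change it to a single backtick, and fix "cant" and "wont" while the string is open.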
@ -195,7 +195,7 @@
}
},
"put": {
"description": "You need to have a permission with action `roles:write` and scope `permissions:delegate`. `permission:delegate`` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.",
"description": "You need to have a permission with action `roles:write` and scope `permissions:type:delegate`. `permissions:type:delegate`` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.",
"tags": ["access_control", "enterprise"],
"summary": "Update a custom role.",
"operationId": "updateRoleWithPermissions",
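Review bot: besides the doubled backtick after `permissions:type:delegate`, this `put` description still says the scope lets users "create custom roles" although the operation (summary "Update a custom role.") updates them; the markdown docs in this same commit already use "update custom roles" for this endpoint, so align the wording here.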
@ -236,7 +236,7 @@
}
},
"delete": {
"description": "Delete a role with the given UID, and its permissions. If the role is assigned to a built-in role, the deletion operation will fail, unless force query param is set to true, and in that case all assignments will also be deleted.\n\nYou need to have a permission with action `roles:delete` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only delete a custom role with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to delete a custom role which allows to do that.",
"description": "Delete a role with the given UID, and its permissions. If the role is assigned to a built-in role, the deletion operation will fail, unless force query param is set to true, and in that case all assignments will also be deleted.\n\nYou need to have a permission with action `roles:delete` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only delete a custom role with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to delete a custom role which allows to do that.",
"tags": ["access_control", "enterprise"],
"summary": "Delete a custom role.",
"operationId": "deleteCustomRole",
@ -319,7 +319,7 @@
}
},
"put": {
"description": "You need to have a permission with action `teams.roles:add` and `teams.roles:remove` and scope `permissions:delegate` for each.",
"description": "You need to have a permission with action `teams.roles:add` and `teams.roles:remove` and scope `permissions:type:delegate` for each.",
"tags": ["access_control", "enterprise"],
"summary": "Update team role.",
"operationId": "setTeamRoles",
@ -352,7 +352,7 @@
}
},
"post": {
"description": "You need to have a permission with action `teams.roles:add` and scope `permissions:delegate`.",
"description": "You need to have a permission with action `teams.roles:add` and scope `permissions:type:delegate`.",
"tags": ["access_control", "enterprise"],
"summary": "Add team role.",
"operationId": "addTeamRole",
@ -396,7 +396,7 @@
},
"/access-control/teams/{teamId}/roles/{roleUID}": {
"delete": {
"description": "You need to have a permission with action `teams.roles:remove` and scope `permissions:delegate`.",
"description": "You need to have a permission with action `teams.roles:remove` and scope `permissions:type:delegate`.",
"tags": ["access_control", "enterprise"],
"summary": "Remove team role.",
"operationId": "removeTeamRole",
@ -468,7 +468,7 @@
}
},
"put": {
"description": "Update the users role assignments to match the provided set of UIDs. This will remove any assigned roles that arent in the request and add roles that are in the set but are not already assigned to the user.\nIf you want to add or remove a single role, consider using Add a user role assignment or Remove a user role assignment instead.\n\nYou need to have a permission with action `users.roles:add` and `users.roles:remove` and scope `permissions:delegate` for each. `permission:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.",
"description": "Update the users role assignments to match the provided set of UIDs. This will remove any assigned roles that arent in the request and add roles that are in the set but are not already assigned to the user.\nIf you want to add or remove a single role, consider using Add a user role assignment or Remove a user role assignment instead.\n\nYou need to have a permission with action `users.roles:add` and `users.roles:remove` and scope `permissions:type:delegate` for each. `permissions:type:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Set user role assignments.",
"operationId": "setUserRoles",
@ -501,7 +501,7 @@
}
},
"post": {
"description": "Assign a role to a specific user. For bulk updates consider Set user role assignments.\n\nYou need to have a permission with action `users.roles:add` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to assign a role which will allow to do that. This is done to prevent escalation of privileges.",
"description": "Assign a role to a specific user. For bulk updates consider Set user role assignments.\n\nYou need to have a permission with action `users.roles:add` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to assign a role which will allow to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Add a user role assignment.",
"operationId": "addUserRole",
@ -542,7 +542,7 @@
},
"/access-control/users/{user_id}/roles/{roleUID}": {
"delete": {
"description": "Revoke a role from a user. For bulk updates consider Set user role assignments.\n\nYou need to have a permission with action `users.roles:remove` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges.",
"description": "Revoke a role from a user. For bulk updates consider Set user role assignments.\n\nYou need to have a permission with action `users.roles:remove` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Remove a user role assignment.",
"operationId": "removeUserRole",

View File

@ -38,7 +38,7 @@
}
},
"post": {
"description": "You need to have a permission with action `roles.builtin:add` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only create built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to create a built-in role assignment which will allow to do that. This is done to prevent escalation of privileges.",
"description": "You need to have a permission with action `roles.builtin:add` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only create built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to create a built-in role assignment which will allow to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Create a built-in role assignment.",
"operationId": "addBuiltinRole",
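Review bot: this hunk is character for character the same as the one in the previous spec file, including the "wont" spelling, so the two specs duplicate every description and each wording fix has to be applied twice; consider generating one spec from the other, or at least note in the PR which file is the source of truth.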
@ -71,7 +71,7 @@
},
"/access-control/builtin-roles/{builtinRole}/roles/{roleUID}": {
"delete": {
"description": "Deletes a built-in role assignment (for one of Viewer, Editor, Admin, or Grafana Admin) to the role with the provided UID.\n\nYou need to have a permission with action `roles.builtin:remove` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only remove built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to remove a built-in role assignment which allows to do that.",
"description": "Deletes a built-in role assignment (for one of Viewer, Editor, Admin, or Grafana Admin) to the role with the provided UID.\n\nYou need to have a permission with action `roles.builtin:remove` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only remove built-in role assignments with the roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to remove a built-in role assignment which allows to do that.",
"tags": ["access_control", "enterprise"],
"summary": "Remove a built-in role assignment.",
"operationId": "removeBuiltinRole",
@ -136,7 +136,7 @@
}
},
"post": {
"description": "Creates a new custom role and maps given permissions to that role. Note that roles with the same prefix as Fixed Roles cant be created.\n\nYou need to have a permission with action `roles:write` and scope `permissions:delegate`. `permission:delegate`` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.\nFor example, if a user does not have required permissions for creating users, they wont be able to create a custom role which allows to do that. This is done to prevent escalation of privileges.",
"description": "Creates a new custom role and maps given permissions to that role. Note that roles with the same prefix as Fixed Roles cant be created.\n\nYou need to have a permission with action `roles:write` and scope `permissions:type:delegate`. `permissions:type:delegate`` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.\nFor example, if a user does not have required permissions for creating users, they wont be able to create a custom role which allows to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Create a new custom role.",
"operationId": "createRoleWithPermissions",
@ -195,7 +195,7 @@
}
},
"put": {
"description": "You need to have a permission with action `roles:write` and scope `permissions:delegate`. `permission:delegate`` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.",
"description": "You need to have a permission with action `roles:write` and scope `permissions:type:delegate`. `permissions:type:delegate`` scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has.",
"tags": ["access_control", "enterprise"],
"summary": "Update a custom role.",
"operationId": "updateRoleWithPermissions",
@ -236,7 +236,7 @@
}
},
"delete": {
"description": "Delete a role with the given UID, and its permissions. If the role is assigned to a built-in role, the deletion operation will fail, unless force query param is set to true, and in that case all assignments will also be deleted.\n\nYou need to have a permission with action `roles:delete` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only delete a custom role with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to delete a custom role which allows to do that.",
"description": "Delete a role with the given UID, and its permissions. If the role is assigned to a built-in role, the deletion operation will fail, unless force query param is set to true, and in that case all assignments will also be deleted.\n\nYou need to have a permission with action `roles:delete` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only delete a custom role with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to delete a custom role which allows to do that.",
"tags": ["access_control", "enterprise"],
"summary": "Delete a custom role.",
"operationId": "deleteCustomRole",
@ -319,7 +319,7 @@
}
},
"put": {
"description": "You need to have a permission with action `teams.roles:add` and `teams.roles:remove` and scope `permissions:delegate` for each.",
"description": "You need to have a permission with action `teams.roles:add` and `teams.roles:remove` and scope `permissions:type:delegate` for each.",
"tags": ["access_control", "enterprise"],
"summary": "Update team role.",
"operationId": "setTeamRoles",
@ -352,7 +352,7 @@
}
},
"post": {
"description": "You need to have a permission with action `teams.roles:add` and scope `permissions:delegate`.",
"description": "You need to have a permission with action `teams.roles:add` and scope `permissions:type:delegate`.",
"tags": ["access_control", "enterprise"],
"summary": "Add team role.",
"operationId": "addTeamRole",
@ -396,7 +396,7 @@
},
"/access-control/teams/{teamId}/roles/{roleUID}": {
"delete": {
"description": "You need to have a permission with action `teams.roles:remove` and scope `permissions:delegate`.",
"description": "You need to have a permission with action `teams.roles:remove` and scope `permissions:type:delegate`.",
"tags": ["access_control", "enterprise"],
"summary": "Remove team role.",
"operationId": "removeTeamRole",
@ -468,7 +468,7 @@
}
},
"put": {
"description": "Update the users role assignments to match the provided set of UIDs. This will remove any assigned roles that arent in the request and add roles that are in the set but are not already assigned to the user.\nIf you want to add or remove a single role, consider using Add a user role assignment or Remove a user role assignment instead.\n\nYou need to have a permission with action `users.roles:add` and `users.roles:remove` and scope `permissions:delegate` for each. `permission:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.",
"description": "Update the users role assignments to match the provided set of UIDs. This will remove any assigned roles that arent in the request and add roles that are in the set but are not already assigned to the user.\nIf you want to add or remove a single role, consider using Add a user role assignment or Remove a user role assignment instead.\n\nYou need to have a permission with action `users.roles:add` and `users.roles:remove` and scope `permissions:type:delegate` for each. `permissions:type:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Set user role assignments.",
"operationId": "setUserRoles",
@ -501,7 +501,7 @@
}
},
"post": {
"description": "Assign a role to a specific user. For bulk updates consider Set user role assignments.\n\nYou need to have a permission with action `users.roles:add` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to assign a role which will allow to do that. This is done to prevent escalation of privileges.",
"description": "Assign a role to a specific user. For bulk updates consider Set user role assignments.\n\nYou need to have a permission with action `users.roles:add` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to assign a role which will allow to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Add a user role assignment.",
"operationId": "addUserRole",
@ -542,7 +542,7 @@
},
"/access-control/users/{user_id}/roles/{roleUID}": {
"delete": {
"description": "Revoke a role from a user. For bulk updates consider Set user role assignments.\n\nYou need to have a permission with action `users.roles:remove` and scope `permissions:delegate`. `permission:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges.",
"description": "Revoke a role from a user. For bulk updates consider Set user role assignments.\n\nYou need to have a permission with action `users.roles:remove` and scope `permissions:type:delegate`. `permissions:type:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they wont be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges.",
"tags": ["access_control", "enterprise"],
"summary": "Remove a user role assignment.",
"operationId": "removeUserRole",