Access control: use delegatable flag to check if role can be granted (#42070)

* Access control: use delegatable flag to check if role can be granted or not

* Fix naming

pkg/services/accesscontrol/models.go

@@ -64,6 +64,7 @@ type RoleDTO struct {
 	Description string       `json:"description"`
 	Group       string       `xorm:"group_name" json:"group"`
 	Permissions []Permission `json:"permissions,omitempty"`
+	Delegatable *bool        `json:"delegatable,omitempty"`
 
 	ID    int64 `json:"-" xorm:"pk autoincr 'id'"`
 	OrgID int64 `json:"-" xorm:"org_id"`

public/app/core/components/RolePicker/RolePickerMenu.tsx

@@ -194,6 +194,7 @@ export const RolePickerMenu = ({
                       key={i}
                       isSelected={groupSelected(option.value) || groupPartiallySelected(option.value)}
                       partiallySelected={groupPartiallySelected(option.value)}
+                      disabled={option.options?.every(isNotDelegatable)}
                       onChange={onGroupChange}
                       onOpenSubMenu={onOpenSubMenu}
                       onCloseSubMenu={onCloseSubMenu}
@@ -221,6 +222,7 @@ export const RolePickerMenu = ({
                       data={option}
                       key={i}
                       isSelected={!!(option.uid && !!selectedOptions.find((opt) => opt.uid === option.uid))}
+                      disabled={isNotDelegatable(option)}
                       onChange={onChange}
                       hideDescription
                     />
@@ -237,6 +239,7 @@ export const RolePickerMenu = ({
                     data={option}
                     key={i}
                     isSelected={!!(option.uid && !!selectedOptions.find((opt) => opt.uid === option.uid))}
+                    disabled={isNotDelegatable(option)}
                     onChange={onChange}
                     hideDescription
                   />
@@ -329,7 +332,9 @@ export const RolePickerSubMenu = ({
                     disabledOptions?.find((opt) => opt.uid === option.uid))
                 )
               }
-              disabled={!!(option.uid && disabledOptions?.find((opt) => opt.uid === option.uid))}
+              disabled={
+                !!(option.uid && disabledOptions?.find((opt) => opt.uid === option.uid)) || isNotDelegatable(option)
+              }
               onChange={onSelect}
               hideDescription
             />
@@ -507,6 +512,10 @@ const capitalize = (s: string): string => {
 
 const sortRolesByName = (a: Role, b: Role) => a.name.localeCompare(b.name);
 
+const isNotDelegatable = (role: Role) => {
+  return role.delegatable !== undefined && !role.delegatable;
+};
+
 export const getStyles = (theme: GrafanaTheme2) => {
   return {
     menuWrapper: css`

public/app/core/components/RolePicker/UserRolePicker.tsx

@@ -36,9 +36,9 @@ export const UserRolePicker: FC<Props> = ({
 };
 
 export const fetchRoleOptions = async (orgId?: number, query?: string): Promise<Role[]> => {
-  let rolesUrl = '/api/access-control/roles';
+  let rolesUrl = '/api/access-control/roles?delegatable=true';
   if (orgId) {
-    rolesUrl += `?targetOrgId=${orgId}`;
+    rolesUrl += `&targetOrgId=${orgId}`;
   }
   const roles = await getBackendSrv().get(rolesUrl);
   if (!roles || !roles.length) {

public/app/types/accessControl.ts

@@ -57,6 +57,7 @@ export interface Role {
   description: string;
   group: string;
   global: boolean;
+  delegatable?: boolean;
   version: number;
   created: string;
   updated: string;