* Added an option to discord notifier to use discord's webhook name (useful for customizing notifications).
* Support ngalert system with discord username toggle
* Added ngalert discord test
* Apply suggestions from code review
Co-authored-by: gotjosh <josue.abreu@gmail.com>
* Docs updated with discord username setting
* Fix api integration test
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: gotjosh <josue.abreu@gmail.com>
* refactor goconvey in teamguardian package
* use proper order of parameters in equality assertion
Co-authored-by: ying-jeanne <74549700+ying-jeanne@users.noreply.github.com>
Co-authored-by: ying-jeanne <74549700+ying-jeanne@users.noreply.github.com>
* Alerting: Validate contact point configuration during the migration
This minimises the chances of generating broken configuration as part of the migration. Originally, we wanted to generate it and not produce a hard stop in Grafana but this strategy has the chance to avoid delivering notifications for our users.
We now think it's better to hard stop the migration and let the user take care of resolving the configuration manually.
* Add extra fields to OSS types to support enterprise
* Create a service account at the same time as the API key
* Use service account credentials when accessing API with APIkey
* Add GetRole to service, merge RoleDTO and Role structs
This patch merges the identical OSS and Enterprise data structures, which improves the code for two reasons:
1. Makes switching between OSS and Enterprise easier
2. Reduces the chance of incompatibilities developing between the same functions in OSS and Enterprise
* If API key is not linked to a service account, continue login as usual
* Fallback to old auth if no service account linked to key
* Add CloneUserToServiceAccount
* Adding LinkAPIKeyToServiceAccount
* Handle api key link error
* Better error messages for OSS accesscontrol
* Set an invalid user id as default
* Re-arrange field names
* ServiceAccountId is integer
* Better error messages
Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* update loki
* install openssl from alpine's edge repository
* extracttraceid moved to tracing package
* remove exit if warning limit is exceeded
* disable flaky libraryelements test
* context all the things
* apply feedback
* rollback some alerting changes
* rollback some alerting changes #2
* more rollbacks
* more rollbacks #2
* more rollbacks #3
* more rollbacks #4
* fix integration test
* add missing context
* add missing and remove incorrect dispatch
* Add global week start option to shared preferences
* Add default_week_start to configuration docs
* Add week start option to dashboards
* Add week start argument to tsdb time range parser
* Fix strict check issues
* Add tests for week start
* Change wording on default_week_start documentation
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* Update week_start column to be a nullable field
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Update configuration to include browser option
* Update WeekStartPicker container selector
Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
* Add menuShouldPortal to WeekStartPicker to remove deprecation warning
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* Add inputId to WeekStartPicker
* Use e2e selector on WeekStartPicker aria-label
* Simplify WeekStartPicker onChange condition
* Specify value type on WeekStartPicker weekStarts
* Remove setWeekStart side effect from reducer
* Fix updateLocale failing to reset week start
* Store week start as string to handle empty values
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* Remove Convey from dashboards
* Add context for dashboards
* Remove Convey from dashboards
* refactor tests to run setup each time
* Fix last tests
* Adjust after rebase
* Remove print statement
Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com>
* Alerting: Remove invalid Slack URL as we migrate notification channels
Grafana will accept any type of utf8 valid string as the Slack URL and will simply fail as we try to deliver the notification of the channel. The Alertmanager will fail to apply a configuration if the URL of the Slack Receiver is invalid.
This change takes that into account by removing the URL for the receiver as we migrate notification channels that do not pass the url validation. As we assume the notification was not being delivered to being with.
* Add a log line when we modify the channel
Co-authored-by: Yuriy Tseretyan <yuriy.tseretyan@grafana.com>
* Alerting: Fixes a bug when trying to sync broken alertmanager config
Broken alertmanager configuration has the potential to be introduced as part of a migration e.g. due to incompatible data between what grafana accepts and what the Alertmanager expects. When this happens, we expect an eventually consistent behaviour where we'll keep trying to apply the configuration until it works.
As part of change in https://github.com/grafana/grafana/pull/39237 we introduced a regression that modified this behaviour and instead tried to create a new Alertmanager for that organization everytime, which eventually ended up in a panic due to a duplicate metrics being registered.
This PR fixes that and introduces a test to catch further regressions.
* Remove disable orgs
* Encryption: Add support to encrypt/decrypt sjd
* Add datasources.Service as a proxy to datasources db operations
* Encrypt ds.SecureJsonData before calling SQLStore
* Move ds cache code into ds service
* Fix tlsmanager tests
* Fix pluginproxy tests
* Remove some securejsondata.GetEncryptedJsonData usages
* Add pluginsettings.Service as a proxy for plugin settings db operations
* Add AlertNotificationService as a proxy for alert notification db operations
* Remove some securejsondata.GetEncryptedJsonData usages
* Remove more securejsondata.GetEncryptedJsonData usages
* Fix lint errors
* Minor fixes
* Remove encryption global functions usages from ngalert
* Fix lint errors
* Minor fixes
* Minor fixes
* Remove securejsondata.DecryptedValue usage
* Refactor the refactor
* Remove securejsondata.DecryptedValue usage
* Move securejsondata to migrations package
* Move securejsondata to migrations package
* Minor fix
* Fix integration test
* Fix integration tests
* Undo undesired changes
* Fix tests
* Add context.Context into encryption methods
* Fix tests
* Fix tests
* Fix tests
* Trigger CI
* Fix test
* Add names to params of encryption service interface
* Remove bus from CacheServiceImpl
* Add logging
* Add keys to logger
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Add missing key to logger
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Undo changes in markdown files
* Fix formatting
* Add context to secrets service
* Rename decryptSecureJsonData to decryptSecureJsonDataFn
* Name args in GetDecryptedValueFn
* Add template back to NewAlertmanagerNotifier
* Copy GetDecryptedValueFn to ngalert
* Add logging to pluginsettings
* Fix pluginsettings test
Co-authored-by: Tania B <yalyna.ts@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Extract search users to a new service
* Fix wire provider
* Fix common_test and remove RouteRegister
* Remove old endpoints
* Fix test
* Create search filters using interfaces
* Move Enterprise filter, rename filter for filters and allow use filters with params
* Each filter has unique key
* Back activeLast30Days filter to OSS
* Fix tests
* Delete unusued param
* Move filters to searchusers service and small refactor
* Fix tests
* refactor licenseURL function to use context and export permission evaluation fction
* remove provisioning file
* refactor licenseURL to take in a bool to avoid circular dependencies
* remove function for appending nav link, as it was only used once and move the function to create admin node
* better argument names
* create a function for permission checking
* extend permission checking when displaying server stats
* enable the use of enterprise access control actions when evaluating permissions
* import ordering
* move licensing FGAC action definitions to models package to allow access from oss
* move evaluatePermissions for routes to context serve
* change permission evaluator to take in more permissions
* move licensing FGAC actions again to appease wire
* avoid index out of bounds issue in case no children are passed in when creating server admin node
* simplify syntax for permission checking
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* update loading state for server stats
* linting
* more linting
* fix test
* fix a frontend test
* update "licensing.reports:read" action naming
* UI doesn't allow reading only licensing reports and not the rest of licensing info
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* feat: add displayname
* refactor: marshal role for fallback displayname
* refactor: moved to private heuristic function for displaynames
* refactor: display name trimspace and remove prefix
* refactor: renaming of fallbackFunction
* refactor: moved methods below struct types
* Alerting: (wip) add template funcs
* Alerting: (wip) numeric template functions
* Alerting: (wip) template functions
* Test for the "args" function
* Alerting: (wip) Documentation for template functions
* Alerting: template functions - refactor
* code review changes
* disable linter error
* Use Prometheus implementation of TemplateExpander
* Update docs/sources/alerting/unified-alerting/alerting-rules/create-grafana-managed-rule.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* change templateCaptureValue to support using template functions
* Update pkg/services/ngalert/state/template.go
Co-authored-by: gotjosh <josue.abreu@gmail.com>
* Test and documentation added for reReplaceAll template function
* complete missing functions, documentation and tests
* Use the alert instance's evaluation time for expanding the template
* strvalue graphlink and tablelink functions
* delete duplicate test
* make strvalue return an empty string
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: gotjosh <josue.abreu@gmail.com>
Remove validation for labels to be accepted in the Alertmanager, This helps with datasources that produce non-compatible labels.
Adds an "object_matchers" to alert manager routers so we can support labels names with extended characters beyond prometheus/openmetrics. It only does this for the internal Grafana managed Alert Manager.
This requires a change to alert manager, so for now we use grafana/alertmanager which is a slight fork, with the intention of going back to upstream.
The frontend handles the migration of "matchers" -> "object_matchers" when the route is edited and saved. Once this is done, downgrades will not work old versions will not recognize the "object_matchers".
Co-authored-by: Kyle Brandt <kyle@grafana.com>
Co-authored-by: Nathan Rodman <nathanrodman@gmail.com>
* Add secrets service
* Revert accidental changes in util encryption
* Make minor changes
Move functional options to models
Revert renaming types to models
* Add context
* Minor change in GetDataKey
* Use CreateDataKeyWithDBSession in CreateDataKey
* Handle empty DEK name in DeleteDataKey
* Rename defaultProvider
* Remove secrets store service
* Extract search users to a new service
* Fix wire provider
* Fix common_test and remove RouteRegister
* Remove old endpoints
* Fix test
* Add indexes to dashboards and orgs tables
* Fix lint
* Add context to star and stats
* Use WithTransactionalDbSession
* Add additional ctx
* Remove convey
* Fix star handler name
* Use WithDbSession, use DispatchCtx
* Remove xorm from star
* keep existing unified alert rules untouched
* move silences and other alertmanager files to the organization directory (only if it is a single organization deployment)
* assign the existing notification settings and routes to the first organization
* create default notification settings for each organization in the case of multi org deployment
Require guardian.New to take context.Context as first argument.
Migrates the GetDashboardAclInfoListQuery to be dispatched using context.
Ref #36734
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: sam boyer <sam.boyer@grafana.com>
* PlaylistPage: removes search due to no wildcard support
* PlaylistPage: adds back search input and wildcard search support
* makes banner to appear only when playlist does not exist
* Chore: small refactor
* Chore: some code refactoring to make it readable
* fixes focus leaving input when query is cleared
* adds styling to the emptyQueryList banner
* extracts emptyQueryListBanner component to a separate file
* adds debounce to search
* use new theme for styling
* Chore: some nit fix
* fixes empty list banner showing for a second before the full list is loaded
* Fix: removes search when playlist is empty
Co-authored-by: Ash <ashharrison90@gmail.com>
Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com>
* Add method GetAllLatestAlertmanagerConfiguration to DBStore
* add method ApplyConfig to AlertManager
* update multiorg alert manager to load all alertmanager configs at once
* pass url parameters through context.Context
* fix url param names without colon prefix
* change context params to vars
* replace url vars in tests using new api
* rename vars to params
* add some comments
* rename seturlvars to seturlparams
* Chore: GetDashboardQuery should be dispatched using DispatchCtx
* Fix after merge
* Changes after review
* Various fixes
* Use GetDashboardCtx function instead of GetDashboard
* Alerting: Refactor & fix unified alerting metrics structure
Fixes and refactors the metrics structure we have for the ngalert service. Now, each component has its own metric struct that includes the JUST the metrics it uses. Additionally, I have fixed the configuration metrics and added new metrics to determine if we have discovered and started all the necessary configurations of an instance.
This allows us to alert on `grafana_alerting_discovered_configurations - grafana_alerting_active_configurations != 0` to know whether an alertmanager instance did not start successfully.
* Alerting: Persist notification log and silences to the database
This removes the dependency of having persistent disk to run grafana alerting. Instead of regularly flushing the notification log and silences to disk we now flush the binary content of those files to the database encoded as a base64 string.
* Revert "Prometheus: add functionality to specify desired step interval in dashboards panels (#36422)"
This reverts commit ddf5b65c51.
Co-authored-by: Ivana Huckova <ivana.huckova@gmail.com>
* Revert "Explore: add functionality for supporting different step modes in prometheus (#37829)"
This reverts commit f433cfd8d9.
Co-authored-by: Ivana Huckova <ivana.huckova@gmail.com>
* Revert stepMode BE implementation from #36796
Co-authored-by: "Ivana Huckova" <ivana.huckova@gmail.com>
* Change templateCaptureValue to support using template functions
This commit changes templateCaptureValue to use float64 for the value
instead of *float64. This change means that annotations and labels can
use the float64 value with functions such as printf and avoid having to
check for nil. It also means that absent values are now printed as 0.
* Use math.NaN() instead of 0 for absent value
* Alerting: Fix alert flapping in the alertmanager
fixes a bug that caused Alerts that are evaluated at low intervals (sub 1 minute), to flap in the Alertmanager.
Mostly due to a combination of `EndsAt` and resend delay.
The Alertmanager uses `EndsAt` as a heuristic to know whenever it should resolve a firing alert, in the case that it hasn't heard
back from the alert generation system.
Because grafana sent the alert with an `EndsAt` which is equal to the `For` of the alert itself,
and we had a hard-coded 1 minute re-send delay (only applicable to firing alerts) this meant that a firing alert would resolve in the Alertmanager before we re-notify that it still firing.
This commit, increases the `EndsAt` by 3x the the resend delay or alert interval (depending on which one is higher). The resendDelay has been decreased to 30 seconds.
* LibraryPanels: Separates name from panel title
* WIP
* Chore: fixes update for duplicate lib panels
* Chore: reverts implementation
* Chore: show library options only for library panels
* Chore: ui fixes after PR comments
* Chore: fixes issue when creating library panels
* Add encryption service
* Add tests for encryption service
* Inject encryption service into http server
* Replace encryption global function usage in login tests
* Migrate to Wire
* Move Encryption bindings to OSS Wire set
* Chore: Refactor securedata to remove global encryption calls from dashboard snapshots
* Fix dashboard snapshot tests
* Remove no longer user test
* Add dashboard snapshots service tests
* Refactor service initialization
* Set up dashboard snapshots service as a background service
Co-authored-by: Tania B <yalyna.ts@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* add key/value store service
* don't export kvStoreSQL, consumers should interact with KVStore & NamespacedKVStore
* add del method, avoid ErrNotFound (#38627)
* switch value column to medium text
Co-authored-by: Alexander Emelin <frvzmb@gmail.com>
* Add encryption service
* Add tests for encryption service
* Inject encryption service into http server
* Replace encryption global function usage in login tests
* Refactor UpdatePluginSetting
* Refactor EncryptSecureSettings
* Fix wire.go
* Refactor service initialization
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
Co-authored-by: Joan López de la Franca Beltran <5459617+joanlopez@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Add encryption service
* Add tests for encryption service
* Inject encryption service into http server
* Replace encryption global function usage in login tests
* Migrate to Wire
* Refactor authinfoservice to use encryption service
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
Co-authored-by: Joan López de la Franca Beltran <5459617+joanlopez@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Add encryption service
* Add tests for encryption service
* Inject encryption service into http server
* Replace encryption global function usage in login tests
* Apply suggestions from code review
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Migrate to Wire
* Undo non-desired changes
* Move Encryption bindings to OSS Wire set
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
Co-authored-by: Joan López de la Franca Beltran <5459617+joanlopez@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Fixes#30144
Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
* Provide correct link for AGPL license
* Change LicenseURL to point go Grafana OSS page
* Keep utm_source query parameter
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Introduces org-level isolation for the Alertmanager and its components.
Silences, Alerts and Contact points are not separated by org and are not shared between them.
Co-authored with @davidmparrott and @papagian
* add a more flexible way to create permissions
* update interface for accesscontrol to use new eval interface
* use new eval interface
* update middleware to use new eval interface
* remove evaluator function and move metrics to service
* add tests for accesscontrol middleware
* Remove failed function from interface and update inejct to create a new
evaluator
* Change name
* Support Several sopes for a permission
* use evaluator and update fakeAccessControl
* Implement String that will return string representation of permissions
for an evaluator
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Make the evaluator prefix match only
* Handle empty scopes
* Bump version of settings read role
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Even without the ability to control the sort order or to filter, this notably improves usability for long lists of notification channels.
Partially fixes#20067.
This commit adds contact point testing to ngalerts via a new API
endpoint. This endpoint accepts JSON containing a list of
receiver configurations which are validated and then tested
with a notification for a test alert. The endpoint returns JSON
for each receiver with a status and error message. It accepts
a configurable timeout via the Request-Timeout header (in seconds)
up to a maximum of 30 seconds.
* Alerting: Expose discovered and dropped Alertmanagers
Exposes the API for discovered and dropped Alertmanagers.
* make admin config poll interval configurable
* update after rebase
* wordsmith
* More wordsmithing
* change name of the config
* settings package too
* Alerting: modify table and accessors to limit org access appropriately
* Update migration to create multiple Alertmanager configs
* Apply suggestions from code review
Co-authored-by: gotjosh <josue@grafana.com>
* replace mg.ClearMigrationEntry()
mg.ClearMigrationEntry() would create a new session.
This commit introduces a new migration for clearing an entry from migration log for replacing mg.ClearMigrationEntry() so that all dashboard alert migration operations will run inside the same transaction.
It adds also `SkipMigrationLog()` in Migrator interface for skipping adding an entry in the migration_log.
Co-authored-by: gotjosh <josue@grafana.com>
* Alerting: Send alerts to external Alertmanager(s)
Within this PR we're adding support for registering or unregistering
sending to a set of external alertmanagers. A few of the things that are
going are:
- Introduce a new table to hold "admin" (either org or global)
configuration we can change at runtime.
- A new periodic check that polls for this configuration and adjusts the
"senders" accordingly.
- Introduces a new concept of "senders" that are responsible for
shipping the alerts to the external Alertmanager(s). In a nutshell,
this is the Prometheus notifier (the one in charge of sending the alert)
mapped to a multi-tenant map.
There are a few code movements here and there but those are minor, I
tried to keep things intact as much as possible so that we could have an
easier diff.
* simplify toggle + add link to server admin
* feat(catalog): org admins can configure plugin apps, cannot install/uninstall plugins
* fix(catalog): dont show buttons if user doesn't have install permissions
* feat(catalog): cater for accessing catalog via /plugins and /admin/plugins
* feat(catalog): use location for list links and match.url to define breadcrumb links
* test(catalog): mock isGrafanaAdmin for PluginDetails tests
* test(catalog): preserve default bootdata in PluginDetails mock
* refactor(catalog): move orgAdmin check out of state and make easier to reason with
Co-authored-by: Will Browne <will.browne@grafana.com>
* AccessControl: Implement a way to register fixed roles
* Add context to register func
* Use FixedRoleGrantsMap instead of FixedRoleGrants
* Removed FixedRoles map to sync.map
* Wrote test for accesscontrol and provisioning
* Use mutexes+map instead of sync maps
* Create a sync map struct out of a Map and a Mutex
* Create a sync map struct for grants as well
* Validate builtin roles
* Make validation public to access control
* Handle errors consistently with what seeder does
* Keep errors consistant amongst accesscontrol impl
* Handle registration error
* Reverse the registration direction thanks to a RoleRegistrant interface
* Removed sync map in favor for simple maps since registration now happens during init
* Work on the Registrant interface
* Remove the Register Role from the interface to have services returning their registrations instead
* Adding context to RegisterRegistrantsRoles and update descriptions
* little bit of cosmetics
* Making sure provisioning is ran after role registration
* test for role registration
* Change the accesscontrol interface to use a variadic
* check if accesscontrol is enabled
* Add a new test for RegisterFixedRoles and fix assign which was buggy
* Moved RegistrationList def to roles.go
* Change provisioning role's description
* Better comment on RegisterFixedRoles
* Correct comment on ValidateFixedRole
* Simplify helper func to removeRoleHelper
* Add log to saveFixedRole and assignFixedRole
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
Co-authored-by: Jeremy Price <Jeremy.price@grafana.com>
* wip
* Auth Info: refactored out into it's own service
* Auth: adds extension point where users are being mapped
* Update pkg/services/login/authinfoservice/service.go
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* Update pkg/services/login/authinfoservice/service.go
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* Auth: simplified code
* moved most authinfo stuff to its own package
* added back code
* linter
* simplified
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* Alerting: Refactor `Run` of the scheduler
A bit of a refactor to make the diff easier to read for supporting
external Alertmanagers.
We'll introduce another routine that checks the database for
configuration and spawns other routines accordingly.
* Block the wait.
* Fix test
* initial attempt at automatic removal of stale states
* test case, need espected states
* finish unit test
* PR feedback
* still multiply by time.second
* pr feedback
* Pass role to Grafana using auth proxy
By default, the role will be applied to the default org of the user.
If the request uses the standard header "X-Grafana-Org-Id", the role will be applied to the specified org
Tested in both unit test and manually E2E
* Address comment: only allow the user role to be applied to the default org
Co-authored-by: Leonard Gram <leo@xlson.com>
