CloneRequest creates request copy including request body.

CopyRequestBody returns copy of request body and keeps the original one to prevent error when reading closed body.

Declare OSS roles to the accesscontrol service.

EvalAll returns evaluator that requires all passed evaluators to evaluate to true.

EvalAny returns evaluator that requires at least one of passed evaluators to evaluate to true.

EvalPermission returns an evaluator that will require at least one of passed scopes to match.

Field returns an injectable scope part for selected fields from the request's context available in accesscontrol.ScopeParams.

Filter creates a where clause to restrict the view of a query based on a users permissions Scopes that exists for all actions will be parsed and compared against the supplied sqlID Prefix parameter is the prefix of the scope that we support (e.g.

GetOrgRoles returns legacy org roles for a user.

GetResourcesMetadata returns a map of accesscontrol metadata, listing for each resource, users available actions.

GroupScopesByAction will group scopes on action Deprecated: use GroupScopesByActionContext instead.

GroupScopesByAction will group scopes on action.

HasGlobalAccess checks user access with globally assigned permissions only.

MergeMeta will merge actions matching prefix of second metadata into first.

NewScopeProvider creates a new ScopeProvider that is configured with specific root scope.

Parameter returns injectable scope part, based on URL parameters.

PermissionsForActions generate Permissions for all actions provided scoped to provided scope.

PrefixedRoleUID generates a uid from name with the same prefix.

Reduce will reduce a list of permissions to its minimal form, grouping scopes by action.

ReqHasRole generates a fallback to check whether the user has a role ReqHasRole(org.RoleAdmin) will always return true for Grafana server admins, eg, a Grafana Admin / Viewer role combination.

Scope builds scope from parts e.g.

ScopePrefix returns the prefix associated to a given scope we assume prefixes are all in the form <resource>:<attribute>:<value> ex: "datasources:name:test" returns "datasources:name:".

SetAcceptListForTest allow us to mutate the list for blackbox testing.

SplitScope returns kind, attribute and Identifier.

UseGlobalOrgFromRequestData returns global org if `global` flag is set or the org where user is logged in.

UseGlobalOrgFromRequestParams returns global org if `global` flag is set or the org where user is logged in.

UseGlobalOrSingleOrg returns the global organization or the current organization in a single organization setup.

UseOrgFromRequestData returns the organization from the request data.

ValidateBuiltInRoles errors when a built-in role does not match expected pattern.

ValidateFixedRole errors when a fixed role does not match expected pattern.

WildcardsFromPrefixes generates valid wildcards from prefixes datasource:uid: => "*", "datasource:*", "datasource:uid:*".

Alerting instances (+silences) actions.

External alerting instances actions.

External alerting notifications actions.

Alerting Notification actions (legacy).

Alerting notifications template actions.

Alerting notifications time interval actions.

Alerting provisioning actions.

ActionAlertingProvisioningSetStatus Gives access to set provisioning status to alerting resources.

Alerting receiver actions.

Alerting routes policies actions.

Alerting rules actions.

External alerting rule actions.

Annotations related actions.

Datasources actions.

Feature Management actions.

LDAP actions.

Library Panel actions.

Org actions.

Server actions.

Settings actions.

Team related actions.

Usage stats actions.

We can ignore gosec G101 since this does not contain any credentials.

We can ignore gosec G101 since this does not contain any credentials.

We can ignore gosec G101 since this does not contain any credentials.

Users actions.

APIKeys scope.

Global Scopes.

Settings scope.

Team related scopes.

Users scope.

ApiKeyAccessEvaluator is used to protect the "Configuration > API keys" page access.

Note: these are intended to be replaced by equivalent errutil implementations.

OrgPreferencesAccessEvaluator is used to protect the "Configure > Preferences" page access.

OrgsAccessEvaluator is used to protect the "Server Admin > Orgs" page access (you need to have read access to update or delete orgs; read is the minimum).

OrgsCreateAccessEvaluator is used to protect the "Server Admin > Orgs > New Org" page access.

Annotation scopes.

Team scope.

Roles definition.

TeamsAccessEvaluator is used to protect the "Configuration > Teams" page access grants access to a user when they can either create teams or can read and update a team.

TeamsEditAccessEvaluator is used to protect the "Configuration > Teams > edit" page access.

Permission is the model for access control permissions.

ResourcePermission is structure that holds all actions that either a team / user / builtin-role can perform against specific resource.

Role is the model for Role in RBAC.

swagger:ignore.

swagger:model RoleDTO.

RoleRegistration stores a role and its assignments to built-in roles (Viewer, Editor, Admin, Grafana Admin).

ResourceResolver is called before authorization is performed.

ScopeAttributeResolver is used to resolve attributes in scopes to one or more scopes that are evaluated by logical or.

ScopeProvider provides methods that construct scopes.

go:generate mockery --name Store --structname MockStore --outpkg actest --filename store_mock.go --output ./actest/.

Metadata contains user accesses for a given resource Ex: map[string]bool{"create":true, "delete": true}.

ResourceResolverFunc is an adapter so that functions can implement ResourceResolver.

ScopeAttributeResolverFunc is an adapter to allow functions to implement ScopeAttributeResolver interface.