diff --git a/pkg/services/accesscontrol/pluginutils/utils.go b/pkg/services/accesscontrol/pluginutils/utils.go
index 0fe7a46b199..8b7500a97cd 100644
--- a/pkg/services/accesscontrol/pluginutils/utils.go
+++ b/pkg/services/accesscontrol/pluginutils/utils.go
@@ -12,6 +12,7 @@ import (
 var (
 allowedCoreActions = map[string]string{
+ "plugins:write": "plugins:id:",
 "plugins.app:access": "plugins:id:",
 "folders:create": "folders:uid:",
 "folders:read": "folders:uid:",
diff --git a/pkg/services/accesscontrol/pluginutils/utils_test.go b/pkg/services/accesscontrol/pluginutils/utils_test.go
index 80289ec77e7..746d92289f4 100644
--- a/pkg/services/accesscontrol/pluginutils/utils_test.go
+++ b/pkg/services/accesscontrol/pluginutils/utils_test.go
@@ -172,6 +172,29 @@ func TestValidatePluginRole(t *testing.T) {
 },
 wantErr: &ac.ErrorInvalidRole{},
 },
+ {
+ name: "valid core plugin permission targets plugin",
+ pluginID: "test-app",
+ role: ac.RoleDTO{
+ Name: "plugins:test-app:reader",
+ DisplayName: "Plugin Configurator",
+ Permissions: []ac.Permission{
+ {Action: "plugins:write", Scope: "plugins:id:test-app"},
+ },
+ },
+ },
+ {
+ name: "invalid core plugin permission targets other plugin",
+ pluginID: "test-app",
+ role: ac.RoleDTO{
+ Name: "plugins:test-app:reader",
+ DisplayName: "Plugin Configurator",
+ Permissions: []ac.Permission{
+ {Action: "plugins:write", Scope: "plugins:id:other-app"},
+ },
+ },
+ wantErr: &ac.ErrorInvalidRole{},
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
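Review bot: The new `"plugins:write": "plugins:id:"` entry lets a plugin-declared role carry a write action, and nothing in the `allowedCoreActions` block explains that the value is only a scope prefix: the actual restriction to the plugin's own id is enforced elsewhere in the validator (outside this hunk), so a future maintainer could reasonably assume the map itself is the guard. Since `plugins:write` is a more sensitive grant than the existing `plugins.app:access` (presumably it covers the plugin's settings, to be confirmed against the action's definition), the map deserves a comment making the contract explicit, e.g. `// allowedCoreActions maps each core action a plugin role may grant to the scope prefix that must be followed by the plugin's own ID; the prefix alone does not restrict the target, the validator does.` The enclosing `var (` block starts before and ends after the hunk.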
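Review bot: The two added cases exercise an exact-id match and a different-id mismatch, but not the scopes that share the `plugins:id:` prefix while still targeting more than the declaring plugin — a wildcard such as `plugins:id:*` (or `plugins:*`) and an empty `Scope`. Whether the validator rejects those cannot be seen from this hunk, and for a write action that is the case most worth pinning; suggest adding `{Action: "plugins:write", Scope: "plugins:id:*"}` and `{Action: "plugins:write", Scope: ""}` as further `wantErr: &ac.ErrorInvalidRole{}` entries. Also, both cases name the role `plugins:test-app:reader` while the `DisplayName` is `Plugin Configurator`; aligning them (e.g. `plugins:test-app:configurator`) keeps the fixture readable. `TestValidatePluginRole` begins before and continues after the hunk.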