From 0e5d7633f7c886df12aa6c8d110d92d5fb02c7f8 Mon Sep 17 00:00:00 2001
From: Alexander Zobnin
Date: Thu, 8 Aug 2024 14:11:17 +0200
Subject: [PATCH] Access Control: Make it possible to exclude role grants (#91647)
---
 pkg/api/accesscontrol.go | 2 ++
 pkg/services/accesscontrol/models.go | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/api/accesscontrol.go b/pkg/api/accesscontrol.go
index eb4fadbd79b..0b1cac3cc2b 100644
--- a/pkg/api/accesscontrol.go
+++ b/pkg/api/accesscontrol.go
@@ -442,6 +442,8 @@ func (hs *HTTPServer) declareFixedRoles() error {
 },
 },
 Grants: []string{"Editor"},
+ // Don't grant fixed:folders:creator to Admin
+ Exclude: []string{"Admin"},
 }
 
 foldersReaderRole := ac.RoleRegistration{
diff --git a/pkg/services/accesscontrol/models.go b/pkg/services/accesscontrol/models.go
index bac02e9096c..87c30e1abbb 100644
--- a/pkg/services/accesscontrol/models.go
+++ b/pkg/services/accesscontrol/models.go
@@ -26,8 +26,9 @@ var (
 // RoleRegistration stores a role and its assignments to built-in roles
 // (Viewer, Editor, Admin, Grafana Admin)
 type RoleRegistration struct {
- Role RoleDTO
- Grants []string
+ Role RoleDTO
+ Grants []string
+ Exclude []string
 }
 
 // Role is the model for Role in RBAC.
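Review bot: The `Exclude: []string{"Admin"}` entry added to this registration in declareFixedRoles is not read by any code in this patch; the diffstat lists only this file and models.go, where the field is merely declared. Unless the code that expands `Grants` into built-in role assignments honours `Exclude` somewhere outside this diff, the `Editor` grant may still reach Admin (presumably through role inheritance), and the new comment would describe a restriction that is not enforced. Because this is an access-control change, a test that registers the role and asserts that Admin does not end up with `fixed:folders:creator` would pin the intended behaviour. declareFixedRoles starts and ends outside the hunk.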
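Review bot: The new `Exclude` field on RoleRegistration has no comment, and the struct's doc comment still describes only assignments to built-in roles, so a reader cannot tell how `Exclude` interacts with `Grants`. A field comment such as `// Exclude lists built-in roles that must not receive this role, even if a Grants entry would otherwise imply them.` would state the precedence; that wording is inferred from the usage in accesscontrol.go and should be confirmed against the consuming code. It would also help to say whether `Exclude` values are checked against the known built-in role names, since a misspelled entry would presumably leave the grant in place without any error.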