Authz: Define app resources (#105050)

* Authz: Define app resources

* Add coreroles and cluster roles

* Restore CODEOWNERS from main

* ManagedPermissions -> ResourcePermissions

* Rework changes

* Update apps/authz/kinds/v0alpha1/rolebindingspec.cue

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>

* Update apps/authz/kinds/v0alpha1/rolespec.cue

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>

* Make

* WIP first set of comments

* typox

* Copy folder Makefile

* Remove uid

* Rename authz -> iam

* Rename to iam

* Dockerfile

* Remove name

* Mv up

* Try with postprocess

* linting

* Use same version

* apimachinery v0.32.3

* update-workspace

---------

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>

.github/CODEOWNERS

@@ -79,6 +79,7 @@
 /apps/playlist/ @grafana/grafana-app-platform-squad
 /apps/investigations/ @fcjack @matryer @svennergr
 /apps/advisor/ @grafana/plugins-platform-backend
+/apps/iam/ @grafana/access-squad
 /pkg/api/ @grafana/grafana-backend-group
 /pkg/apis/ @grafana/grafana-app-platform-squad
 /pkg/apis/query @grafana/grafana-datasources-core-services

Dockerfile

@@ -80,6 +80,7 @@ COPY apps/investigations apps/investigations
 COPY apps/advisor apps/advisor
 COPY apps/dashboard apps/dashboard
 COPY apps/folder apps/folder
+COPY apps/iam apps/iam
 COPY apps apps
 COPY kindsv2 kindsv2
 COPY apps/alerting/notifications apps/alerting/notifications

apps/iam/Makefile

@@ -0,0 +1,29 @@
+APP_SDK_VERSION := v0.35.1
+APP_SDK_DIR     := $(shell go env GOPATH)/bin/app-sdk-$(APP_SDK_VERSION)
+APP_SDK_BIN     := $(APP_SDK_DIR)/grafana-app-sdk
+
+.PHONY: install-app-sdk
+install-app-sdk: $(APP_SDK_BIN) ## Install the Grafana App SDK
+
+$(APP_SDK_BIN):
+	@echo "Installing Grafana App SDK version $(APP_SDK_VERSION)"
+	@mkdir -p $(APP_SDK_DIR)
+	# The only way to install specific versions of binaries using `go install`
+	# is by setting GOBIN to the directory you want to install the binary to.
+	GOBIN=$(APP_SDK_DIR) go install github.com/grafana/grafana-app-sdk/cmd/grafana-app-sdk@$(APP_SDK_VERSION)
+	@touch $@
+
+.PHONY: update-app-sdk
+update-app-sdk: ## Update the Grafana App SDK dependency in go.mod
+	go get github.com/grafana/grafana-app-sdk@$(APP_SDK_VERSION)
+	go mod tidy
+
+.PHONY: generate
+generate: install-app-sdk update-app-sdk ## Run Grafana App SDK code generation
+	@$(APP_SDK_BIN) generate \
+		--source=./kinds/ \
+		--gogenpath=./pkg/apis \
+		--grouping=group \
+		--defencoding=none \
+		--noschemasinmanifest \
+		--postprocess

apps/iam/go.mod

@@ -0,0 +1,60 @@
+module github.com/grafana/grafana/apps/iam
+
+go 1.24.3
+
+require (
+	github.com/grafana/grafana-app-sdk v0.35.1
+	k8s.io/apimachinery v0.32.3
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/getkin/kin-openapi v0.132.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/grafana/grafana-app-sdk/logging v0.35.1 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect
+	github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect
+	github.com/perimeterx/marshmallow v1.1.5 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.63.0 // indirect
+	github.com/prometheus/procfs v0.16.0 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/oauth2 v0.29.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/client-go v0.32.3 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)

apps/iam/go.sum

@@ -0,0 +1,173 @@
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/getkin/kin-openapi v0.132.0 h1:3ISeLMsQzcb5v26yeJrBcdTCEQTag36ZjaGk7MIRUwk=
+github.com/getkin/kin-openapi v0.132.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
+github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
+github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
+github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grafana/grafana-app-sdk v0.35.1 h1:zEXubzsQrxGBOzXJJMBwhEClC/tvPi0sfK7NGmlX3RI=
+github.com/grafana/grafana-app-sdk v0.35.1/go.mod h1:Zx5MkVppYK+ElSDUAR6+fjzOVo6I/cIgk+ty+LmNOxI=
+github.com/grafana/grafana-app-sdk/logging v0.35.1 h1:taVpl+RoixTYl0JBJGhH+fPVmwA9wvdwdzJTZsv9buM=
+github.com/grafana/grafana-app-sdk/logging v0.35.1/go.mod h1:Y/bvbDhBiV/tkIle9RW49pgfSPIPSON8Q4qjx3pyqDk=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=
+github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY=
+github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw=
+github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c=
+github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90/go.mod h1:y5+oSEHCPT/DGrS++Wc/479ERge0zTFxaF8PbGKcg2o=
+github.com/perimeterx/marshmallow v1.1.5 h1:a2LALqQ1BlHM8PZblsDdidgv1mWi1DgC2UmX50IvK2s=
+github.com/perimeterx/marshmallow v1.1.5/go.mod h1:dsXbUu8CRzfYP5a87xpp0xq9S3u0Vchtcl8we9tYaXw=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k=
+github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18=
+github.com/prometheus/procfs v0.16.0 h1:xh6oHhKwnOJKMYiYBDWmkHqQPyiY40sny36Cmx2bbsM=
+github.com/prometheus/procfs v0.16.0/go.mod h1:8veyXUu3nGP7oaCxhX6yeaM5u4stL2FeMXnCqhDthZg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=
+github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
+gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
+k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
+k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
+k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/client-go v0.32.3 h1:RKPVltzopkSgHS7aS98QdscAgtgah/+zmpAogooIqVU=
+k8s.io/client-go v0.32.3/go.mod h1:3v0+3k4IcT9bXTc4V2rt+d2ZPPG700Xy6Oi0Gdl2PaY=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

apps/iam/kinds/cue.mod/module.cue

@@ -0,0 +1,4 @@
+module: "github.com/grafana/grafana/apps/iam/kinds"
+language: {
+	version: "v0.9.0"
+}

apps/iam/kinds/manifest.cue

@@ -0,0 +1,7 @@
+package kinds
+
+manifest: {
+	appName:       "iam"
+	groupOverride: "iam.grafana.app"
+	kinds: [ globalrole, globalrolebinding, corerole, role, rolebinding, resourcepermission ]
+}

apps/iam/kinds/resourcepermission.cue

@@ -0,0 +1,24 @@
+package kinds
+
+import (
+	"github.com/grafana/grafana/apps/iam/kinds/v0alpha1"
+)
+
+resourcepermission: {
+	kind:       "ResourcePermission"
+	pluralName: "ResourcePermissions"
+	current:    "v0alpha1"
+
+	codegen: {
+		ts: { enabled: false }
+		go: { enabled: true }
+	}
+
+	versions: {
+		"v0alpha1": {
+			schema: {
+				spec:   v0alpha1.ResourcePermission
+			}
+		}
+	}
+}

apps/iam/kinds/role.cue

@@ -0,0 +1,62 @@
+package kinds
+
+import (
+	"github.com/grafana/grafana/apps/iam/kinds/v0alpha1"
+)
+
+role: {
+	kind:       "Role"
+	pluralName: "Roles"
+	current:    "v0alpha1"
+
+	codegen: {
+		ts: { enabled: false }
+		go: { enabled: true }
+	}
+
+	versions: {
+		"v0alpha1": {
+			schema: {
+				spec:   v0alpha1.RoleSpec
+			}
+		}
+	}
+}
+
+corerole: {
+	kind:       "CoreRole"
+	pluralName: "CoreRoles"
+	current:    "v0alpha1"
+
+	codegen: {
+		ts: { enabled: false }
+		go: { enabled: true }
+	}
+
+	versions: {
+		"v0alpha1": {
+			schema: {
+				spec:   v0alpha1.RoleSpec
+			}
+		}
+	}
+}
+
+globalrole: {
+	kind:       "GlobalRole"
+	pluralName: "GlobalRoles"
+	current:    "v0alpha1"
+
+	codegen: {
+		ts: { enabled: false }
+		go: { enabled: true }
+	}
+
+	versions: {
+		"v0alpha1": {
+			schema: {
+				spec:   v0alpha1.RoleSpec
+			}
+		}
+	}
+}

apps/iam/kinds/rolebinding.cue

@@ -0,0 +1,43 @@
+package kinds
+
+import (
+	"github.com/grafana/grafana/apps/iam/kinds/v0alpha1"
+)
+
+rolebinding: {
+	kind:       "RoleBinding"
+	pluralName: "RoleBindings"
+	current:    "v0alpha1"
+
+	codegen: {
+		ts: { enabled: false }
+		go: { enabled: true }
+	}
+
+	versions: {
+		"v0alpha1": {
+			schema: {
+				spec:   v0alpha1.RoleBindingSpec
+			}
+		}
+	}
+}
+
+globalrolebinding: {
+	kind:       "GlobalRoleBinding"
+	pluralName: "GlobalRoleBindings"
+	current:    "v0alpha1"
+
+	codegen: {
+		ts: { enabled: false }
+		go: { enabled: true }
+	}
+
+	versions: {
+		"v0alpha1": {
+			schema: {
+				spec:   v0alpha1.GlobalRoleBindingSpec
+			}
+		}
+	}
+}

apps/iam/kinds/v0alpha1/resourcepermission.cue

@@ -0,0 +1,25 @@
+package v0alpha1
+
+ResourcePermission: {
+	#Resource: {
+		// api group of the resource (e.g: "folder.grafana.app")
+		apiGroup: string
+		// kind of the resource (e.g: "folders")
+		resource: string
+		// uid of the resource (e.g: "fold1")
+		name: string
+	}
+	#Permission: {
+		// kind of the identity getting the permission
+		kind: "User" | "ServiceAccount" | "Team" | "BasicRole" 
+		// uid of the identity getting the permission
+		name: string
+		// list of actions granted to the user (e.g. "admin" or "get", "update")
+		verbs: [...string]
+	}
+	
+	resource: #Resource
+	permissions: [...#Permission]
+}
+
+

apps/iam/kinds/v0alpha1/rolebindingspec.cue

@@ -0,0 +1,37 @@
+package v0alpha1
+
+RoleBindingSpec: {
+	#Subject: {
+		// kind of the identity getting the permission
+		kind: "User" | "ServiceAccount" | "Team" | "BasicRole"
+		// uid of the identity
+		name: string
+	}
+	#RoleRef: {
+		// kind of role
+		kind: "Role" | "CoreRole" | "GlobalRole"
+		// uid of the role
+		name: string
+	}
+
+	subjects: [...#Subject]
+	roleRef: #RoleRef
+}
+
+GlobalRoleBindingSpec: {
+	#Subject: {
+		// kind of the identity getting the permission
+		kind: "User" | "ServiceAccount" | "Team" | "BasicRole"
+		// uid of the identity
+		name: string
+	}
+	#RoleRef: {
+		// kind of role
+		kind: "CoreRole" | "GlobalRole"
+		// uid of the role
+		name: string
+	}
+
+	subjects: [...#Subject]
+	roleRef: #RoleRef
+}

apps/iam/kinds/v0alpha1/rolespec.cue

@@ -0,0 +1,23 @@
+package v0alpha1
+
+RoleSpec: {
+	#Permission: {
+		// RBAC action (e.g: "dashbaords:read")
+		action: string
+		// RBAC scope (e.g: "dashboards:uid:dash1")
+		scope: string
+	}
+	
+	// Display name of the role
+	title: string
+	
+	version: int
+	group: string
+	permissions: [...#Permission]
+
+	// TODO:
+	// delegatable?: bool
+	// created?
+	// updated?
+}
+

apps/iam/pkg/apis/iam/v0alpha1/constants.go

@@ -0,0 +1,18 @@
+package v0alpha1
+
+import "k8s.io/apimachinery/pkg/runtime/schema"
+
+const (
+	// Group is the API group used by all kinds in this package
+	Group = "iam.grafana.app"
+	// Version is the API version used by all kinds in this package
+	Version = "v0alpha1"
+)
+
+var (
+	// GroupVersion is a schema.GroupVersion consisting of the Group and Version constants for this package
+	GroupVersion = schema.GroupVersion{
+		Group:   Group,
+		Version: Version,
+	}
+)

apps/iam/pkg/apis/iam/v0alpha1/corerole_codec_gen.go

@@ -0,0 +1,28 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// CoreRoleJSONCodec is an implementation of resource.Codec for kubernetes JSON encoding
+type CoreRoleJSONCodec struct{}
+
+// Read reads JSON-encoded bytes from `reader` and unmarshals them into `into`
+func (*CoreRoleJSONCodec) Read(reader io.Reader, into resource.Object) error {
+	return json.NewDecoder(reader).Decode(into)
+}
+
+// Write writes JSON-encoded bytes into `writer` marshaled from `from`
+func (*CoreRoleJSONCodec) Write(writer io.Writer, from resource.Object) error {
+	return json.NewEncoder(writer).Encode(from)
+}
+
+// Interface compliance checks
+var _ resource.Codec = &CoreRoleJSONCodec{}

apps/iam/pkg/apis/iam/v0alpha1/corerole_metadata_gen.go

@@ -0,0 +1,28 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	time "time"
+)
+
+// metadata contains embedded CommonMetadata and can be extended with custom string fields
+// TODO: use CommonMetadata instead of redefining here; currently needs to be defined here
+// without external reference as using the CommonMetadata reference breaks thema codegen.
+type CoreRoleMetadata struct {
+	UpdateTimestamp   time.Time         `json:"updateTimestamp"`
+	CreatedBy         string            `json:"createdBy"`
+	Uid               string            `json:"uid"`
+	CreationTimestamp time.Time         `json:"creationTimestamp"`
+	DeletionTimestamp *time.Time        `json:"deletionTimestamp,omitempty"`
+	Finalizers        []string          `json:"finalizers"`
+	ResourceVersion   string            `json:"resourceVersion"`
+	Generation        int64             `json:"generation"`
+	UpdatedBy         string            `json:"updatedBy"`
+	Labels            map[string]string `json:"labels"`
+}
+
+// NewCoreRoleMetadata creates a new CoreRoleMetadata object.
+func NewCoreRoleMetadata() *CoreRoleMetadata {
+	return &CoreRoleMetadata{}
+}

apps/iam/pkg/apis/iam/v0alpha1/corerole_object_gen.go

@@ -0,0 +1,319 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"fmt"
+	"github.com/grafana/grafana-app-sdk/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"time"
+)
+
+// +k8s:openapi-gen=true
+type CoreRole struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata" yaml:"metadata"`
+
+	// Spec is the spec of the CoreRole
+	Spec CoreRoleSpec `json:"spec" yaml:"spec"`
+
+	Status CoreRoleStatus `json:"status" yaml:"status"`
+}
+
+func (o *CoreRole) GetSpec() any {
+	return o.Spec
+}
+
+func (o *CoreRole) SetSpec(spec any) error {
+	cast, ok := spec.(CoreRoleSpec)
+	if !ok {
+		return fmt.Errorf("cannot set spec type %#v, not of type Spec", spec)
+	}
+	o.Spec = cast
+	return nil
+}
+
+func (o *CoreRole) GetSubresources() map[string]any {
+	return map[string]any{
+		"status": o.Status,
+	}
+}
+
+func (o *CoreRole) GetSubresource(name string) (any, bool) {
+	switch name {
+	case "status":
+		return o.Status, true
+	default:
+		return nil, false
+	}
+}
+
+func (o *CoreRole) SetSubresource(name string, value any) error {
+	switch name {
+	case "status":
+		cast, ok := value.(CoreRoleStatus)
+		if !ok {
+			return fmt.Errorf("cannot set status type %#v, not of type CoreRoleStatus", value)
+		}
+		o.Status = cast
+		return nil
+	default:
+		return fmt.Errorf("subresource '%s' does not exist", name)
+	}
+}
+
+func (o *CoreRole) GetStaticMetadata() resource.StaticMetadata {
+	gvk := o.GroupVersionKind()
+	return resource.StaticMetadata{
+		Name:      o.ObjectMeta.Name,
+		Namespace: o.ObjectMeta.Namespace,
+		Group:     gvk.Group,
+		Version:   gvk.Version,
+		Kind:      gvk.Kind,
+	}
+}
+
+func (o *CoreRole) SetStaticMetadata(metadata resource.StaticMetadata) {
+	o.Name = metadata.Name
+	o.Namespace = metadata.Namespace
+	o.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   metadata.Group,
+		Version: metadata.Version,
+		Kind:    metadata.Kind,
+	})
+}
+
+func (o *CoreRole) GetCommonMetadata() resource.CommonMetadata {
+	dt := o.DeletionTimestamp
+	var deletionTimestamp *time.Time
+	if dt != nil {
+		deletionTimestamp = &dt.Time
+	}
+	// Legacy ExtraFields support
+	extraFields := make(map[string]any)
+	if o.Annotations != nil {
+		extraFields["annotations"] = o.Annotations
+	}
+	if o.ManagedFields != nil {
+		extraFields["managedFields"] = o.ManagedFields
+	}
+	if o.OwnerReferences != nil {
+		extraFields["ownerReferences"] = o.OwnerReferences
+	}
+	return resource.CommonMetadata{
+		UID:               string(o.UID),
+		ResourceVersion:   o.ResourceVersion,
+		Generation:        o.Generation,
+		Labels:            o.Labels,
+		CreationTimestamp: o.CreationTimestamp.Time,
+		DeletionTimestamp: deletionTimestamp,
+		Finalizers:        o.Finalizers,
+		UpdateTimestamp:   o.GetUpdateTimestamp(),
+		CreatedBy:         o.GetCreatedBy(),
+		UpdatedBy:         o.GetUpdatedBy(),
+		ExtraFields:       extraFields,
+	}
+}
+
+func (o *CoreRole) SetCommonMetadata(metadata resource.CommonMetadata) {
+	o.UID = types.UID(metadata.UID)
+	o.ResourceVersion = metadata.ResourceVersion
+	o.Generation = metadata.Generation
+	o.Labels = metadata.Labels
+	o.CreationTimestamp = metav1.NewTime(metadata.CreationTimestamp)
+	if metadata.DeletionTimestamp != nil {
+		dt := metav1.NewTime(*metadata.DeletionTimestamp)
+		o.DeletionTimestamp = &dt
+	} else {
+		o.DeletionTimestamp = nil
+	}
+	o.Finalizers = metadata.Finalizers
+	if o.Annotations == nil {
+		o.Annotations = make(map[string]string)
+	}
+	if !metadata.UpdateTimestamp.IsZero() {
+		o.SetUpdateTimestamp(metadata.UpdateTimestamp)
+	}
+	if metadata.CreatedBy != "" {
+		o.SetCreatedBy(metadata.CreatedBy)
+	}
+	if metadata.UpdatedBy != "" {
+		o.SetUpdatedBy(metadata.UpdatedBy)
+	}
+	// Legacy support for setting Annotations, ManagedFields, and OwnerReferences via ExtraFields
+	if metadata.ExtraFields != nil {
+		if annotations, ok := metadata.ExtraFields["annotations"]; ok {
+			if cast, ok := annotations.(map[string]string); ok {
+				o.Annotations = cast
+			}
+		}
+		if managedFields, ok := metadata.ExtraFields["managedFields"]; ok {
+			if cast, ok := managedFields.([]metav1.ManagedFieldsEntry); ok {
+				o.ManagedFields = cast
+			}
+		}
+		if ownerReferences, ok := metadata.ExtraFields["ownerReferences"]; ok {
+			if cast, ok := ownerReferences.([]metav1.OwnerReference); ok {
+				o.OwnerReferences = cast
+			}
+		}
+	}
+}
+
+func (o *CoreRole) GetCreatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/createdBy"]
+}
+
+func (o *CoreRole) SetCreatedBy(createdBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/createdBy"] = createdBy
+}
+
+func (o *CoreRole) GetUpdateTimestamp() time.Time {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	parsed, _ := time.Parse(time.RFC3339, o.ObjectMeta.Annotations["grafana.com/updateTimestamp"])
+	return parsed
+}
+
+func (o *CoreRole) SetUpdateTimestamp(updateTimestamp time.Time) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updateTimestamp"] = updateTimestamp.Format(time.RFC3339)
+}
+
+func (o *CoreRole) GetUpdatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/updatedBy"]
+}
+
+func (o *CoreRole) SetUpdatedBy(updatedBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updatedBy"] = updatedBy
+}
+
+func (o *CoreRole) Copy() resource.Object {
+	return resource.CopyObject(o)
+}
+
+func (o *CoreRole) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *CoreRole) DeepCopy() *CoreRole {
+	cpy := &CoreRole{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *CoreRole) DeepCopyInto(dst *CoreRole) {
+	dst.TypeMeta.APIVersion = o.TypeMeta.APIVersion
+	dst.TypeMeta.Kind = o.TypeMeta.Kind
+	o.ObjectMeta.DeepCopyInto(&dst.ObjectMeta)
+	o.Spec.DeepCopyInto(&dst.Spec)
+	o.Status.DeepCopyInto(&dst.Status)
+}
+
+// Interface compliance compile-time check
+var _ resource.Object = &CoreRole{}
+
+// +k8s:openapi-gen=true
+type CoreRoleList struct {
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []CoreRole `json:"items" yaml:"items"`
+}
+
+func (o *CoreRoleList) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *CoreRoleList) Copy() resource.ListObject {
+	cpy := &CoreRoleList{
+		TypeMeta: o.TypeMeta,
+		Items:    make([]CoreRole, len(o.Items)),
+	}
+	o.ListMeta.DeepCopyInto(&cpy.ListMeta)
+	for i := 0; i < len(o.Items); i++ {
+		if item, ok := o.Items[i].Copy().(*CoreRole); ok {
+			cpy.Items[i] = *item
+		}
+	}
+	return cpy
+}
+
+func (o *CoreRoleList) GetItems() []resource.Object {
+	items := make([]resource.Object, len(o.Items))
+	for i := 0; i < len(o.Items); i++ {
+		items[i] = &o.Items[i]
+	}
+	return items
+}
+
+func (o *CoreRoleList) SetItems(items []resource.Object) {
+	o.Items = make([]CoreRole, len(items))
+	for i := 0; i < len(items); i++ {
+		o.Items[i] = *items[i].(*CoreRole)
+	}
+}
+
+func (o *CoreRoleList) DeepCopy() *CoreRoleList {
+	cpy := &CoreRoleList{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *CoreRoleList) DeepCopyInto(dst *CoreRoleList) {
+	resource.CopyObjectInto(dst, o)
+}
+
+// Interface compliance compile-time check
+var _ resource.ListObject = &CoreRoleList{}
+
+// Copy methods for all subresource types
+
+// DeepCopy creates a full deep copy of Spec
+func (s *CoreRoleSpec) DeepCopy() *CoreRoleSpec {
+	cpy := &CoreRoleSpec{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies Spec into another Spec object
+func (s *CoreRoleSpec) DeepCopyInto(dst *CoreRoleSpec) {
+	resource.CopyObjectInto(dst, s)
+}
+
+// DeepCopy creates a full deep copy of CoreRoleStatus
+func (s *CoreRoleStatus) DeepCopy() *CoreRoleStatus {
+	cpy := &CoreRoleStatus{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies CoreRoleStatus into another CoreRoleStatus object
+func (s *CoreRoleStatus) DeepCopyInto(dst *CoreRoleStatus) {
+	resource.CopyObjectInto(dst, s)
+}

apps/iam/pkg/apis/iam/v0alpha1/corerole_schema_gen.go

@@ -0,0 +1,34 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// schema is unexported to prevent accidental overwrites
+var (
+	schemaCoreRole = resource.NewSimpleSchema("iam.grafana.app", "v0alpha1", &CoreRole{}, &CoreRoleList{}, resource.WithKind("CoreRole"),
+		resource.WithPlural("coreroles"), resource.WithScope(resource.NamespacedScope))
+	kindCoreRole = resource.Kind{
+		Schema: schemaCoreRole,
+		Codecs: map[resource.KindEncoding]resource.Codec{
+			resource.KindEncodingJSON: &CoreRoleJSONCodec{},
+		},
+	}
+)
+
+// Kind returns a resource.Kind for this Schema with a JSON codec
+func CoreRoleKind() resource.Kind {
+	return kindCoreRole
+}
+
+// Schema returns a resource.SimpleSchema representation of CoreRole
+func CoreRoleSchema() *resource.SimpleSchema {
+	return schemaCoreRole
+}
+
+// Interface compliance checks
+var _ resource.Schema = kindCoreRole

apps/iam/pkg/apis/iam/v0alpha1/corerole_spec_gen.go

@@ -0,0 +1,34 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type CoreRolespecPermission struct {
+	// RBAC action (e.g: "dashbaords:read")
+	Action string `json:"action"`
+	// RBAC scope (e.g: "dashboards:uid:dash1")
+	Scope string `json:"scope"`
+}
+
+// NewCoreRolespecPermission creates a new CoreRolespecPermission object.
+func NewCoreRolespecPermission() *CoreRolespecPermission {
+	return &CoreRolespecPermission{}
+}
+
+// +k8s:openapi-gen=true
+type CoreRoleSpec struct {
+	// Display name of the role
+	Title   string `json:"title"`
+	Version int64  `json:"version"`
+	Group   string `json:"group"`
+	// TODO:
+	// delegatable?: bool
+	// created?
+	// updated?
+	Permissions []CoreRolespecPermission `json:"permissions"`
+}
+
+// NewCoreRoleSpec creates a new CoreRoleSpec object.
+func NewCoreRoleSpec() *CoreRoleSpec {
+	return &CoreRoleSpec{}
+}

apps/iam/pkg/apis/iam/v0alpha1/corerole_status_gen.go

@@ -0,0 +1,44 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type CoreRolestatusOperatorState struct {
+	// lastEvaluation is the ResourceVersion last evaluated
+	LastEvaluation string `json:"lastEvaluation"`
+	// state describes the state of the lastEvaluation.
+	// It is limited to three possible states for machine evaluation.
+	State CoreRoleStatusOperatorStateState `json:"state"`
+	// descriptiveState is an optional more descriptive state field which has no requirements on format
+	DescriptiveState *string `json:"descriptiveState,omitempty"`
+	// details contains any extra information that is operator-specific
+	Details map[string]interface{} `json:"details,omitempty"`
+}
+
+// NewCoreRolestatusOperatorState creates a new CoreRolestatusOperatorState object.
+func NewCoreRolestatusOperatorState() *CoreRolestatusOperatorState {
+	return &CoreRolestatusOperatorState{}
+}
+
+// +k8s:openapi-gen=true
+type CoreRoleStatus struct {
+	// operatorStates is a map of operator ID to operator state evaluations.
+	// Any operator which consumes this kind SHOULD add its state evaluation information to this field.
+	OperatorStates map[string]CoreRolestatusOperatorState `json:"operatorStates,omitempty"`
+	// additionalFields is reserved for future use
+	AdditionalFields map[string]interface{} `json:"additionalFields,omitempty"`
+}
+
+// NewCoreRoleStatus creates a new CoreRoleStatus object.
+func NewCoreRoleStatus() *CoreRoleStatus {
+	return &CoreRoleStatus{}
+}
+
+// +k8s:openapi-gen=true
+type CoreRoleStatusOperatorStateState string
+
+const (
+	CoreRoleStatusOperatorStateStateSuccess    CoreRoleStatusOperatorStateState = "success"
+	CoreRoleStatusOperatorStateStateInProgress CoreRoleStatusOperatorStateState = "in_progress"
+	CoreRoleStatusOperatorStateStateFailed     CoreRoleStatusOperatorStateState = "failed"
+)

apps/iam/pkg/apis/iam/v0alpha1/globalrole_codec_gen.go

@@ -0,0 +1,28 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// GlobalRoleJSONCodec is an implementation of resource.Codec for kubernetes JSON encoding
+type GlobalRoleJSONCodec struct{}
+
+// Read reads JSON-encoded bytes from `reader` and unmarshals them into `into`
+func (*GlobalRoleJSONCodec) Read(reader io.Reader, into resource.Object) error {
+	return json.NewDecoder(reader).Decode(into)
+}
+
+// Write writes JSON-encoded bytes into `writer` marshaled from `from`
+func (*GlobalRoleJSONCodec) Write(writer io.Writer, from resource.Object) error {
+	return json.NewEncoder(writer).Encode(from)
+}
+
+// Interface compliance checks
+var _ resource.Codec = &GlobalRoleJSONCodec{}

apps/iam/pkg/apis/iam/v0alpha1/globalrole_metadata_gen.go

@@ -0,0 +1,28 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	time "time"
+)
+
+// metadata contains embedded CommonMetadata and can be extended with custom string fields
+// TODO: use CommonMetadata instead of redefining here; currently needs to be defined here
+// without external reference as using the CommonMetadata reference breaks thema codegen.
+type GlobalRoleMetadata struct {
+	UpdateTimestamp   time.Time         `json:"updateTimestamp"`
+	CreatedBy         string            `json:"createdBy"`
+	Uid               string            `json:"uid"`
+	CreationTimestamp time.Time         `json:"creationTimestamp"`
+	DeletionTimestamp *time.Time        `json:"deletionTimestamp,omitempty"`
+	Finalizers        []string          `json:"finalizers"`
+	ResourceVersion   string            `json:"resourceVersion"`
+	Generation        int64             `json:"generation"`
+	UpdatedBy         string            `json:"updatedBy"`
+	Labels            map[string]string `json:"labels"`
+}
+
+// NewGlobalRoleMetadata creates a new GlobalRoleMetadata object.
+func NewGlobalRoleMetadata() *GlobalRoleMetadata {
+	return &GlobalRoleMetadata{}
+}

apps/iam/pkg/apis/iam/v0alpha1/globalrole_object_gen.go

@@ -0,0 +1,319 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"fmt"
+	"github.com/grafana/grafana-app-sdk/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"time"
+)
+
+// +k8s:openapi-gen=true
+type GlobalRole struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata" yaml:"metadata"`
+
+	// Spec is the spec of the GlobalRole
+	Spec GlobalRoleSpec `json:"spec" yaml:"spec"`
+
+	Status GlobalRoleStatus `json:"status" yaml:"status"`
+}
+
+func (o *GlobalRole) GetSpec() any {
+	return o.Spec
+}
+
+func (o *GlobalRole) SetSpec(spec any) error {
+	cast, ok := spec.(GlobalRoleSpec)
+	if !ok {
+		return fmt.Errorf("cannot set spec type %#v, not of type Spec", spec)
+	}
+	o.Spec = cast
+	return nil
+}
+
+func (o *GlobalRole) GetSubresources() map[string]any {
+	return map[string]any{
+		"status": o.Status,
+	}
+}
+
+func (o *GlobalRole) GetSubresource(name string) (any, bool) {
+	switch name {
+	case "status":
+		return o.Status, true
+	default:
+		return nil, false
+	}
+}
+
+func (o *GlobalRole) SetSubresource(name string, value any) error {
+	switch name {
+	case "status":
+		cast, ok := value.(GlobalRoleStatus)
+		if !ok {
+			return fmt.Errorf("cannot set status type %#v, not of type GlobalRoleStatus", value)
+		}
+		o.Status = cast
+		return nil
+	default:
+		return fmt.Errorf("subresource '%s' does not exist", name)
+	}
+}
+
+func (o *GlobalRole) GetStaticMetadata() resource.StaticMetadata {
+	gvk := o.GroupVersionKind()
+	return resource.StaticMetadata{
+		Name:      o.ObjectMeta.Name,
+		Namespace: o.ObjectMeta.Namespace,
+		Group:     gvk.Group,
+		Version:   gvk.Version,
+		Kind:      gvk.Kind,
+	}
+}
+
+func (o *GlobalRole) SetStaticMetadata(metadata resource.StaticMetadata) {
+	o.Name = metadata.Name
+	o.Namespace = metadata.Namespace
+	o.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   metadata.Group,
+		Version: metadata.Version,
+		Kind:    metadata.Kind,
+	})
+}
+
+func (o *GlobalRole) GetCommonMetadata() resource.CommonMetadata {
+	dt := o.DeletionTimestamp
+	var deletionTimestamp *time.Time
+	if dt != nil {
+		deletionTimestamp = &dt.Time
+	}
+	// Legacy ExtraFields support
+	extraFields := make(map[string]any)
+	if o.Annotations != nil {
+		extraFields["annotations"] = o.Annotations
+	}
+	if o.ManagedFields != nil {
+		extraFields["managedFields"] = o.ManagedFields
+	}
+	if o.OwnerReferences != nil {
+		extraFields["ownerReferences"] = o.OwnerReferences
+	}
+	return resource.CommonMetadata{
+		UID:               string(o.UID),
+		ResourceVersion:   o.ResourceVersion,
+		Generation:        o.Generation,
+		Labels:            o.Labels,
+		CreationTimestamp: o.CreationTimestamp.Time,
+		DeletionTimestamp: deletionTimestamp,
+		Finalizers:        o.Finalizers,
+		UpdateTimestamp:   o.GetUpdateTimestamp(),
+		CreatedBy:         o.GetCreatedBy(),
+		UpdatedBy:         o.GetUpdatedBy(),
+		ExtraFields:       extraFields,
+	}
+}
+
+func (o *GlobalRole) SetCommonMetadata(metadata resource.CommonMetadata) {
+	o.UID = types.UID(metadata.UID)
+	o.ResourceVersion = metadata.ResourceVersion
+	o.Generation = metadata.Generation
+	o.Labels = metadata.Labels
+	o.CreationTimestamp = metav1.NewTime(metadata.CreationTimestamp)
+	if metadata.DeletionTimestamp != nil {
+		dt := metav1.NewTime(*metadata.DeletionTimestamp)
+		o.DeletionTimestamp = &dt
+	} else {
+		o.DeletionTimestamp = nil
+	}
+	o.Finalizers = metadata.Finalizers
+	if o.Annotations == nil {
+		o.Annotations = make(map[string]string)
+	}
+	if !metadata.UpdateTimestamp.IsZero() {
+		o.SetUpdateTimestamp(metadata.UpdateTimestamp)
+	}
+	if metadata.CreatedBy != "" {
+		o.SetCreatedBy(metadata.CreatedBy)
+	}
+	if metadata.UpdatedBy != "" {
+		o.SetUpdatedBy(metadata.UpdatedBy)
+	}
+	// Legacy support for setting Annotations, ManagedFields, and OwnerReferences via ExtraFields
+	if metadata.ExtraFields != nil {
+		if annotations, ok := metadata.ExtraFields["annotations"]; ok {
+			if cast, ok := annotations.(map[string]string); ok {
+				o.Annotations = cast
+			}
+		}
+		if managedFields, ok := metadata.ExtraFields["managedFields"]; ok {
+			if cast, ok := managedFields.([]metav1.ManagedFieldsEntry); ok {
+				o.ManagedFields = cast
+			}
+		}
+		if ownerReferences, ok := metadata.ExtraFields["ownerReferences"]; ok {
+			if cast, ok := ownerReferences.([]metav1.OwnerReference); ok {
+				o.OwnerReferences = cast
+			}
+		}
+	}
+}
+
+func (o *GlobalRole) GetCreatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/createdBy"]
+}
+
+func (o *GlobalRole) SetCreatedBy(createdBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/createdBy"] = createdBy
+}
+
+func (o *GlobalRole) GetUpdateTimestamp() time.Time {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	parsed, _ := time.Parse(time.RFC3339, o.ObjectMeta.Annotations["grafana.com/updateTimestamp"])
+	return parsed
+}
+
+func (o *GlobalRole) SetUpdateTimestamp(updateTimestamp time.Time) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updateTimestamp"] = updateTimestamp.Format(time.RFC3339)
+}
+
+func (o *GlobalRole) GetUpdatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/updatedBy"]
+}
+
+func (o *GlobalRole) SetUpdatedBy(updatedBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updatedBy"] = updatedBy
+}
+
+func (o *GlobalRole) Copy() resource.Object {
+	return resource.CopyObject(o)
+}
+
+func (o *GlobalRole) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *GlobalRole) DeepCopy() *GlobalRole {
+	cpy := &GlobalRole{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *GlobalRole) DeepCopyInto(dst *GlobalRole) {
+	dst.TypeMeta.APIVersion = o.TypeMeta.APIVersion
+	dst.TypeMeta.Kind = o.TypeMeta.Kind
+	o.ObjectMeta.DeepCopyInto(&dst.ObjectMeta)
+	o.Spec.DeepCopyInto(&dst.Spec)
+	o.Status.DeepCopyInto(&dst.Status)
+}
+
+// Interface compliance compile-time check
+var _ resource.Object = &GlobalRole{}
+
+// +k8s:openapi-gen=true
+type GlobalRoleList struct {
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []GlobalRole `json:"items" yaml:"items"`
+}
+
+func (o *GlobalRoleList) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *GlobalRoleList) Copy() resource.ListObject {
+	cpy := &GlobalRoleList{
+		TypeMeta: o.TypeMeta,
+		Items:    make([]GlobalRole, len(o.Items)),
+	}
+	o.ListMeta.DeepCopyInto(&cpy.ListMeta)
+	for i := 0; i < len(o.Items); i++ {
+		if item, ok := o.Items[i].Copy().(*GlobalRole); ok {
+			cpy.Items[i] = *item
+		}
+	}
+	return cpy
+}
+
+func (o *GlobalRoleList) GetItems() []resource.Object {
+	items := make([]resource.Object, len(o.Items))
+	for i := 0; i < len(o.Items); i++ {
+		items[i] = &o.Items[i]
+	}
+	return items
+}
+
+func (o *GlobalRoleList) SetItems(items []resource.Object) {
+	o.Items = make([]GlobalRole, len(items))
+	for i := 0; i < len(items); i++ {
+		o.Items[i] = *items[i].(*GlobalRole)
+	}
+}
+
+func (o *GlobalRoleList) DeepCopy() *GlobalRoleList {
+	cpy := &GlobalRoleList{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *GlobalRoleList) DeepCopyInto(dst *GlobalRoleList) {
+	resource.CopyObjectInto(dst, o)
+}
+
+// Interface compliance compile-time check
+var _ resource.ListObject = &GlobalRoleList{}
+
+// Copy methods for all subresource types
+
+// DeepCopy creates a full deep copy of Spec
+func (s *GlobalRoleSpec) DeepCopy() *GlobalRoleSpec {
+	cpy := &GlobalRoleSpec{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies Spec into another Spec object
+func (s *GlobalRoleSpec) DeepCopyInto(dst *GlobalRoleSpec) {
+	resource.CopyObjectInto(dst, s)
+}
+
+// DeepCopy creates a full deep copy of GlobalRoleStatus
+func (s *GlobalRoleStatus) DeepCopy() *GlobalRoleStatus {
+	cpy := &GlobalRoleStatus{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies GlobalRoleStatus into another GlobalRoleStatus object
+func (s *GlobalRoleStatus) DeepCopyInto(dst *GlobalRoleStatus) {
+	resource.CopyObjectInto(dst, s)
+}

apps/iam/pkg/apis/iam/v0alpha1/globalrole_schema_gen.go

@@ -0,0 +1,34 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// schema is unexported to prevent accidental overwrites
+var (
+	schemaGlobalRole = resource.NewSimpleSchema("iam.grafana.app", "v0alpha1", &GlobalRole{}, &GlobalRoleList{}, resource.WithKind("GlobalRole"),
+		resource.WithPlural("globalroles"), resource.WithScope(resource.NamespacedScope))
+	kindGlobalRole = resource.Kind{
+		Schema: schemaGlobalRole,
+		Codecs: map[resource.KindEncoding]resource.Codec{
+			resource.KindEncodingJSON: &GlobalRoleJSONCodec{},
+		},
+	}
+)
+
+// Kind returns a resource.Kind for this Schema with a JSON codec
+func GlobalRoleKind() resource.Kind {
+	return kindGlobalRole
+}
+
+// Schema returns a resource.SimpleSchema representation of GlobalRole
+func GlobalRoleSchema() *resource.SimpleSchema {
+	return schemaGlobalRole
+}
+
+// Interface compliance checks
+var _ resource.Schema = kindGlobalRole

apps/iam/pkg/apis/iam/v0alpha1/globalrole_spec_gen.go

@@ -0,0 +1,34 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type GlobalRolespecPermission struct {
+	// RBAC action (e.g: "dashbaords:read")
+	Action string `json:"action"`
+	// RBAC scope (e.g: "dashboards:uid:dash1")
+	Scope string `json:"scope"`
+}
+
+// NewGlobalRolespecPermission creates a new GlobalRolespecPermission object.
+func NewGlobalRolespecPermission() *GlobalRolespecPermission {
+	return &GlobalRolespecPermission{}
+}
+
+// +k8s:openapi-gen=true
+type GlobalRoleSpec struct {
+	// Display name of the role
+	Title   string `json:"title"`
+	Version int64  `json:"version"`
+	Group   string `json:"group"`
+	// TODO:
+	// delegatable?: bool
+	// created?
+	// updated?
+	Permissions []GlobalRolespecPermission `json:"permissions"`
+}
+
+// NewGlobalRoleSpec creates a new GlobalRoleSpec object.
+func NewGlobalRoleSpec() *GlobalRoleSpec {
+	return &GlobalRoleSpec{}
+}

apps/iam/pkg/apis/iam/v0alpha1/globalrole_status_gen.go

@@ -0,0 +1,44 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type GlobalRolestatusOperatorState struct {
+	// lastEvaluation is the ResourceVersion last evaluated
+	LastEvaluation string `json:"lastEvaluation"`
+	// state describes the state of the lastEvaluation.
+	// It is limited to three possible states for machine evaluation.
+	State GlobalRoleStatusOperatorStateState `json:"state"`
+	// descriptiveState is an optional more descriptive state field which has no requirements on format
+	DescriptiveState *string `json:"descriptiveState,omitempty"`
+	// details contains any extra information that is operator-specific
+	Details map[string]interface{} `json:"details,omitempty"`
+}
+
+// NewGlobalRolestatusOperatorState creates a new GlobalRolestatusOperatorState object.
+func NewGlobalRolestatusOperatorState() *GlobalRolestatusOperatorState {
+	return &GlobalRolestatusOperatorState{}
+}
+
+// +k8s:openapi-gen=true
+type GlobalRoleStatus struct {
+	// operatorStates is a map of operator ID to operator state evaluations.
+	// Any operator which consumes this kind SHOULD add its state evaluation information to this field.
+	OperatorStates map[string]GlobalRolestatusOperatorState `json:"operatorStates,omitempty"`
+	// additionalFields is reserved for future use
+	AdditionalFields map[string]interface{} `json:"additionalFields,omitempty"`
+}
+
+// NewGlobalRoleStatus creates a new GlobalRoleStatus object.
+func NewGlobalRoleStatus() *GlobalRoleStatus {
+	return &GlobalRoleStatus{}
+}
+
+// +k8s:openapi-gen=true
+type GlobalRoleStatusOperatorStateState string
+
+const (
+	GlobalRoleStatusOperatorStateStateSuccess    GlobalRoleStatusOperatorStateState = "success"
+	GlobalRoleStatusOperatorStateStateInProgress GlobalRoleStatusOperatorStateState = "in_progress"
+	GlobalRoleStatusOperatorStateStateFailed     GlobalRoleStatusOperatorStateState = "failed"
+)

apps/iam/pkg/apis/iam/v0alpha1/globalrolebinding_codec_gen.go

@@ -0,0 +1,28 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// GlobalRoleBindingJSONCodec is an implementation of resource.Codec for kubernetes JSON encoding
+type GlobalRoleBindingJSONCodec struct{}
+
+// Read reads JSON-encoded bytes from `reader` and unmarshals them into `into`
+func (*GlobalRoleBindingJSONCodec) Read(reader io.Reader, into resource.Object) error {
+	return json.NewDecoder(reader).Decode(into)
+}
+
+// Write writes JSON-encoded bytes into `writer` marshaled from `from`
+func (*GlobalRoleBindingJSONCodec) Write(writer io.Writer, from resource.Object) error {
+	return json.NewEncoder(writer).Encode(from)
+}
+
+// Interface compliance checks
+var _ resource.Codec = &GlobalRoleBindingJSONCodec{}

apps/iam/pkg/apis/iam/v0alpha1/globalrolebinding_metadata_gen.go

@@ -0,0 +1,28 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	time "time"
+)
+
+// metadata contains embedded CommonMetadata and can be extended with custom string fields
+// TODO: use CommonMetadata instead of redefining here; currently needs to be defined here
+// without external reference as using the CommonMetadata reference breaks thema codegen.
+type GlobalRoleBindingMetadata struct {
+	UpdateTimestamp   time.Time         `json:"updateTimestamp"`
+	CreatedBy         string            `json:"createdBy"`
+	Uid               string            `json:"uid"`
+	CreationTimestamp time.Time         `json:"creationTimestamp"`
+	DeletionTimestamp *time.Time        `json:"deletionTimestamp,omitempty"`
+	Finalizers        []string          `json:"finalizers"`
+	ResourceVersion   string            `json:"resourceVersion"`
+	Generation        int64             `json:"generation"`
+	UpdatedBy         string            `json:"updatedBy"`
+	Labels            map[string]string `json:"labels"`
+}
+
+// NewGlobalRoleBindingMetadata creates a new GlobalRoleBindingMetadata object.
+func NewGlobalRoleBindingMetadata() *GlobalRoleBindingMetadata {
+	return &GlobalRoleBindingMetadata{}
+}

apps/iam/pkg/apis/iam/v0alpha1/globalrolebinding_object_gen.go

@@ -0,0 +1,319 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"fmt"
+	"github.com/grafana/grafana-app-sdk/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"time"
+)
+
+// +k8s:openapi-gen=true
+type GlobalRoleBinding struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata" yaml:"metadata"`
+
+	// Spec is the spec of the GlobalRoleBinding
+	Spec GlobalRoleBindingSpec `json:"spec" yaml:"spec"`
+
+	Status GlobalRoleBindingStatus `json:"status" yaml:"status"`
+}
+
+func (o *GlobalRoleBinding) GetSpec() any {
+	return o.Spec
+}
+
+func (o *GlobalRoleBinding) SetSpec(spec any) error {
+	cast, ok := spec.(GlobalRoleBindingSpec)
+	if !ok {
+		return fmt.Errorf("cannot set spec type %#v, not of type Spec", spec)
+	}
+	o.Spec = cast
+	return nil
+}
+
+func (o *GlobalRoleBinding) GetSubresources() map[string]any {
+	return map[string]any{
+		"status": o.Status,
+	}
+}
+
+func (o *GlobalRoleBinding) GetSubresource(name string) (any, bool) {
+	switch name {
+	case "status":
+		return o.Status, true
+	default:
+		return nil, false
+	}
+}
+
+func (o *GlobalRoleBinding) SetSubresource(name string, value any) error {
+	switch name {
+	case "status":
+		cast, ok := value.(GlobalRoleBindingStatus)
+		if !ok {
+			return fmt.Errorf("cannot set status type %#v, not of type GlobalRoleBindingStatus", value)
+		}
+		o.Status = cast
+		return nil
+	default:
+		return fmt.Errorf("subresource '%s' does not exist", name)
+	}
+}
+
+func (o *GlobalRoleBinding) GetStaticMetadata() resource.StaticMetadata {
+	gvk := o.GroupVersionKind()
+	return resource.StaticMetadata{
+		Name:      o.ObjectMeta.Name,
+		Namespace: o.ObjectMeta.Namespace,
+		Group:     gvk.Group,
+		Version:   gvk.Version,
+		Kind:      gvk.Kind,
+	}
+}
+
+func (o *GlobalRoleBinding) SetStaticMetadata(metadata resource.StaticMetadata) {
+	o.Name = metadata.Name
+	o.Namespace = metadata.Namespace
+	o.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   metadata.Group,
+		Version: metadata.Version,
+		Kind:    metadata.Kind,
+	})
+}
+
+func (o *GlobalRoleBinding) GetCommonMetadata() resource.CommonMetadata {
+	dt := o.DeletionTimestamp
+	var deletionTimestamp *time.Time
+	if dt != nil {
+		deletionTimestamp = &dt.Time
+	}
+	// Legacy ExtraFields support
+	extraFields := make(map[string]any)
+	if o.Annotations != nil {
+		extraFields["annotations"] = o.Annotations
+	}
+	if o.ManagedFields != nil {
+		extraFields["managedFields"] = o.ManagedFields
+	}
+	if o.OwnerReferences != nil {
+		extraFields["ownerReferences"] = o.OwnerReferences
+	}
+	return resource.CommonMetadata{
+		UID:               string(o.UID),
+		ResourceVersion:   o.ResourceVersion,
+		Generation:        o.Generation,
+		Labels:            o.Labels,
+		CreationTimestamp: o.CreationTimestamp.Time,
+		DeletionTimestamp: deletionTimestamp,
+		Finalizers:        o.Finalizers,
+		UpdateTimestamp:   o.GetUpdateTimestamp(),
+		CreatedBy:         o.GetCreatedBy(),
+		UpdatedBy:         o.GetUpdatedBy(),
+		ExtraFields:       extraFields,
+	}
+}
+
+func (o *GlobalRoleBinding) SetCommonMetadata(metadata resource.CommonMetadata) {
+	o.UID = types.UID(metadata.UID)
+	o.ResourceVersion = metadata.ResourceVersion
+	o.Generation = metadata.Generation
+	o.Labels = metadata.Labels
+	o.CreationTimestamp = metav1.NewTime(metadata.CreationTimestamp)
+	if metadata.DeletionTimestamp != nil {
+		dt := metav1.NewTime(*metadata.DeletionTimestamp)
+		o.DeletionTimestamp = &dt
+	} else {
+		o.DeletionTimestamp = nil
+	}
+	o.Finalizers = metadata.Finalizers
+	if o.Annotations == nil {
+		o.Annotations = make(map[string]string)
+	}
+	if !metadata.UpdateTimestamp.IsZero() {
+		o.SetUpdateTimestamp(metadata.UpdateTimestamp)
+	}
+	if metadata.CreatedBy != "" {
+		o.SetCreatedBy(metadata.CreatedBy)
+	}
+	if metadata.UpdatedBy != "" {
+		o.SetUpdatedBy(metadata.UpdatedBy)
+	}
+	// Legacy support for setting Annotations, ManagedFields, and OwnerReferences via ExtraFields
+	if metadata.ExtraFields != nil {
+		if annotations, ok := metadata.ExtraFields["annotations"]; ok {
+			if cast, ok := annotations.(map[string]string); ok {
+				o.Annotations = cast
+			}
+		}
+		if managedFields, ok := metadata.ExtraFields["managedFields"]; ok {
+			if cast, ok := managedFields.([]metav1.ManagedFieldsEntry); ok {
+				o.ManagedFields = cast
+			}
+		}
+		if ownerReferences, ok := metadata.ExtraFields["ownerReferences"]; ok {
+			if cast, ok := ownerReferences.([]metav1.OwnerReference); ok {
+				o.OwnerReferences = cast
+			}
+		}
+	}
+}
+
+func (o *GlobalRoleBinding) GetCreatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/createdBy"]
+}
+
+func (o *GlobalRoleBinding) SetCreatedBy(createdBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/createdBy"] = createdBy
+}
+
+func (o *GlobalRoleBinding) GetUpdateTimestamp() time.Time {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	parsed, _ := time.Parse(time.RFC3339, o.ObjectMeta.Annotations["grafana.com/updateTimestamp"])
+	return parsed
+}
+
+func (o *GlobalRoleBinding) SetUpdateTimestamp(updateTimestamp time.Time) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updateTimestamp"] = updateTimestamp.Format(time.RFC3339)
+}
+
+func (o *GlobalRoleBinding) GetUpdatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/updatedBy"]
+}
+
+func (o *GlobalRoleBinding) SetUpdatedBy(updatedBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updatedBy"] = updatedBy
+}
+
+func (o *GlobalRoleBinding) Copy() resource.Object {
+	return resource.CopyObject(o)
+}
+
+func (o *GlobalRoleBinding) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *GlobalRoleBinding) DeepCopy() *GlobalRoleBinding {
+	cpy := &GlobalRoleBinding{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *GlobalRoleBinding) DeepCopyInto(dst *GlobalRoleBinding) {
+	dst.TypeMeta.APIVersion = o.TypeMeta.APIVersion
+	dst.TypeMeta.Kind = o.TypeMeta.Kind
+	o.ObjectMeta.DeepCopyInto(&dst.ObjectMeta)
+	o.Spec.DeepCopyInto(&dst.Spec)
+	o.Status.DeepCopyInto(&dst.Status)
+}
+
+// Interface compliance compile-time check
+var _ resource.Object = &GlobalRoleBinding{}
+
+// +k8s:openapi-gen=true
+type GlobalRoleBindingList struct {
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []GlobalRoleBinding `json:"items" yaml:"items"`
+}
+
+func (o *GlobalRoleBindingList) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *GlobalRoleBindingList) Copy() resource.ListObject {
+	cpy := &GlobalRoleBindingList{
+		TypeMeta: o.TypeMeta,
+		Items:    make([]GlobalRoleBinding, len(o.Items)),
+	}
+	o.ListMeta.DeepCopyInto(&cpy.ListMeta)
+	for i := 0; i < len(o.Items); i++ {
+		if item, ok := o.Items[i].Copy().(*GlobalRoleBinding); ok {
+			cpy.Items[i] = *item
+		}
+	}
+	return cpy
+}
+
+func (o *GlobalRoleBindingList) GetItems() []resource.Object {
+	items := make([]resource.Object, len(o.Items))
+	for i := 0; i < len(o.Items); i++ {
+		items[i] = &o.Items[i]
+	}
+	return items
+}
+
+func (o *GlobalRoleBindingList) SetItems(items []resource.Object) {
+	o.Items = make([]GlobalRoleBinding, len(items))
+	for i := 0; i < len(items); i++ {
+		o.Items[i] = *items[i].(*GlobalRoleBinding)
+	}
+}
+
+func (o *GlobalRoleBindingList) DeepCopy() *GlobalRoleBindingList {
+	cpy := &GlobalRoleBindingList{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *GlobalRoleBindingList) DeepCopyInto(dst *GlobalRoleBindingList) {
+	resource.CopyObjectInto(dst, o)
+}
+
+// Interface compliance compile-time check
+var _ resource.ListObject = &GlobalRoleBindingList{}
+
+// Copy methods for all subresource types
+
+// DeepCopy creates a full deep copy of Spec
+func (s *GlobalRoleBindingSpec) DeepCopy() *GlobalRoleBindingSpec {
+	cpy := &GlobalRoleBindingSpec{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies Spec into another Spec object
+func (s *GlobalRoleBindingSpec) DeepCopyInto(dst *GlobalRoleBindingSpec) {
+	resource.CopyObjectInto(dst, s)
+}
+
+// DeepCopy creates a full deep copy of GlobalRoleBindingStatus
+func (s *GlobalRoleBindingStatus) DeepCopy() *GlobalRoleBindingStatus {
+	cpy := &GlobalRoleBindingStatus{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies GlobalRoleBindingStatus into another GlobalRoleBindingStatus object
+func (s *GlobalRoleBindingStatus) DeepCopyInto(dst *GlobalRoleBindingStatus) {
+	resource.CopyObjectInto(dst, s)
+}

apps/iam/pkg/apis/iam/v0alpha1/globalrolebinding_schema_gen.go

@@ -0,0 +1,34 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// schema is unexported to prevent accidental overwrites
+var (
+	schemaGlobalRoleBinding = resource.NewSimpleSchema("iam.grafana.app", "v0alpha1", &GlobalRoleBinding{}, &GlobalRoleBindingList{}, resource.WithKind("GlobalRoleBinding"),
+		resource.WithPlural("globalrolebindings"), resource.WithScope(resource.NamespacedScope))
+	kindGlobalRoleBinding = resource.Kind{
+		Schema: schemaGlobalRoleBinding,
+		Codecs: map[resource.KindEncoding]resource.Codec{
+			resource.KindEncodingJSON: &GlobalRoleBindingJSONCodec{},
+		},
+	}
+)
+
+// Kind returns a resource.Kind for this Schema with a JSON codec
+func GlobalRoleBindingKind() resource.Kind {
+	return kindGlobalRoleBinding
+}
+
+// Schema returns a resource.SimpleSchema representation of GlobalRoleBinding
+func GlobalRoleBindingSchema() *resource.SimpleSchema {
+	return schemaGlobalRoleBinding
+}
+
+// Interface compliance checks
+var _ resource.Schema = kindGlobalRoleBinding

apps/iam/pkg/apis/iam/v0alpha1/globalrolebinding_spec_gen.go

@@ -0,0 +1,60 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type GlobalRoleBindingspecSubject struct {
+	// kind of the identity getting the permission
+	Kind GlobalRoleBindingSpecSubjectKind `json:"kind"`
+	// uid of the identity
+	Name string `json:"name"`
+}
+
+// NewGlobalRoleBindingspecSubject creates a new GlobalRoleBindingspecSubject object.
+func NewGlobalRoleBindingspecSubject() *GlobalRoleBindingspecSubject {
+	return &GlobalRoleBindingspecSubject{}
+}
+
+// +k8s:openapi-gen=true
+type GlobalRoleBindingspecRoleRef struct {
+	// kind of role
+	Kind GlobalRoleBindingSpecRoleRefKind `json:"kind"`
+	// uid of the role
+	Name string `json:"name"`
+}
+
+// NewGlobalRoleBindingspecRoleRef creates a new GlobalRoleBindingspecRoleRef object.
+func NewGlobalRoleBindingspecRoleRef() *GlobalRoleBindingspecRoleRef {
+	return &GlobalRoleBindingspecRoleRef{}
+}
+
+// +k8s:openapi-gen=true
+type GlobalRoleBindingSpec struct {
+	Subjects []GlobalRoleBindingspecSubject `json:"subjects"`
+	RoleRef  GlobalRoleBindingspecRoleRef   `json:"roleRef"`
+}
+
+// NewGlobalRoleBindingSpec creates a new GlobalRoleBindingSpec object.
+func NewGlobalRoleBindingSpec() *GlobalRoleBindingSpec {
+	return &GlobalRoleBindingSpec{
+		RoleRef: *NewGlobalRoleBindingspecRoleRef(),
+	}
+}
+
+// +k8s:openapi-gen=true
+type GlobalRoleBindingSpecSubjectKind string
+
+const (
+	GlobalRoleBindingSpecSubjectKindUser           GlobalRoleBindingSpecSubjectKind = "User"
+	GlobalRoleBindingSpecSubjectKindServiceAccount GlobalRoleBindingSpecSubjectKind = "ServiceAccount"
+	GlobalRoleBindingSpecSubjectKindTeam           GlobalRoleBindingSpecSubjectKind = "Team"
+	GlobalRoleBindingSpecSubjectKindBasicRole      GlobalRoleBindingSpecSubjectKind = "BasicRole"
+)
+
+// +k8s:openapi-gen=true
+type GlobalRoleBindingSpecRoleRefKind string
+
+const (
+	GlobalRoleBindingSpecRoleRefKindCoreRole   GlobalRoleBindingSpecRoleRefKind = "CoreRole"
+	GlobalRoleBindingSpecRoleRefKindGlobalRole GlobalRoleBindingSpecRoleRefKind = "GlobalRole"
+)

apps/iam/pkg/apis/iam/v0alpha1/globalrolebinding_status_gen.go

@@ -0,0 +1,44 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type GlobalRoleBindingstatusOperatorState struct {
+	// lastEvaluation is the ResourceVersion last evaluated
+	LastEvaluation string `json:"lastEvaluation"`
+	// state describes the state of the lastEvaluation.
+	// It is limited to three possible states for machine evaluation.
+	State GlobalRoleBindingStatusOperatorStateState `json:"state"`
+	// descriptiveState is an optional more descriptive state field which has no requirements on format
+	DescriptiveState *string `json:"descriptiveState,omitempty"`
+	// details contains any extra information that is operator-specific
+	Details map[string]interface{} `json:"details,omitempty"`
+}
+
+// NewGlobalRoleBindingstatusOperatorState creates a new GlobalRoleBindingstatusOperatorState object.
+func NewGlobalRoleBindingstatusOperatorState() *GlobalRoleBindingstatusOperatorState {
+	return &GlobalRoleBindingstatusOperatorState{}
+}
+
+// +k8s:openapi-gen=true
+type GlobalRoleBindingStatus struct {
+	// operatorStates is a map of operator ID to operator state evaluations.
+	// Any operator which consumes this kind SHOULD add its state evaluation information to this field.
+	OperatorStates map[string]GlobalRoleBindingstatusOperatorState `json:"operatorStates,omitempty"`
+	// additionalFields is reserved for future use
+	AdditionalFields map[string]interface{} `json:"additionalFields,omitempty"`
+}
+
+// NewGlobalRoleBindingStatus creates a new GlobalRoleBindingStatus object.
+func NewGlobalRoleBindingStatus() *GlobalRoleBindingStatus {
+	return &GlobalRoleBindingStatus{}
+}
+
+// +k8s:openapi-gen=true
+type GlobalRoleBindingStatusOperatorStateState string
+
+const (
+	GlobalRoleBindingStatusOperatorStateStateSuccess    GlobalRoleBindingStatusOperatorStateState = "success"
+	GlobalRoleBindingStatusOperatorStateStateInProgress GlobalRoleBindingStatusOperatorStateState = "in_progress"
+	GlobalRoleBindingStatusOperatorStateStateFailed     GlobalRoleBindingStatusOperatorStateState = "failed"
+)

apps/iam/pkg/apis/iam/v0alpha1/resourcepermission_codec_gen.go

@@ -0,0 +1,28 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// ResourcePermissionJSONCodec is an implementation of resource.Codec for kubernetes JSON encoding
+type ResourcePermissionJSONCodec struct{}
+
+// Read reads JSON-encoded bytes from `reader` and unmarshals them into `into`
+func (*ResourcePermissionJSONCodec) Read(reader io.Reader, into resource.Object) error {
+	return json.NewDecoder(reader).Decode(into)
+}
+
+// Write writes JSON-encoded bytes into `writer` marshaled from `from`
+func (*ResourcePermissionJSONCodec) Write(writer io.Writer, from resource.Object) error {
+	return json.NewEncoder(writer).Encode(from)
+}
+
+// Interface compliance checks
+var _ resource.Codec = &ResourcePermissionJSONCodec{}

apps/iam/pkg/apis/iam/v0alpha1/resourcepermission_metadata_gen.go

@@ -0,0 +1,28 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	time "time"
+)
+
+// metadata contains embedded CommonMetadata and can be extended with custom string fields
+// TODO: use CommonMetadata instead of redefining here; currently needs to be defined here
+// without external reference as using the CommonMetadata reference breaks thema codegen.
+type ResourcePermissionMetadata struct {
+	UpdateTimestamp   time.Time         `json:"updateTimestamp"`
+	CreatedBy         string            `json:"createdBy"`
+	Uid               string            `json:"uid"`
+	CreationTimestamp time.Time         `json:"creationTimestamp"`
+	DeletionTimestamp *time.Time        `json:"deletionTimestamp,omitempty"`
+	Finalizers        []string          `json:"finalizers"`
+	ResourceVersion   string            `json:"resourceVersion"`
+	Generation        int64             `json:"generation"`
+	UpdatedBy         string            `json:"updatedBy"`
+	Labels            map[string]string `json:"labels"`
+}
+
+// NewResourcePermissionMetadata creates a new ResourcePermissionMetadata object.
+func NewResourcePermissionMetadata() *ResourcePermissionMetadata {
+	return &ResourcePermissionMetadata{}
+}

apps/iam/pkg/apis/iam/v0alpha1/resourcepermission_object_gen.go

@@ -0,0 +1,319 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"fmt"
+	"github.com/grafana/grafana-app-sdk/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"time"
+)
+
+// +k8s:openapi-gen=true
+type ResourcePermission struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata" yaml:"metadata"`
+
+	// Spec is the spec of the ResourcePermission
+	Spec ResourcePermissionSpec `json:"spec" yaml:"spec"`
+
+	Status ResourcePermissionStatus `json:"status" yaml:"status"`
+}
+
+func (o *ResourcePermission) GetSpec() any {
+	return o.Spec
+}
+
+func (o *ResourcePermission) SetSpec(spec any) error {
+	cast, ok := spec.(ResourcePermissionSpec)
+	if !ok {
+		return fmt.Errorf("cannot set spec type %#v, not of type Spec", spec)
+	}
+	o.Spec = cast
+	return nil
+}
+
+func (o *ResourcePermission) GetSubresources() map[string]any {
+	return map[string]any{
+		"status": o.Status,
+	}
+}
+
+func (o *ResourcePermission) GetSubresource(name string) (any, bool) {
+	switch name {
+	case "status":
+		return o.Status, true
+	default:
+		return nil, false
+	}
+}
+
+func (o *ResourcePermission) SetSubresource(name string, value any) error {
+	switch name {
+	case "status":
+		cast, ok := value.(ResourcePermissionStatus)
+		if !ok {
+			return fmt.Errorf("cannot set status type %#v, not of type ResourcePermissionStatus", value)
+		}
+		o.Status = cast
+		return nil
+	default:
+		return fmt.Errorf("subresource '%s' does not exist", name)
+	}
+}
+
+func (o *ResourcePermission) GetStaticMetadata() resource.StaticMetadata {
+	gvk := o.GroupVersionKind()
+	return resource.StaticMetadata{
+		Name:      o.ObjectMeta.Name,
+		Namespace: o.ObjectMeta.Namespace,
+		Group:     gvk.Group,
+		Version:   gvk.Version,
+		Kind:      gvk.Kind,
+	}
+}
+
+func (o *ResourcePermission) SetStaticMetadata(metadata resource.StaticMetadata) {
+	o.Name = metadata.Name
+	o.Namespace = metadata.Namespace
+	o.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   metadata.Group,
+		Version: metadata.Version,
+		Kind:    metadata.Kind,
+	})
+}
+
+func (o *ResourcePermission) GetCommonMetadata() resource.CommonMetadata {
+	dt := o.DeletionTimestamp
+	var deletionTimestamp *time.Time
+	if dt != nil {
+		deletionTimestamp = &dt.Time
+	}
+	// Legacy ExtraFields support
+	extraFields := make(map[string]any)
+	if o.Annotations != nil {
+		extraFields["annotations"] = o.Annotations
+	}
+	if o.ManagedFields != nil {
+		extraFields["managedFields"] = o.ManagedFields
+	}
+	if o.OwnerReferences != nil {
+		extraFields["ownerReferences"] = o.OwnerReferences
+	}
+	return resource.CommonMetadata{
+		UID:               string(o.UID),
+		ResourceVersion:   o.ResourceVersion,
+		Generation:        o.Generation,
+		Labels:            o.Labels,
+		CreationTimestamp: o.CreationTimestamp.Time,
+		DeletionTimestamp: deletionTimestamp,
+		Finalizers:        o.Finalizers,
+		UpdateTimestamp:   o.GetUpdateTimestamp(),
+		CreatedBy:         o.GetCreatedBy(),
+		UpdatedBy:         o.GetUpdatedBy(),
+		ExtraFields:       extraFields,
+	}
+}
+
+func (o *ResourcePermission) SetCommonMetadata(metadata resource.CommonMetadata) {
+	o.UID = types.UID(metadata.UID)
+	o.ResourceVersion = metadata.ResourceVersion
+	o.Generation = metadata.Generation
+	o.Labels = metadata.Labels
+	o.CreationTimestamp = metav1.NewTime(metadata.CreationTimestamp)
+	if metadata.DeletionTimestamp != nil {
+		dt := metav1.NewTime(*metadata.DeletionTimestamp)
+		o.DeletionTimestamp = &dt
+	} else {
+		o.DeletionTimestamp = nil
+	}
+	o.Finalizers = metadata.Finalizers
+	if o.Annotations == nil {
+		o.Annotations = make(map[string]string)
+	}
+	if !metadata.UpdateTimestamp.IsZero() {
+		o.SetUpdateTimestamp(metadata.UpdateTimestamp)
+	}
+	if metadata.CreatedBy != "" {
+		o.SetCreatedBy(metadata.CreatedBy)
+	}
+	if metadata.UpdatedBy != "" {
+		o.SetUpdatedBy(metadata.UpdatedBy)
+	}
+	// Legacy support for setting Annotations, ManagedFields, and OwnerReferences via ExtraFields
+	if metadata.ExtraFields != nil {
+		if annotations, ok := metadata.ExtraFields["annotations"]; ok {
+			if cast, ok := annotations.(map[string]string); ok {
+				o.Annotations = cast
+			}
+		}
+		if managedFields, ok := metadata.ExtraFields["managedFields"]; ok {
+			if cast, ok := managedFields.([]metav1.ManagedFieldsEntry); ok {
+				o.ManagedFields = cast
+			}
+		}
+		if ownerReferences, ok := metadata.ExtraFields["ownerReferences"]; ok {
+			if cast, ok := ownerReferences.([]metav1.OwnerReference); ok {
+				o.OwnerReferences = cast
+			}
+		}
+	}
+}
+
+func (o *ResourcePermission) GetCreatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/createdBy"]
+}
+
+func (o *ResourcePermission) SetCreatedBy(createdBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/createdBy"] = createdBy
+}
+
+func (o *ResourcePermission) GetUpdateTimestamp() time.Time {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	parsed, _ := time.Parse(time.RFC3339, o.ObjectMeta.Annotations["grafana.com/updateTimestamp"])
+	return parsed
+}
+
+func (o *ResourcePermission) SetUpdateTimestamp(updateTimestamp time.Time) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updateTimestamp"] = updateTimestamp.Format(time.RFC3339)
+}
+
+func (o *ResourcePermission) GetUpdatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/updatedBy"]
+}
+
+func (o *ResourcePermission) SetUpdatedBy(updatedBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updatedBy"] = updatedBy
+}
+
+func (o *ResourcePermission) Copy() resource.Object {
+	return resource.CopyObject(o)
+}
+
+func (o *ResourcePermission) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *ResourcePermission) DeepCopy() *ResourcePermission {
+	cpy := &ResourcePermission{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *ResourcePermission) DeepCopyInto(dst *ResourcePermission) {
+	dst.TypeMeta.APIVersion = o.TypeMeta.APIVersion
+	dst.TypeMeta.Kind = o.TypeMeta.Kind
+	o.ObjectMeta.DeepCopyInto(&dst.ObjectMeta)
+	o.Spec.DeepCopyInto(&dst.Spec)
+	o.Status.DeepCopyInto(&dst.Status)
+}
+
+// Interface compliance compile-time check
+var _ resource.Object = &ResourcePermission{}
+
+// +k8s:openapi-gen=true
+type ResourcePermissionList struct {
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []ResourcePermission `json:"items" yaml:"items"`
+}
+
+func (o *ResourcePermissionList) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *ResourcePermissionList) Copy() resource.ListObject {
+	cpy := &ResourcePermissionList{
+		TypeMeta: o.TypeMeta,
+		Items:    make([]ResourcePermission, len(o.Items)),
+	}
+	o.ListMeta.DeepCopyInto(&cpy.ListMeta)
+	for i := 0; i < len(o.Items); i++ {
+		if item, ok := o.Items[i].Copy().(*ResourcePermission); ok {
+			cpy.Items[i] = *item
+		}
+	}
+	return cpy
+}
+
+func (o *ResourcePermissionList) GetItems() []resource.Object {
+	items := make([]resource.Object, len(o.Items))
+	for i := 0; i < len(o.Items); i++ {
+		items[i] = &o.Items[i]
+	}
+	return items
+}
+
+func (o *ResourcePermissionList) SetItems(items []resource.Object) {
+	o.Items = make([]ResourcePermission, len(items))
+	for i := 0; i < len(items); i++ {
+		o.Items[i] = *items[i].(*ResourcePermission)
+	}
+}
+
+func (o *ResourcePermissionList) DeepCopy() *ResourcePermissionList {
+	cpy := &ResourcePermissionList{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *ResourcePermissionList) DeepCopyInto(dst *ResourcePermissionList) {
+	resource.CopyObjectInto(dst, o)
+}
+
+// Interface compliance compile-time check
+var _ resource.ListObject = &ResourcePermissionList{}
+
+// Copy methods for all subresource types
+
+// DeepCopy creates a full deep copy of Spec
+func (s *ResourcePermissionSpec) DeepCopy() *ResourcePermissionSpec {
+	cpy := &ResourcePermissionSpec{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies Spec into another Spec object
+func (s *ResourcePermissionSpec) DeepCopyInto(dst *ResourcePermissionSpec) {
+	resource.CopyObjectInto(dst, s)
+}
+
+// DeepCopy creates a full deep copy of ResourcePermissionStatus
+func (s *ResourcePermissionStatus) DeepCopy() *ResourcePermissionStatus {
+	cpy := &ResourcePermissionStatus{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies ResourcePermissionStatus into another ResourcePermissionStatus object
+func (s *ResourcePermissionStatus) DeepCopyInto(dst *ResourcePermissionStatus) {
+	resource.CopyObjectInto(dst, s)
+}

apps/iam/pkg/apis/iam/v0alpha1/resourcepermission_schema_gen.go

@@ -0,0 +1,34 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// schema is unexported to prevent accidental overwrites
+var (
+	schemaResourcePermission = resource.NewSimpleSchema("iam.grafana.app", "v0alpha1", &ResourcePermission{}, &ResourcePermissionList{}, resource.WithKind("ResourcePermission"),
+		resource.WithPlural("resourcepermissions"), resource.WithScope(resource.NamespacedScope))
+	kindResourcePermission = resource.Kind{
+		Schema: schemaResourcePermission,
+		Codecs: map[resource.KindEncoding]resource.Codec{
+			resource.KindEncodingJSON: &ResourcePermissionJSONCodec{},
+		},
+	}
+)
+
+// Kind returns a resource.Kind for this Schema with a JSON codec
+func ResourcePermissionKind() resource.Kind {
+	return kindResourcePermission
+}
+
+// Schema returns a resource.SimpleSchema representation of ResourcePermission
+func ResourcePermissionSchema() *resource.SimpleSchema {
+	return schemaResourcePermission
+}
+
+// Interface compliance checks
+var _ resource.Schema = kindResourcePermission

apps/iam/pkg/apis/iam/v0alpha1/resourcepermission_spec_gen.go

@@ -0,0 +1,56 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type ResourcePermissionspecResource struct {
+	// api group of the resource (e.g: "folder.grafana.app")
+	ApiGroup string `json:"apiGroup"`
+	// kind of the resource (e.g: "folders")
+	Resource string `json:"resource"`
+	// uid of the resource (e.g: "fold1")
+	Name string `json:"name"`
+}
+
+// NewResourcePermissionspecResource creates a new ResourcePermissionspecResource object.
+func NewResourcePermissionspecResource() *ResourcePermissionspecResource {
+	return &ResourcePermissionspecResource{}
+}
+
+// +k8s:openapi-gen=true
+type ResourcePermissionspecPermission struct {
+	// kind of the identity getting the permission
+	Kind ResourcePermissionSpecPermissionKind `json:"kind"`
+	// uid of the identity getting the permission
+	Name string `json:"name"`
+	// list of actions granted to the user (e.g. "admin" or "get", "update")
+	Verbs []string `json:"verbs"`
+}
+
+// NewResourcePermissionspecPermission creates a new ResourcePermissionspecPermission object.
+func NewResourcePermissionspecPermission() *ResourcePermissionspecPermission {
+	return &ResourcePermissionspecPermission{}
+}
+
+// +k8s:openapi-gen=true
+type ResourcePermissionSpec struct {
+	Resource    ResourcePermissionspecResource     `json:"resource"`
+	Permissions []ResourcePermissionspecPermission `json:"permissions"`
+}
+
+// NewResourcePermissionSpec creates a new ResourcePermissionSpec object.
+func NewResourcePermissionSpec() *ResourcePermissionSpec {
+	return &ResourcePermissionSpec{
+		Resource: *NewResourcePermissionspecResource(),
+	}
+}
+
+// +k8s:openapi-gen=true
+type ResourcePermissionSpecPermissionKind string
+
+const (
+	ResourcePermissionSpecPermissionKindUser           ResourcePermissionSpecPermissionKind = "User"
+	ResourcePermissionSpecPermissionKindServiceAccount ResourcePermissionSpecPermissionKind = "ServiceAccount"
+	ResourcePermissionSpecPermissionKindTeam           ResourcePermissionSpecPermissionKind = "Team"
+	ResourcePermissionSpecPermissionKindBasicRole      ResourcePermissionSpecPermissionKind = "BasicRole"
+)

apps/iam/pkg/apis/iam/v0alpha1/resourcepermission_status_gen.go

@@ -0,0 +1,44 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type ResourcePermissionstatusOperatorState struct {
+	// lastEvaluation is the ResourceVersion last evaluated
+	LastEvaluation string `json:"lastEvaluation"`
+	// state describes the state of the lastEvaluation.
+	// It is limited to three possible states for machine evaluation.
+	State ResourcePermissionStatusOperatorStateState `json:"state"`
+	// descriptiveState is an optional more descriptive state field which has no requirements on format
+	DescriptiveState *string `json:"descriptiveState,omitempty"`
+	// details contains any extra information that is operator-specific
+	Details map[string]interface{} `json:"details,omitempty"`
+}
+
+// NewResourcePermissionstatusOperatorState creates a new ResourcePermissionstatusOperatorState object.
+func NewResourcePermissionstatusOperatorState() *ResourcePermissionstatusOperatorState {
+	return &ResourcePermissionstatusOperatorState{}
+}
+
+// +k8s:openapi-gen=true
+type ResourcePermissionStatus struct {
+	// operatorStates is a map of operator ID to operator state evaluations.
+	// Any operator which consumes this kind SHOULD add its state evaluation information to this field.
+	OperatorStates map[string]ResourcePermissionstatusOperatorState `json:"operatorStates,omitempty"`
+	// additionalFields is reserved for future use
+	AdditionalFields map[string]interface{} `json:"additionalFields,omitempty"`
+}
+
+// NewResourcePermissionStatus creates a new ResourcePermissionStatus object.
+func NewResourcePermissionStatus() *ResourcePermissionStatus {
+	return &ResourcePermissionStatus{}
+}
+
+// +k8s:openapi-gen=true
+type ResourcePermissionStatusOperatorStateState string
+
+const (
+	ResourcePermissionStatusOperatorStateStateSuccess    ResourcePermissionStatusOperatorStateState = "success"
+	ResourcePermissionStatusOperatorStateStateInProgress ResourcePermissionStatusOperatorStateState = "in_progress"
+	ResourcePermissionStatusOperatorStateStateFailed     ResourcePermissionStatusOperatorStateState = "failed"
+)

apps/iam/pkg/apis/iam/v0alpha1/role_codec_gen.go

@@ -0,0 +1,28 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// RoleJSONCodec is an implementation of resource.Codec for kubernetes JSON encoding
+type RoleJSONCodec struct{}
+
+// Read reads JSON-encoded bytes from `reader` and unmarshals them into `into`
+func (*RoleJSONCodec) Read(reader io.Reader, into resource.Object) error {
+	return json.NewDecoder(reader).Decode(into)
+}
+
+// Write writes JSON-encoded bytes into `writer` marshaled from `from`
+func (*RoleJSONCodec) Write(writer io.Writer, from resource.Object) error {
+	return json.NewEncoder(writer).Encode(from)
+}
+
+// Interface compliance checks
+var _ resource.Codec = &RoleJSONCodec{}

apps/iam/pkg/apis/iam/v0alpha1/role_metadata_gen.go

@@ -0,0 +1,28 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	time "time"
+)
+
+// metadata contains embedded CommonMetadata and can be extended with custom string fields
+// TODO: use CommonMetadata instead of redefining here; currently needs to be defined here
+// without external reference as using the CommonMetadata reference breaks thema codegen.
+type RoleMetadata struct {
+	UpdateTimestamp   time.Time         `json:"updateTimestamp"`
+	CreatedBy         string            `json:"createdBy"`
+	Uid               string            `json:"uid"`
+	CreationTimestamp time.Time         `json:"creationTimestamp"`
+	DeletionTimestamp *time.Time        `json:"deletionTimestamp,omitempty"`
+	Finalizers        []string          `json:"finalizers"`
+	ResourceVersion   string            `json:"resourceVersion"`
+	Generation        int64             `json:"generation"`
+	UpdatedBy         string            `json:"updatedBy"`
+	Labels            map[string]string `json:"labels"`
+}
+
+// NewRoleMetadata creates a new RoleMetadata object.
+func NewRoleMetadata() *RoleMetadata {
+	return &RoleMetadata{}
+}

apps/iam/pkg/apis/iam/v0alpha1/role_object_gen.go

@@ -0,0 +1,319 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"fmt"
+	"github.com/grafana/grafana-app-sdk/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"time"
+)
+
+// +k8s:openapi-gen=true
+type Role struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata" yaml:"metadata"`
+
+	// Spec is the spec of the Role
+	Spec RoleSpec `json:"spec" yaml:"spec"`
+
+	Status RoleStatus `json:"status" yaml:"status"`
+}
+
+func (o *Role) GetSpec() any {
+	return o.Spec
+}
+
+func (o *Role) SetSpec(spec any) error {
+	cast, ok := spec.(RoleSpec)
+	if !ok {
+		return fmt.Errorf("cannot set spec type %#v, not of type Spec", spec)
+	}
+	o.Spec = cast
+	return nil
+}
+
+func (o *Role) GetSubresources() map[string]any {
+	return map[string]any{
+		"status": o.Status,
+	}
+}
+
+func (o *Role) GetSubresource(name string) (any, bool) {
+	switch name {
+	case "status":
+		return o.Status, true
+	default:
+		return nil, false
+	}
+}
+
+func (o *Role) SetSubresource(name string, value any) error {
+	switch name {
+	case "status":
+		cast, ok := value.(RoleStatus)
+		if !ok {
+			return fmt.Errorf("cannot set status type %#v, not of type RoleStatus", value)
+		}
+		o.Status = cast
+		return nil
+	default:
+		return fmt.Errorf("subresource '%s' does not exist", name)
+	}
+}
+
+func (o *Role) GetStaticMetadata() resource.StaticMetadata {
+	gvk := o.GroupVersionKind()
+	return resource.StaticMetadata{
+		Name:      o.ObjectMeta.Name,
+		Namespace: o.ObjectMeta.Namespace,
+		Group:     gvk.Group,
+		Version:   gvk.Version,
+		Kind:      gvk.Kind,
+	}
+}
+
+func (o *Role) SetStaticMetadata(metadata resource.StaticMetadata) {
+	o.Name = metadata.Name
+	o.Namespace = metadata.Namespace
+	o.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   metadata.Group,
+		Version: metadata.Version,
+		Kind:    metadata.Kind,
+	})
+}
+
+func (o *Role) GetCommonMetadata() resource.CommonMetadata {
+	dt := o.DeletionTimestamp
+	var deletionTimestamp *time.Time
+	if dt != nil {
+		deletionTimestamp = &dt.Time
+	}
+	// Legacy ExtraFields support
+	extraFields := make(map[string]any)
+	if o.Annotations != nil {
+		extraFields["annotations"] = o.Annotations
+	}
+	if o.ManagedFields != nil {
+		extraFields["managedFields"] = o.ManagedFields
+	}
+	if o.OwnerReferences != nil {
+		extraFields["ownerReferences"] = o.OwnerReferences
+	}
+	return resource.CommonMetadata{
+		UID:               string(o.UID),
+		ResourceVersion:   o.ResourceVersion,
+		Generation:        o.Generation,
+		Labels:            o.Labels,
+		CreationTimestamp: o.CreationTimestamp.Time,
+		DeletionTimestamp: deletionTimestamp,
+		Finalizers:        o.Finalizers,
+		UpdateTimestamp:   o.GetUpdateTimestamp(),
+		CreatedBy:         o.GetCreatedBy(),
+		UpdatedBy:         o.GetUpdatedBy(),
+		ExtraFields:       extraFields,
+	}
+}
+
+func (o *Role) SetCommonMetadata(metadata resource.CommonMetadata) {
+	o.UID = types.UID(metadata.UID)
+	o.ResourceVersion = metadata.ResourceVersion
+	o.Generation = metadata.Generation
+	o.Labels = metadata.Labels
+	o.CreationTimestamp = metav1.NewTime(metadata.CreationTimestamp)
+	if metadata.DeletionTimestamp != nil {
+		dt := metav1.NewTime(*metadata.DeletionTimestamp)
+		o.DeletionTimestamp = &dt
+	} else {
+		o.DeletionTimestamp = nil
+	}
+	o.Finalizers = metadata.Finalizers
+	if o.Annotations == nil {
+		o.Annotations = make(map[string]string)
+	}
+	if !metadata.UpdateTimestamp.IsZero() {
+		o.SetUpdateTimestamp(metadata.UpdateTimestamp)
+	}
+	if metadata.CreatedBy != "" {
+		o.SetCreatedBy(metadata.CreatedBy)
+	}
+	if metadata.UpdatedBy != "" {
+		o.SetUpdatedBy(metadata.UpdatedBy)
+	}
+	// Legacy support for setting Annotations, ManagedFields, and OwnerReferences via ExtraFields
+	if metadata.ExtraFields != nil {
+		if annotations, ok := metadata.ExtraFields["annotations"]; ok {
+			if cast, ok := annotations.(map[string]string); ok {
+				o.Annotations = cast
+			}
+		}
+		if managedFields, ok := metadata.ExtraFields["managedFields"]; ok {
+			if cast, ok := managedFields.([]metav1.ManagedFieldsEntry); ok {
+				o.ManagedFields = cast
+			}
+		}
+		if ownerReferences, ok := metadata.ExtraFields["ownerReferences"]; ok {
+			if cast, ok := ownerReferences.([]metav1.OwnerReference); ok {
+				o.OwnerReferences = cast
+			}
+		}
+	}
+}
+
+func (o *Role) GetCreatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/createdBy"]
+}
+
+func (o *Role) SetCreatedBy(createdBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/createdBy"] = createdBy
+}
+
+func (o *Role) GetUpdateTimestamp() time.Time {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	parsed, _ := time.Parse(time.RFC3339, o.ObjectMeta.Annotations["grafana.com/updateTimestamp"])
+	return parsed
+}
+
+func (o *Role) SetUpdateTimestamp(updateTimestamp time.Time) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updateTimestamp"] = updateTimestamp.Format(time.RFC3339)
+}
+
+func (o *Role) GetUpdatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/updatedBy"]
+}
+
+func (o *Role) SetUpdatedBy(updatedBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updatedBy"] = updatedBy
+}
+
+func (o *Role) Copy() resource.Object {
+	return resource.CopyObject(o)
+}
+
+func (o *Role) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *Role) DeepCopy() *Role {
+	cpy := &Role{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *Role) DeepCopyInto(dst *Role) {
+	dst.TypeMeta.APIVersion = o.TypeMeta.APIVersion
+	dst.TypeMeta.Kind = o.TypeMeta.Kind
+	o.ObjectMeta.DeepCopyInto(&dst.ObjectMeta)
+	o.Spec.DeepCopyInto(&dst.Spec)
+	o.Status.DeepCopyInto(&dst.Status)
+}
+
+// Interface compliance compile-time check
+var _ resource.Object = &Role{}
+
+// +k8s:openapi-gen=true
+type RoleList struct {
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []Role `json:"items" yaml:"items"`
+}
+
+func (o *RoleList) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *RoleList) Copy() resource.ListObject {
+	cpy := &RoleList{
+		TypeMeta: o.TypeMeta,
+		Items:    make([]Role, len(o.Items)),
+	}
+	o.ListMeta.DeepCopyInto(&cpy.ListMeta)
+	for i := 0; i < len(o.Items); i++ {
+		if item, ok := o.Items[i].Copy().(*Role); ok {
+			cpy.Items[i] = *item
+		}
+	}
+	return cpy
+}
+
+func (o *RoleList) GetItems() []resource.Object {
+	items := make([]resource.Object, len(o.Items))
+	for i := 0; i < len(o.Items); i++ {
+		items[i] = &o.Items[i]
+	}
+	return items
+}
+
+func (o *RoleList) SetItems(items []resource.Object) {
+	o.Items = make([]Role, len(items))
+	for i := 0; i < len(items); i++ {
+		o.Items[i] = *items[i].(*Role)
+	}
+}
+
+func (o *RoleList) DeepCopy() *RoleList {
+	cpy := &RoleList{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *RoleList) DeepCopyInto(dst *RoleList) {
+	resource.CopyObjectInto(dst, o)
+}
+
+// Interface compliance compile-time check
+var _ resource.ListObject = &RoleList{}
+
+// Copy methods for all subresource types
+
+// DeepCopy creates a full deep copy of Spec
+func (s *RoleSpec) DeepCopy() *RoleSpec {
+	cpy := &RoleSpec{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies Spec into another Spec object
+func (s *RoleSpec) DeepCopyInto(dst *RoleSpec) {
+	resource.CopyObjectInto(dst, s)
+}
+
+// DeepCopy creates a full deep copy of RoleStatus
+func (s *RoleStatus) DeepCopy() *RoleStatus {
+	cpy := &RoleStatus{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies RoleStatus into another RoleStatus object
+func (s *RoleStatus) DeepCopyInto(dst *RoleStatus) {
+	resource.CopyObjectInto(dst, s)
+}

apps/iam/pkg/apis/iam/v0alpha1/role_schema_gen.go

@@ -0,0 +1,34 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// schema is unexported to prevent accidental overwrites
+var (
+	schemaRole = resource.NewSimpleSchema("iam.grafana.app", "v0alpha1", &Role{}, &RoleList{}, resource.WithKind("Role"),
+		resource.WithPlural("roles"), resource.WithScope(resource.NamespacedScope))
+	kindRole = resource.Kind{
+		Schema: schemaRole,
+		Codecs: map[resource.KindEncoding]resource.Codec{
+			resource.KindEncodingJSON: &RoleJSONCodec{},
+		},
+	}
+)
+
+// Kind returns a resource.Kind for this Schema with a JSON codec
+func RoleKind() resource.Kind {
+	return kindRole
+}
+
+// Schema returns a resource.SimpleSchema representation of Role
+func RoleSchema() *resource.SimpleSchema {
+	return schemaRole
+}
+
+// Interface compliance checks
+var _ resource.Schema = kindRole

apps/iam/pkg/apis/iam/v0alpha1/role_spec_gen.go

@@ -0,0 +1,34 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type RolespecPermission struct {
+	// RBAC action (e.g: "dashbaords:read")
+	Action string `json:"action"`
+	// RBAC scope (e.g: "dashboards:uid:dash1")
+	Scope string `json:"scope"`
+}
+
+// NewRolespecPermission creates a new RolespecPermission object.
+func NewRolespecPermission() *RolespecPermission {
+	return &RolespecPermission{}
+}
+
+// +k8s:openapi-gen=true
+type RoleSpec struct {
+	// Display name of the role
+	Title   string `json:"title"`
+	Version int64  `json:"version"`
+	Group   string `json:"group"`
+	// TODO:
+	// delegatable?: bool
+	// created?
+	// updated?
+	Permissions []RolespecPermission `json:"permissions"`
+}
+
+// NewRoleSpec creates a new RoleSpec object.
+func NewRoleSpec() *RoleSpec {
+	return &RoleSpec{}
+}

apps/iam/pkg/apis/iam/v0alpha1/role_status_gen.go

@@ -0,0 +1,44 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type RolestatusOperatorState struct {
+	// lastEvaluation is the ResourceVersion last evaluated
+	LastEvaluation string `json:"lastEvaluation"`
+	// state describes the state of the lastEvaluation.
+	// It is limited to three possible states for machine evaluation.
+	State RoleStatusOperatorStateState `json:"state"`
+	// descriptiveState is an optional more descriptive state field which has no requirements on format
+	DescriptiveState *string `json:"descriptiveState,omitempty"`
+	// details contains any extra information that is operator-specific
+	Details map[string]interface{} `json:"details,omitempty"`
+}
+
+// NewRolestatusOperatorState creates a new RolestatusOperatorState object.
+func NewRolestatusOperatorState() *RolestatusOperatorState {
+	return &RolestatusOperatorState{}
+}
+
+// +k8s:openapi-gen=true
+type RoleStatus struct {
+	// operatorStates is a map of operator ID to operator state evaluations.
+	// Any operator which consumes this kind SHOULD add its state evaluation information to this field.
+	OperatorStates map[string]RolestatusOperatorState `json:"operatorStates,omitempty"`
+	// additionalFields is reserved for future use
+	AdditionalFields map[string]interface{} `json:"additionalFields,omitempty"`
+}
+
+// NewRoleStatus creates a new RoleStatus object.
+func NewRoleStatus() *RoleStatus {
+	return &RoleStatus{}
+}
+
+// +k8s:openapi-gen=true
+type RoleStatusOperatorStateState string
+
+const (
+	RoleStatusOperatorStateStateSuccess    RoleStatusOperatorStateState = "success"
+	RoleStatusOperatorStateStateInProgress RoleStatusOperatorStateState = "in_progress"
+	RoleStatusOperatorStateStateFailed     RoleStatusOperatorStateState = "failed"
+)

apps/iam/pkg/apis/iam/v0alpha1/rolebinding_codec_gen.go

@@ -0,0 +1,28 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// RoleBindingJSONCodec is an implementation of resource.Codec for kubernetes JSON encoding
+type RoleBindingJSONCodec struct{}
+
+// Read reads JSON-encoded bytes from `reader` and unmarshals them into `into`
+func (*RoleBindingJSONCodec) Read(reader io.Reader, into resource.Object) error {
+	return json.NewDecoder(reader).Decode(into)
+}
+
+// Write writes JSON-encoded bytes into `writer` marshaled from `from`
+func (*RoleBindingJSONCodec) Write(writer io.Writer, from resource.Object) error {
+	return json.NewEncoder(writer).Encode(from)
+}
+
+// Interface compliance checks
+var _ resource.Codec = &RoleBindingJSONCodec{}

apps/iam/pkg/apis/iam/v0alpha1/rolebinding_metadata_gen.go

@@ -0,0 +1,28 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	time "time"
+)
+
+// metadata contains embedded CommonMetadata and can be extended with custom string fields
+// TODO: use CommonMetadata instead of redefining here; currently needs to be defined here
+// without external reference as using the CommonMetadata reference breaks thema codegen.
+type RoleBindingMetadata struct {
+	UpdateTimestamp   time.Time         `json:"updateTimestamp"`
+	CreatedBy         string            `json:"createdBy"`
+	Uid               string            `json:"uid"`
+	CreationTimestamp time.Time         `json:"creationTimestamp"`
+	DeletionTimestamp *time.Time        `json:"deletionTimestamp,omitempty"`
+	Finalizers        []string          `json:"finalizers"`
+	ResourceVersion   string            `json:"resourceVersion"`
+	Generation        int64             `json:"generation"`
+	UpdatedBy         string            `json:"updatedBy"`
+	Labels            map[string]string `json:"labels"`
+}
+
+// NewRoleBindingMetadata creates a new RoleBindingMetadata object.
+func NewRoleBindingMetadata() *RoleBindingMetadata {
+	return &RoleBindingMetadata{}
+}

apps/iam/pkg/apis/iam/v0alpha1/rolebinding_object_gen.go

@@ -0,0 +1,319 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"fmt"
+	"github.com/grafana/grafana-app-sdk/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"time"
+)
+
+// +k8s:openapi-gen=true
+type RoleBinding struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata" yaml:"metadata"`
+
+	// Spec is the spec of the RoleBinding
+	Spec RoleBindingSpec `json:"spec" yaml:"spec"`
+
+	Status RoleBindingStatus `json:"status" yaml:"status"`
+}
+
+func (o *RoleBinding) GetSpec() any {
+	return o.Spec
+}
+
+func (o *RoleBinding) SetSpec(spec any) error {
+	cast, ok := spec.(RoleBindingSpec)
+	if !ok {
+		return fmt.Errorf("cannot set spec type %#v, not of type Spec", spec)
+	}
+	o.Spec = cast
+	return nil
+}
+
+func (o *RoleBinding) GetSubresources() map[string]any {
+	return map[string]any{
+		"status": o.Status,
+	}
+}
+
+func (o *RoleBinding) GetSubresource(name string) (any, bool) {
+	switch name {
+	case "status":
+		return o.Status, true
+	default:
+		return nil, false
+	}
+}
+
+func (o *RoleBinding) SetSubresource(name string, value any) error {
+	switch name {
+	case "status":
+		cast, ok := value.(RoleBindingStatus)
+		if !ok {
+			return fmt.Errorf("cannot set status type %#v, not of type RoleBindingStatus", value)
+		}
+		o.Status = cast
+		return nil
+	default:
+		return fmt.Errorf("subresource '%s' does not exist", name)
+	}
+}
+
+func (o *RoleBinding) GetStaticMetadata() resource.StaticMetadata {
+	gvk := o.GroupVersionKind()
+	return resource.StaticMetadata{
+		Name:      o.ObjectMeta.Name,
+		Namespace: o.ObjectMeta.Namespace,
+		Group:     gvk.Group,
+		Version:   gvk.Version,
+		Kind:      gvk.Kind,
+	}
+}
+
+func (o *RoleBinding) SetStaticMetadata(metadata resource.StaticMetadata) {
+	o.Name = metadata.Name
+	o.Namespace = metadata.Namespace
+	o.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   metadata.Group,
+		Version: metadata.Version,
+		Kind:    metadata.Kind,
+	})
+}
+
+func (o *RoleBinding) GetCommonMetadata() resource.CommonMetadata {
+	dt := o.DeletionTimestamp
+	var deletionTimestamp *time.Time
+	if dt != nil {
+		deletionTimestamp = &dt.Time
+	}
+	// Legacy ExtraFields support
+	extraFields := make(map[string]any)
+	if o.Annotations != nil {
+		extraFields["annotations"] = o.Annotations
+	}
+	if o.ManagedFields != nil {
+		extraFields["managedFields"] = o.ManagedFields
+	}
+	if o.OwnerReferences != nil {
+		extraFields["ownerReferences"] = o.OwnerReferences
+	}
+	return resource.CommonMetadata{
+		UID:               string(o.UID),
+		ResourceVersion:   o.ResourceVersion,
+		Generation:        o.Generation,
+		Labels:            o.Labels,
+		CreationTimestamp: o.CreationTimestamp.Time,
+		DeletionTimestamp: deletionTimestamp,
+		Finalizers:        o.Finalizers,
+		UpdateTimestamp:   o.GetUpdateTimestamp(),
+		CreatedBy:         o.GetCreatedBy(),
+		UpdatedBy:         o.GetUpdatedBy(),
+		ExtraFields:       extraFields,
+	}
+}
+
+func (o *RoleBinding) SetCommonMetadata(metadata resource.CommonMetadata) {
+	o.UID = types.UID(metadata.UID)
+	o.ResourceVersion = metadata.ResourceVersion
+	o.Generation = metadata.Generation
+	o.Labels = metadata.Labels
+	o.CreationTimestamp = metav1.NewTime(metadata.CreationTimestamp)
+	if metadata.DeletionTimestamp != nil {
+		dt := metav1.NewTime(*metadata.DeletionTimestamp)
+		o.DeletionTimestamp = &dt
+	} else {
+		o.DeletionTimestamp = nil
+	}
+	o.Finalizers = metadata.Finalizers
+	if o.Annotations == nil {
+		o.Annotations = make(map[string]string)
+	}
+	if !metadata.UpdateTimestamp.IsZero() {
+		o.SetUpdateTimestamp(metadata.UpdateTimestamp)
+	}
+	if metadata.CreatedBy != "" {
+		o.SetCreatedBy(metadata.CreatedBy)
+	}
+	if metadata.UpdatedBy != "" {
+		o.SetUpdatedBy(metadata.UpdatedBy)
+	}
+	// Legacy support for setting Annotations, ManagedFields, and OwnerReferences via ExtraFields
+	if metadata.ExtraFields != nil {
+		if annotations, ok := metadata.ExtraFields["annotations"]; ok {
+			if cast, ok := annotations.(map[string]string); ok {
+				o.Annotations = cast
+			}
+		}
+		if managedFields, ok := metadata.ExtraFields["managedFields"]; ok {
+			if cast, ok := managedFields.([]metav1.ManagedFieldsEntry); ok {
+				o.ManagedFields = cast
+			}
+		}
+		if ownerReferences, ok := metadata.ExtraFields["ownerReferences"]; ok {
+			if cast, ok := ownerReferences.([]metav1.OwnerReference); ok {
+				o.OwnerReferences = cast
+			}
+		}
+	}
+}
+
+func (o *RoleBinding) GetCreatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/createdBy"]
+}
+
+func (o *RoleBinding) SetCreatedBy(createdBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/createdBy"] = createdBy
+}
+
+func (o *RoleBinding) GetUpdateTimestamp() time.Time {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	parsed, _ := time.Parse(time.RFC3339, o.ObjectMeta.Annotations["grafana.com/updateTimestamp"])
+	return parsed
+}
+
+func (o *RoleBinding) SetUpdateTimestamp(updateTimestamp time.Time) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updateTimestamp"] = updateTimestamp.Format(time.RFC3339)
+}
+
+func (o *RoleBinding) GetUpdatedBy() string {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	return o.ObjectMeta.Annotations["grafana.com/updatedBy"]
+}
+
+func (o *RoleBinding) SetUpdatedBy(updatedBy string) {
+	if o.ObjectMeta.Annotations == nil {
+		o.ObjectMeta.Annotations = make(map[string]string)
+	}
+
+	o.ObjectMeta.Annotations["grafana.com/updatedBy"] = updatedBy
+}
+
+func (o *RoleBinding) Copy() resource.Object {
+	return resource.CopyObject(o)
+}
+
+func (o *RoleBinding) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *RoleBinding) DeepCopy() *RoleBinding {
+	cpy := &RoleBinding{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *RoleBinding) DeepCopyInto(dst *RoleBinding) {
+	dst.TypeMeta.APIVersion = o.TypeMeta.APIVersion
+	dst.TypeMeta.Kind = o.TypeMeta.Kind
+	o.ObjectMeta.DeepCopyInto(&dst.ObjectMeta)
+	o.Spec.DeepCopyInto(&dst.Spec)
+	o.Status.DeepCopyInto(&dst.Status)
+}
+
+// Interface compliance compile-time check
+var _ resource.Object = &RoleBinding{}
+
+// +k8s:openapi-gen=true
+type RoleBindingList struct {
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []RoleBinding `json:"items" yaml:"items"`
+}
+
+func (o *RoleBindingList) DeepCopyObject() runtime.Object {
+	return o.Copy()
+}
+
+func (o *RoleBindingList) Copy() resource.ListObject {
+	cpy := &RoleBindingList{
+		TypeMeta: o.TypeMeta,
+		Items:    make([]RoleBinding, len(o.Items)),
+	}
+	o.ListMeta.DeepCopyInto(&cpy.ListMeta)
+	for i := 0; i < len(o.Items); i++ {
+		if item, ok := o.Items[i].Copy().(*RoleBinding); ok {
+			cpy.Items[i] = *item
+		}
+	}
+	return cpy
+}
+
+func (o *RoleBindingList) GetItems() []resource.Object {
+	items := make([]resource.Object, len(o.Items))
+	for i := 0; i < len(o.Items); i++ {
+		items[i] = &o.Items[i]
+	}
+	return items
+}
+
+func (o *RoleBindingList) SetItems(items []resource.Object) {
+	o.Items = make([]RoleBinding, len(items))
+	for i := 0; i < len(items); i++ {
+		o.Items[i] = *items[i].(*RoleBinding)
+	}
+}
+
+func (o *RoleBindingList) DeepCopy() *RoleBindingList {
+	cpy := &RoleBindingList{}
+	o.DeepCopyInto(cpy)
+	return cpy
+}
+
+func (o *RoleBindingList) DeepCopyInto(dst *RoleBindingList) {
+	resource.CopyObjectInto(dst, o)
+}
+
+// Interface compliance compile-time check
+var _ resource.ListObject = &RoleBindingList{}
+
+// Copy methods for all subresource types
+
+// DeepCopy creates a full deep copy of Spec
+func (s *RoleBindingSpec) DeepCopy() *RoleBindingSpec {
+	cpy := &RoleBindingSpec{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies Spec into another Spec object
+func (s *RoleBindingSpec) DeepCopyInto(dst *RoleBindingSpec) {
+	resource.CopyObjectInto(dst, s)
+}
+
+// DeepCopy creates a full deep copy of RoleBindingStatus
+func (s *RoleBindingStatus) DeepCopy() *RoleBindingStatus {
+	cpy := &RoleBindingStatus{}
+	s.DeepCopyInto(cpy)
+	return cpy
+}
+
+// DeepCopyInto deep copies RoleBindingStatus into another RoleBindingStatus object
+func (s *RoleBindingStatus) DeepCopyInto(dst *RoleBindingStatus) {
+	resource.CopyObjectInto(dst, s)
+}

apps/iam/pkg/apis/iam/v0alpha1/rolebinding_schema_gen.go

@@ -0,0 +1,34 @@
+//
+// Code generated by grafana-app-sdk. DO NOT EDIT.
+//
+
+package v0alpha1
+
+import (
+	"github.com/grafana/grafana-app-sdk/resource"
+)
+
+// schema is unexported to prevent accidental overwrites
+var (
+	schemaRoleBinding = resource.NewSimpleSchema("iam.grafana.app", "v0alpha1", &RoleBinding{}, &RoleBindingList{}, resource.WithKind("RoleBinding"),
+		resource.WithPlural("rolebindings"), resource.WithScope(resource.NamespacedScope))
+	kindRoleBinding = resource.Kind{
+		Schema: schemaRoleBinding,
+		Codecs: map[resource.KindEncoding]resource.Codec{
+			resource.KindEncodingJSON: &RoleBindingJSONCodec{},
+		},
+	}
+)
+
+// Kind returns a resource.Kind for this Schema with a JSON codec
+func RoleBindingKind() resource.Kind {
+	return kindRoleBinding
+}
+
+// Schema returns a resource.SimpleSchema representation of RoleBinding
+func RoleBindingSchema() *resource.SimpleSchema {
+	return schemaRoleBinding
+}
+
+// Interface compliance checks
+var _ resource.Schema = kindRoleBinding

apps/iam/pkg/apis/iam/v0alpha1/rolebinding_spec_gen.go

@@ -0,0 +1,61 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type RoleBindingspecSubject struct {
+	// kind of the identity getting the permission
+	Kind RoleBindingSpecSubjectKind `json:"kind"`
+	// uid of the identity
+	Name string `json:"name"`
+}
+
+// NewRoleBindingspecSubject creates a new RoleBindingspecSubject object.
+func NewRoleBindingspecSubject() *RoleBindingspecSubject {
+	return &RoleBindingspecSubject{}
+}
+
+// +k8s:openapi-gen=true
+type RoleBindingspecRoleRef struct {
+	// kind of role
+	Kind RoleBindingSpecRoleRefKind `json:"kind"`
+	// uid of the role
+	Name string `json:"name"`
+}
+
+// NewRoleBindingspecRoleRef creates a new RoleBindingspecRoleRef object.
+func NewRoleBindingspecRoleRef() *RoleBindingspecRoleRef {
+	return &RoleBindingspecRoleRef{}
+}
+
+// +k8s:openapi-gen=true
+type RoleBindingSpec struct {
+	Subjects []RoleBindingspecSubject `json:"subjects"`
+	RoleRef  RoleBindingspecRoleRef   `json:"roleRef"`
+}
+
+// NewRoleBindingSpec creates a new RoleBindingSpec object.
+func NewRoleBindingSpec() *RoleBindingSpec {
+	return &RoleBindingSpec{
+		RoleRef: *NewRoleBindingspecRoleRef(),
+	}
+}
+
+// +k8s:openapi-gen=true
+type RoleBindingSpecSubjectKind string
+
+const (
+	RoleBindingSpecSubjectKindUser           RoleBindingSpecSubjectKind = "User"
+	RoleBindingSpecSubjectKindServiceAccount RoleBindingSpecSubjectKind = "ServiceAccount"
+	RoleBindingSpecSubjectKindTeam           RoleBindingSpecSubjectKind = "Team"
+	RoleBindingSpecSubjectKindBasicRole      RoleBindingSpecSubjectKind = "BasicRole"
+)
+
+// +k8s:openapi-gen=true
+type RoleBindingSpecRoleRefKind string
+
+const (
+	RoleBindingSpecRoleRefKindRole       RoleBindingSpecRoleRefKind = "Role"
+	RoleBindingSpecRoleRefKindCoreRole   RoleBindingSpecRoleRefKind = "CoreRole"
+	RoleBindingSpecRoleRefKindGlobalRole RoleBindingSpecRoleRefKind = "GlobalRole"
+)

apps/iam/pkg/apis/iam/v0alpha1/rolebinding_status_gen.go

@@ -0,0 +1,44 @@
+// Code generated - EDITING IS FUTILE. DO NOT EDIT.
+
+package v0alpha1
+
+// +k8s:openapi-gen=true
+type RoleBindingstatusOperatorState struct {
+	// lastEvaluation is the ResourceVersion last evaluated
+	LastEvaluation string `json:"lastEvaluation"`
+	// state describes the state of the lastEvaluation.
+	// It is limited to three possible states for machine evaluation.
+	State RoleBindingStatusOperatorStateState `json:"state"`
+	// descriptiveState is an optional more descriptive state field which has no requirements on format
+	DescriptiveState *string `json:"descriptiveState,omitempty"`
+	// details contains any extra information that is operator-specific
+	Details map[string]interface{} `json:"details,omitempty"`
+}
+
+// NewRoleBindingstatusOperatorState creates a new RoleBindingstatusOperatorState object.
+func NewRoleBindingstatusOperatorState() *RoleBindingstatusOperatorState {
+	return &RoleBindingstatusOperatorState{}
+}
+
+// +k8s:openapi-gen=true
+type RoleBindingStatus struct {
+	// operatorStates is a map of operator ID to operator state evaluations.
+	// Any operator which consumes this kind SHOULD add its state evaluation information to this field.
+	OperatorStates map[string]RoleBindingstatusOperatorState `json:"operatorStates,omitempty"`
+	// additionalFields is reserved for future use
+	AdditionalFields map[string]interface{} `json:"additionalFields,omitempty"`
+}
+
+// NewRoleBindingStatus creates a new RoleBindingStatus object.
+func NewRoleBindingStatus() *RoleBindingStatus {
+	return &RoleBindingStatus{}
+}
+
+// +k8s:openapi-gen=true
+type RoleBindingStatusOperatorStateState string
+
+const (
+	RoleBindingStatusOperatorStateStateSuccess    RoleBindingStatusOperatorStateState = "success"
+	RoleBindingStatusOperatorStateStateInProgress RoleBindingStatusOperatorStateState = "in_progress"
+	RoleBindingStatusOperatorStateStateFailed     RoleBindingStatusOperatorStateState = "failed"
+)

apps/iam/pkg/apis/iam_manifest.go

@@ -0,0 +1,100 @@
+//
+// This file is generated by grafana-app-sdk
+// DO NOT EDIT
+//
+
+package apis
+
+import (
+	"encoding/json"
+
+	"github.com/grafana/grafana-app-sdk/app"
+)
+
+var ()
+
+var appManifestData = app.ManifestData{
+	AppName: "iam",
+	Group:   "iam.grafana.app",
+	Kinds: []app.ManifestKind{
+		{
+			Kind:       "GlobalRole",
+			Scope:      "Namespaced",
+			Conversion: false,
+			Versions: []app.ManifestKindVersion{
+				{
+					Name: "v0alpha1",
+				},
+			},
+		},
+
+		{
+			Kind:       "GlobalRoleBinding",
+			Scope:      "Namespaced",
+			Conversion: false,
+			Versions: []app.ManifestKindVersion{
+				{
+					Name: "v0alpha1",
+				},
+			},
+		},
+
+		{
+			Kind:       "CoreRole",
+			Scope:      "Namespaced",
+			Conversion: false,
+			Versions: []app.ManifestKindVersion{
+				{
+					Name: "v0alpha1",
+				},
+			},
+		},
+
+		{
+			Kind:       "Role",
+			Scope:      "Namespaced",
+			Conversion: false,
+			Versions: []app.ManifestKindVersion{
+				{
+					Name: "v0alpha1",
+				},
+			},
+		},
+
+		{
+			Kind:       "RoleBinding",
+			Scope:      "Namespaced",
+			Conversion: false,
+			Versions: []app.ManifestKindVersion{
+				{
+					Name: "v0alpha1",
+				},
+			},
+		},
+
+		{
+			Kind:       "ResourcePermission",
+			Scope:      "Namespaced",
+			Conversion: false,
+			Versions: []app.ManifestKindVersion{
+				{
+					Name: "v0alpha1",
+				},
+			},
+		},
+	},
+}
+
+func jsonToMap(j string) map[string]any {
+	m := make(map[string]any)
+	json.Unmarshal([]byte(j), &j)
+	return m
+}
+
+func LocalManifest() app.Manifest {
+	return app.NewEmbeddedManifest(appManifestData)
+}
+
+func RemoteManifest() app.Manifest {
+	return app.NewAPIServerManifest("iam")
+}

go.work

@@ -9,6 +9,7 @@ use (
 	./apps/alerting/notifications
 	./apps/dashboard
 	./apps/folder
+	./apps/iam
 	./apps/investigations
 	./apps/playlist
 	./pkg/aggregator

go.work.sum

@@ -1992,6 +1992,7 @@ golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM=
 golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8=