Prohibit editor to delete, modify settings and create swaps and overrides in schedules of other teams.

[omalko394]

What would you like to see!

Hello! We are currently using an OSS setup of Grafana with Grafana OnCall integrated. One of our teams, which is included in the escalation chains for all other teams, faces an issue where team members are unable to view and access to alerts that belong to other teams. To address this, we attempted to modify the Teams and Access Settings to allow all users to see team names and access team resources. However, this led to an unintended consequence where every user with editor rights (all our users had such role to be able to manipulate with alerts) gained the ability to delete, modify settings, and create or modify swaps and overrides in the schedules of other teams. Is it possible to prohibit editor role to delete, modify settings and create swaps and overrides in schedules of other teams?

Product Area

Auth, Schedules

Anything else to add?

Grafana OSS 9.5.7 Grafana OnCall OSS 1.3.117

Steps to Reproduce:

• Set up an OSS Grafana instance with Grafana OnCall.
• Create 2 teams and users with editor role. Create schedule that will belongs to not your team.
• Change Access Settings to "allow access to all users".
• Observe that user with editor rights can now modify schedules of other teams. Expected Behavior:
• Users should be able to view team resources without having permissions to edit or modify schedules and settings of teams they do not belong to.

[github-actions[bot]]

The current version of Grafana OnCall, at the time this issue was opened, is v1.4.0. If your issue pertains to an older version of Grafana OnCall, please be sure to list it in the PR description. Thank you :smile:!