diff --git a/pkg/api/pluginproxy/ds_proxy.go b/pkg/api/pluginproxy/ds_proxy.go
index ac50243cd1d..8037c79a123 100644
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@@ -19,7 +19,6 @@ import (
 glog "github.com/grafana/grafana/pkg/infra/log"
 "github.com/grafana/grafana/pkg/infra/tracing"
 "github.com/grafana/grafana/pkg/plugins"
- "github.com/grafana/grafana/pkg/services/accesscontrol"
 contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
 "github.com/grafana/grafana/pkg/services/datasources"
 "github.com/grafana/grafana/pkg/services/featuremgmt"
@@ -305,8 +304,10 @@ func (proxy *DataSourceProxy) validateRequest() error {
 continue
 }
- if !proxy.hasAccessToRoute(route) {
- return errors.New("plugin proxy route access denied")
+ if route.ReqRole.IsValid() {
+ if !proxy.ctx.HasUserRole(route.ReqRole) {
+ return errors.New("plugin proxy route access denied")
+ }
 }
 proxy.matchedRoute = route
@@ -329,22 +330,6 @@ func (proxy *DataSourceProxy) validateRequest() error {
 return nil
 }
-func (proxy *DataSourceProxy) hasAccessToRoute(route *plugins.Route) bool {
- useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
- if useRBAC {
- routeEval := accesscontrol.EvalPermission(route.ReqAction)
- ok := routeEval.Evaluate(proxy.ctx.GetPermissions())
- if !ok {
- proxy.ctx.Logger.Debug("plugin route is covered by RBAC, user doesn't have access", "route", proxy.ctx.Req.URL.Path)
- }
- return ok
- }
- if route.ReqRole.IsValid() {
- return proxy.ctx.HasUserRole(route.ReqRole)
- }
- return true
-}
-
 func (proxy *DataSourceProxy) logRequest() {
 if !proxy.cfg.DataProxyLogging {
 return
diff --git a/pkg/api/pluginproxy/pluginproxy.go b/pkg/api/pluginproxy/pluginproxy.go
index 5a959d97ab6..c61a6a284b9 100644
--- a/pkg/api/pluginproxy/pluginproxy.go
+++ b/pkg/api/pluginproxy/pluginproxy.go
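Review bot: In `validateRequest` in ds_proxy.go (the `-305,8 +304,10` hunk), a route that declares only `ReqAction` and no `ReqRole` now gets no authorization check at this point: `route.ReqRole.IsValid()` is false, the role test is skipped, and the route is assigned to `proxy.matchedRoute`. The removed `hasAccessToRoute` evaluated `ReqAction` against the caller's permissions when `FlagAccessControlOnCall` was enabled, so such routes were previously gated for users without the permission. If ignoring `ReqAction` for datasource routes is deliberate, the check should carry a comment saying so, e.g. `// ReqAction is not enforced for datasource routes; only ReqRole gates access here.`; otherwise a fail-closed guard such as `if route.RequiresRBACAction() && !route.ReqRole.IsValid() { return errors.New("plugin proxy route access denied") }` keeps those routes from becoming open. The body of `validateRequest` starts and ends outside the hunk, so a check elsewhere in the function may already cover this.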
@@ -122,7 +122,7 @@ func (proxy *PluginProxy) HandleRequest() {
 }
 func (proxy *PluginProxy) hasAccessToRoute(route *plugins.Route) bool {
- useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
+ useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.RequiresRBACAction()
 if useRBAC {
 hasAccess := ac.HasAccess(proxy.accessControl, proxy.ctx)(ac.EvalPermission(route.ReqAction))
 if !hasAccess {
diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
index 3c281ee86bf..1a045651277 100644
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -204,6 +204,10 @@ type Route struct {
 Body json.RawMessage `json:"body"`
 }
+func (r *Route) RequiresRBACAction() bool {
+ return r.ReqAction != ""
+}
+
 // Header describes an HTTP header that is forwarded with
 // the proxied request for a plugin route
 type Header struct {
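Review bot: The new exported method `RequiresRBACAction` in pkg/plugins/plugins.go has no doc comment, and its name can be read as enforcing something when it only reports whether `ReqAction` is non-empty. I would add `// RequiresRBACAction reports whether the route declares an RBAC action in ReqAction; it performs no permission check itself.` directly above it. In the hunks visible here only `PluginProxy.hasAccessToRoute` consults it, and only when `FlagAccessControlOnCall` is enabled, so the comment should not promise that every proxy path evaluates the action.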