Access Control: Move dashboard actions and create scope provider (#48618)

* Move dashboard actions and create scope provider
2025-07-29 19:12:12 +08:00 · 2022-05-04 16:12:09 +02:00
parent 00dbea91ea
commit 2738d1c557
15 changed files with 135 additions and 142 deletions
--- a/pkg/api/accesscontrol.go
+++ b/pkg/api/accesscontrol.go
@ -328,7 +328,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 			Group:       "Dashboards",
 			Permissions: []ac.Permission{
 				{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
-				{Action: ac.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
+				{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
 			},
 		},
 		Grants: []string{"Editor"},
@ -342,7 +342,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 			Description: "Read all dashboards.",
 			Group:       "Dashboards",
 			Permissions: []ac.Permission{
-				{Action: ac.ActionDashboardsRead, Scope: ac.ScopeDashboardsAll},
+				{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
 			},
 		},
 		Grants: []string{"Admin"},
@ -356,11 +356,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
 			Group:       "Dashboards",
 			Description: "Create, read, write or delete all dashboards and their permissions.",
 			Permissions: ac.ConcatPermissions(dashboardsReaderRole.Role.Permissions, []ac.Permission{
-				{Action: ac.ActionDashboardsWrite, Scope: ac.ScopeDashboardsAll},
+				{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeDashboardsAll},
-				{Action: ac.ActionDashboardsDelete, Scope: ac.ScopeDashboardsAll},
+				{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeDashboardsAll},
-				{Action: ac.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
+				{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
-				{Action: ac.ActionDashboardsPermissionsRead, Scope: ac.ScopeDashboardsAll},
+				{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeDashboardsAll},
-				{Action: ac.ActionDashboardsPermissionsWrite, Scope: ac.ScopeDashboardsAll},
+				{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeDashboardsAll},
 			}),
 		},
 		Grants: []string{"Admin"},
@ -389,7 +389,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 			Group:       "Folders",
 			Permissions: []ac.Permission{
 				{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersAll},
-				{Action: ac.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
+				{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
 			},
 		},
 		Grants: []string{"Admin"},
@ -408,11 +408,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
 					{Action: dashboards.ActionFoldersCreate},
 					{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersAll},
 					{Action: dashboards.ActionFoldersDelete, Scope: dashboards.ScopeFoldersAll},
-					{Action: ac.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
+					{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
-					{Action: ac.ActionDashboardsDelete, Scope: dashboards.ScopeFoldersAll},
+					{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeFoldersAll},
-					{Action: ac.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
+					{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
-					{Action: ac.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeFoldersAll},
+					{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeFoldersAll},
-					{Action: ac.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeFoldersAll},
+					{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeFoldersAll},
 				}),
 		},
 		Grants: []string{"Admin"},
--- a/pkg/api/annotations.go
+++ b/pkg/api/annotations.go
@ -12,6 +12,7 @@ import (
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/annotations"
 	"github.com/grafana/grafana/pkg/services/dashboards"
 	"github.com/grafana/grafana/pkg/services/guardian"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/grafana/grafana/pkg/web"
@ -456,7 +457,7 @@ func AnnotationTypeScopeResolver() (string, accesscontrol.ScopeAttributeResolver
 			OrgId: orgID,
 			Permissions: map[int64]map[string][]string{
 				orgID: {
-					accesscontrol.ActionDashboardsRead:  {accesscontrol.ScopeDashboardsAll},
+					dashboards.ActionDashboardsRead:     {dashboards.ScopeDashboardsAll},
 					accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
 				},
 			},
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@ -354,12 +354,12 @@ func (hs *HTTPServer) registerRoutes() {
 		// Dashboard
 		apiRoute.Group("/dashboards", func(dashboardRoute routing.RouteRegister) {
-			dashboardRoute.Get("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsRead)), routing.Wrap(hs.GetDashboard))
+			dashboardRoute.Get("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsRead)), routing.Wrap(hs.GetDashboard))
-			dashboardRoute.Delete("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsDelete)), routing.Wrap(hs.DeleteDashboardByUID))
+			dashboardRoute.Delete("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsDelete)), routing.Wrap(hs.DeleteDashboardByUID))
 			dashboardRoute.Group("/uid/:uid", func(dashUidRoute routing.RouteRegister) {
 				dashUidRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) {
-					dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
+					dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
-					dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
+					dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
 				})
 			})
@ -372,22 +372,22 @@ func (hs *HTTPServer) registerRoutes() {
 				}
 			}
-			dashboardRoute.Post("/calculate-diff", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.CalculateDashboardDiff))
+			dashboardRoute.Post("/calculate-diff", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.CalculateDashboardDiff))
 			dashboardRoute.Post("/trim", routing.Wrap(hs.TrimDashboard))
-			dashboardRoute.Post("/db", authorize(reqSignedIn, ac.EvalAny(ac.EvalPermission(ac.ActionDashboardsCreate), ac.EvalPermission(ac.ActionDashboardsWrite))), routing.Wrap(hs.PostDashboard))
+			dashboardRoute.Post("/db", authorize(reqSignedIn, ac.EvalAny(ac.EvalPermission(dashboards.ActionDashboardsCreate), ac.EvalPermission(dashboards.ActionDashboardsWrite))), routing.Wrap(hs.PostDashboard))
 			dashboardRoute.Get("/home", routing.Wrap(hs.GetHomeDashboard))
 			dashboardRoute.Get("/tags", hs.GetDashboardTags)
 			// Deprecated: use /uid/:uid API instead.
 			dashboardRoute.Group("/id/:dashboardId", func(dashIdRoute routing.RouteRegister) {
-				dashIdRoute.Get("/versions", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions))
+				dashIdRoute.Get("/versions", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions))
-				dashIdRoute.Get("/versions/:id", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion))
+				dashIdRoute.Get("/versions/:id", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion))
-				dashIdRoute.Post("/restore", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion))
+				dashIdRoute.Post("/restore", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion))
 				dashIdRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) {
-					dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
+					dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
-					dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
+					dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
 				})
 			})
 		})
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@ -572,7 +572,7 @@ func (hs *HTTPServer) buildCreateNavLinks(c *models.ReqContext) []*dtos.NavLink
 	hasAccess := ac.HasAccess(hs.AccessControl, c)
 	var children []*dtos.NavLink
-	if hasAccess(ac.ReqSignedIn, ac.EvalPermission(ac.ActionDashboardsCreate)) {
+	if hasAccess(ac.ReqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsCreate)) {
 		children = append(children, &dtos.NavLink{Text: "Dashboard", Icon: "apps", Url: hs.Cfg.AppSubURL + "/dashboard/new", Id: "create-dashboard"})
 	}
@ -583,7 +583,7 @@ func (hs *HTTPServer) buildCreateNavLinks(c *models.ReqContext) []*dtos.NavLink
 		})
 	}
-	if hasAccess(ac.ReqSignedIn, ac.EvalPermission(ac.ActionDashboardsCreate)) {
+	if hasAccess(ac.ReqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsCreate)) {
 		children = append(children, &dtos.NavLink{
 			Text: "Import", SubTitle: "Import dashboard from file or Grafana.com", Id: "import", Icon: "import",
 			Url: hs.Cfg.AppSubURL + "/dashboard/import",
@ -651,7 +651,7 @@ func (hs *HTTPServer) editorInAnyFolder(c *models.ReqContext) bool {
 func (hs *HTTPServer) setIndexViewData(c *models.ReqContext) (*dtos.IndexViewData, error) {
 	hasAccess := ac.HasAccess(hs.AccessControl, c)
-	hasEditPerm := hasAccess(hs.editorInAnyFolder, ac.EvalAny(ac.EvalPermission(ac.ActionDashboardsCreate), ac.EvalPermission(dashboards.ActionFoldersCreate)))
+	hasEditPerm := hasAccess(hs.editorInAnyFolder, ac.EvalAny(ac.EvalPermission(dashboards.ActionDashboardsCreate), ac.EvalPermission(dashboards.ActionFoldersCreate)))
 	settings, err := hs.getFrontendSettingsMap(c)
 	if err != nil {
--- a/pkg/services/accesscontrol/models.go
+++ b/pkg/services/accesscontrol/models.go
@ -359,17 +359,6 @@ const (
 	ActionAnnotationsRead   = "annotations:read"
 	ActionAnnotationsWrite  = "annotations:write"
 	// Dashboard actions
 	ActionDashboardsCreate           = "dashboards:create"
 	ActionDashboardsRead             = "dashboards:read"
 	ActionDashboardsWrite            = "dashboards:write"
 	ActionDashboardsDelete           = "dashboards:delete"
 	ActionDashboardsPermissionsRead  = "dashboards.permissions:read"
 	ActionDashboardsPermissionsWrite = "dashboards.permissions:write"
 	// Dashboard scopes
 	ScopeDashboardsAll = "dashboards:*"
 	// Alert scopes are divided into two groups. The internal (to Grafana) and the external ones.
 	// For the Grafana ones, given we have ACID control we're able to provide better granularity by defining CRUD options.
 	// For the external ones, we only have read and write permissions due to the lack of atomicity control of the external system.
--- a/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go
+++ b/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go
@ -138,9 +138,9 @@ func ProvideTeamPermissions(
 	return resourcepermissions.New(options, cfg, router, ac, store, sql)
 }
-var DashboardViewActions = []string{accesscontrol.ActionDashboardsRead}
+var DashboardViewActions = []string{dashboards.ActionDashboardsRead}
-var DashboardEditActions = append(DashboardViewActions, []string{accesscontrol.ActionDashboardsWrite, accesscontrol.ActionDashboardsDelete}...)
+var DashboardEditActions = append(DashboardViewActions, []string{dashboards.ActionDashboardsWrite, dashboards.ActionDashboardsDelete}...)
-var DashboardAdminActions = append(DashboardEditActions, []string{accesscontrol.ActionDashboardsPermissionsRead, accesscontrol.ActionDashboardsPermissionsWrite}...)
+var DashboardAdminActions = append(DashboardEditActions, []string{dashboards.ActionDashboardsPermissionsRead, dashboards.ActionDashboardsPermissionsWrite}...)
 func ProvideDashboardPermissions(
 	cfg *setting.Cfg, router routing.RouteRegister, sql *sqlstore.SQLStore,
@ -203,7 +203,7 @@ func ProvideDashboardPermissions(
 }
 var FolderViewActions = []string{dashboards.ActionFoldersRead}
-var FolderEditActions = append(FolderViewActions, []string{dashboards.ActionFoldersWrite, dashboards.ActionFoldersDelete, accesscontrol.ActionDashboardsCreate}...)
+var FolderEditActions = append(FolderViewActions, []string{dashboards.ActionFoldersWrite, dashboards.ActionFoldersDelete, dashboards.ActionDashboardsCreate}...)
 var FolderAdminActions = append(FolderEditActions, []string{dashboards.ActionFoldersPermissionsRead, dashboards.ActionFoldersPermissionsWrite}...)
 func ProvideFolderPermissions(
--- a/pkg/services/dashboardimport/api/api.go
+++ b/pkg/services/dashboardimport/api/api.go
@ -12,6 +12,7 @@ import (
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/dashboardimport"
 	"github.com/grafana/grafana/pkg/services/dashboards"
 	"github.com/grafana/grafana/pkg/web"
 )
@ -39,7 +40,7 @@ func (api *ImportDashboardAPI) RegisterAPIEndpoints(routeRegister routing.RouteR
 	routeRegister.Group("/api/dashboards", func(route routing.RouteRegister) {
 		route.Post(
 			"/import",
-			authorize(middleware.ReqSignedIn, accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate)),
+			authorize(middleware.ReqSignedIn, accesscontrol.EvalPermission(dashboards.ActionDashboardsCreate)),
 			routing.Wrap(api.ImportDashboard),
 		)
 	}, middleware.ReqSignedIn)
--- a/pkg/services/dashboards/accesscontrol.go
+++ b/pkg/services/dashboards/accesscontrol.go
@ -21,11 +21,20 @@ const (
 	ScopeDashboardsRoot   = "dashboards"
 	ScopeDashboardsPrefix = "dashboards:uid:"
 	ActionDashboardsCreate           = "dashboards:create"
 	ActionDashboardsRead             = "dashboards:read"
 	ActionDashboardsWrite            = "dashboards:write"
 	ActionDashboardsDelete           = "dashboards:delete"
 	ActionDashboardsPermissionsRead  = "dashboards.permissions:read"
 	ActionDashboardsPermissionsWrite = "dashboards.permissions:write"
 )
 var (
-	ScopeFoldersAll      = ac.GetResourceAllScope(ScopeFoldersRoot)
+	ScopeFoldersProvider    = ac.NewScopeProvider(ScopeFoldersRoot)
-	ScopeFoldersProvider = ac.NewScopeProvider(ScopeFoldersRoot)
+	ScopeFoldersAll         = ScopeFoldersProvider.GetResourceAllScope()
 	ScopeDashboardsProvider = ac.NewScopeProvider(ScopeDashboardsRoot)
 	ScopeDashboardsAll      = ScopeDashboardsProvider.GetResourceAllScope()
 )
 // NewFolderNameScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "folders:name:" into an uid based scope.
--- a/pkg/services/dashboards/manager/dashboard_service.go
+++ b/pkg/services/dashboards/manager/dashboard_service.go
@ -22,10 +22,10 @@ import (
 var (
 	provisionerPermissions = map[string][]string{
-		m.ActionFoldersCreate:                {},
+		m.ActionFoldersCreate:    {},
-		m.ActionFoldersWrite:                 {m.ScopeFoldersAll},
+		m.ActionFoldersWrite:     {m.ScopeFoldersAll},
-		accesscontrol.ActionDashboardsCreate: {m.ScopeFoldersAll},
+		m.ActionDashboardsCreate: {m.ScopeFoldersAll},
-		accesscontrol.ActionDashboardsWrite:  {m.ScopeFoldersAll},
+		m.ActionDashboardsWrite:  {m.ScopeFoldersAll},
 	}
 )
--- a/pkg/services/guardian/accesscontrol_guardian.go
+++ b/pkg/services/guardian/accesscontrol_guardian.go
@ -53,12 +53,12 @@ func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {
 	}
 	if a.dashboard.IsFolder {
-		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboard.Uid)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 	return a.evaluate(accesscontrol.EvalAny(
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Uid)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.parentFolderUID)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 	))
 }
@ -71,12 +71,12 @@ func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
 	}
 	if a.dashboard.IsFolder {
-		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboard.Uid)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 	return a.evaluate(accesscontrol.EvalAny(
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Uid)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.parentFolderUID)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 	))
 }
@ -86,12 +86,12 @@ func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
 	}
 	if a.dashboard.IsFolder {
-		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, folderScope(a.dashboard.Uid)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 	return a.evaluate(accesscontrol.EvalAny(
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, dashboardScope(a.dashboard.Uid)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, folderScope(a.parentFolderUID)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 	))
 }
@ -102,19 +102,19 @@ func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
 	if a.dashboard.IsFolder {
 		return a.evaluate(accesscontrol.EvalAll(
-			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, folderScope(a.dashboard.Uid)),
+			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)),
-			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, folderScope(a.dashboard.Uid)),
+			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)),
 		))
 	}
 	return a.evaluate(accesscontrol.EvalAny(
 		accesscontrol.EvalAll(
-			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, dashboardScope(a.dashboard.Uid)),
+			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, dashboardScope(a.dashboard.Uid)),
+			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
 		),
 		accesscontrol.EvalAll(
-			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, folderScope(a.parentFolderUID)),
+			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
-			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, folderScope(a.parentFolderUID)),
+			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 		),
 	))
 }
@ -125,12 +125,12 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
 	}
 	if a.dashboard.IsFolder {
-		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, folderScope(a.dashboard.Uid)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 	return a.evaluate(accesscontrol.EvalAny(
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, dashboardScope(a.dashboard.Uid)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, folderScope(a.parentFolderUID)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 	))
 }
@ -142,7 +142,7 @@ func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool
 	if err != nil {
 		return false, err
 	}
-	return a.evaluate(accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folder.Uid)))
+	return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionDashboardsCreate, dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.Uid)))
 }
 func (a *AccessControlDashboardGuardian) evaluate(evaluator accesscontrol.Evaluator) (bool, error) {
@ -283,11 +283,3 @@ func (a *AccessControlDashboardGuardian) loadParentFolder(folderID int64) (*mode
 	}
 	return folderQuery.Result, nil
 }
 func dashboardScope(uid string) string {
 	return accesscontrol.GetResourceScopeUID("dashboards", uid)
 }
 func folderScope(uid string) string {
 	return dashboards.ScopeFoldersProvider.GetResourceScopeUID(uid)
 }
--- a/pkg/services/guardian/accesscontrol_guardian_test.go
+++ b/pkg/services/guardian/accesscontrol_guardian_test.go
@ -36,7 +36,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:*",
 				},
 			},
@ -47,7 +47,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:*",
 				},
 			},
@ -58,7 +58,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@ -69,7 +69,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:general",
 				},
 			},
@ -80,7 +80,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@ -91,7 +91,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:100",
 				},
 			},
@ -116,7 +116,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:*",
 				},
 			},
@ -127,7 +127,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:*",
 				},
 			},
@ -138,7 +138,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@ -149,7 +149,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:general",
 				},
 			},
@ -160,7 +160,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@ -171,7 +171,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:10",
 				},
 			},
@ -182,7 +182,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@ -212,7 +212,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:*",
 				},
 			},
@ -223,7 +223,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "folders:*",
 				},
 			},
@ -234,7 +234,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@ -245,7 +245,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "folders:uid:general",
 				},
 			},
@ -256,7 +256,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@ -267,7 +267,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "folders:uid:10",
 				},
 			},
@ -292,11 +292,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "dashboards:*",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "dashboards:*",
 				},
 			},
@ -307,11 +307,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "folders:*",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "folders:*",
 				},
 			},
@ -322,11 +322,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "dashboards:uid:1",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@ -337,11 +337,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "folders:uid:general",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "folders:uid:general",
 				},
 			},
@ -352,11 +352,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "dashboards:uid:10",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@ -367,11 +367,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "folders:uid:10",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "folders:uid:10",
 				},
 			},
@ -396,7 +396,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "dashboards:*",
 				},
 			},
@ -407,7 +407,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "folders:*",
 				},
 			},
@ -418,7 +418,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@ -429,7 +429,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "folders:uid:general",
 				},
 			},
@ -440,7 +440,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@ -451,7 +451,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "folders:uid:10",
 				},
 			},
@ -485,7 +485,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 			isFolder: false,
 			folderID: 0,
 			permissions: []*accesscontrol.Permission{
-				{Action: accesscontrol.ActionDashboardsCreate, Scope: "folders:uid:general"},
+				{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:general"},
 			},
 			expected: true,
 		},
@ -494,7 +494,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 			isFolder: false,
 			folderID: 0,
 			permissions: []*accesscontrol.Permission{
-				{Action: accesscontrol.ActionDashboardsCreate, Scope: "folders:*"},
+				{Action: dashboards.ActionDashboardsCreate, Scope: "folders:*"},
 			},
 			expected: true,
 		},
--- a/pkg/services/sqlstore/annotation_test.go
+++ b/pkg/services/sqlstore/annotation_test.go
@ -15,6 +15,7 @@ import (
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/annotations"
 	"github.com/grafana/grafana/pkg/services/dashboards"
 	dashboardstore "github.com/grafana/grafana/pkg/services/dashboards/database"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
@ -406,7 +407,7 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
 			description: "Should find all annotations when has permissions to list all annotations and read all dashboards",
 			permissions: map[string][]string{
 				accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
-				accesscontrol.ActionDashboardsRead:  {accesscontrol.ScopeDashboardsAll},
+				dashboards.ActionDashboardsRead:     {dashboards.ScopeDashboardsAll},
 			},
 			expectedAnnotationIds: []int64{dash1Annotation.Id, dash2Annotation.Id, organizationAnnotation.Id},
 		},
@ -414,7 +415,7 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
 			description: "Should find all dashboard annotations",
 			permissions: map[string][]string{
 				accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
-				accesscontrol.ActionDashboardsRead:  {accesscontrol.ScopeDashboardsAll},
+				dashboards.ActionDashboardsRead:     {dashboards.ScopeDashboardsAll},
 			},
 			expectedAnnotationIds: []int64{dash1Annotation.Id, dash2Annotation.Id},
 		},
@ -422,7 +423,7 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
 			description: "Should find only annotations from dashboards that user can read",
 			permissions: map[string][]string{
 				accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
-				accesscontrol.ActionDashboardsRead:  {fmt.Sprintf("dashboards:uid:%s", dash1UID)},
+				dashboards.ActionDashboardsRead:     {fmt.Sprintf("dashboards:uid:%s", dash1UID)},
 			},
 			expectedAnnotationIds: []int64{dash1Annotation.Id},
 		},
@ -437,14 +438,14 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
 			description: "Should find only organization annotations",
 			permissions: map[string][]string{
 				accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeOrganization},
-				accesscontrol.ActionDashboardsRead:  {accesscontrol.ScopeDashboardsAll},
+				dashboards.ActionDashboardsRead:     {dashboards.ScopeDashboardsAll},
 			},
 			expectedAnnotationIds: []int64{organizationAnnotation.Id},
 		},
 		{
 			description: "Should error if user doesn't have annotation read permissions",
 			permissions: map[string][]string{
-				accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
+				dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
 			},
 			expectedError: true,
 		},
--- a/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
+++ b/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
@ -16,20 +16,20 @@ import (
 var dashboardPermissionTranslation = map[models.PermissionType][]string{
 	models.PERMISSION_VIEW: {
-		ac.ActionDashboardsRead,
+		dashboards.ActionDashboardsRead,
 	},
 	models.PERMISSION_EDIT: {
-		ac.ActionDashboardsRead,
+		dashboards.ActionDashboardsRead,
-		ac.ActionDashboardsWrite,
+		dashboards.ActionDashboardsWrite,
-		ac.ActionDashboardsDelete,
+		dashboards.ActionDashboardsDelete,
 	},
 	models.PERMISSION_ADMIN: {
-		ac.ActionDashboardsRead,
+		dashboards.ActionDashboardsRead,
-		ac.ActionDashboardsWrite,
+		dashboards.ActionDashboardsWrite,
-		ac.ActionDashboardsCreate,
+		dashboards.ActionDashboardsCreate,
-		ac.ActionDashboardsDelete,
+		dashboards.ActionDashboardsDelete,
-		ac.ActionDashboardsPermissionsRead,
+		dashboards.ActionDashboardsPermissionsRead,
-		ac.ActionDashboardsPermissionsWrite,
+		dashboards.ActionDashboardsPermissionsWrite,
 	},
 }
@ -38,7 +38,7 @@ var folderPermissionTranslation = map[models.PermissionType][]string{
 		dashboards.ActionFoldersRead,
 	}...),
 	models.PERMISSION_EDIT: append(dashboardPermissionTranslation[models.PERMISSION_EDIT], []string{
-		ac.ActionDashboardsCreate,
+		dashboards.ActionDashboardsCreate,
 		dashboards.ActionFoldersRead,
 		dashboards.ActionFoldersWrite,
 		dashboards.ActionFoldersCreate,
--- a/pkg/services/sqlstore/permissions/dashboard.go
+++ b/pkg/services/sqlstore/permissions/dashboard.go
@ -94,10 +94,10 @@ func NewAccessControlDashboardPermissionFilter(user *models.SignedInUser, permis
 			folderActions = append(folderActions, accesscontrol.ActionAlertingRuleCreate)
 		}
 	} else {
-		dashboardActions = append(dashboardActions, accesscontrol.ActionDashboardsRead)
+		dashboardActions = append(dashboardActions, dashboards.ActionDashboardsRead)
 		if needEdit {
-			folderActions = append(folderActions, accesscontrol.ActionDashboardsCreate)
+			folderActions = append(folderActions, dashboards.ActionDashboardsCreate)
-			dashboardActions = append(dashboardActions, accesscontrol.ActionDashboardsWrite)
+			dashboardActions = append(dashboardActions, dashboards.ActionDashboardsWrite)
 		}
 	}
 	return AccessControlDashboardPermissionFilter{User: user, folderActions: folderActions, dashboardActions: dashboardActions}
--- a/pkg/services/sqlstore/permissions/dashboard_test.go
+++ b/pkg/services/sqlstore/permissions/dashboard_test.go
@ -55,31 +55,31 @@ func TestNewAccessControlDashboardPermissionFilter(t *testing.T) {
 			queryType:  randomType,
 			permission: models.PERMISSION_ADMIN,
 			expectedDashboardActions: []string{
-				accesscontrol.ActionDashboardsRead,
+				dashboards.ActionDashboardsRead,
-				accesscontrol.ActionDashboardsWrite,
+				dashboards.ActionDashboardsWrite,
 			},
 			expectedFolderActions: []string{
 				dashboards.ActionFoldersRead,
-				accesscontrol.ActionDashboardsCreate,
+				dashboards.ActionDashboardsCreate,
 			},
 		},
 		{
 			queryType:  randomType,
 			permission: models.PERMISSION_EDIT,
 			expectedDashboardActions: []string{
-				accesscontrol.ActionDashboardsRead,
+				dashboards.ActionDashboardsRead,
-				accesscontrol.ActionDashboardsWrite,
+				dashboards.ActionDashboardsWrite,
 			},
 			expectedFolderActions: []string{
 				dashboards.ActionFoldersRead,
-				accesscontrol.ActionDashboardsCreate,
+				dashboards.ActionDashboardsCreate,
 			},
 		},
 		{
 			queryType:  randomType,
 			permission: models.PERMISSION_VIEW,
 			expectedDashboardActions: []string{
-				accesscontrol.ActionDashboardsRead,
+				dashboards.ActionDashboardsRead,
 			},
 			expectedFolderActions: []string{
 				dashboards.ActionFoldersRead,