RBAC: Migration to remove the scope from permissions where action is alert.instances:read #82202
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is this feature?
A migration to remove the scope for any permissions where the action
alert.instances:read
.Why do we need this feature?
We initially introduced
alert.instances:read
action with a scope (here), however, we later realised that scope was not needed for this action and removed it (here).However, this scope removal caused unanticipated side-effects. One of these side-effects is that if a user has created a custom role with action
alert.instances:read
and some scope, they now might not be able to edit this role (this is because we check that the user has all the permissions included in the role that they are editing before allowing them to edit it, andalert.instances:read
is not granted to users with a scope anymore).Who is this feature for?
Enterprise users who use custom roles, and have included a permission with scope
alert.instances:read
.Which issue(s) does this PR fix?:
Fixes #
Release notice breaking change
If you use an automated provisioning (eg, Terraform) for custom roles, and have provisioned a role that includes permission with action
alert.instances:read
and some scope, you will need to update the permission in your provisioning files by removing the scope.