diff --git a/pkg/services/accesscontrol/database/resource.go b/pkg/services/accesscontrol/database/resource.go
index 2f054c5436d..fceed204d6b 100644
--- a/pkg/services/accesscontrol/database/resource.go
+++ b/pkg/services/accesscontrol/database/resource.go
@@ -128,14 +128,14 @@ func (s *AccessControlStore) setResourcePermissions(
 	var permissions []accesscontrol.ResourcePermission
 
 	for action := range missing {
-		p, err := createResourcePermission(sess, role.ID, action, cmd.Resource, cmd.ResourceID)
+		p, err := s.createResourcePermission(sess, role.ID, action, cmd.Resource, cmd.ResourceID)
 		if err != nil {
 			return nil, err
 		}
 		permissions = append(permissions, *p)
 	}
 
-	keptPermissions, err := getManagedPermissions(sess, cmd.ResourceID, keep)
+	keptPermissions, err := s.getManagedPermissions(sess, cmd.ResourceID, keep)
 	if err != nil {
 		return nil, err
 	}
@@ -187,14 +187,14 @@ func (s *AccessControlStore) GetResourcesPermissions(ctx context.Context, orgID
 
 	err := s.sql.WithDbSession(ctx, func(sess *sqlstore.DBSession) error {
 		var err error
-		result, err = getResourcesPermissions(sess, orgID, query, false)
+		result, err = s.getResourcesPermissions(sess, orgID, query, false)
 		return err
 	})
 
 	return result, err
 }
 
-func createResourcePermission(sess *sqlstore.DBSession, roleID int64, action, resource string, resourceID string) (*accesscontrol.ResourcePermission, error) {
+func (s *AccessControlStore) createResourcePermission(sess *sqlstore.DBSession, roleID int64, action, resource string, resourceID string) (*accesscontrol.ResourcePermission, error) {
 	permission := managedPermission(action, resource, resourceID)
 	permission.RoleID = roleID
 	permission.Created = time.Now()
@@ -220,7 +220,7 @@ func createResourcePermission(sess *sqlstore.DBSession, roleID int64, action, re
 		LEFT JOIN team_role tr ON r.id = tr.role_id
 		LEFT JOIN team t ON tr.team_id = t.id
 		LEFT JOIN user_role ur ON r.id = ur.role_id
-		LEFT JOIN user u ON ur.user_id = u.id
+		LEFT JOIN ` + s.sql.Dialect.Quote("user") + ` u ON ur.user_id = u.id
 	WHERE p.id = ?
 	`
 
@@ -232,7 +232,7 @@ func createResourcePermission(sess *sqlstore.DBSession, roleID int64, action, re
 	return p, nil
 }
 
-func getResourcesPermissions(sess *sqlstore.DBSession, orgID int64, query accesscontrol.GetResourcesPermissionsQuery, managed bool) ([]accesscontrol.ResourcePermission, error) {
+func (s *AccessControlStore) getResourcesPermissions(sess *sqlstore.DBSession, orgID int64, query accesscontrol.GetResourcesPermissionsQuery, managed bool) ([]accesscontrol.ResourcePermission, error) {
 	result := make([]accesscontrol.ResourcePermission, 0)
 
 	if len(query.Actions) == 0 {
@@ -284,16 +284,16 @@ func getResourcesPermissions(sess *sqlstore.DBSession, orgID int64, query access
 		INNER JOIN role r ON p.role_id = r.id
     `
 	userFrom := rawFrom + `
-		INNER JOIN user_role ur ON r.id = ur.role_id
-		INNER JOIN user u ON ur.user_id = u.id
+		INNER JOIN user_role ur ON r.id = ur.role_id AND (ur.org_id = 0 OR ur.org_id = ?)
+		INNER JOIN ` + s.sql.Dialect.Quote("user") + ` u ON ur.user_id = u.id
 	`
 	teamFrom := rawFrom + `
-		INNER JOIN team_role tr ON r.id = tr.role_id
+		INNER JOIN team_role tr ON r.id = tr.role_id AND (tr.org_id = 0 OR tr.org_id = ?)
 		INNER JOIN team t ON tr.team_id = t.id
 	`
 
 	builtinFrom := rawFrom + `
-		INNER JOIN builtin_role br ON r.id = br.role_id
+		INNER JOIN builtin_role br ON r.id = br.role_id  AND (br.org_id = 0 OR br.org_id = ?)
 	`
 	where := `
 	WHERE (r.org_id = ? OR r.org_id = 0)
@@ -306,6 +306,7 @@ func getResourcesPermissions(sess *sqlstore.DBSession, orgID int64, query access
 	}
 
 	args := []interface{}{
+		orgID,
 		orgID,
 		getResourceAllScope(query.Resource),
 		getResourceAllIDScope(query.Resource),
@@ -448,12 +449,12 @@ func (s *AccessControlStore) getOrCreateManagedRole(sess *sqlstore.DBSession, or
 	return &role, nil
 }
 
-func getManagedPermissions(sess *sqlstore.DBSession, resourceID string, ids []int64) ([]accesscontrol.ResourcePermission, error) {
+func (s *AccessControlStore) getManagedPermissions(sess *sqlstore.DBSession, resourceID string, ids []int64) ([]accesscontrol.ResourcePermission, error) {
 	var result []accesscontrol.ResourcePermission
+
 	if len(ids) == 0 {
 		return result, nil
 	}
-
 	rawSql := `
 	SELECT
 		p.*,
@@ -470,7 +471,7 @@ func getManagedPermissions(sess *sqlstore.DBSession, resourceID string, ids []in
 		LEFT JOIN team_role tr ON r.id = tr.role_id
 		LEFT JOIN team t ON tr.team_id = t.id
 		LEFT JOIN user_role ur ON r.id = ur.role_id
-		LEFT JOIN user u ON ur.user_id = u.id
+		LEFT JOIN ` + s.sql.Dialect.Quote("user") + ` u ON ur.user_id = u.id
 	WHERE p.id IN (?` + strings.Repeat(",?", len(ids)-1) + `)
 	`