Merge remote-tracking branch 'origin/main' into protobuf-response-type

New Crowdin translations by GitHub Action

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

.github/CODEOWNERS

@@ -208,7 +208,7 @@
 /pkg/tests/apis/shorturl @grafana/sharing-squad
 /pkg/tests/api/correlations/ @grafana/datapro
 /pkg/tsdb/grafanads/ @grafana/grafana-backend-group
-/pkg/tsdb/opentsdb/ @grafana/partner-datasources
+/pkg/tsdb/opentsdb/ @grafana/oss-big-tent
 /pkg/util/ @grafana/grafana-backend-group
 /pkg/web/ @grafana/grafana-backend-group
 
@@ -260,7 +260,7 @@
 /devenv/dev-dashboards/dashboards.go @grafana/dataviz-squad
 /devenv/dev-dashboards/home.json @grafana/dataviz-squad
 /devenv/dev-dashboards/datasource-elasticsearch/ @grafana/partner-datasources
-/devenv/dev-dashboards/datasource-opentsdb/ @grafana/partner-datasources
+/devenv/dev-dashboards/datasource-opentsdb/ @grafana/oss-big-tent
 /devenv/dev-dashboards/datasource-influxdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-mssql/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-loki/ @grafana/plugins-platform-frontend
@@ -307,7 +307,7 @@
 /devenv/docker/blocks/mysql_exporter/ @grafana/oss-big-tent
 /devenv/docker/blocks/mysql_opendata/ @grafana/oss-big-tent
 /devenv/docker/blocks/mysql_tests/ @grafana/oss-big-tent
-/devenv/docker/blocks/opentsdb/ @grafana/partner-datasources
+/devenv/docker/blocks/opentsdb/ @grafana/oss-big-tent
 /devenv/docker/blocks/postgres/ @grafana/oss-big-tent
 /devenv/docker/blocks/postgres_tests/ @grafana/oss-big-tent
 /devenv/docker/blocks/prometheus/ @grafana/oss-big-tent
@@ -1101,7 +1101,7 @@ eslint-suppressions.json @grafanabot
 /public/app/plugins/datasource/mixed/ @grafana/dashboards-squad
 /public/app/plugins/datasource/mssql/ @grafana/partner-datasources
 /public/app/plugins/datasource/mysql/ @grafana/oss-big-tent
-/public/app/plugins/datasource/opentsdb/ @grafana/partner-datasources
+/public/app/plugins/datasource/opentsdb/ @grafana/oss-big-tent
 /public/app/plugins/datasource/grafana-postgresql-datasource/ @grafana/oss-big-tent
 /public/app/plugins/datasource/prometheus/ @grafana/oss-big-tent
 /public/app/plugins/datasource/cloud-monitoring/ @grafana/partner-datasources

.github/workflows/pr-patch-check-event.yml

@@ -12,6 +12,7 @@ on:
 permissions:
   id-token: write
   contents: read
+  statuses: write
 
 # Since this is run on a pull request, we want to apply the patches intended for the
 # target branch onto the source branch, to verify compatibility before merging.

.github/workflows/pr-patch-check.yml

@@ -29,6 +29,10 @@ permissions:
 # target branch onto the source branch, to verify compatibility before merging.
 jobs:
   dispatch-job:
+    # If the source is not from a fork then dispatch the job to the workflow.
+    # This will fail on forks when trying to broker a token, so instead, forks will create the required status and mark
+    # it as a success
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
     env:
       HEAD_REF: ${{ inputs.head_ref }}
       BASE_REF: ${{ github.base_ref }}
@@ -76,3 +80,20 @@ jobs:
                   triggering_github_handle: SENDER
                 }
             })
+  dispatch-job-fork:
+    # If the source is from a fork then use the built-in workflow token to create the same status and unconditionally
+    # mark it as a success.
+    if: ${{ github.event.pull_request.head.repo.fork }}
+    permissions:
+      statuses: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create status
+        uses: myrotvorets/set-commit-status-action@6d6905c99cd24a4a2cbccc720b62dc6ca5587141
+        with:
+          token: ${{ github.token }}
+          sha: ${{ inputs.pr_commit_sha }}
+          repo: ${{ inputs.repo }}
+          status: success
+          context: "Test Patches (event)"
+          description: "Test Patches (event) on a fork"

.github/workflows/release-comms.yml

@@ -111,12 +111,13 @@ jobs:
       ownerRepo: 'grafana/grafana-enterprise'
       from: ${{ needs.setup.outputs.release_branch }}
       to: ${{ needs.create_next_release_branch_enterprise.outputs.branch }}
-  post_changelog_on_forum:
-    needs: setup
-    uses: grafana/grafana/.github/workflows/community-release.yml@main
-    with:
-      version: ${{ needs.setup.outputs.version }}
-      dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
+  # Removed this for now since it doesn't work
+  # post_changelog_on_forum:
+  #   needs: setup
+  #   uses: grafana/grafana/.github/workflows/community-release.yml@main
+  #   with:
+  #     version: ${{ needs.setup.outputs.version }}
+  #     dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
   create_github_release:
     # a github release requires a git tag
     # The github-release action retrieves the changelog using the /repos/grafana/grafana/contents/CHANGELOG.md API

.golangci.yml

@@ -3,7 +3,7 @@
 # Others can set up the YAML LSP manually, which supports schemas: https://github.com/redhat-developer/yaml-language-server
 
 # $schema: https://golangci-lint.run/jsonschema/golangci.jsonschema.json
-version: "2"
+version: '2'
 run:
   timeout: 15m
   concurrency: 10
@@ -83,6 +83,16 @@ linters:
           deny:
             - pkg: github.com/grafana/grafana/pkg
               desc: apps/playlist is not allowed to import grafana core
+        apps-dashboard:
+          list-mode: lax
+          files:
+            - ./apps/dashboard/*
+            - ./apps/dashboard/**/*
+          allow:
+            - github.com/grafana/grafana/pkg/apimachinery
+          deny:
+            - pkg: github.com/grafana/grafana/pkg
+              desc: apps/dashboard is not allowed to import grafana core
         apps-secret:
           list-mode: lax
           files:
@@ -281,16 +291,16 @@ linters:
         text: G306
       - linters:
           - gosec
-        text: "401"
+        text: '401'
       - linters:
           - gosec
-        text: "402"
+        text: '402'
       - linters:
           - gosec
-        text: "501"
+        text: '501'
       - linters:
           - gosec
-        text: "404"
+        text: '404'
       - linters:
           - errorlint
         text: non-wrapping format verb for fmt.Errorf

apps/advisor/go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	k8s.io/apimachinery v0.34.2
 	k8s.io/apiserver v0.34.2
+	k8s.io/client-go v0.34.2
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
 )
 
@@ -43,6 +44,7 @@ replace github.com/grafana/grafana/apps/plugins => ../plugins
 replace github.com/prometheus/alertmanager => github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604
 
 require (
+	cel.dev/expr v0.24.0 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
@@ -55,6 +57,7 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/VividCortex/mysqlerr v0.0.0-20170204212430-6c6b55f8796f // indirect
 	github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b // indirect
@@ -85,6 +88,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cheekybits/genny v1.0.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
@@ -101,6 +105,7 @@ require (
 	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gchaincl/sqlhooks v1.3.0 // indirect
 	github.com/getkin/kin-openapi v0.133.0 // indirect
@@ -144,12 +149,13 @@ require (
 	github.com/golang-migrate/migrate/v4 v4.7.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
+	github.com/google/cel-go v0.26.1 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/wire v0.7.0 // indirect
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // indirect
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // indirect
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect
 	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 // indirect
@@ -162,6 +168,7 @@ require (
 	github.com/grafana/sqlds/v4 v4.2.7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
+	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20191002090509-6af20e3a5340 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
@@ -176,6 +183,7 @@ require (
 	github.com/hashicorp/memberlist v0.5.2 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jaegertracing/jaeger-idl v0.5.0 // indirect
 	github.com/jessevdk/go-flags v1.6.1 // indirect
 	github.com/jmespath-community/go-jmespath v1.1.1 // indirect
@@ -248,7 +256,9 @@ require (
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/cobra v1.10.1 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tetratelabs/wazero v1.8.2 // indirect
 	github.com/thomaspoignant/go-feature-flag v1.42.0 // indirect
@@ -256,6 +266,9 @@ require (
 	github.com/woodsbury/decimal128 v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
 	go.mongodb.org/mongo-driver v1.17.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
@@ -274,6 +287,8 @@ require (
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/mock v0.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/crypto v0.45.0 // indirect
@@ -297,23 +312,26 @@ require (
 	google.golang.org/grpc v1.77.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/mail.v2 v2.3.1 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/src-d/go-errors.v1 v1.0.0 // indirect
 	gopkg.in/telebot.v3 v3.3.8 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.34.2 // indirect
 	k8s.io/apiextensions-apiserver v0.34.2 // indirect
-	k8s.io/client-go v0.34.2 // indirect
 	k8s.io/component-base v0.34.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kms v0.34.2 // indirect
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
 	modernc.org/libc v1.66.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	modernc.org/sqlite v1.40.1 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.1 // indirect

apps/advisor/go.sum

@@ -282,6 +282,7 @@ github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03V
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cznic/b v0.0.0-20180115125044-35e9bbe41f07/go.mod h1:URriBxXwVq5ijiJ12C7iIZqlA69nTlI+LgI6/pwftG8=
 github.com/cznic/fileutil v0.0.0-20180108211300-6a051e75936f/go.mod h1:8S58EK26zhXSxzv7NQFpnliaOQsmDUxvoQO3rt154Vg=
@@ -406,6 +407,8 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/analysis v0.24.0 h1:vE/VFFkICKyYuTWYnplQ+aVr45vlG6NcZKC7BdIXhsA=
 github.com/go-openapi/analysis v0.24.0/go.mod h1:GLyoJA+bvmGGaHgpfeDh8ldpGo69fAJg7eeMDMRCIrw=
 github.com/go-openapi/errors v0.22.3 h1:k6Hxa5Jg1TUyZnOwV2Lh81j8ayNw5VVYLvKrp4zFKFs=
@@ -606,8 +609,10 @@ github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z
 github.com/gorilla/mux v1.7.1/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=
@@ -749,6 +754,8 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
@@ -979,6 +986,7 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
 github.com/pressly/goose/v3 v3.26.0 h1:KJakav68jdH0WDvoAcj8+n61WqOIaPGgH0bJWS6jpmM=
 github.com/pressly/goose/v3 v3.26.0/go.mod h1:4hC1KrritdCxtuFsqgs1R4AU5bWtTAf+cnWvfhf2DNY=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
@@ -996,6 +1004,7 @@ github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6T
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
@@ -1010,6 +1019,7 @@ github.com/prometheus/common/sigv4 v0.1.0/go.mod h1:2Jkxxk9yYvCkE5G1sQT7GuEXm57J
 github.com/prometheus/exporter-toolkit v0.14.0 h1:NMlswfibpcZZ+H0sZBiTjrA3/aBFHkNZqE+iCj5EmRg=
 github.com/prometheus/exporter-toolkit v0.14.0/go.mod h1:Gu5LnVvt7Nr/oqTBUC23WILZepW0nffNo10XdhQcwWA=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
@@ -1036,6 +1046,7 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
 github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sagikazarmark/crypt v0.6.0/go.mod h1:U8+INwJo3nBv1m6A/8OBXAq7Jnpspk5AxSgDyEQcea8=
 github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
@@ -1058,6 +1069,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
+github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
@@ -1071,6 +1084,7 @@ github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
 github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw=
@@ -1096,6 +1110,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
@@ -1112,6 +1127,8 @@ github.com/thomaspoignant/go-feature-flag v1.42.0/go.mod h1:y0QiWH7chHWhGATb/+Xq
 github.com/tidwall/pretty v0.0.0-20180105212114-65a9db5fad51/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tjhop/slog-gokit v0.1.5 h1:ayloIUi5EK2QYB8eY4DOPO95/mRtMW42lUkp3quJohc=
 github.com/tjhop/slog-gokit v0.1.5/go.mod h1:yA48zAHvV+Sg4z4VRyeFyFUNNXd3JY5Zg84u3USICq0=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
 github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
@@ -1129,6 +1146,8 @@ github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcY
 github.com/xanzy/go-gitlab v0.15.0/go.mod h1:8zdQa/ri1dfn8eS3Ir1SyfvOKlw7WBJ8DVThkpGiXrs=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
+github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chqDkyE9Z4N61UnQd+KOfgp5Iu53llk=
+github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -1139,6 +1158,8 @@ github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b/go.mod h1:T3BPAOm2cqquPa0MKWeNkmOM5RQsRhkrwMWonFMN7fE=
+go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
+go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
 go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
 go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
 go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
@@ -1149,6 +1170,12 @@ go.etcd.io/etcd/client/v2 v2.305.4/go.mod h1:Ud+VUwIi9/uQHOMA+4ekToJ12lTxlv0zB/+
 go.etcd.io/etcd/client/v3 v3.5.4/go.mod h1:ZaRkVgBZC+L+dLCjTcF1hRXpgZXQPOvnA/Ak/gq3kiY=
 go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
 go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
+go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
+go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
+go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
+go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
+go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.mongodb.org/mongo-driver v1.1.0/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
 go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
@@ -1301,6 +1328,7 @@ golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181108082009-03003ca0c849/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1712,6 +1740,7 @@ google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba/go.
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba h1:UKgtfRM7Yh93Sya0Fo8ZzhDP4qBckrrxEr2oF5UIVb8=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
+google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=

apps/advisor/pkg/app/app.go

@@ -8,18 +8,24 @@ import (
 
 	"github.com/grafana/grafana-app-sdk/app"
 	"github.com/grafana/grafana-app-sdk/k8s"
+	appsdkapiserver "github.com/grafana/grafana-app-sdk/k8s/apiserver"
 	"github.com/grafana/grafana-app-sdk/logging"
 	"github.com/grafana/grafana-app-sdk/operator"
 	"github.com/grafana/grafana-app-sdk/resource"
 	"github.com/grafana/grafana-app-sdk/simple"
+	advisorapi "github.com/grafana/grafana/apps/advisor/pkg/apis"
 	advisorv0alpha1 "github.com/grafana/grafana/apps/advisor/pkg/apis/advisor/v0alpha1"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checkregistry"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checks"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checkscheduler"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checktyperegisterer"
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
+	"github.com/grafana/grafana/pkg/services/org"
+	"github.com/grafana/grafana/pkg/setting"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/client-go/rest"
 )
 
 func New(cfg app.Config) (app.App, error) {
@@ -188,3 +194,45 @@ func GetKinds() map[schema.GroupVersion][]resource.Kind {
 		},
 	}
 }
+
+func ProvideAppInstaller(
+	authorizer authorizer.Authorizer,
+	checkRegistry checkregistry.CheckService,
+	cfg *setting.Cfg,
+	orgService org.Service,
+) (*AdvisorAppInstaller, error) {
+	provider := simple.NewAppProvider(advisorapi.LocalManifest(), nil, New)
+	pluginConfig := cfg.PluginSettings["grafana-advisor-app"]
+	specificConfig := checkregistry.AdvisorAppConfig{
+		CheckRegistry: checkRegistry,
+		PluginConfig:  pluginConfig,
+		StackID:       cfg.StackID,
+		OrgService:    orgService,
+	}
+	appCfg := app.Config{
+		KubeConfig:     rest.Config{},
+		ManifestData:   *advisorapi.LocalManifest().ManifestData,
+		SpecificConfig: specificConfig,
+	}
+
+	defaultInstaller, err := appsdkapiserver.NewDefaultAppInstaller(provider, appCfg, advisorapi.NewGoTypeAssociator())
+	if err != nil {
+		return nil, err
+	}
+
+	installer := &AdvisorAppInstaller{
+		AppInstaller: defaultInstaller,
+		authorizer:   authorizer,
+	}
+
+	return installer, nil
+}
+
+type AdvisorAppInstaller struct {
+	appsdkapiserver.AppInstaller
+	authorizer authorizer.Authorizer
+}
+
+func (a *AdvisorAppInstaller) GetAuthorizer() authorizer.Authorizer {
+	return a.authorizer
+}

apps/advisor/pkg/app/authorizer.go

@@ -1,47 +0,0 @@
-package app
-
-import (
-	"context"
-
-	claims "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/apimachinery/identity"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-func GetAuthorizer() authorizer.Authorizer {
-	return authorizer.AuthorizerFunc(func(
-		ctx context.Context, attr authorizer.Attributes,
-	) (authorized authorizer.Decision, reason string, err error) {
-		if !attr.IsResourceRequest() {
-			return authorizer.DecisionNoOpinion, "", nil
-		}
-
-		// Check for service identity
-		if identity.IsServiceIdentity(ctx) {
-			return authorizer.DecisionAllow, "", nil
-		}
-
-		// Check for access policy identity
-		info, ok := claims.AuthInfoFrom(ctx)
-		if ok && claims.IsIdentityType(info.GetIdentityType(), claims.TypeAccessPolicy) {
-			// For access policy identities, we need to use ResourceAuthorizer
-			// This requires an AccessClient, which should be provided by the API server
-			// For now, we'll use the default ResourceAuthorizer from the API server
-			// This will be set up by the API server's authorization chain
-			return authorizer.DecisionNoOpinion, "", nil
-		}
-
-		// For regular Grafana users, check if they are admin
-		u, err := identity.GetRequester(ctx)
-		if err != nil {
-			return authorizer.DecisionDeny, "valid user is required", err
-		}
-
-		// check if is admin
-		if u.HasRole(identity.RoleAdmin) {
-			return authorizer.DecisionAllow, "", nil
-		}
-
-		return authorizer.DecisionDeny, "forbidden", nil
-	})
-}

apps/advisor/pkg/app/authorizer_test.go

@@ -1,91 +0,0 @@
-package app
-
-import (
-	"context"
-	"testing"
-
-	claims "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/apimachinery/identity"
-	"github.com/stretchr/testify/assert"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-func TestGetAuthorizer(t *testing.T) {
-	tests := []struct {
-		name             string
-		ctx              context.Context
-		attr             authorizer.Attributes
-		expectedDecision authorizer.Decision
-		expectedReason   string
-		expectedErr      error
-	}{
-		{
-			name:             "non-resource request",
-			ctx:              context.TODO(),
-			attr:             &mockAttributes{resourceRequest: false},
-			expectedDecision: authorizer.DecisionNoOpinion,
-			expectedReason:   "",
-			expectedErr:      nil,
-		},
-		{
-			name:             "user is admin",
-			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: true}),
-			attr:             &mockAttributes{resourceRequest: true},
-			expectedDecision: authorizer.DecisionAllow,
-			expectedReason:   "",
-			expectedErr:      nil,
-		},
-		{
-			name:             "user is not admin",
-			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: false}),
-			attr:             &mockAttributes{resourceRequest: true},
-			expectedDecision: authorizer.DecisionDeny,
-			expectedReason:   "forbidden",
-			expectedErr:      nil,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			auth := GetAuthorizer()
-			decision, reason, err := auth.Authorize(tt.ctx, tt.attr)
-			assert.Equal(t, tt.expectedDecision, decision)
-			assert.Equal(t, tt.expectedReason, reason)
-			assert.Equal(t, tt.expectedErr, err)
-		})
-	}
-}
-
-type mockAttributes struct {
-	authorizer.Attributes
-	resourceRequest bool
-}
-
-func (m *mockAttributes) IsResourceRequest() bool {
-	return m.resourceRequest
-}
-
-// Implement other methods of authorizer.Attributes as needed
-
-type mockUser struct {
-	identity.Requester
-	isGrafanaAdmin bool
-}
-
-func (m *mockUser) GetIsGrafanaAdmin() bool {
-	return m.isGrafanaAdmin
-}
-
-func (m *mockUser) HasRole(role identity.RoleType) bool {
-	return role == identity.RoleAdmin && m.isGrafanaAdmin
-}
-
-func (m *mockUser) GetUID() string {
-	return "test-uid"
-}
-
-func (m *mockUser) GetIdentityType() claims.IdentityType {
-	return claims.TypeUser
-}
-
-// Implement other methods of identity.Requester as needed

apps/alerting/historian/go.mod

@@ -4,7 +4,7 @@ go 1.25.5
 
 require (
 	github.com/go-kit/log v0.2.1
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7
 	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4
 	github.com/grafana/grafana-app-sdk v0.48.5
 	github.com/grafana/grafana-app-sdk/logging v0.48.3

apps/alerting/historian/go.sum

@@ -216,12 +216,10 @@ github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grafana/grafana-app-sdk v0.48.5 h1:MS8l9fTZz+VbTfgApn09jw27GxhQ6fNOWGhC4ydvZmM=
-github.com/grafana/grafana-app-sdk v0.48.5/go.mod h1:HJsMOSBmt/D/Ihs1SvagOwmXKi0coBMVHlfvdd+qe9Y=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 h1:jSojuc7njleS3UOz223WDlXOinmuLAIPI0z2vtq8EgI=
 github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4/go.mod h1:VahT+GtfQIM+o8ht2StR6J9g+Ef+C2Vokh5uuSmOD/4=
 github.com/grafana/grafana-app-sdk v0.48.5 h1:MS8l9fTZz+VbTfgApn09jw27GxhQ6fNOWGhC4ydvZmM=

apps/dashboard/go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/grafana/grafana-app-sdk/logging v0.48.3
 	github.com/grafana/grafana-plugin-sdk-go v0.284.0
 	github.com/grafana/grafana/pkg/apimachinery v0.0.0-20250514132646-acbc7b54ed9e
+	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/prometheus/client_golang v1.23.2
 	github.com/stretchr/testify v1.11.1
 	k8s.io/apimachinery v0.34.2
@@ -57,7 +58,6 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.7.0 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/jaegertracing/jaeger-idl v0.5.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect

apps/dashboard/pkg/migration/conversion/testdata/input/v1beta1.value-mapping-and-overrides.json

@@ -0,0 +1,603 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v1beta1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    },
+    "annotations": {},
+    "managedFields": []
+  },
+  "spec": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations & Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "critical": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Critical!"
+                  },
+                  "warning": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  },
+                  "ok": {
+                    "color": "green",
+                    "index": 2,
+                    "text": "OK"
+                  }
+                },
+                "type": "value"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 100
+                },
+                {
+                  "id": "custom.align",
+                  "value": "center"
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "targets": [
+          {
+            "expr": "up",
+            "refId": "A"
+          }
+        ],
+        "title": "ValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "from": 0,
+                  "to": 50,
+                  "result": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Low"
+                  }
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 50,
+                  "to": 80,
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Medium"
+                  }
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 80,
+                  "to": 100,
+                  "result": {
+                    "color": "red",
+                    "index": 2,
+                    "text": "High"
+                  }
+                },
+                "type": "range"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^cpu_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "percent"
+                },
+                {
+                  "id": "decimals",
+                  "value": 2
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 0
+        },
+        "id": 2,
+        "targets": [
+          {
+            "expr": "cpu_usage_percent",
+            "refId": "A"
+          }
+        ],
+        "title": "RangeMap Example",
+        "type": "gauge"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "pattern": "/^error.*/",
+                  "result": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Error"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^warn.*/",
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^info.*/",
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "Info"
+                  }
+                },
+                "type": "regex"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "string"
+              },
+              "properties": [
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-text"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 8
+        },
+        "id": 3,
+        "targets": [
+          {
+            "expr": "log_level",
+            "refId": "A"
+          }
+        ],
+        "title": "RegexMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 0,
+                    "text": "No Data"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 1,
+                    "text": "Not a Number"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "null+nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 2,
+                    "text": "N/A"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "true",
+                  "result": {
+                    "color": "green",
+                    "index": 3,
+                    "text": "Yes"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "false",
+                  "result": {
+                    "color": "red",
+                    "index": 4,
+                    "text": "No"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "empty",
+                  "result": {
+                    "color": "gray",
+                    "index": 5,
+                    "text": "Empty"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "A"
+              },
+              "properties": [
+                {
+                  "id": "color",
+                  "value": {
+                    "mode": "fixed",
+                    "fixedColor": "blue"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 8
+        },
+        "id": 4,
+        "targets": [
+          {
+            "expr": "some_metric",
+            "refId": "A"
+          }
+        ],
+        "title": "SpecialValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "success": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Success"
+                  },
+                  "failure": {
+                    "color": "red",
+                    "index": 1,
+                    "text": "Failure"
+                  }
+                },
+                "type": "value"
+              },
+              {
+                "options": {
+                  "from": 0,
+                  "to": 100,
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "In Range"
+                  }
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "pattern": "/^[A-Z]{3}-\\d+$/",
+                  "result": {
+                    "color": "purple",
+                    "index": 3,
+                    "text": "ID Format"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 4,
+                    "text": "Missing"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 120
+                },
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-background"
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^value_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "short"
+                },
+                {
+                  "id": "min",
+                  "value": 0
+                },
+                {
+                  "id": "max",
+                  "value": 100
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "number"
+              },
+              "properties": [
+                {
+                  "id": "decimals",
+                  "value": 2
+                },
+                {
+                  "id": "thresholds",
+                  "value": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "color": "green",
+                        "value": null
+                      },
+                      {
+                        "color": "yellow",
+                        "value": 50
+                      },
+                      {
+                        "color": "red",
+                        "value": 80
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "B"
+              },
+              "properties": [
+                {
+                  "id": "displayName",
+                  "value": "Secondary Query"
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byValue",
+                "options": {
+                  "reducer": "allIsNull",
+                  "op": "gte",
+                  "value": 0
+                }
+              },
+              "properties": [
+                {
+                  "id": "custom.hidden",
+                  "value": true
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 24,
+          "x": 0,
+          "y": 16
+        },
+        "id": 5,
+        "targets": [
+          {
+            "expr": "combined_metric",
+            "refId": "A"
+          },
+          {
+            "expr": "secondary_metric",
+            "refId": "B"
+          }
+        ],
+        "title": "Combined Mappings and Overrides Example",
+        "type": "table"
+      }
+    ],
+    "schemaVersion": 42,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-6h",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "browser",
+    "title": "Value Mapping and Overrides Test",
+    "weekStart": ""
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v0alpha1"
+    }
+  },
+  "access": {
+    "slug": "value-mapping-test",
+    "url": "/d/value-mapping-test/value-mapping-and-overrides-test",
+    "canSave": true,
+    "canEdit": true,
+    "canAdmin": true,
+    "canStar": true,
+    "canDelete": true,
+    "annotationsPermissions": {
+      "dashboard": {
+        "canAdd": true,
+        "canEdit": true,
+        "canDelete": true
+      },
+      "organization": {
+        "canAdd": true,
+        "canEdit": true,
+        "canDelete": true
+      }
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v30.value_mappings_and_tooltip_options.v42.v2alpha1.json

@@ -530,7 +530,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v30.value_mappings_and_tooltip_options.v42.v2beta1.json

@@ -546,7 +546,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v33.panel_ds_name_to_ref.v42.v2alpha1.json

@@ -548,7 +548,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v33.panel_ds_name_to_ref.v42.v2beta1.json

@@ -574,7 +574,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v34.multiple_stats_cloudwatch.v42.v2alpha1.json

@@ -1663,7 +1663,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v34.multiple_stats_cloudwatch.v42.v2beta1.json

@@ -1727,7 +1727,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v42.hidefrom_tooltip.v42.v2alpha1.json

@@ -328,7 +328,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v42.hidefrom_tooltip.v42.v2beta1.json

@@ -335,7 +335,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/output/v1beta1.value-mapping-and-overrides.v0alpha1.json

@@ -0,0 +1,580 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v0alpha1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    }
+  },
+  "spec": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "critical": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Critical!"
+                  },
+                  "ok": {
+                    "color": "green",
+                    "index": 2,
+                    "text": "OK"
+                  },
+                  "warning": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  }
+                },
+                "type": "value"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 100
+                },
+                {
+                  "id": "custom.align",
+                  "value": "center"
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "targets": [
+          {
+            "expr": "up",
+            "refId": "A"
+          }
+        ],
+        "title": "ValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "from": 0,
+                  "result": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Low"
+                  },
+                  "to": 50
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 50,
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Medium"
+                  },
+                  "to": 80
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 80,
+                  "result": {
+                    "color": "red",
+                    "index": 2,
+                    "text": "High"
+                  },
+                  "to": 100
+                },
+                "type": "range"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^cpu_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "percent"
+                },
+                {
+                  "id": "decimals",
+                  "value": 2
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 0
+        },
+        "id": 2,
+        "targets": [
+          {
+            "expr": "cpu_usage_percent",
+            "refId": "A"
+          }
+        ],
+        "title": "RangeMap Example",
+        "type": "gauge"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "pattern": "/^error.*/",
+                  "result": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Error"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^warn.*/",
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^info.*/",
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "Info"
+                  }
+                },
+                "type": "regex"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "string"
+              },
+              "properties": [
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-text"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 8
+        },
+        "id": 3,
+        "targets": [
+          {
+            "expr": "log_level",
+            "refId": "A"
+          }
+        ],
+        "title": "RegexMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 0,
+                    "text": "No Data"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 1,
+                    "text": "Not a Number"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "null+nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 2,
+                    "text": "N/A"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "true",
+                  "result": {
+                    "color": "green",
+                    "index": 3,
+                    "text": "Yes"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "false",
+                  "result": {
+                    "color": "red",
+                    "index": 4,
+                    "text": "No"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "empty",
+                  "result": {
+                    "color": "gray",
+                    "index": 5,
+                    "text": "Empty"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "A"
+              },
+              "properties": [
+                {
+                  "id": "color",
+                  "value": {
+                    "fixedColor": "blue",
+                    "mode": "fixed"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 8
+        },
+        "id": 4,
+        "targets": [
+          {
+            "expr": "some_metric",
+            "refId": "A"
+          }
+        ],
+        "title": "SpecialValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "failure": {
+                    "color": "red",
+                    "index": 1,
+                    "text": "Failure"
+                  },
+                  "success": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Success"
+                  }
+                },
+                "type": "value"
+              },
+              {
+                "options": {
+                  "from": 0,
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "In Range"
+                  },
+                  "to": 100
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "pattern": "/^[A-Z]{3}-\\d+$/",
+                  "result": {
+                    "color": "purple",
+                    "index": 3,
+                    "text": "ID Format"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 4,
+                    "text": "Missing"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 120
+                },
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-background"
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^value_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "short"
+                },
+                {
+                  "id": "min",
+                  "value": 0
+                },
+                {
+                  "id": "max",
+                  "value": 100
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "number"
+              },
+              "properties": [
+                {
+                  "id": "decimals",
+                  "value": 2
+                },
+                {
+                  "id": "thresholds",
+                  "value": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "color": "green",
+                        "value": null
+                      },
+                      {
+                        "color": "yellow",
+                        "value": 50
+                      },
+                      {
+                        "color": "red",
+                        "value": 80
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "B"
+              },
+              "properties": [
+                {
+                  "id": "displayName",
+                  "value": "Secondary Query"
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byValue",
+                "options": {
+                  "op": "gte",
+                  "reducer": "allIsNull",
+                  "value": 0
+                }
+              },
+              "properties": [
+                {
+                  "id": "custom.hidden",
+                  "value": true
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 24,
+          "x": 0,
+          "y": 16
+        },
+        "id": 5,
+        "targets": [
+          {
+            "expr": "combined_metric",
+            "refId": "A"
+          },
+          {
+            "expr": "secondary_metric",
+            "refId": "B"
+          }
+        ],
+        "title": "Combined Mappings and Overrides Example",
+        "type": "table"
+      }
+    ],
+    "schemaVersion": 42,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-6h",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "browser",
+    "title": "Value Mapping and Overrides Test",
+    "weekStart": ""
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v1beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/output/v1beta1.value-mapping-and-overrides.v2alpha1.json

@@ -0,0 +1,783 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v2alpha1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    }
+  },
+  "spec": {
+    "annotations": [
+      {
+        "kind": "AnnotationQuery",
+        "spec": {
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "query": {
+            "kind": "grafana",
+            "spec": {}
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "builtIn": true,
+          "legacyOptions": {
+            "type": "dashboard"
+          }
+        }
+      }
+    ],
+    "cursorSync": "Off",
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "elements": {
+      "panel-1": {
+        "kind": "Panel",
+        "spec": {
+          "id": 1,
+          "title": "ValueMap Example",
+          "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "up"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "stat",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "critical": {
+                          "text": "Critical!",
+                          "color": "red",
+                          "index": 0
+                        },
+                        "ok": {
+                          "text": "OK",
+                          "color": "green",
+                          "index": 2
+                        },
+                        "warning": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 100
+                      },
+                      {
+                        "id": "custom.align",
+                        "value": "center"
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-2": {
+        "kind": "Panel",
+        "spec": {
+          "id": 2,
+          "title": "RangeMap Example",
+          "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "cpu_usage_percent"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "gauge",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 50,
+                        "result": {
+                          "text": "Low",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 50,
+                        "to": 80,
+                        "result": {
+                          "text": "Medium",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 80,
+                        "to": 100,
+                        "result": {
+                          "text": "High",
+                          "color": "red",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^cpu_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "percent"
+                      },
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-3": {
+        "kind": "Panel",
+        "spec": {
+          "id": 3,
+          "title": "RegexMap Example",
+          "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "log_level"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "stat",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^error.*/",
+                        "result": {
+                          "text": "Error",
+                          "color": "red",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^warn.*/",
+                        "result": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^info.*/",
+                        "result": {
+                          "text": "Info",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "string"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-text"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-4": {
+        "kind": "Panel",
+        "spec": {
+          "id": 4,
+          "title": "SpecialValueMap Example",
+          "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "some_metric"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "stat",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "No Data",
+                          "color": "gray",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "nan",
+                        "result": {
+                          "text": "Not a Number",
+                          "color": "gray",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null+nan",
+                        "result": {
+                          "text": "N/A",
+                          "color": "gray",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "true",
+                        "result": {
+                          "text": "Yes",
+                          "color": "green",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "false",
+                        "result": {
+                          "text": "No",
+                          "color": "red",
+                          "index": 4
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "empty",
+                        "result": {
+                          "text": "Empty",
+                          "color": "gray",
+                          "index": 5
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "A"
+                    },
+                    "properties": [
+                      {
+                        "id": "color",
+                        "value": {
+                          "fixedColor": "blue",
+                          "mode": "fixed"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-5": {
+        "kind": "Panel",
+        "spec": {
+          "id": 5,
+          "title": "Combined Mappings and Overrides Example",
+          "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "combined_metric"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                },
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "secondary_metric"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "B",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "table",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "failure": {
+                          "text": "Failure",
+                          "color": "red",
+                          "index": 1
+                        },
+                        "success": {
+                          "text": "Success",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 100,
+                        "result": {
+                          "text": "In Range",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^[A-Z]{3}-\\d+$/",
+                        "result": {
+                          "text": "ID Format",
+                          "color": "purple",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "Missing",
+                          "color": "gray",
+                          "index": 4
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 120
+                      },
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-background"
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^value_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "short"
+                      },
+                      {
+                        "id": "min",
+                        "value": 0
+                      },
+                      {
+                        "id": "max",
+                        "value": 100
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "number"
+                    },
+                    "properties": [
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      },
+                      {
+                        "id": "thresholds",
+                        "value": {
+                          "mode": "absolute",
+                          "steps": [
+                            {
+                              "color": "green",
+                              "value": null
+                            },
+                            {
+                              "color": "yellow",
+                              "value": 50
+                            },
+                            {
+                              "color": "red",
+                              "value": 80
+                            }
+                          ]
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "B"
+                    },
+                    "properties": [
+                      {
+                        "id": "displayName",
+                        "value": "Secondary Query"
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byValue",
+                      "options": {
+                        "op": "gte",
+                        "reducer": "allIsNull",
+                        "value": 0
+                      }
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.hidden",
+                        "value": true
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    },
+    "layout": {
+      "kind": "GridLayout",
+      "spec": {
+        "items": [
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-1"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-2"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-3"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-4"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 16,
+              "width": 24,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-5"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "links": [],
+    "liveNow": false,
+    "preload": false,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "timeSettings": {
+      "timezone": "browser",
+      "from": "now-6h",
+      "to": "now",
+      "autoRefresh": "",
+      "autoRefreshIntervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+      ],
+      "hideTimepicker": false,
+      "fiscalYearStartMonth": 0
+    },
+    "title": "Value Mapping and Overrides Test",
+    "variables": []
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v1beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/output/v1beta1.value-mapping-and-overrides.v2beta1.json

@@ -0,0 +1,795 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v2beta1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    }
+  },
+  "spec": {
+    "annotations": [
+      {
+        "kind": "AnnotationQuery",
+        "spec": {
+          "query": {
+            "kind": "DataQuery",
+            "group": "grafana",
+            "version": "v0",
+            "datasource": {
+              "name": "-- Grafana --"
+            },
+            "spec": {}
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "builtIn": true,
+          "legacyOptions": {
+            "type": "dashboard"
+          }
+        }
+      }
+    ],
+    "cursorSync": "Off",
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "elements": {
+      "panel-1": {
+        "kind": "Panel",
+        "spec": {
+          "id": 1,
+          "title": "ValueMap Example",
+          "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "up"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "stat",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "critical": {
+                          "text": "Critical!",
+                          "color": "red",
+                          "index": 0
+                        },
+                        "ok": {
+                          "text": "OK",
+                          "color": "green",
+                          "index": 2
+                        },
+                        "warning": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 100
+                      },
+                      {
+                        "id": "custom.align",
+                        "value": "center"
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-2": {
+        "kind": "Panel",
+        "spec": {
+          "id": 2,
+          "title": "RangeMap Example",
+          "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "cpu_usage_percent"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "gauge",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 50,
+                        "result": {
+                          "text": "Low",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 50,
+                        "to": 80,
+                        "result": {
+                          "text": "Medium",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 80,
+                        "to": 100,
+                        "result": {
+                          "text": "High",
+                          "color": "red",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^cpu_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "percent"
+                      },
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-3": {
+        "kind": "Panel",
+        "spec": {
+          "id": 3,
+          "title": "RegexMap Example",
+          "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "log_level"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "stat",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^error.*/",
+                        "result": {
+                          "text": "Error",
+                          "color": "red",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^warn.*/",
+                        "result": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^info.*/",
+                        "result": {
+                          "text": "Info",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "string"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-text"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-4": {
+        "kind": "Panel",
+        "spec": {
+          "id": 4,
+          "title": "SpecialValueMap Example",
+          "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "some_metric"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "stat",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "No Data",
+                          "color": "gray",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "nan",
+                        "result": {
+                          "text": "Not a Number",
+                          "color": "gray",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null+nan",
+                        "result": {
+                          "text": "N/A",
+                          "color": "gray",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "true",
+                        "result": {
+                          "text": "Yes",
+                          "color": "green",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "false",
+                        "result": {
+                          "text": "No",
+                          "color": "red",
+                          "index": 4
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "empty",
+                        "result": {
+                          "text": "Empty",
+                          "color": "gray",
+                          "index": 5
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "A"
+                    },
+                    "properties": [
+                      {
+                        "id": "color",
+                        "value": {
+                          "fixedColor": "blue",
+                          "mode": "fixed"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-5": {
+        "kind": "Panel",
+        "spec": {
+          "id": 5,
+          "title": "Combined Mappings and Overrides Example",
+          "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "combined_metric"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                },
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "secondary_metric"
+                      }
+                    },
+                    "refId": "B",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "table",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "failure": {
+                          "text": "Failure",
+                          "color": "red",
+                          "index": 1
+                        },
+                        "success": {
+                          "text": "Success",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 100,
+                        "result": {
+                          "text": "In Range",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^[A-Z]{3}-\\d+$/",
+                        "result": {
+                          "text": "ID Format",
+                          "color": "purple",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "Missing",
+                          "color": "gray",
+                          "index": 4
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 120
+                      },
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-background"
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^value_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "short"
+                      },
+                      {
+                        "id": "min",
+                        "value": 0
+                      },
+                      {
+                        "id": "max",
+                        "value": 100
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "number"
+                    },
+                    "properties": [
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      },
+                      {
+                        "id": "thresholds",
+                        "value": {
+                          "mode": "absolute",
+                          "steps": [
+                            {
+                              "color": "green",
+                              "value": null
+                            },
+                            {
+                              "color": "yellow",
+                              "value": 50
+                            },
+                            {
+                              "color": "red",
+                              "value": 80
+                            }
+                          ]
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "B"
+                    },
+                    "properties": [
+                      {
+                        "id": "displayName",
+                        "value": "Secondary Query"
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byValue",
+                      "options": {
+                        "op": "gte",
+                        "reducer": "allIsNull",
+                        "value": 0
+                      }
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.hidden",
+                        "value": true
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    },
+    "layout": {
+      "kind": "GridLayout",
+      "spec": {
+        "items": [
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-1"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-2"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-3"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-4"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 16,
+              "width": 24,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-5"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "links": [],
+    "liveNow": false,
+    "preload": false,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "timeSettings": {
+      "timezone": "browser",
+      "from": "now-6h",
+      "to": "now",
+      "autoRefresh": "",
+      "autoRefreshIntervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+      ],
+      "hideTimepicker": false,
+      "fiscalYearStartMonth": 0
+    },
+    "title": "Value Mapping and Overrides Test",
+    "variables": []
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v1beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/v1beta1_to_v2alpha1.go

@@ -501,11 +501,9 @@ func convertToRowsLayout(ctx context.Context, panels []interface{}, dsIndexProvi
 
 			if currentRow != nil {
 				// If currentRow is a hidden-header row (panels before first explicit row),
-				// set its collapse to match the first explicit row's collapsed value
-				// This matches frontend behavior: collapse: panel.collapsed
+				// it should not be collapsed because it will disappear and be visible only in edit mode
 				if currentRow.Spec.HideHeader != nil && *currentRow.Spec.HideHeader {
-					rowCollapsed := getBoolField(panelMap, "collapsed", false)
-					currentRow.Spec.Collapse = &rowCollapsed
+					currentRow.Spec.Collapse = &[]bool{false}[0]
 				}
 				// Flush current row to layout
 				rows = append(rows, *currentRow)
@@ -2022,6 +2020,9 @@ func transformPanelQueries(ctx context.Context, panelMap map[string]interface{},
 
 func transformSingleQuery(ctx context.Context, targetMap map[string]interface{}, panelDatasource *dashv2alpha1.DashboardDataSourceRef, dsIndexProvider schemaversion.DataSourceIndexProvider) dashv2alpha1.DashboardPanelQueryKind {
 	refId := schemaversion.GetStringValue(targetMap, "refId", "A")
+	if refId == "" {
+		refId = "A"
+	}
 	hidden := getBoolField(targetMap, "hide", false)
 
 	// Extract datasource from query or use panel datasource
@@ -2518,22 +2519,15 @@ func buildRegexMap(mappingMap map[string]interface{}) *dashv2alpha1.DashboardReg
 	regexMap := &dashv2alpha1.DashboardRegexMap{}
 	regexMap.Type = dashv2alpha1.DashboardMappingTypeRegex
 
-	opts, ok := mappingMap["options"].([]interface{})
-	if !ok || len(opts) == 0 {
-		return nil
-	}
-
-	optMap, ok := opts[0].(map[string]interface{})
+	optMap, ok := mappingMap["options"].(map[string]interface{})
 	if !ok {
 		return nil
 	}
 
 	r := dashv2alpha1.DashboardV2alpha1RegexMapOptions{}
-	if pattern, ok := optMap["regex"].(string); ok {
+	if pattern, ok := optMap["pattern"].(string); ok {
 		r.Pattern = pattern
 	}
-
-	// Result is a DashboardValueMappingResult
 	if resMap, ok := optMap["result"].(map[string]interface{}); ok {
 		r.Result = buildValueMappingResult(resMap)
 	}

apps/dashboard/pkg/migration/schemaversion/cache.go

@@ -5,12 +5,11 @@ import (
 	"sync"
 	"time"
 
-	"github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/hashicorp/golang-lru/v2/expirable"
-	k8srequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/endpoints/request"
 
-	"github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"
+	"github.com/grafana/authlib/types"
+	"github.com/grafana/grafana-app-sdk/logging"
 )
 
 const defaultCacheSize = 1000
@@ -32,17 +31,15 @@ type cachedProvider[T any] struct {
 	fetch    func(context.Context) T
 	cache    *expirable.LRU[string, T] // LRU cache: namespace to cache entry
 	inFlight sync.Map                  // map[string]*sync.Mutex - per-namespace fetch locks
-	logger   log.Logger
 }
 
 // newCachedProvider creates a new cachedProvider.
 // The fetch function should be able to handle context with different namespaces.
 // A non-positive size turns LRU mechanism off (cache of unlimited size).
 // A non-positive cacheTTL disables TTL expiration.
-func newCachedProvider[T any](fetch func(context.Context) T, size int, cacheTTL time.Duration, logger log.Logger) *cachedProvider[T] {
+func newCachedProvider[T any](fetch func(context.Context) T, size int, cacheTTL time.Duration) *cachedProvider[T] {
 	cacheProvider := &cachedProvider[T]{
-		fetch:  fetch,
-		logger: logger,
+		fetch: fetch,
 	}
 	cacheProvider.cache = expirable.NewLRU(size, func(key string, value T) {
 		cacheProvider.inFlight.Delete(key)
@@ -53,14 +50,13 @@ func newCachedProvider[T any](fetch func(context.Context) T, size int, cacheTTL
 // Get returns the cached value if it's still valid, otherwise calls fetch and caches the result.
 func (p *cachedProvider[T]) Get(ctx context.Context) T {
 	// Get namespace info from ctx
-	nsInfo, err := request.NamespaceInfoFrom(ctx, true)
-	if err != nil {
+	namespace, ok := request.NamespaceFrom(ctx)
+	if !ok {
 		// No namespace, fall back to direct fetch call without caching
-		p.logger.Warn("Unable to get namespace info from context, skipping cache", "error", err)
+		logging.FromContext(ctx).Warn("Unable to get namespace info from context, skipping cache")
 		return p.fetch(ctx)
 	}
 
-	namespace := nsInfo.Value
 	// Fast path: check if cache is still valid
 	if entry, ok := p.cache.Get(namespace); ok {
 		return entry
@@ -81,7 +77,7 @@ func (p *cachedProvider[T]) Get(ctx context.Context) T {
 	}
 
 	// Fetch outside the main lock - only this namespace is blocked
-	p.logger.Debug("cache miss or expired, fetching new value", "namespace", namespace)
+	logging.FromContext(ctx).Debug("cache miss or expired, fetching new value", "namespace", namespace)
 	value := p.fetch(ctx)
 
 	// Update the cache for this namespace
@@ -93,12 +89,12 @@ func (p *cachedProvider[T]) Get(ctx context.Context) T {
 // Preload loads data into the cache for the given namespaces.
 func (p *cachedProvider[T]) Preload(ctx context.Context, nsInfos []types.NamespaceInfo) {
 	// Build the cache using a context with the namespace
-	p.logger.Info("preloading cache", "nsInfos", len(nsInfos))
+	logging.FromContext(ctx).Info("preloading cache", "nsInfos", len(nsInfos))
 	startedAt := time.Now()
 	defer func() {
-		p.logger.Info("finished preloading cache", "nsInfos", len(nsInfos), "elapsed", time.Since(startedAt))
+		logging.FromContext(ctx).Info("finished preloading cache", "nsInfos", len(nsInfos), "elapsed", time.Since(startedAt))
 	}()
 	for _, nsInfo := range nsInfos {
-		p.cache.Add(nsInfo.Value, p.fetch(k8srequest.WithNamespace(ctx, nsInfo.Value)))
+		p.cache.Add(nsInfo.Value, p.fetch(request.WithNamespace(ctx, nsInfo.Value)))
 	}
 }

apps/dashboard/pkg/migration/schemaversion/cache_test.go

@@ -8,11 +8,11 @@ import (
 	"testing"
 	"time"
 
-	authlib "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apiserver/pkg/endpoints/request"
+
+	authlib "github.com/grafana/authlib/types"
 )
 
 // testProvider tracks how many times get() is called
@@ -44,7 +44,7 @@ func TestCachedProvider_CacheHit(t *testing.T) {
 
 	underlying := newTestProvider(datasources)
 	// Test newCachedProvider directly instead of the wrapper
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Use "default" namespace (org 1) - this is the standard Grafana namespace format
 	ctx := request.WithNamespace(context.Background(), "default")
@@ -69,7 +69,7 @@ func TestCachedProvider_NamespaceIsolation(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Use "default" (org 1) and "org-2" (org 2) - standard Grafana namespace formats
 	ctx1 := request.WithNamespace(context.Background(), "default")
@@ -102,7 +102,7 @@ func TestCachedProvider_NoNamespaceFallback(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Context without namespace - should fall back to direct provider call
 	ctx := context.Background()
@@ -123,7 +123,7 @@ func TestCachedProvider_ConcurrentAccess(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Use "default" namespace (org 1)
 	ctx := request.WithNamespace(context.Background(), "default")
@@ -155,7 +155,7 @@ func TestCachedProvider_ConcurrentNamespaces(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	var wg sync.WaitGroup
 	numOrgs := 10
@@ -198,7 +198,7 @@ func TestCachedProvider_CorrectDataPerNamespace(t *testing.T) {
 			"org-2":   {{UID: "org2-ds", Type: "loki", Name: "Org2 DS", Default: true}},
 		},
 	}
-	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute)
 
 	// Use valid namespace formats
 	ctx1 := request.WithNamespace(context.Background(), "default")
@@ -228,7 +228,7 @@ func TestCachedProvider_PreloadMultipleNamespaces(t *testing.T) {
 			"org-3":   {{UID: "org3-ds", Type: "tempo", Name: "Org3 DS", Default: true}},
 		},
 	}
-	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute)
 
 	// Preload multiple namespaces
 	nsInfos := []authlib.NamespaceInfo{
@@ -346,7 +346,7 @@ func TestCachedProvider_TTLExpiration(t *testing.T) {
 	underlying := newTestProvider(datasources)
 	// Use a very short TTL for testing
 	shortTTL := 50 * time.Millisecond
-	cached := newCachedProvider(underlying.get, defaultCacheSize, shortTTL, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, shortTTL)
 
 	ctx := request.WithNamespace(context.Background(), "default")
 
@@ -379,7 +379,7 @@ func TestCachedProvider_ParallelNamespacesFetch(t *testing.T) {
 			{UID: "ds1", Type: "prometheus", Name: "Prometheus", Default: true},
 		},
 	}
-	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute)
 
 	numNamespaces := 5
 	var wg sync.WaitGroup
@@ -421,7 +421,7 @@ func TestCachedProvider_SameNamespaceSerialFetch(t *testing.T) {
 			{UID: "ds1", Type: "prometheus", Name: "Prometheus", Default: true},
 		},
 	}
-	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute)
 
 	numGoroutines := 10
 	var wg sync.WaitGroup

apps/dashboard/pkg/migration/schemaversion/datasource_utils.go

@@ -3,8 +3,6 @@ package schemaversion
 import (
 	"context"
 	"time"
-
-	"github.com/grafana/grafana/pkg/infra/log"
 )
 
 // Shared utility functions for datasource migrations across different schema versions.
@@ -36,7 +34,7 @@ func WrapIndexProviderWithCache(provider DataSourceIndexProvider, cacheTTL time.
 		return provider
 	}
 	return &cachedIndexProvider{
-		newCachedProvider[*DatasourceIndex](provider.Index, defaultCacheSize, cacheTTL, log.New("schemaversion.dsindexprovider")),
+		newCachedProvider[*DatasourceIndex](provider.Index, defaultCacheSize, cacheTTL),
 	}
 }
 
@@ -46,7 +44,7 @@ func WrapLibraryElementProviderWithCache(provider LibraryElementIndexProvider, c
 		return provider
 	}
 	return &cachedLibraryElementProvider{
-		newCachedProvider[[]LibraryElementInfo](provider.GetLibraryElementInfo, defaultCacheSize, cacheTTL, log.New("schemaversion.leindexprovider")),
+		newCachedProvider[[]LibraryElementInfo](provider.GetLibraryElementInfo, defaultCacheSize, cacheTTL),
 	}
 }
 

apps/dashboard/pkg/migration/testdata/dev-dashboards-output/panel-gauge/gauge_tests_new.v42.json

@@ -75,9 +75,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -154,9 +154,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -233,9 +233,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -312,9 +312,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -391,9 +391,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -470,9 +470,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": false,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -549,9 +549,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": false,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -641,9 +641,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -720,9 +720,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -799,9 +799,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -878,9 +878,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -974,9 +974,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1053,9 +1053,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1132,9 +1132,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1211,9 +1211,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1290,9 +1290,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1386,9 +1386,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1469,9 +1469,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1552,9 +1552,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1643,9 +1643,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1727,9 +1727,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1825,9 +1825,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1910,9 +1910,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1994,9 +1994,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -2078,9 +2078,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -2172,7 +2172,9 @@
         },
         "orientation": "auto",
         "reduceOptions": {
-          "calcs": ["lastNotNull"],
+          "calcs": [
+            "lastNotNull"
+          ],
           "fields": "",
           "values": false
         },
@@ -2238,7 +2240,9 @@
         },
         "orientation": "auto",
         "reduceOptions": {
-          "calcs": ["lastNotNull"],
+          "calcs": [
+            "lastNotNull"
+          ],
           "fields": "",
           "values": false
         },
@@ -2275,4 +2279,4 @@
   "title": "Panel tests - Gauge (new)",
   "uid": "panel-tests-gauge-new",
   "weekStart": ""
-}
+}

apps/dashboard/pkg/migration/testdata/dev-dashboards-output/panel-gauge/gauge_tests_old_to_new.v42.json

@@ -955,9 +955,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1162,4 +1162,4 @@
   "title": "Panel tests - Old gauge to new",
   "uid": "panel-tests-old-gauge-to-new",
   "weekStart": ""
-}
+}

apps/iam/go.mod

@@ -221,7 +221,7 @@ require (
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // indirect
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // indirect
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect

apps/iam/go.sum

@@ -817,8 +817,8 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=

apps/plugins/go.mod

@@ -74,7 +74,7 @@ require (
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // indirect
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // indirect
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect

apps/plugins/go.sum

@@ -174,8 +174,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=

apps/scope/pkg/apis/scope/v0alpha1/types.go

@@ -211,6 +211,12 @@ type ScopeNavigationSpec struct {
 	Scope string `json:"scope"`
 	// Used to navigate to a sub-scope of the main scope. URL will not be used if this is set.
 	SubScope string `json:"subScope,omitempty"`
+	// Preload the subscope children, as soon as the ScopeNavigation is loaded.
+	PreLoadSubScopeChildren bool `json:"preLoadSubScopeChildren,omitempty"`
+	// Expands to display the subscope children when the ScopeNavigation is loaded.
+	ExpandOnLoad bool `json:"expandOnLoad,omitempty"`
+	// Makes the subscope not selectable, only serving as a way to build the tree.
+	DisableSubScopeSelection bool `json:"disableSubScopeSelection,omitempty"`
 }
 
 // Type of the item.

apps/scope/pkg/apis/scope/v0alpha1/zz_generated.openapi.go

@@ -642,6 +642,27 @@ func schema_pkg_apis_scope_v0alpha1_ScopeNavigationSpec(ref common.ReferenceCall
 							Format:      "",
 						},
 					},
+					"preLoadSubScopeChildren": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Preload the subscope children, as soon as the ScopeNavigation is loaded.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"expandOnLoad": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Expands to display the subscope children when the ScopeNavigation is loaded.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"disableSubScopeSelection": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Makes the subscope not selectable, only serving as a way to build the tree.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
 				},
 				Required: []string{"url", "scope"},
 			},

conf/defaults.ini

@@ -1327,6 +1327,10 @@ alertmanager_max_silences_count =
 # Maximum silence size in bytes. Default: 0 (no limit).
 alertmanager_max_silence_size_bytes =
 
+# Maximum size of the expanded template output in bytes. Default: 10485760 (0 - no limit).
+# The result of template expansion will be truncated to the limit.
+alertmanager_max_template_output_bytes =
+
 # Redis server address or addresses. It can be a single Redis address if using Redis standalone,
 # or a list of comma-separated addresses if using Redis Cluster/Sentinel.
 ha_redis_address =

devenv/scopes/scopes-config.yaml

@@ -210,6 +210,7 @@ navigationTree:
     url: /d/UTv--wqMk
     scope: shoe-org
     subScope: apparel
+    disableSubScopeSelection: true
     children:
       - name: apparel-product-overview
         title: Product Overview

devenv/scopes/scopes.go

@@ -77,22 +77,24 @@ type TreeNode struct {
 }
 
 type NavigationConfig struct {
-	URL      string   `yaml:"url"`      // URL path (e.g., /d/abc123 or /explore)
-	Scope    string   `yaml:"scope"`    // Required scope
-	SubScope string   `yaml:"subScope"` // Optional subScope for hierarchical navigation
-	Title    string   `yaml:"title"`    // Display title
-	Groups   []string `yaml:"groups"`   // Optional groups for categorization
+	URL                      string   `yaml:"url"`                      // URL path (e.g., /d/abc123 or /explore)
+	Scope                    string   `yaml:"scope"`                    // Required scope
+	SubScope                 string   `yaml:"subScope"`                 // Optional subScope for hierarchical navigation
+	Title                    string   `yaml:"title"`                    // Display title
+	Groups                   []string `yaml:"groups"`                   // Optional groups for categorization
+	DisableSubScopeSelection bool     `yaml:"disableSubScopeSelection"` // Makes the subscope not selectable
 }
 
 // NavigationTreeNode represents a node in the navigation tree structure
 type NavigationTreeNode struct {
-	Name     string               `yaml:"name"`
-	Title    string               `yaml:"title"`
-	URL      string               `yaml:"url"`
-	Scope    string               `yaml:"scope"`
-	SubScope string               `yaml:"subScope,omitempty"`
-	Groups   []string             `yaml:"groups,omitempty"`
-	Children []NavigationTreeNode `yaml:"children,omitempty"`
+	Name                     string               `yaml:"name"`
+	Title                    string               `yaml:"title"`
+	URL                      string               `yaml:"url"`
+	Scope                    string               `yaml:"scope"`
+	SubScope                 string               `yaml:"subScope,omitempty"`
+	Groups                   []string             `yaml:"groups,omitempty"`
+	DisableSubScopeSelection bool                 `yaml:"disableSubScopeSelection,omitempty"`
+	Children                 []NavigationTreeNode `yaml:"children,omitempty"`
 }
 
 // Helper function to convert ScopeFilterConfig to v0alpha1.ScopeFilter
@@ -313,8 +315,9 @@ func (c *Client) createScopeNavigation(name string, nav NavigationConfig) error
 	prefixedScope := prefix + "-" + nav.Scope
 
 	spec := v0alpha1.ScopeNavigationSpec{
-		URL:   nav.URL,
-		Scope: prefixedScope,
+		URL:                      nav.URL,
+		Scope:                    prefixedScope,
+		DisableSubScopeSelection: nav.DisableSubScopeSelection,
 	}
 
 	if nav.SubScope != "" {
@@ -404,9 +407,10 @@ func treeToNavigations(node NavigationTreeNode, parentPath []string, dashboardCo
 
 	// Create navigation for this node
 	nav := NavigationConfig{
-		URL:   url,
-		Scope: node.Scope,
-		Title: node.Title,
+		URL:                      url,
+		Scope:                    node.Scope,
+		Title:                    node.Title,
+		DisableSubScopeSelection: node.DisableSubScopeSelection,
 	}
 	if node.SubScope != "" {
 		nav.SubScope = node.SubScope

docs/sources/administration/plugin-management/plugin-install.md

@@ -21,11 +21,28 @@ weight: 120
 
 # Install a plugin
 
-Besides the UI, you can use alternative methods to install a plugin depending on your environment or set-up.
+{{< admonition type="note" >}}
+
+Installing plugins from the Grafana website into a Grafana Cloud instance will be removed in February 2026.
+
+If you're a Grafana Cloud user, follow [Install a plugin through the Grafana UI](#install-a-plugin-through-the-grafana-uiinstall-a-plugin-through-the-grafana-ui) instead.
+
+{{< /admonition >}}
+
+## Install a plugin through the Grafana UI
+
+The most common way to install a plugin is through the Grafana UI.
+
+1. In Grafana, click **Administration > Plugins and data > Plugins** in the side navigation menu to view all plugins.
+1. Browse and find a plugin.
+1. Click the plugin's logo.
+1. Click **Install**.
+
+You can use use the following alternative methods to install a plugin depending on your environment or setup.
 
 ## Install a plugin using Grafana CLI
 
-The Grafana CLI allows you to install, upgrade, and manage your Grafana plugins using a command line tool. For more information about Grafana CLI plugin commands, refer to [Plugin commands](/docs/grafana/<GRAFANA_VERSION>/cli/#plugins-commands).
+The Grafana CLI allows you to install, upgrade, and manage your Grafana plugins using a command line tool. For more information about Grafana CLI plugin commands, refer to [Plugin commands](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/cli/#plugins-commands).
 
 ## Install a plugin from a ZIP file
 

docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md

@@ -44,7 +44,7 @@ refs:
       destination: /docs/grafana-cloud/alerting-and-irm/oncall/user-and-team-management/#available-grafana-oncall-rbac-roles--granted-actions
 ---
 
-# RBAC role definitions
+# Grafana RBAC role definitions
 
 {{< admonition type="note" >}}
 Available in [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/) and [Grafana Cloud](/docs/grafana-cloud).
@@ -59,7 +59,7 @@ The following tables list permissions associated with basic and fixed roles. Thi
 | Grafana Admin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | `basic_grafana_admin`                                                                                                                                    |
 | `fixed:authentication.config:writer`<br>`fixed:general.auth.config:writer`<br>`fixed:ldap:writer`<br>`fixed:licensing:writer`<br>`fixed:migrationassistant:migrator`<br>`fixed:org.users:writer`<br>`fixed:organization:maintainer`<br>`fixed:plugins:maintainer`<br>`fixed:provisioning:writer`<br>`fixed:roles:writer`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:stats:reader`<br>`fixed:support.bundles:writer`<br>`fixed:usagestats:reader`<br>`fixed:users:writer` | Default [Grafana server administrator](/docs/grafana/<GRAFANA_VERSION>/administration/roles-and-permissions/#grafana-server-administrators) assignments. |
 | Admin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | `basic_admin`                                                                                                                                            | All roles assigned to Editor and `fixed:reports:writer` <br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:writer`<br>`fixed:dashboards.public:writer`<br>`fixed:folders:writer`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer`<br>`fixed:datasources.caching:writer`<br>`fixed:plugins:writer`<br>`fixed:library.panels:writer` | Default [Grafana organization administrator](ref:rbac-basic-roles) assignments. |
-| Editor                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `basic_editor`                                                                                                                                           | All roles assigned to Viewer and `fixed:datasources:explorer` <br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:alerting:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.status:writer`                                                                                                                                                                                                                                                                            | Default [Editor](ref:rbac-basic-roles) assignments.                             |
+| Editor                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `basic_editor`                                                                                                                                           | All roles assigned to Viewer and `fixed:datasources:explorer` <br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:alerting:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.provenance:writer`                                                                                                                                                                                                                                                                        | Default [Editor](ref:rbac-basic-roles) assignments.                             |
 | Viewer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `basic_viewer`                                                                                                                                           | `fixed:datasources.id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`<br>`fixed:plugins.app:reader`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:folders.general:reader`<br>`fixed:datasources.builtin:reader`                                                                                                                                                                                             | Default [Viewer](ref:rbac-basic-roles) assignments.                             |
 | No Basic Role                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | n/a                                                                                                                                                      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Default [No Basic Role](ref:rbac-basic-roles)                                   |
 
@@ -74,86 +74,86 @@ These UUIDs won't be available if your instance was created before Grafana v10.2
 To learn how to use the roles API to determine the role UUIDs, refer to [Manage RBAC roles](ref:rbac-manage-rbac-roles).
 {{< /admonition >}}
 
-| Fixed role                                   | UUID                                | Permissions                                                                                                                                                                                                                                                                 | Description                                                                                                                                                                                                                                                                           |
-| -------------------------------------------- | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `fixed:alerting:reader`                      | `fixed_O2oP1_uBFozI2i93klAkcvEWR30` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader`                                                                                                                                           | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.[\*](#alerting-roles)                                                                                                                            |
-| `fixed:alerting:writer`                      | `fixed_-PAZgSJsDlRD8NUg-PFSeH_BkJY` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer`                                                                                                                                           | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.[\*](#alerting-roles)                                                                                                    |
-| `fixed:alerting.instances:reader`            | `fixed_ut5fVS-Ulh_ejFoskFhJT_rYg0Y` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*`                                                                                                                                                                | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.[\*](#alerting-roles)                                                                                                                                              |
-| `fixed:alerting.instances:writer`            | `fixed_pKOBJE346uyqMLdgWbk1NsQfEl0` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*`                                                                   | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles)                                                                                                                                                                 |
-| `fixed:alerting.notifications:reader`        | `fixed_hmBn0lX5h1RZXB9Vaot420EEdA0` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                                                                                          | Read all Grafana and Alertmanager contact points, templates, and notification policies.[\*](#alerting-roles)                                                                                                                                                                          |
-| `fixed:alerting.notifications:writer`        | `fixed_XplK6HPNxf9AP5IGTdB5Iun4tJc` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write`for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                        | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.[\*](#alerting-roles)                                                                                                                              |
-| `fixed:alerting.provisioning:writer`         | `fixed_y7pFjdEkxpx5ETdcxPvp0AgRuUo` | `alert.provisioning:read` and `alert.provisioning:write`                                                                                                                                                                                                                    | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. [\*](#alerting-roles)                                                                                                                                      |
-| `fixed:alerting.provisioning.secrets:reader` | `fixed_9fmzXXZZG-Od0Amy2ofEG8Uk--c` | `alert.provisioning:read` and `alert.provisioning.secrets:read`                                                                                                                                                                                                             | Read-only permissions for Provisioning API and let export resources with decrypted secrets [\*](#alerting-roles)                                                                                                                                                                      |
-| `fixed:alerting.provisioning.status:writer`  | `fixed_eAxlzfkTuobvKEgXHveFMBZrOj8` | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                       | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. [\*](#alerting-roles)                                                                                                                            |
-| `fixed:alerting.rules:reader`                | `fixed_fRGKL_vAqUsmUWq5EYKnOha9DcA` | `alert.rule:read`, `alert.silences:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` <br> `alert.notifications.time-intervals:read` <br> `alert.notifications.receivers:list`                                                          | Read all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and read rule-specific silences                                                                                                                                                                                 |
-| `fixed:alerting.rules:writer`                | `fixed_YJJGwAalUwDZPrXSyFH8GfYBXAc` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` <br> `alert.silences:create` <br> `alert.silences:write` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and manage rule-specific silences                                                                                                                                                         |
-| `fixed:annotations:reader`                   | `fixed_hpZnoizrfAJsrceNcNQqWYV-xNU` | `annotations:read` for scopes `annotations:type:*`                                                                                                                                                                                                                          | Read all annotations and annotation tags.                                                                                                                                                                                                                                             |
-| `fixed:annotations:writer`                   | `fixed_ZVW-Aa9Tzle6J4s2aUFcq1StKWE` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:*`                                                                                                                    | Read, create, update and delete all annotations and annotation tags.                                                                                                                                                                                                                  |
-| `fixed:annotations.dashboard:writer`         | `fixed_8A775xenXeKaJk4Cr7bchP9yXOA` | `annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:dashboard`                                                                                                                                                                | Create, update and delete dashboard annotations and annotation tags.                                                                                                                                                                                                                  |
-| `fixed:authentication.config:writer`         | `fixed_0rYhZ2Qnzs8AdB1nX7gexk3fHDw` | `settings:read` for scope `settings:auth.saml:*` <br> `settings:write` for scope `settings:auth.saml:*`                                                                                                                                                                     | Read and update authentication and SAML settings.                                                                                                                                                                                                                                     |
-| `fixed:general.auth.config:writer`           | `fixed_QFxIT_FGtBqbIVJIwx1bLgI5z6c` | `settings:read` for scope `settings:auth:oauth_allow_insecure_email_lookup` <br> `settings:write` for scope `settings:auth:oauth_allow_insecure_email_lookup`                                                                                                               | Read and update the Grafana instance's general authentication configuration settings.                                                                                                                                                                                                 |
-| `fixed:dashboards:creator`                   | `fixed_ZorKUcEPCM01A1fPakEzGBUyU64` | `dashboards:create`<br>`folders:read`                                                                                                                                                                                                                                       | Create dashboards.                                                                                                                                                                                                                                                                    |
-| `fixed:dashboards:reader`                    | `fixed_Sgr67JTOhjQGFlzYRahOe45TdWM` | `dashboards:read`                                                                                                                                                                                                                                                           | Read all dashboards.                                                                                                                                                                                                                                                                  |
-| `fixed:dashboards:writer`                    | `fixed_OK2YOQGIoI1G031hVzJB6rAJQAs` | All permissions from `fixed:dashboards:reader` and <br>`dashboards:write`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write`                                                                                  | Read, create, update, and delete all dashboards.                                                                                                                                                                                                                                      |
-| `fixed:dashboards.insights:reader`           | `fixed_JlBJ2_gizP8zhgaeGE2rjyZe2Rs` | `dashboards.insights:read`                                                                                                                                                                                                                                                  | Read dashboard insights data and see presence indicators.                                                                                                                                                                                                                             |
-| `fixed:dashboards.permissions:reader`        | `fixed_f17oxuXW_58LL8mYJsm4T_mCeIw` | `dashboards.permissions:read`                                                                                                                                                                                                                                               | Read all dashboard permissions.                                                                                                                                                                                                                                                       |
-| `fixed:dashboards.permissions:writer`        | `fixed_CcznxhWX_Yqn8uWMXMQ-b5iFW9k` | All permissions from `fixed:dashboards.permissions:reader` and <br>`dashboards.permissions:write`                                                                                                                                                                           | Read and update all dashboard permissions.                                                                                                                                                                                                                                            |
-| `fixed:dashboards.public:writer`             | `fixed_f_GHHRBciaqESXfGz2oCcooqHxs` | `dashboards.public:write`                                                                                                                                                                                                                                                   | Create, update, delete or pause a shared dashboard.                                                                                                                                                                                                                                   |
-| `fixed:datasources:creator`                  | `fixed_XX8jHREgUt-wo1A-rPXIiFlX6Zw` | `datasources:create`                                                                                                                                                                                                                                                        | Create data sources.                                                                                                                                                                                                                                                                  |
-| `fixed:datasources:explorer`                 | `fixed_qDzW9mzx9yM91T5Bi8dHUM2muTw` | `datasources:explore`                                                                                                                                                                                                                                                       | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.                                                                                                                                                |
-| `fixed:datasources:reader`                   | `fixed_C2x8IxkiBc1KZVjyYH775T9jNMQ` | `datasources:read`<br>`datasources:query`                                                                                                                                                                                                                                   | Read and query data sources.                                                                                                                                                                                                                                                          |
-| `fixed:datasources:writer`                   | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete`                                                                                                                                                 | Read, query, create, delete, or update a data source.                                                                                                                                                                                                                                 |
-| `fixed:datasources.builtin:reader`           | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | `datasources:read` and `datasources:query` scoped to `datasources:uid:grafana`                                                                                                                                                                                              | An internal role used to grant Viewers access to the builtin example data source in Grafana.                                                                                                                                                                                          |
-| `fixed:datasources.caching:reader`           | `fixed_D2ddpGxJYlw0mbsTS1ek9fj0kj4` | `datasources.caching:read`                                                                                                                                                                                                                                                  | Read data source query caching settings.                                                                                                                                                                                                                                              |
-| `fixed:datasources.caching:writer`           | `fixed_JtFjHr7jd7hSqUYcktKvRvIOGRE` | `datasources.caching:read`<br>`datasources.caching:write`                                                                                                                                                                                                                   | Enable, disable, or update query caching settings.                                                                                                                                                                                                                                    |
-| `fixed:datasources.id:reader`                | `fixed_entg--fHmDqWY2-69N0ocawK0Os` | `datasources.id:read`                                                                                                                                                                                                                                                       | Read the ID of a data source based on its name.                                                                                                                                                                                                                                       |
-| `fixed:datasources.insights:reader`          | `fixed_EBZ3NwlfecNPp2p0XcZRC1nfEYk` | `datasources.insights:read`                                                                                                                                                                                                                                                 | Read data source insights data.                                                                                                                                                                                                                                                       |
-| `fixed:datasources.permissions:reader`       | `fixed_ErYA-cTN3yn4h4GxaVPcawRhiOY` | `datasources.permissions:read`                                                                                                                                                                                                                                              | Read data source permissions.                                                                                                                                                                                                                                                         |
-| `fixed:datasources.permissions:writer`       | `fixed_aiQh9YDfLOKjQhYasF9_SFUjQiw` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write`                                                                                                                                                                         | Create, read, or delete permissions of a data source.                                                                                                                                                                                                                                 |
-| `fixed:folders:creator`                      | `fixed_gGLRbZGAGB6n9uECqSh_W382RlQ` | `folders:create`                                                                                                                                                                                                                                                            | Create folders in the root level.                                                                                                                                                                                                                                                     |
-| `fixed:folders:reader`                       | `fixed_yeW-5QPeo-i5PZUIUXMlAA97GnQ` | `folders:read`<br>`dashboards:read`                                                                                                                                                                                                                                         | Read all folders and dashboards.                                                                                                                                                                                                                                                      |
-| `fixed:folders:writer`                       | `fixed_wJXLoTzgE7jVuz90dryYoiogL0o` | All permissions from `fixed:dashboards:writer` and <br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write`                                                                               | Read, update, and delete all folders and dashboards. Create folders and subfolders.                                                                                                                                                                                                   |
-| `fixed:folders.general:reader`               | `fixed_rSASbkg8DvpG_gTX5s41d7uxRvI` | `folders:read` scoped to `folders:uid:general`                                                                                                                                                                                                                              | An internal role used to correctly display access to the folder tree for Viewer role.                                                                                                                                                                                                 |
-| `fixed:folders.permissions:reader`           | `fixed_E06l4cx0JFm47EeLBE4nmv3pnSo` | `folders.permissions:read`                                                                                                                                                                                                                                                  | Read all folder permissions.                                                                                                                                                                                                                                                          |
-| `fixed:folders.permissions:writer`           | `fixed_3GAgpQ_hWG8o7-lwNb86_VB37eI` | All permissions from `fixed:folders.permissions:reader` and <br>`folders.permissions:write`                                                                                                                                                                                 | Read and update all folder permissions.                                                                                                                                                                                                                                               |
-| `fixed:ldap:reader`                          | `fixed_lMcOPwSkxKY-qCK8NMJc5k6izLE` | `ldap.user:read`<br>`ldap.status:read`                                                                                                                                                                                                                                      | Read the LDAP configuration and LDAP status information.                                                                                                                                                                                                                              |
-| `fixed:ldap:writer`                          | `fixed_p6AvnU4GCQyIh7-hbwI-bk3GYnU` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload`                                                                                                                                                                                   | Read and update the LDAP configuration, and read LDAP status information.                                                                                                                                                                                                             |
-| `fixed:library.panels:creator`               | `fixed_6eX6ItfegCIY5zLmPqTDW8ZV7KY` | `library.panels:create`<br>`folders:read`                                                                                                                                                                                                                                   | Create library panel at the root level.                                                                                                                                                                                                                                               |
-| `fixed:library.panels:general.reader`        | `fixed_ct0DghiBWR_2BiQm3EvNPDVmpio` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels at the root level.                                                                                                                                                                                                                                            |
-| `fixed:library.panels:general.writer`        | `fixed_DgprkmqfN_1EhZ2v1_d1fYG8LzI` | All permissions from `fixed:library.panels:general.reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                             | Create, read, write or delete all library panels and their permissions at the root level.                                                                                                                                                                                             |
-| `fixed:library.panels:reader`                | `fixed_tvTr9CnZ6La5vvUO_U_X1LPnhUs` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels.                                                                                                                                                                                                                                                              |
-| `fixed:library.panels:writer`                | `fixed_JTljAr21LWLTXCkgfBC4H0lhBC8` | All permissions from `fixed:library.panels:reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                                     | Create, read, write or delete all library panels and their permissions.                                                                                                                                                                                                               |
-| `fixed:licensing:reader`                     | `fixed_OADpuXvNEylO2Kelu3GIuBXEAYE` | `licensing:read`<br>`licensing.reports:read`                                                                                                                                                                                                                                | Read licensing information and licensing reports.                                                                                                                                                                                                                                     |
-| `fixed:licensing:writer`                     | `fixed_gzbz3rJpQMdaKHt-E4q0PVaKMoE` | All permissions from `fixed:licensing:reader` and <br>`licensing:write`<br>`licensing:delete`                                                                                                                                                                               | Read licensing information and licensing reports, update and delete the license token.                                                                                                                                                                                                |
-| `fixed:migrationassistant:migrator`          | `fixed_LLk2p7TRuBztOAksTQb1Klc8YTk` | `migrationassistant:migrate`                                                                                                                                                                                                                                                | Execute on-prem to cloud migrations through the Migration Assistant.                                                                                                                                                                                                                  |
-| `fixed:org.users:reader`                     | `fixed_oCqNwlVHLOpw7-jAlwp4HzYqwGY` | `org.users:read`                                                                                                                                                                                                                                                            | Read users within a single organization.                                                                                                                                                                                                                                              |
-| `fixed:org.users:writer`                     | `fixed_VERj5nayasjgf_Yh0sWqqCkxWlw` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write`                                                                                                                                                            | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.                                                                                                        |
-| `fixed:organization:maintainer`              | `fixed_CMm-uuBaPUBf4r8XG3jIvxo55bg` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write`                                                                                                                                             | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.                                                                                                                                                                    |
-| `fixed:organization:reader`                  | `fixed_0SZPJlTHdNEe8zO91zv7Zwiwa2w` | `orgs:read`<br>`orgs.quotas:read`                                                                                                                                                                                                                                           | Read an organization and its quotas.                                                                                                                                                                                                                                                  |
-| `fixed:organization:writer`                  | `fixed_Y4jGqDd8w1yCrPwlik8z5Iu8-3M` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write`                                                                                                                                               | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.                                                                                                                                                                             |
-| `fixed:plugins:maintainer`                   | `fixed_yEOKidBcWgbm74x-nTa3lW5lOyY` | `plugins:install`                                                                                                                                                                                                                                                           | Install and uninstall plugins. Needs to be assigned globally.                                                                                                                                                                                                                         |
-| `fixed:plugins:writer`                       | `fixed_MRYpGk7kpNNwt2VoVOXFiPnQziE` | `plugins:write`                                                                                                                                                                                                                                                             | Enable and disable plugins and edit plugins' settings.                                                                                                                                                                                                                                |
-| `fixed:plugins.app:reader`                   | `fixed_AcZRiNYx7NueYkUqzw1o2OGGUAA` | `plugins.app:access`                                                                                                                                                                                                                                                        | Access application plugins (still enforcing the organization role).                                                                                                                                                                                                                   |
-| `fixed:provisioning:writer`                  | `fixed_bgk1FCyR6OEDwhgirZlQgu5LlCA` | `provisioning:reload`                                                                                                                                                                                                                                                       | Reload provisioning.                                                                                                                                                                                                                                                                  |
-| `fixed:reports:reader`                       | `fixed_72_8LU_0ukfm6BdblOw8Z9q-GQ8` | `reports:read`<br>`reports:send`<br>`reports.settings:read`                                                                                                                                                                                                                 | Read all reports and shared report settings.                                                                                                                                                                                                                                          |
-| `fixed:reports:writer`                       | `fixed_jBW3_7g1EWOjGVBYeVRwtFxhUNw` | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write`                                                                                                                                     | Create, read, update, or delete all reports and shared report settings.                                                                                                                                                                                                               |
-| `fixed:roles:reader`                         | `fixed_GkfG-1NSwEGb4hpK3-E3qHyNltc` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read`                                                                                                                                                                                        | Read all access control roles, roles and permissions assigned to users, teams.                                                                                                                                                                                                        |
-| `fixed:roles:resetter`                       | `fixed_WgPpC3qJRmVpVTJavFNwfS5RuzQ` | `roles:write` with scope `permissions:type:escalate`                                                                                                                                                                                                                        | Reset basic roles to their default.                                                                                                                                                                                                                                                   |
-| `fixed:roles:writer`                         | `fixed_W5aFaw8isAM27x_eWfElBhZ0iOc` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove`                                                                                                 | Create, read, update, or delete all roles, assign or unassign roles to users, teams.                                                                                                                                                                                                  |
-| `fixed:serviceaccounts:creator`              | `fixed_Ikw60fckA0MyiiZ73BawSfOULy4` | `serviceaccounts:create`                                                                                                                                                                                                                                                    | Create Grafana service accounts.                                                                                                                                                                                                                                                      |
-| `fixed:serviceaccounts:reader`               | `fixed_QFjJAZ88iawMLInYOxPA1DB1w6I` | `serviceaccounts:read`                                                                                                                                                                                                                                                      | Read Grafana service accounts.                                                                                                                                                                                                                                                        |
-| `fixed:serviceaccounts:writer`               | `fixed_iBvUNUEZBZ7PUW0vdkN5iojc2sk` | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write`                                                                                      | Create, update, read and delete all Grafana service accounts and manage service account permissions.                                                                                                                                                                                  |
-| `fixed:settings:reader`                      | `fixed_0LaUt1x6PP8hsZzEBhqPQZFUd8Q` | `settings:read`                                                                                                                                                                                                                                                             | Read Grafana instance settings.                                                                                                                                                                                                                                                       |
-| `fixed:settings:writer`                      | `fixed_joIHDgMrGg790hMhUufVzcU4j44` | All permissions from `fixed:settings:reader` and<br>`settings:write`                                                                                                                                                                                                        | Read and update Grafana instance settings.                                                                                                                                                                                                                                            |
-| `fixed:stats:reader`                         | `fixed_OnRCXxZVINWpcKvTF5A1gecJ7pA` | `server.stats:read`                                                                                                                                                                                                                                                         | Read Grafana instance statistics.                                                                                                                                                                                                                                                     |
-| `fixed:support.bundles:reader`               | `fixed_gcPjI3PTUJwRx-GJZwDhNa7zbos` | `support.bundles:read`                                                                                                                                                                                                                                                      | List and download support bundles.                                                                                                                                                                                                                                                    |
-| `fixed:support.bundles:writer`               | `fixed_dTgCv9Wxrp_WHAhwHYIgeboxKpE` | `support.bundles:read`<br>`support.bundles:create`<br>`support.bundles:delete`                                                                                                                                                                                              | Create, delete, list and download support bundles.                                                                                                                                                                                                                                    |
-| `fixed:teams:creator`                        | `fixed_nzVQoNSDSn0fg1MDgO6XnZX2RZI` | `teams:create`<br>`org.users:read`                                                                                                                                                                                                                                          | Create a team and list organization users (required to manage the created team).                                                                                                                                                                                                      |
-| `fixed:teams:read`                           | `fixed_Z8pB0GQlrqRt8IZBCJQxPWvJPgQ` | `teams:read`                                                                                                                                                                                                                                                                | List all teams.                                                                                                                                                                                                                                                                       |
-| `fixed:teams:writer`                         | `fixed_xw1T0579h620MOYi4L96GUs7fZY` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write`                                                                                                                                                  | Create, read, update and delete teams and manage team memberships.                                                                                                                                                                                                                    |
-| `fixed:usagestats:reader`                    | `fixed_eAM0azEvnWFCJAjNkUKnGL_1-bU` | `server.usagestats.report:read`                                                                                                                                                                                                                                             | View usage statistics report.                                                                                                                                                                                                                                                         |
-| `fixed:users:reader`                         | `fixed_buZastUG3reWyQpPemcWjGqPAd0` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`                                                                                                                                                                                                               | Read all users and their information, such as team memberships, authentication tokens, and quotas.                                                                                                                                                                                    |
-| `fixed:users:writer`                         | `fixed_wjzgHHo_Ux25DJuELn_oiAdB_yM` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write`        | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
+| Fixed role                                      | UUID                                | Permissions                                                                                                                                                                                                                                                                 | Description                                                                                                                                                                                                                                                                           |
+| ----------------------------------------------- | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `fixed:alerting:reader`                         | `fixed_O2oP1_uBFozI2i93klAkcvEWR30` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader`                                                                                                                                           | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.[\*](#alerting-roles)                                                                                                                            |
+| `fixed:alerting:writer`                         | `fixed_-PAZgSJsDlRD8NUg-PFSeH_BkJY` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer`                                                                                                                                           | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.[\*](#alerting-roles)                                                                                                    |
+| `fixed:alerting.instances:reader`               | `fixed_ut5fVS-Ulh_ejFoskFhJT_rYg0Y` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*`                                                                                                                                                                | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.[\*](#alerting-roles)                                                                                                                                              |
+| `fixed:alerting.instances:writer`               | `fixed_pKOBJE346uyqMLdgWbk1NsQfEl0` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*`                                                                   | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles)                                                                                                                                                                 |
+| `fixed:alerting.notifications:reader`           | `fixed_hmBn0lX5h1RZXB9Vaot420EEdA0` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                                                                                          | Read all Grafana and Alertmanager contact points, templates, and notification policies.[\*](#alerting-roles)                                                                                                                                                                          |
+| `fixed:alerting.notifications:writer`           | `fixed_XplK6HPNxf9AP5IGTdB5Iun4tJc` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write`for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                        | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.[\*](#alerting-roles)                                                                                                                              |
+| `fixed:alerting.provisioning:writer`            | `fixed_y7pFjdEkxpx5ETdcxPvp0AgRuUo` | `alert.provisioning:read` and `alert.provisioning:write`                                                                                                                                                                                                                    | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. [\*](#alerting-roles)                                                                                                                                      |
+| `fixed:alerting.provisioning.secrets:reader`    | `fixed_9fmzXXZZG-Od0Amy2ofEG8Uk--c` | `alert.provisioning:read` and `alert.provisioning.secrets:read`                                                                                                                                                                                                             | Read-only permissions for Provisioning API and let export resources with decrypted secrets [\*](#alerting-roles)                                                                                                                                                                      |
+| `fixed:alerting.provisioning.provenance:writer` | `fixed_eAxlzfkTuobvKEgXHveFMBZrOj8` | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                       | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. [\*](#alerting-roles)                                                                                                                            |
+| `fixed:alerting.rules:reader`                   | `fixed_fRGKL_vAqUsmUWq5EYKnOha9DcA` | `alert.rule:read`, `alert.silences:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` <br> `alert.notifications.time-intervals:read` <br> `alert.notifications.receivers:list`                                                          | Read all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and read rule-specific silences                                                                                                                                                                                 |
+| `fixed:alerting.rules:writer`                   | `fixed_YJJGwAalUwDZPrXSyFH8GfYBXAc` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` <br> `alert.silences:create` <br> `alert.silences:write` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and manage rule-specific silences                                                                                                                                                         |
+| `fixed:annotations:reader`                      | `fixed_hpZnoizrfAJsrceNcNQqWYV-xNU` | `annotations:read` for scopes `annotations:type:*`                                                                                                                                                                                                                          | Read all annotations and annotation tags.                                                                                                                                                                                                                                             |
+| `fixed:annotations:writer`                      | `fixed_ZVW-Aa9Tzle6J4s2aUFcq1StKWE` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:*`                                                                                                                    | Read, create, update and delete all annotations and annotation tags.                                                                                                                                                                                                                  |
+| `fixed:annotations.dashboard:writer`            | `fixed_8A775xenXeKaJk4Cr7bchP9yXOA` | `annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:dashboard`                                                                                                                                                                | Create, update and delete dashboard annotations and annotation tags.                                                                                                                                                                                                                  |
+| `fixed:authentication.config:writer`            | `fixed_0rYhZ2Qnzs8AdB1nX7gexk3fHDw` | `settings:read` for scope `settings:auth.saml:*` <br> `settings:write` for scope `settings:auth.saml:*`                                                                                                                                                                     | Read and update authentication and SAML settings.                                                                                                                                                                                                                                     |
+| `fixed:general.auth.config:writer`              | `fixed_QFxIT_FGtBqbIVJIwx1bLgI5z6c` | `settings:read` for scope `settings:auth:oauth_allow_insecure_email_lookup` <br> `settings:write` for scope `settings:auth:oauth_allow_insecure_email_lookup`                                                                                                               | Read and update the Grafana instance's general authentication configuration settings.                                                                                                                                                                                                 |
+| `fixed:dashboards:creator`                      | `fixed_ZorKUcEPCM01A1fPakEzGBUyU64` | `dashboards:create`<br>`folders:read`                                                                                                                                                                                                                                       | Create dashboards.                                                                                                                                                                                                                                                                    |
+| `fixed:dashboards:reader`                       | `fixed_Sgr67JTOhjQGFlzYRahOe45TdWM` | `dashboards:read`                                                                                                                                                                                                                                                           | Read all dashboards.                                                                                                                                                                                                                                                                  |
+| `fixed:dashboards:writer`                       | `fixed_OK2YOQGIoI1G031hVzJB6rAJQAs` | All permissions from `fixed:dashboards:reader` and <br>`dashboards:write`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write`                                                                                  | Read, create, update, and delete all dashboards.                                                                                                                                                                                                                                      |
+| `fixed:dashboards.insights:reader`              | `fixed_JlBJ2_gizP8zhgaeGE2rjyZe2Rs` | `dashboards.insights:read`                                                                                                                                                                                                                                                  | Read dashboard insights data and see presence indicators.                                                                                                                                                                                                                             |
+| `fixed:dashboards.permissions:reader`           | `fixed_f17oxuXW_58LL8mYJsm4T_mCeIw` | `dashboards.permissions:read`                                                                                                                                                                                                                                               | Read all dashboard permissions.                                                                                                                                                                                                                                                       |
+| `fixed:dashboards.permissions:writer`           | `fixed_CcznxhWX_Yqn8uWMXMQ-b5iFW9k` | All permissions from `fixed:dashboards.permissions:reader` and <br>`dashboards.permissions:write`                                                                                                                                                                           | Read and update all dashboard permissions.                                                                                                                                                                                                                                            |
+| `fixed:dashboards.public:writer`                | `fixed_f_GHHRBciaqESXfGz2oCcooqHxs` | `dashboards.public:write`                                                                                                                                                                                                                                                   | Create, update, delete or pause a shared dashboard.                                                                                                                                                                                                                                   |
+| `fixed:datasources:creator`                     | `fixed_XX8jHREgUt-wo1A-rPXIiFlX6Zw` | `datasources:create`                                                                                                                                                                                                                                                        | Create data sources.                                                                                                                                                                                                                                                                  |
+| `fixed:datasources:explorer`                    | `fixed_qDzW9mzx9yM91T5Bi8dHUM2muTw` | `datasources:explore`                                                                                                                                                                                                                                                       | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.                                                                                                                                                |
+| `fixed:datasources:reader`                      | `fixed_C2x8IxkiBc1KZVjyYH775T9jNMQ` | `datasources:read`<br>`datasources:query`                                                                                                                                                                                                                                   | Read and query data sources.                                                                                                                                                                                                                                                          |
+| `fixed:datasources:writer`                      | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete`                                                                                                                                                 | Read, query, create, delete, or update a data source.                                                                                                                                                                                                                                 |
+| `fixed:datasources.builtin:reader`              | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | `datasources:read` and `datasources:query` scoped to `datasources:uid:grafana`                                                                                                                                                                                              | An internal role used to grant Viewers access to the builtin example data source in Grafana.                                                                                                                                                                                          |
+| `fixed:datasources.caching:reader`              | `fixed_D2ddpGxJYlw0mbsTS1ek9fj0kj4` | `datasources.caching:read`                                                                                                                                                                                                                                                  | Read data source query caching settings.                                                                                                                                                                                                                                              |
+| `fixed:datasources.caching:writer`              | `fixed_JtFjHr7jd7hSqUYcktKvRvIOGRE` | `datasources.caching:read`<br>`datasources.caching:write`                                                                                                                                                                                                                   | Enable, disable, or update query caching settings.                                                                                                                                                                                                                                    |
+| `fixed:datasources.id:reader`                   | `fixed_entg--fHmDqWY2-69N0ocawK0Os` | `datasources.id:read`                                                                                                                                                                                                                                                       | Read the ID of a data source based on its name.                                                                                                                                                                                                                                       |
+| `fixed:datasources.insights:reader`             | `fixed_EBZ3NwlfecNPp2p0XcZRC1nfEYk` | `datasources.insights:read`                                                                                                                                                                                                                                                 | Read data source insights data.                                                                                                                                                                                                                                                       |
+| `fixed:datasources.permissions:reader`          | `fixed_ErYA-cTN3yn4h4GxaVPcawRhiOY` | `datasources.permissions:read`                                                                                                                                                                                                                                              | Read data source permissions.                                                                                                                                                                                                                                                         |
+| `fixed:datasources.permissions:writer`          | `fixed_aiQh9YDfLOKjQhYasF9_SFUjQiw` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write`                                                                                                                                                                         | Create, read, or delete permissions of a data source.                                                                                                                                                                                                                                 |
+| `fixed:folders:creator`                         | `fixed_gGLRbZGAGB6n9uECqSh_W382RlQ` | `folders:create`                                                                                                                                                                                                                                                            | Create folders in the root level.                                                                                                                                                                                                                                                     |
+| `fixed:folders:reader`                          | `fixed_yeW-5QPeo-i5PZUIUXMlAA97GnQ` | `folders:read`<br>`dashboards:read`                                                                                                                                                                                                                                         | Read all folders and dashboards.                                                                                                                                                                                                                                                      |
+| `fixed:folders:writer`                          | `fixed_wJXLoTzgE7jVuz90dryYoiogL0o` | All permissions from `fixed:dashboards:writer` and <br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write`                                                                               | Read, update, and delete all folders and dashboards. Create folders and subfolders.                                                                                                                                                                                                   |
+| `fixed:folders.general:reader`                  | `fixed_rSASbkg8DvpG_gTX5s41d7uxRvI` | `folders:read` scoped to `folders:uid:general`                                                                                                                                                                                                                              | An internal role used to correctly display access to the folder tree for Viewer role.                                                                                                                                                                                                 |
+| `fixed:folders.permissions:reader`              | `fixed_E06l4cx0JFm47EeLBE4nmv3pnSo` | `folders.permissions:read`                                                                                                                                                                                                                                                  | Read all folder permissions.                                                                                                                                                                                                                                                          |
+| `fixed:folders.permissions:writer`              | `fixed_3GAgpQ_hWG8o7-lwNb86_VB37eI` | All permissions from `fixed:folders.permissions:reader` and <br>`folders.permissions:write`                                                                                                                                                                                 | Read and update all folder permissions.                                                                                                                                                                                                                                               |
+| `fixed:ldap:reader`                             | `fixed_lMcOPwSkxKY-qCK8NMJc5k6izLE` | `ldap.user:read`<br>`ldap.status:read`                                                                                                                                                                                                                                      | Read the LDAP configuration and LDAP status information.                                                                                                                                                                                                                              |
+| `fixed:ldap:writer`                             | `fixed_p6AvnU4GCQyIh7-hbwI-bk3GYnU` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload`                                                                                                                                                                                   | Read and update the LDAP configuration, and read LDAP status information.                                                                                                                                                                                                             |
+| `fixed:library.panels:creator`                  | `fixed_6eX6ItfegCIY5zLmPqTDW8ZV7KY` | `library.panels:create`<br>`folders:read`                                                                                                                                                                                                                                   | Create library panel at the root level.                                                                                                                                                                                                                                               |
+| `fixed:library.panels:general.reader`           | `fixed_ct0DghiBWR_2BiQm3EvNPDVmpio` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels at the root level.                                                                                                                                                                                                                                            |
+| `fixed:library.panels:general.writer`           | `fixed_DgprkmqfN_1EhZ2v1_d1fYG8LzI` | All permissions from `fixed:library.panels:general.reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                             | Create, read, write or delete all library panels and their permissions at the root level.                                                                                                                                                                                             |
+| `fixed:library.panels:reader`                   | `fixed_tvTr9CnZ6La5vvUO_U_X1LPnhUs` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels.                                                                                                                                                                                                                                                              |
+| `fixed:library.panels:writer`                   | `fixed_JTljAr21LWLTXCkgfBC4H0lhBC8` | All permissions from `fixed:library.panels:reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                                     | Create, read, write or delete all library panels and their permissions.                                                                                                                                                                                                               |
+| `fixed:licensing:reader`                        | `fixed_OADpuXvNEylO2Kelu3GIuBXEAYE` | `licensing:read`<br>`licensing.reports:read`                                                                                                                                                                                                                                | Read licensing information and licensing reports.                                                                                                                                                                                                                                     |
+| `fixed:licensing:writer`                        | `fixed_gzbz3rJpQMdaKHt-E4q0PVaKMoE` | All permissions from `fixed:licensing:reader` and <br>`licensing:write`<br>`licensing:delete`                                                                                                                                                                               | Read licensing information and licensing reports, update and delete the license token.                                                                                                                                                                                                |
+| `fixed:migrationassistant:migrator`             | `fixed_LLk2p7TRuBztOAksTQb1Klc8YTk` | `migrationassistant:migrate`                                                                                                                                                                                                                                                | Execute on-prem to cloud migrations through the Migration Assistant.                                                                                                                                                                                                                  |
+| `fixed:org.users:reader`                        | `fixed_oCqNwlVHLOpw7-jAlwp4HzYqwGY` | `org.users:read`                                                                                                                                                                                                                                                            | Read users within a single organization.                                                                                                                                                                                                                                              |
+| `fixed:org.users:writer`                        | `fixed_VERj5nayasjgf_Yh0sWqqCkxWlw` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write`                                                                                                                                                            | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.                                                                                                        |
+| `fixed:organization:maintainer`                 | `fixed_CMm-uuBaPUBf4r8XG3jIvxo55bg` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write`                                                                                                                                             | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.                                                                                                                                                                    |
+| `fixed:organization:reader`                     | `fixed_0SZPJlTHdNEe8zO91zv7Zwiwa2w` | `orgs:read`<br>`orgs.quotas:read`                                                                                                                                                                                                                                           | Read an organization and its quotas.                                                                                                                                                                                                                                                  |
+| `fixed:organization:writer`                     | `fixed_Y4jGqDd8w1yCrPwlik8z5Iu8-3M` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write`                                                                                                                                               | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.                                                                                                                                                                             |
+| `fixed:plugins:maintainer`                      | `fixed_yEOKidBcWgbm74x-nTa3lW5lOyY` | `plugins:install`                                                                                                                                                                                                                                                           | Install and uninstall plugins. Needs to be assigned globally.                                                                                                                                                                                                                         |
+| `fixed:plugins:writer`                          | `fixed_MRYpGk7kpNNwt2VoVOXFiPnQziE` | `plugins:write`                                                                                                                                                                                                                                                             | Enable and disable plugins and edit plugins' settings.                                                                                                                                                                                                                                |
+| `fixed:plugins.app:reader`                      | `fixed_AcZRiNYx7NueYkUqzw1o2OGGUAA` | `plugins.app:access`                                                                                                                                                                                                                                                        | Access application plugins (still enforcing the organization role).                                                                                                                                                                                                                   |
+| `fixed:provisioning:writer`                     | `fixed_bgk1FCyR6OEDwhgirZlQgu5LlCA` | `provisioning:reload`                                                                                                                                                                                                                                                       | Reload provisioning.                                                                                                                                                                                                                                                                  |
+| `fixed:reports:reader`                          | `fixed_72_8LU_0ukfm6BdblOw8Z9q-GQ8` | `reports:read`<br>`reports:send`<br>`reports.settings:read`                                                                                                                                                                                                                 | Read all reports and shared report settings.                                                                                                                                                                                                                                          |
+| `fixed:reports:writer`                          | `fixed_jBW3_7g1EWOjGVBYeVRwtFxhUNw` | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write`                                                                                                                                     | Create, read, update, or delete all reports and shared report settings.                                                                                                                                                                                                               |
+| `fixed:roles:reader`                            | `fixed_GkfG-1NSwEGb4hpK3-E3qHyNltc` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read`                                                                                                                                                                                        | Read all access control roles, roles and permissions assigned to users, teams.                                                                                                                                                                                                        |
+| `fixed:roles:resetter`                          | `fixed_WgPpC3qJRmVpVTJavFNwfS5RuzQ` | `roles:write` with scope `permissions:type:escalate`                                                                                                                                                                                                                        | Reset basic roles to their default.                                                                                                                                                                                                                                                   |
+| `fixed:roles:writer`                            | `fixed_W5aFaw8isAM27x_eWfElBhZ0iOc` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove`                                                                                                 | Create, read, update, or delete all roles, assign or unassign roles to users, teams.                                                                                                                                                                                                  |
+| `fixed:serviceaccounts:creator`                 | `fixed_Ikw60fckA0MyiiZ73BawSfOULy4` | `serviceaccounts:create`                                                                                                                                                                                                                                                    | Create Grafana service accounts.                                                                                                                                                                                                                                                      |
+| `fixed:serviceaccounts:reader`                  | `fixed_QFjJAZ88iawMLInYOxPA1DB1w6I` | `serviceaccounts:read`                                                                                                                                                                                                                                                      | Read Grafana service accounts.                                                                                                                                                                                                                                                        |
+| `fixed:serviceaccounts:writer`                  | `fixed_iBvUNUEZBZ7PUW0vdkN5iojc2sk` | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write`                                                                                      | Create, update, read and delete all Grafana service accounts and manage service account permissions.                                                                                                                                                                                  |
+| `fixed:settings:reader`                         | `fixed_0LaUt1x6PP8hsZzEBhqPQZFUd8Q` | `settings:read`                                                                                                                                                                                                                                                             | Read Grafana instance settings.                                                                                                                                                                                                                                                       |
+| `fixed:settings:writer`                         | `fixed_joIHDgMrGg790hMhUufVzcU4j44` | All permissions from `fixed:settings:reader` and<br>`settings:write`                                                                                                                                                                                                        | Read and update Grafana instance settings.                                                                                                                                                                                                                                            |
+| `fixed:stats:reader`                            | `fixed_OnRCXxZVINWpcKvTF5A1gecJ7pA` | `server.stats:read`                                                                                                                                                                                                                                                         | Read Grafana instance statistics.                                                                                                                                                                                                                                                     |
+| `fixed:support.bundles:reader`                  | `fixed_gcPjI3PTUJwRx-GJZwDhNa7zbos` | `support.bundles:read`                                                                                                                                                                                                                                                      | List and download support bundles.                                                                                                                                                                                                                                                    |
+| `fixed:support.bundles:writer`                  | `fixed_dTgCv9Wxrp_WHAhwHYIgeboxKpE` | `support.bundles:read`<br>`support.bundles:create`<br>`support.bundles:delete`                                                                                                                                                                                              | Create, delete, list and download support bundles.                                                                                                                                                                                                                                    |
+| `fixed:teams:creator`                           | `fixed_nzVQoNSDSn0fg1MDgO6XnZX2RZI` | `teams:create`<br>`org.users:read`                                                                                                                                                                                                                                          | Create a team and list organization users (required to manage the created team).                                                                                                                                                                                                      |
+| `fixed:teams:read`                              | `fixed_Z8pB0GQlrqRt8IZBCJQxPWvJPgQ` | `teams:read`                                                                                                                                                                                                                                                                | List all teams.                                                                                                                                                                                                                                                                       |
+| `fixed:teams:writer`                            | `fixed_xw1T0579h620MOYi4L96GUs7fZY` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write`                                                                                                                                                  | Create, read, update and delete teams and manage team memberships.                                                                                                                                                                                                                    |
+| `fixed:usagestats:reader`                       | `fixed_eAM0azEvnWFCJAjNkUKnGL_1-bU` | `server.usagestats.report:read`                                                                                                                                                                                                                                             | View usage statistics report.                                                                                                                                                                                                                                                         |
+| `fixed:users:reader`                            | `fixed_buZastUG3reWyQpPemcWjGqPAd0` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`                                                                                                                                                                                                               | Read all users and their information, such as team memberships, authentication tokens, and quotas.                                                                                                                                                                                    |
+| `fixed:users:writer`                            | `fixed_wjzgHHo_Ux25DJuELn_oiAdB_yM` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write`        | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
 
 ### Alerting roles
 
@@ -164,10 +164,20 @@ Access to Grafana alert rules is an intersection of many permissions:
 - Permission to read a folder. For example, the fixed role `fixed:folders:reader` includes the action `folders:read` and a folder scope `folders:id:`.
 - Permission to query **all** data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.
 
-There is only one exclusion at this moment. Role `fixed:alerting.provisioning:writer` does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.
+There is only one exclusion. Role `fixed:alerting.provisioning:writer` does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.
 
 For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder](ref:plan-rbac-rollout-strategy-create-a-custom-role-to-access-alerts-in-a-folder).
 
+#### Alerting basic roles
+
+The following table lists the default RBAC alerting role assignments to the basic roles:
+
+| Basic role | Associated fixed roles                                                                                          | Description                                                                     |
+| ---------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
+| Admin      | `fixed:alerting:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer` | Default [Grafana organization administrator](ref:rbac-basic-roles) assignments. |
+| Editor     | `fixed:alerting:writer`<br>`fixed:alerting.provisioning.provenance:writer`                                      | Default [Editor](ref:rbac-basic-roles) assignments.                             |
+| Viewer     | `fixed:alerting:reader`                                                                                         | Default [Viewer](ref:rbac-basic-roles) assignments.                             |
+
 ### Grafana OnCall roles
 
 If you are using [Grafana OnCall](ref:oncall), you can try out the integration between Grafana OnCall and RBAC.

docs/sources/alerting/set-up/configure-alert-state-history/index.md

@@ -62,6 +62,9 @@ The following steps describe a basic configuration:
 
    # The URL of the Loki server
    loki_remote_url = http://localhost:3100
+
+   [feature_toggles]
+   enable = alertingCentralAlertHistory
    ```
 
 1. **Configure the Loki data source in Grafana**

docs/sources/alerting/set-up/configure-rbac/_index.md

@@ -17,55 +17,166 @@ weight: 155
 
 # Configure RBAC
 
-Role-based access control (RBAC) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.
+[Role-based access control (RBAC)](/docs/grafana/latest/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.
 
-A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system.
+A user is any individual who can log in to Grafana. Each user has a role that includes permissions. Permissions determine the tasks a user can perform in the system.
 
 Each permission contains one or more actions and a scope.
 
+## Role types
+
+Grafana has three types of roles for managing access:
+
+- **Basic roles**: Admin, Editor, Viewer, and No basic role. These are assigned to users and provide default access levels.
+- **Fixed roles**: Predefined groups of permissions for specific use cases. Basic roles automatically include certain fixed roles.
+- **Custom roles**: User-defined roles that combine specific permissions for granular access control.
+
+## Basic role permissions
+
+The following table summarizes the default alerting permissions for each basic role.
+
+| Capability                                | Admin | Editor | Viewer |
+| ----------------------------------------- | :---: | :----: | :----: |
+| View alert rules                          |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete alert rules      |   ✓   |   ✓    |        |
+| View silences                             |   ✓   |   ✓    |   ✓    |
+| Create, edit, and expire silences         |   ✓   |   ✓    |        |
+| View contact points and templates         |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete contact points   |   ✓   |   ✓    |        |
+| View notification policies                |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete policies         |   ✓   |   ✓    |        |
+| View mute timings                         |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete timing intervals |   ✓   |   ✓    |        |
+| Access provisioning API                   |   ✓   |   ✓    |        |
+| Export with decrypted secrets             |   ✓   |        |        |
+
+{{< admonition type="note" >}}
+Access to alert rules also requires permission to read the folder containing the rules and permission to query the data sources used in the rules.
+{{< /admonition >}}
+
 ## Permissions
 
-Grafana Alerting has the following permissions.
+Grafana Alerting has the following permissions organized by resource type.
 
-| Action                                       | Applicable scope                       | Description                                                                                                                                                                                                                                       |
-| -------------------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `alert.instances.external:read`              | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting.                                                                                                                                                                                   |
-| `alert.instances.external:write`             | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting.                                                                                                                                                                                 |
-| `alert.instances:create`                     | n/a                                    | Create silences in the current organization.                                                                                                                                                                                                      |
-| `alert.instances:read`                       | n/a                                    | Read alerts and silences in the current organization.                                                                                                                                                                                             |
-| `alert.instances:write`                      | n/a                                    | Update and expire silences in the current organization.                                                                                                                                                                                           |
-| `alert.notifications.external:read`          | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting.                                                                                                                                    |
-| `alert.notifications.external:write`         | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting.                                                                                                                                  |
-| `alert.notifications:write`                  | n/a                                    | Manage templates, contact points, notification policies, and mute timings in the current organization.                                                                                                                                            |
-| `alert.notifications:read`                   | n/a                                    | Read all templates, contact points, notification policies, and mute timings in the current organization.                                                                                                                                          |
-| `alert.rules.external:read`                  | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki)                                                                                                                                                              |
-| `alert.rules.external:write`                 | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki).                                                                                                                                                    |
-| `alert.rules:create`                         | `folders:*`<br>`folders:uid:*`         | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.                               |
-| `alert.rules:delete`                         | `folders:*`<br>`folders:uid:*`         | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                       |
-| `alert.rules:read`                           | `folders:*`<br>`folders:uid:*`         | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                         |
-| `alert.rules:write`                          | `folders:*`<br>`folders:uid:*`         | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. To allow query modifications add `datasources:query` in the scope of data sources the user can query. |
-| `alert.silences:create`                      | `folders:*`<br>`folders:uid:*`         | Create rule-specific silences in a folder and its subfolders.                                                                                                                                                                                     |
-| `alert.silences:read`                        | `folders:*`<br>`folders:uid:*`         | Read all general silences and rule-specific silences in a folder and its subfolders.                                                                                                                                                              |
-| `alert.silences:write`                       | `folders:*`<br>`folders:uid:*`         | Update and expire rule-specific silences in a folder and its subfolders.                                                                                                                                                                          |
-| `alert.provisioning:read`                    | n/a                                    | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                                                                                                           |
-| `alert.provisioning.secrets:read`            | n/a                                    | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets.                                                                                                                                                        |
-| `alert.provisioning:write`                   | n/a                                    | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                                                                                                         |
-| `alert.provisioning.provenance:write`        | n/a                                    | Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources                                                                                                                       |
-| `alert.notifications.receivers:read`         | `receivers:*`<br>`receivers:uid:*`     | Read contact points.                                                                                                                                                                                                                              |
-| `alert.notifications.receivers.secrets:read` | `receivers:*`<br>`receivers:uid:*`     | Export contact points with decrypted secrets.                                                                                                                                                                                                     |
-| `alert.notifications.receivers:create`       | n/a                                    | Create a new contact points. The creator is automatically granted full access to the created contact point.                                                                                                                                       |
-| `alert.notifications.receivers:write`        | `receivers:*`<br>`receivers:uid:*`     | Update existing contact points.                                                                                                                                                                                                                   |
-| `alert.notifications.receivers:delete`       | `receivers:*`<br>`receivers:uid:*`     | Update and delete existing contact points.                                                                                                                                                                                                        |
-| `receivers.permissions:read`                 | `receivers:*`<br>`receivers:uid:*`     | Read permissions for contact points.                                                                                                                                                                                                              |
-| `receivers.permissions:write`                | `receivers:*`<br>`receivers:uid:*`     | Manage permissions for contact points.                                                                                                                                                                                                            |
-| `alert.notifications.time-intervals:read`    | n/a                                    | Read mute time intervals.                                                                                                                                                                                                                         |
-| `alert.notifications.time-intervals:write`   | n/a                                    | Create new or update existing mute time intervals.                                                                                                                                                                                                |
-| `alert.notifications.time-intervals:delete`  | n/a                                    | Delete existing time intervals.                                                                                                                                                                                                                   |
-| `alert.notifications.templates:read`         | n/a                                    | Read templates.                                                                                                                                                                                                                                   |
-| `alert.notifications.templates:write`        | n/a                                    | Create new or update existing templates.                                                                                                                                                                                                          |
-| `alert.notifications.templates:delete`       | n/a                                    | Delete existing templates.                                                                                                                                                                                                                        |
-| `alert.notifications.templates.test:write`   | n/a                                    | Test templates with custom payloads (preview and payload editor functionality).                                                                                                                                                                   |
-| `alert.notifications.routes:read`            | n/a                                    | Read notification policies.                                                                                                                                                                                                                       |
-| `alert.notifications.routes:write`           | n/a                                    | Create new, update and update notification policies.                                                                                                                                                                                              |
+### Alert rules
+
+Permissions for managing Grafana-managed alert rules.
+
+| Action               | Applicable scope               | Description                                                                                                                                                                                                                                       |
+| -------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.                               |
+| `alert.rules:read`   | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                         |
+| `alert.rules:write`  | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. To allow query modifications add `datasources:query` in the scope of data sources the user can query. |
+| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                       |
+
+### External alert rules
+
+Permissions for managing alert rules in external data sources that support alerting.
+
+| Action                       | Applicable scope                       | Description                                                                                    |
+| ---------------------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------- |
+| `alert.rules.external:read`  | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki).          |
+| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
+
+### Alert instances and silences
+
+Permissions for managing alert instances and silences in Grafana.
+
+| Action                   | Applicable scope               | Description                                                                          |
+| ------------------------ | ------------------------------ | ------------------------------------------------------------------------------------ |
+| `alert.instances:read`   | n/a                            | Read alerts and silences in the current organization.                                |
+| `alert.instances:create` | n/a                            | Create silences in the current organization.                                         |
+| `alert.instances:write`  | n/a                            | Update and expire silences in the current organization.                              |
+| `alert.silences:read`    | `folders:*`<br>`folders:uid:*` | Read all general silences and rule-specific silences in a folder and its subfolders. |
+| `alert.silences:create`  | `folders:*`<br>`folders:uid:*` | Create rule-specific silences in a folder and its subfolders.                        |
+| `alert.silences:write`   | `folders:*`<br>`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders.             |
+
+### External alert instances
+
+Permissions for managing alert instances in external data sources.
+
+| Action                           | Applicable scope                       | Description                                                       |
+| -------------------------------- | -------------------------------------- | ----------------------------------------------------------------- |
+| `alert.instances.external:read`  | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting.   |
+| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
+
+### Contact points
+
+Permissions for managing contact points (notification receivers).
+
+| Action                                       | Applicable scope                   | Description                                                                                                 |
+| -------------------------------------------- | ---------------------------------- | ----------------------------------------------------------------------------------------------------------- |
+| `alert.notifications.receivers:list`         | n/a                                | List contact points in the current organization.                                                            |
+| `alert.notifications.receivers:read`         | `receivers:*`<br>`receivers:uid:*` | Read contact points.                                                                                        |
+| `alert.notifications.receivers.secrets:read` | `receivers:*`<br>`receivers:uid:*` | Export contact points with decrypted secrets.                                                               |
+| `alert.notifications.receivers:create`       | n/a                                | Create a new contact points. The creator is automatically granted full access to the created contact point. |
+| `alert.notifications.receivers:write`        | `receivers:*`<br>`receivers:uid:*` | Update existing contact points.                                                                             |
+| `alert.notifications.receivers:delete`       | `receivers:*`<br>`receivers:uid:*` | Update and delete existing contact points.                                                                  |
+| `alert.notifications.receivers:test`         | `receivers:*`<br>`receivers:uid:*` | Test contact points to verify their configuration.                                                          |
+| `receivers.permissions:read`                 | `receivers:*`<br>`receivers:uid:*` | Read permissions for contact points.                                                                        |
+| `receivers.permissions:write`                | `receivers:*`<br>`receivers:uid:*` | Manage permissions for contact points.                                                                      |
+
+### Notification policies
+
+Permissions for managing notification policies (routing rules).
+
+| Action                             | Applicable scope | Description                                           |
+| ---------------------------------- | ---------------- | ----------------------------------------------------- |
+| `alert.notifications.routes:read`  | n/a              | Read notification policies.                           |
+| `alert.notifications.routes:write` | n/a              | Create new, update, and delete notification policies. |
+
+### Time intervals
+
+Permissions for managing mute time intervals.
+
+| Action                                      | Applicable scope | Description                                        |
+| ------------------------------------------- | ---------------- | -------------------------------------------------- |
+| `alert.notifications.time-intervals:read`   | n/a              | Read mute time intervals.                          |
+| `alert.notifications.time-intervals:write`  | n/a              | Create new or update existing mute time intervals. |
+| `alert.notifications.time-intervals:delete` | n/a              | Delete existing time intervals.                    |
+
+### Templates
+
+Permissions for managing notification templates.
+
+| Action                                     | Applicable scope | Description                                                                     |
+| ------------------------------------------ | ---------------- | ------------------------------------------------------------------------------- |
+| `alert.notifications.templates:read`       | n/a              | Read templates.                                                                 |
+| `alert.notifications.templates:write`      | n/a              | Create new or update existing templates.                                        |
+| `alert.notifications.templates:delete`     | n/a              | Delete existing templates.                                                      |
+| `alert.notifications.templates.test:write` | n/a              | Test templates with custom payloads (preview and payload editor functionality). |
+
+### General notifications
+
+Legacy permissions for managing all notification resources.
+
+| Action                      | Applicable scope | Description                                                                                              |
+| --------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------- |
+| `alert.notifications:read`  | n/a              | Read all templates, contact points, notification policies, and mute timings in the current organization. |
+| `alert.notifications:write` | n/a              | Manage templates, contact points, notification policies, and mute timings in the current organization.   |
+
+### External notifications
+
+Permissions for managing notification resources in external data sources.
+
+| Action                               | Applicable scope                       | Description                                                                                                      |
+| ------------------------------------ | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
+| `alert.notifications.external:read`  | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting.   |
+| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
+
+### Provisioning
+
+Permissions for managing alerting resources via the provisioning API.
+
+| Action                                   | Applicable scope | Description                                                                                                                                                        |
+| ---------------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `alert.provisioning:read`                | n/a              | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                            |
+| `alert.provisioning.secrets:read`        | n/a              | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets.                                                                         |
+| `alert.provisioning:write`               | n/a              | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                          |
+| `alert.rules.provisioning:read`          | n/a              | Read Grafana alert rules via provisioning API. More specific than `alert.provisioning:read`.                                                                       |
+| `alert.rules.provisioning:write`         | n/a              | Create, update, and delete Grafana alert rules via provisioning API. More specific than `alert.provisioning:write`.                                                |
+| `alert.notifications.provisioning:read`  | n/a              | Read notification resources (contact points, notification policies, templates, time intervals) via provisioning API. More specific than `alert.provisioning:read`. |
+| `alert.notifications.provisioning:write` | n/a              | Create, update, and delete notification resources via provisioning API. More specific than `alert.provisioning:write`.                                             |
+| `alert.provisioning.provenance:write`    | n/a              | Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources.                                       |
 
 To help plan your RBAC rollout strategy, refer to [Plan your RBAC rollout strategy](https://grafana.com/docs/grafana/next/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/).

docs/sources/alerting/set-up/configure-rbac/access-folders/index.md

@@ -16,7 +16,7 @@ title: Manage access using folders or data sources
 weight: 200
 ---
 
-## Manage access using folders or data sources
+# Manage access using folders or data sources
 
 You can extend the access provided by a role to alert rules and rule-specific silences by assigning permissions to individual folders or data sources.
 

docs/sources/alerting/set-up/configure-rbac/access-roles/index.md

@@ -55,7 +55,7 @@ Details of the fixed roles and the access they provide for Grafana Alerting are
 | Full read-only access: `fixed:alerting:reader`                                           | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader`                                                                                                                                                                                                               | Read alert rules, alert instances, silences, contact points, and notification policies in Grafana and external providers.                                |
 | Read via Provisioning API + Export Secrets: `fixed:alerting.provisioning.secrets:reader` | `alert.provisioning:read` and `alert.provisioning.secrets:read`                                                                                                                                                                                                                                                                                 | Read alert rules, alert instances, silences, contact points, and notification policies using the provisioning API and use export with decrypted secrets. |
 | Access to alert rules provisioning API: `fixed:alerting.provisioning:writer`             | `alert.provisioning:read` and `alert.provisioning:write`                                                                                                                                                                                                                                                                                        | Manage all alert rules, notification policies, contact points, templates, in the organization using the provisioning API.                                |
-| Set provisioning status: `fixed:alerting.provisioning.status:writer`                     | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                                                                                           | Set provisioning rules for Alerting resources. Should be used together with other regular roles (Notifications Writer and/or Rules Writer.)              |
+| Set provisioning status: `fixed:alerting.provisioning.provenance:writer`                 | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                                                                                           | Set provisioning rules for Alerting resources. Should be used together with other regular roles (Notifications Writer and/or Rules Writer.)              |
 | Contact Point Reader: `fixed:alerting.receivers:reader`                                  | `alert.notifications.receivers:read` for scope `receivers:*`                                                                                                                                                                                                                                                                                    | Read all contact points.                                                                                                                                 |
 | Contact Point Creator: `fixed:alerting.receivers:creator`                                | `alert.notifications.receivers:create`                                                                                                                                                                                                                                                                                                          | Create a new contact point. The user is automatically granted full access to the created contact point.                                                  |
 | Contact Point Writer: `fixed:alerting.receivers:writer`                                  | `alert.notifications.receivers:read`, `alert.notifications.receivers:write`, `alert.notifications.receivers:delete` for scope `receivers:*` and <br> `alert.notifications.receivers:create`                                                                                                                                                     | Create a new contact point and manage all existing contact points.                                                                                       |
@@ -63,8 +63,8 @@ Details of the fixed roles and the access they provide for Grafana Alerting are
 | Templates Writer: `fixed:alerting.templates:writer`                                      | `alert.notifications.templates:read`, `alert.notifications.templates:write`, `alert.notifications.templates:delete`, `alert.notifications.templates.test:write`                                                                                                                                                                                 | Create new and manage existing notification templates. Test templates with custom payloads.                                                              |
 | Time Intervals Reader: `fixed:alerting.time-intervals:reader`                            | `alert.notifications.time-intervals:read`                                                                                                                                                                                                                                                                                                       | Read all time intervals.                                                                                                                                 |
 | Time Intervals Writer: `fixed:alerting.time-intervals:writer`                            | `alert.notifications.time-intervals:read`, `alert.notifications.time-intervals:write`, `alert.notifications.time-intervals:delete`                                                                                                                                                                                                              | Create new and manage existing time intervals.                                                                                                           |
-| Notification Policies Reader: `fixed:alerting.routes:reader`                             | `alert.notifications.routes:read`                                                                                                                                                                                                                                                                                                               | Read all time intervals.                                                                                                                                 |
-| Notification Policies Writer: `fixed:alerting.routes:writer`                             | `alert.notifications.routes:read` `alert.notifications.routes:write`                                                                                                                                                                                                                                                                            | Create new and manage existing time intervals.                                                                                                           |
+| Notification Policies Reader: `fixed:alerting.routes:reader`                             | `alert.notifications.routes:read`                                                                                                                                                                                                                                                                                                               | Read all notification policies.                                                                                                                          |
+| Notification Policies Writer: `fixed:alerting.routes:writer`                             | `alert.notifications.routes:read`<br>`alert.notifications.routes:write`                                                                                                                                                                                                                                                                         | Create new and manage existing notification policies.                                                                                                    |
 
 ## Create custom roles
 

docs/sources/alerting/set-up/configure-roles/index.md

@@ -16,25 +16,27 @@ weight: 150
 
 # Configure roles and permissions
 
+This guide explains how to configure roles and permissions for Grafana Alerting for Grafana OSS users. You'll learn how to manage access using roles, folder permissions, and contact point permissions.
+
 A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system. For example, the Admin role includes permissions for an administrator to create and delete users.
 
 For more information, refer to [Organization roles](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/roles-and-permissions/#organization-roles).
 
 ## Manage access using roles
 
-For Grafana OSS, there are three roles: Admin, Editor, and Viewer.
+Grafana OSS has three roles: Admin, Editor, and Viewer.
 
-Details of the roles and the access they provide for Grafana Alerting are below.
+The following table describes the access each role provides for Grafana Alerting.
 
-| Role   | Access                                                                                                                                                                    |
-| ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Admin  | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning. |
-| Editor | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning. |
-| Viewer | Read access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences).                    |
+| Role   | Access                                                                                                                                                                                             |
+| ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Viewer | Read access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences).                                             |
+| Editor | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning.                          |
+| Admin  | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning, as well as assign roles. |
 
 ## Assign roles
 
-To assign roles, admins need to complete the following steps.
+To assign roles, an admin needs to complete the following steps.
 
 1. Navigate to **Administration** > **Users and access** > **Users, Teams, or Service Accounts**.
 1. Search for the user, team or service account you want to add a role for.
@@ -58,32 +60,30 @@ Refer to the following table for details on the additional access provided by fo
 You can't use folders to customize access to notification resources.
 {{< /admonition >}}
 
-To manage folder permissions, complete the following steps.
+To manage folder permissions, complete the following steps:
 
 1. In the left-side menu, click **Dashboards**.
 1. Hover your mouse cursor over a folder and click **Go to folder**.
 1. Click **Manage permissions** from the Folder actions menu.
 1. Update or add permissions as required.
 
-## Manage access using contact point permissions
+## Manage access to contact points
 
-### Before you begin
-
-Extend or limit the access provided by a role to contact points by assigning permissions to individual contact point.
+Extend or limit the access provided by a role to contact points by assigning permissions to individual contact points.
 
 This allows different users, teams, or service accounts to have customized access to read or modify specific contact points.
 
 Refer to the following table for details on the additional access provided by contact point permissions.
 
-| Folder permission | Additional Access                                                                                                                             |
-| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| View              | View and export contact point as well as select it on the Alert rule edit page                                                                |
-| Edit              | Update or delete the contact point                                                                                                            |
-| Admin             | Same additional access as Edit and manage permissions for the contact point. User should have additional permissions to read users and teams. |
+| Contact point permission | Additional Access                                                                                                                             |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| View                     | View and export contact point as well as select it on the Alert rule edit page                                                                |
+| Edit                     | Update or delete the contact point                                                                                                            |
+| Admin                    | Same additional access as Edit and manage permissions for the contact point. User should have additional permissions to read users and teams. |
 
-### Steps
+### Assign contact point permissions
 
-To contact point permissions, complete the following steps.
+To manage contact point permissions, complete the following steps:
 
 1. In the left-side menu, click **Contact points**.
 1. Hover your mouse cursor over a contact point and click **More**.

docs/sources/as-code/infrastructure-as-code/terraform/terraform-plugins.md

@@ -24,7 +24,7 @@ Before you begin, you should have the following available:
 - Administrator permissions in your Grafana instance; for more information on assigning Grafana RBAC roles, refer to [Assign RBAC roles](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-control/assign-rbac-roles/).
 
 {{< admonition type="note" >}}
-All of the following Terraform configuration files should be saved in the same directory.
+Save all of the following Terraform configuration files in the same directory.
 {{< /admonition >}}
 
 ## Configure the Grafana provider

docs/sources/datasources/postgres/_index.md

@@ -60,7 +60,6 @@ The following documents will help you get started with the PostgreSQL data sourc
 
 - [Configure the PostgreSQL data source](ref:configure-postgres-data-source)
 - [PostgreSQL query editor](ref:postgres-query-editor)
-- [Troubleshooting](troubleshooting/)
 
 After you have configured the data source you can:
 

docs/sources/datasources/postgres/troubleshooting/index.md

@@ -1,380 +0,0 @@
----
-aliases:
-  - ../../data-sources/postgres/troubleshooting/
-description: Troubleshooting the PostgreSQL data source in Grafana
-keywords:
-  - grafana
-  - postgresql
-  - troubleshooting
-  - errors
-labels:
-  products:
-    - cloud
-    - enterprise
-    - oss
-menuTitle: Troubleshooting
-title: Troubleshoot PostgreSQL data source issues
-weight: 600
----
-
-# Troubleshoot PostgreSQL data source issues
-
-This document provides troubleshooting information for common errors you may encounter when using the PostgreSQL data source in Grafana.
-
-## Connection errors
-
-The following errors occur when Grafana cannot establish or maintain a connection to PostgreSQL.
-
-### Failed to connect to PostgreSQL
-
-**Error message:** `failed to connect to ... : connect: connection refused` or `dial tcp: connect: connection refused`
-
-**Cause:** Grafana cannot establish a network connection to the PostgreSQL server.
-
-**Solution:**
-
-1. Verify that the Host URL is correct in the data source configuration.
-1. Check that PostgreSQL is running and accessible from the Grafana server.
-1. Verify the port is correct (the PostgreSQL default port is `5432`).
-1. Ensure there are no firewall rules blocking the connection.
-1. Check that PostgreSQL is configured to accept connections from the Grafana server in `pg_hba.conf`.
-1. For Grafana Cloud, ensure you have configured [Private data source connect](https://grafana.com/docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/) if your PostgreSQL instance is not publicly accessible.
-
-### Request timed out
-
-**Error message:** "context deadline exceeded" or "i/o timeout"
-
-**Cause:** The connection to PostgreSQL timed out before receiving a response.
-
-**Solution:**
-
-1. Check the network latency between Grafana and PostgreSQL.
-1. Verify that PostgreSQL is not overloaded or experiencing performance issues.
-1. Increase the **Max lifetime** setting in the data source configuration under **Connection limits**.
-1. Reduce the time range or complexity of your query.
-1. Check if any network devices (load balancers, proxies) are timing out the connection.
-
-### Host not found
-
-**Error message:** `failed to connect to ... : hostname resolving error` or `lookup hostname: no such host`
-
-**Cause:** The hostname specified in the data source configuration cannot be resolved.
-
-**Solution:**
-
-1. Verify the hostname is spelled correctly.
-1. Check that DNS resolution is working on the Grafana server.
-1. Try using an IP address instead of a hostname.
-1. Ensure the PostgreSQL server is accessible from the Grafana server's network.
-
-## Authentication errors
-
-The following errors occur when there are issues with authentication credentials or permissions.
-
-### Password authentication failed
-
-**Error message:** `failed to connect to ... : server error: FATAL: password authentication failed for user "username" (SQLSTATE 28P01)`
-
-**Cause:** The username or password is incorrect.
-
-**Solution:**
-
-1. Verify that the username and password are correct in the data source configuration.
-1. Check that the user exists in PostgreSQL.
-1. Verify the password has not expired.
-1. If no password is specified, ensure a [PostgreSQL password file](https://www.postgresql.org/docs/current/static/libpq-pgpass.html) is configured.
-
-### Permission denied
-
-**Error message:** `ERROR: permission denied for table table_name (SQLSTATE 42501)` or `ERROR: permission denied for schema schema_name (SQLSTATE 42501)`
-
-**Cause:** The database user does not have permission to access the requested table or schema.
-
-**Solution:**
-
-1. Verify the user has `SELECT` permissions on the required tables.
-1. Grant the necessary permissions:
-
-   ```sql
-   GRANT USAGE ON SCHEMA schema_name TO grafanareader;
-   GRANT SELECT ON schema_name.table_name TO grafanareader;
-   ```
-
-1. Check that the user has access to the correct database.
-1. Verify the search path includes the schema containing your tables.
-
-### No pg_hba.conf entry
-
-**Error message:** `failed to connect to ... : server error: FATAL: no pg_hba.conf entry for host "ip_address", user "username", database "database_name" (SQLSTATE 28000)`
-
-**Cause:** PostgreSQL is not configured to accept connections from the Grafana server.
-
-**Solution:**
-
-1. Edit the `pg_hba.conf` file on the PostgreSQL server.
-1. Add an entry to allow connections from the Grafana server:
-
-   ```text
-   host    database_name    username    grafana_ip/32    md5
-   ```
-
-1. Reload PostgreSQL configuration: `SELECT pg_reload_conf();`
-1. If using SSL, ensure the correct authentication method is specified (for example, `hostssl` instead of `host`).
-
-## TLS and certificate errors
-
-The following errors occur when there are issues with TLS configuration.
-
-### Certificate verification failed
-
-**Error message:** "x509: certificate signed by unknown authority" or "certificate verify failed"
-
-**Cause:** Grafana cannot verify the TLS certificate presented by PostgreSQL.
-
-**Solution:**
-
-1. Set the **TLS/SSL Mode** to the appropriate level (`require`, `verify-ca`, or `verify-full`).
-1. If using a self-signed certificate, add the CA certificate in **TLS/SSL Auth Details**.
-1. Verify the certificate chain is complete and valid.
-1. Ensure the certificate has not expired.
-1. For testing only, set **TLS/SSL Mode** to `disable` (not recommended for production).
-
-### SSL not supported
-
-**Error message:** `failed to connect to ... : server refused TLS connection` or `server does not support SSL`
-
-**Cause:** The PostgreSQL server is not configured for SSL connections, but the data source requires SSL.
-
-**Solution:**
-
-1. Set **TLS/SSL Mode** to `disable` if SSL is not required.
-1. Alternatively, enable SSL on the PostgreSQL server by configuring `ssl = on` in `postgresql.conf`.
-1. Ensure the server has valid SSL certificates configured.
-
-### Client certificate error
-
-**Error message:** "TLS: failed to find any PEM data in certificate input" or "could not load client certificate"
-
-**Cause:** The client certificate or key is invalid or incorrectly formatted.
-
-**Solution:**
-
-1. Verify the certificate and key are in PEM format.
-1. Ensure the certificate file path is correct and readable by the Grafana process.
-1. Check that the certificate and key match (belong to the same key pair).
-1. If using certificate content, ensure you've pasted the complete certificate including headers.
-
-## Database errors
-
-The following errors occur when there are issues with the database configuration.
-
-### Database does not exist
-
-**Error message:** `failed to connect to ... : server error: FATAL: database "database_name" does not exist (SQLSTATE 3D000)`
-
-**Cause:** The specified database name is incorrect or the database doesn't exist.
-
-**Solution:**
-
-1. Verify the database name in the data source configuration.
-1. Check that the database exists: `\l` in psql or `SELECT datname FROM pg_database;`
-1. Ensure the database name is case-sensitive and matches exactly.
-1. Verify the user has permission to connect to the database.
-
-### Relation does not exist
-
-**Error message:** `ERROR: relation "table_name" does not exist (SQLSTATE 42P01)`
-
-**Cause:** The specified table or view does not exist, or the user cannot access it.
-
-**Solution:**
-
-1. Verify the table name is correct and exists in the database.
-1. Check the schema name if the table is not in the public schema.
-1. Use fully qualified names: `schema_name.table_name`.
-1. Verify the user has `SELECT` permission on the table.
-1. Check the search path: `SHOW search_path;`
-
-## Query errors
-
-The following errors occur when there are issues with SQL syntax or query execution.
-
-### Query syntax error
-
-**Error message:** `ERROR: syntax error at or near "keyword" (SQLSTATE 42601)`
-
-**Cause:** The SQL query contains invalid syntax.
-
-**Solution:**
-
-1. Check your query syntax for typos or invalid keywords.
-1. Verify column and table names are correctly quoted if they contain special characters or are reserved words.
-1. Use double quotes for identifiers: `"column_name"`.
-1. Test the query directly in a PostgreSQL client (psql, pgAdmin).
-
-### Column does not exist
-
-**Error message:** `ERROR: column "column_name" does not exist (SQLSTATE 42703)`
-
-**Cause:** The specified column name is incorrect or doesn't exist in the table.
-
-**Solution:**
-
-1. Verify the column name is spelled correctly.
-1. Check that column names are case-sensitive in PostgreSQL when quoted.
-1. Use the correct quoting for column names: `"Column_Name"` for case-sensitive names.
-1. Verify the column exists in the table: `\d table_name` in psql.
-
-### No time column found
-
-**Error message:** "no time column found" or time series visualization shows no data
-
-**Cause:** The query result does not include a properly formatted time column.
-
-**Solution:**
-
-1. Ensure your query includes a column named `time` that returns a timestamp or epoch value.
-1. Use an alias to rename your time column: `SELECT created_at AS time`.
-1. Ensure the time column is of type `timestamp`, `timestamptz`, or a numeric epoch value.
-1. Order results by the time column: `ORDER BY time ASC`.
-
-### Macro expansion error
-
-**Error message:** "macro '$\_\_timeFilter' not found" or incorrect query results with macros
-
-**Cause:** Grafana macros are not being properly expanded.
-
-**Solution:**
-
-1. Verify the macro syntax is correct, for example `$__timeFilter(time_column)`.
-1. Ensure the column name passed to the macro exists in your table.
-1. Use the **Preview** toggle in Builder mode to see the expanded query.
-1. For time-based macros, ensure the column contains timestamp data.
-
-## Performance issues
-
-The following issues relate to slow query execution or resource constraints.
-
-### Query timeout
-
-**Error message:** "canceling statement due to statement timeout" or "query timeout"
-
-**Cause:** The query took longer than the configured timeout.
-
-**Solution:**
-
-1. Reduce the time range of your query.
-1. Add indexes to columns used in WHERE clauses and joins.
-1. Use the `$__timeFilter` macro to limit data to the dashboard time range.
-1. Increase the statement timeout in PostgreSQL if you have admin access.
-1. Optimize your query to reduce complexity.
-
-### Too many connections
-
-**Error message:** `failed to connect to ... : server error: FATAL: too many connections for role "username" (SQLSTATE 53300)` or `connection pool exhausted`
-
-**Cause:** The maximum number of connections to PostgreSQL has been reached.
-
-**Solution:**
-
-1. Reduce the **Max open** connections setting in the data source configuration.
-1. Increase `max_connections` in PostgreSQL's `postgresql.conf` if you have admin access.
-1. Check for connection leaks in other applications connecting to the same database.
-1. Enable **Auto max idle** to automatically manage idle connections.
-
-### Slow query performance
-
-**Cause:** Queries take a long time to execute.
-
-**Solution:**
-
-1. Reduce the time range of your query.
-1. Add appropriate indexes to your tables.
-1. Use the `$__timeFilter` macro to limit the data scanned.
-1. Increase the **Min time interval** setting to reduce the number of data points.
-1. Use `EXPLAIN ANALYZE` in PostgreSQL to identify query bottlenecks.
-1. Consider using materialized views for complex aggregations.
-
-## Provisioning errors
-
-The following errors occur when provisioning the data source via YAML.
-
-### Invalid provisioning configuration
-
-**Error message:** "metric request error" or data source test fails after provisioning
-
-**Cause:** The provisioning YAML file contains incorrect configuration.
-
-**Solution:**
-
-1. Ensure parameter names match the expected format exactly.
-1. Verify the database name is **not** included in the URL.
-1. Use the correct format for the URL: `hostname:port`.
-1. Check that string values are properly quoted in the YAML file.
-1. Refer to the [provisioning example](../configure/#provision-the-data-source) for the correct format.
-
-Example correct configuration:
-
-```yaml
-datasources:
-  - name: Postgres
-    type: postgres
-    url: localhost:5432
-    user: grafana
-    secureJsonData:
-      password: 'Password!'
-    jsonData:
-      database: grafana
-      sslmode: 'disable'
-```
-
-## Other common issues
-
-The following issues don't produce specific error messages but are commonly encountered.
-
-### Empty query results
-
-**Cause:** The query returns no data.
-
-**Solution:**
-
-1. Verify the time range includes data in your database.
-1. Check that table and column names are correct.
-1. Test the query directly in PostgreSQL.
-1. Ensure filters are not excluding all data.
-1. Verify the `$__timeFilter` macro is using the correct time column.
-
-### TimescaleDB functions not available
-
-**Cause:** TimescaleDB-specific functions like `time_bucket` are not available in the query builder.
-
-**Solution:**
-
-1. Enable the **TimescaleDB** toggle in the data source configuration under **PostgreSQL Options**.
-1. Verify TimescaleDB is installed and enabled in your PostgreSQL database.
-1. Check that the `timescaledb` extension is created: `CREATE EXTENSION IF NOT EXISTS timescaledb;`
-
-### Data appears delayed or missing recent points
-
-**Cause:** The visualization doesn't show the most recent data.
-
-**Solution:**
-
-1. Check the dashboard time range and refresh settings.
-1. Verify the **Min time interval** is not set too high.
-1. Ensure data has been committed to the database (not in an uncommitted transaction).
-1. Check for clock synchronization issues between Grafana and PostgreSQL.
-
-## Get additional help
-
-If you continue to experience issues after following this troubleshooting guide:
-
-1. Check the [PostgreSQL documentation](https://www.postgresql.org/docs/) for database-specific guidance.
-1. Review the [Grafana community forums](https://community.grafana.com/) for similar issues.
-1. Contact Grafana Support if you are a Cloud Pro, Cloud Contracted, or Enterprise user.
-1. When reporting issues, include:
-   - Grafana version
-   - PostgreSQL version
-   - Error messages (redact sensitive information)
-   - Steps to reproduce
-   - Relevant configuration such as data source settings, TLS mode, and connection limits (redact passwords and other credentials)

docs/sources/setup-grafana/configure-grafana/_index.md

@@ -1776,6 +1776,13 @@ Specify the frequency of polling for Alertmanager configuration changes. The def
 
 The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), for example, 30s or 1m.
 
+#### `alertmanager_max_template_output_bytes`
+
+Maximum size in bytes that the expanded result of any single template expression (e.g. {{ .CommonAnnotations.description }}, {{ .ExternalURL }}, etc.) may reach during notification rendering.
+The limit is checked after template execution for each templated field, but before the value is inserted into the final notification payload sent to the receiver.
+If exceeded, the notification will contain output truncated up to the limit and a warning will be logged.
+The default value is 10,485,760 bytes (10Mb).
+
 #### `ha_redis_address`
 
 Redis server address or addresses. It can be a single Redis address if using Redis standalone,

docs/sources/upgrade-guide/when-to-upgrade/index.md

@@ -107,8 +107,8 @@ Here is an overview of version support through 2026:
 | 12.0.x                    | May 5, 2025        | February 5, 2026     | Patch Support      |
 | 12.1.x                    | July 22, 2025      | April 22, 2026       | Patch Support      |
 | 12.2.x                    | September 23, 2025 | June 23, 2026        | Patch Support      |
-| 12.3.x                    | November 18, 2025  | August 18, 2026      | Yet to be released |
-| 12.4.x (Last minor of 12) | February 24, 2026  | November 24, 2026    | Yet to be released |
+| 12.3.x                    | November 19, 2025  | August 19, 2026      | Patch Support      |
+| 12.4.x (Last minor of 12) | February 24, 2026  | May 24, 2027         | Yet to be released |
 | 13.0.0                    | TBD                | TBD                  | Yet to be released |
 
 ## How are these versions supported?

docs/sources/visualizations/dashboards/build-dashboards/annotate-visualizations/index.md

@@ -149,7 +149,10 @@ To add a new annotation query to a dashboard, follow these steps:
    You can also click **Open advanced data source picker** to see more options, including adding a data source (Admins only).
 
 1. If you don't want to use the annotation query right away, clear the **Enabled** checkbox.
-1. If you don't want the annotation query toggle to be displayed in the dashboard, select the **Hidden** checkbox.
+1. Select one of the following options in the **Show annotation controls in** drop-down list to control where annotations are displayed:
+   - **Above dashboard** - The annotation toggle is displayed above the dashboard. This is the default.
+   - **Controls menu** - The annotation toggle is displayed in the dashboard controls menu instead of above the dashboard. The dashboard controls menu appears as a button in the dashboard toolbar.
+   - **Hidden** - The annotation toggle is not displayed on the dashboard.
 1. Select a color for the event markers.
 1. In the **Show in** drop-down, choose one of the following options:
    - **All panels** - The annotations are displayed on all panels that support annotations.

docs/sources/visualizations/dashboards/build-dashboards/create-dynamic-dashboard/index.md

@@ -245,11 +245,12 @@ To configure repeats, follow these steps:
 1. Click **Save**.
 1. Toggle off the edit mode switch.
 
-### Repeating rows and the Dashboard special data source
+### Repeating rows and tabs and the Dashboard special data source
 
 <!-- is this next section still true? -->
 
 If a row includes panels using the special [Dashboard data source](ref:built-in-special-data-sources)&mdash;the data source that uses a result set from another panel in the same dashboard&mdash;then corresponding panels in repeated rows will reference the panel in the original row, not the ones in the repeated rows.
+The same behavior applies to tabs.
 
 For example, in a dashboard:
 

docs/sources/visualizations/dashboards/share-dashboards-panels/_index.md

@@ -223,17 +223,25 @@ To export a dashboard in its current state as a PDF, follow these steps:
 
 1. Click the **X** at the top-right corner to close the share drawer.
 
-### Export a dashboard as JSON
+### Export a dashboard as code
 
 Export a Grafana JSON file that contains everything you need, including layout, variables, styles, data sources, queries, and so on, so that you can later import the dashboard. To export a JSON file, follow these steps:
 
 1. Click **Dashboards** in the main menu.
 1. Open the dashboard you want to export.
-1. Click the **Export** drop-down list in the top-right corner and select **Export as JSON**.
+1. Click the **Export** drop-down list in the top-right corner and select **Export as code**.
 
-   The **Export dashboard JSON** drawer opens.
+   The **Export dashboard** drawer opens.
+
+1. Select the dashboard JSON model that you to export:
+   - **Classic** - Export dashboards created using the [current dashboard schema](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/visualizations/dashboards/build-dashboards/view-dashboard-json-model/).
+   - **V1 Resource** - Export dashboards created using the [current dashboard schema](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/visualizations/dashboards/build-dashboards/view-dashboard-json-model/) wrapped in the `spec` property of the [V1 Kubernetes-style resource](https://play.grafana.org/swagger?api=dashboard.grafana.app-v2alpha1). Choose between **JSON** and **YAML** format.
+   - **V2 Resource** - Export dashboards created using the [V2 Resource schema](https://play.grafana.org/swagger?api=dashboard.grafana.app-v2beta1). Choose between **JSON** and **YAML** format.
+
+1. Do one of the following:
+   - Toggle the **Export for sharing externally** switch to generate the JSON with a different data source UID.
+   - Toggle the **Remove deployment details** switch to make the dashboard externally shareable.
 
-1. Toggle the **Export the dashboard to use in another instance** switch to generate the JSON with a different data source UID.
 1. Click **Download file** or **Copy to clipboard**.
 1. Click the **X** at the top-right corner to close the share drawer.
 

docs/sources/visualizations/explore/logs-integration.md

@@ -43,24 +43,36 @@ If the data source doesn't support loading the full range logs volume, the logs
 
 The following sections provide detailed explanations on how to visualize and interact with individual logs in Explore.
 
-### Logs navigation
+### Infinite scroll
 
-Logs navigation, located at the right side of the log lines, can be used to easily request additional logs by clicking **Older logs** at the bottom of the navigation. This is especially useful when you reach the line limit and you want to see more logs. Each request run from the navigation displays in the navigation as separate page. Every page shows `from` and `to` timestamps of the incoming log lines. You can see previous results by clicking on each page. Explore caches the last five requests run from the logs navigation so you're not re-running the same queries when clicking on the pages, saving time and resources.
+<!-- vale Grafana.GoogleWill = NO -->
 
-![Navigate logs in Explore](/static/img/docs/explore/navigate-logs-8-0.png)
+When you reach the bottom of the list of logs, you will see the message `Scroll to load more`. If you continue scrolling and the displayed logs are within the selected time interval, Grafana will load more logs. When the sort order is "newest first" you receive older logs, and when the sort order is "oldest first" you get newer logs.
+
+<!-- vale Grafana.GoogleWill = YES -->
 
 ### Visualization options
 
 You have the option to customize the display of logs and choose which columns to show. Following is a list of available options.
 
-| Option                    | Description                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Time**                  | Shows or hides the time column. This is the timestamp associated with the log line as reported from the data source.                                                                                                                                                                                                                                                                                                                                      |
-| **Unique labels**         | Shows or hides the unique labels column that includes only non-common labels. All common labels are displayed above.                                                                                                                                                                                                                                                                                                                                      |
-| **Wrap lines**            | Set this to `true` if you want the display to use line wrapping. If set to `false`, it will result in horizontal scrolling.                                                                                                                                                                                                                                                                                                                               |
-| **Prettify JSON**         | Set this to `true` to pretty print all JSON logs. This setting does not affect logs in any format other than JSON.                                                                                                                                                                                                                                                                                                                                        |
-| **Deduplication**         | Log data can be very repetitive. Explore hides duplicate log lines using a few different deduplication algorithms. **Exact** matches are done on the whole line except for date fields. **Numbers** matches are done on the line after stripping out numbers such as durations, IP addresses, and so on. **Signature** is the most aggressive deduplication as it strips all letters and numbers and matches on the remaining whitespace and punctuation. |
-| **Display results order** | You can change the order of received logs from the default descending order (newest first) to ascending order (oldest first).                                                                                                                                                                                                                                                                                                                             |
+<!-- vale Grafana.Spelling = NO -->
+
+| Option                                | Description                                                                                                                                                                                                                                                                                                                                                                         |
+| ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Expand / Collapse                     | Expand or collapse the controls toolbar.                                                                                                                                                                                                                                                                                                                                            |
+| Scroll to bottom                      | Jump to the bottom of the logs table.                                                                                                                                                                                                                                                                                                                                               |
+| Oldest Logs First / Newest logs first | Sort direction (ascending or descending).                                                                                                                                                                                                                                                                                                                                           |
+| Search logs / Close search            | Click to open/close the client side string search of the displayed logs result.                                                                                                                                                                                                                                                                                                     |
+| Deduplication                         | **None** does not perform any deduplication, **Exact** matches are done on the whole line except for date fields. **Numbers** matches are done on the line after stripping out numbers such as durations, IP addresses, and so on. **Signature** is the most aggressive deduplication as it strips all letters and numbers and matches on the remaining whitespace and punctuation. |
+| Filter levels                         | Filter logs in display by log level: All levels, Info, Debut, Warning, Error.                                                                                                                                                                                                                                                                                                       |
+| Set Timestamp format                  | Hide timestamps (disabled), Show milliseconds timestamps, Show nanoseconds timestamps.                                                                                                                                                                                                                                                                                              |
+| Set line wrap                         | Disable line wrapping, Enable line wrapping, Enable line wrapping and prettify JSON.                                                                                                                                                                                                                                                                                                |
+| Enable highlighting                   | Plain text, Highlight text.                                                                                                                                                                                                                                                                                                                                                         |
+| Font size                             | Small font (default), Large font.                                                                                                                                                                                                                                                                                                                                                   |
+| Unescaped newlines                    | Only displayed if the logs contain unescaped new lines. Click to unescape and display as new lines.                                                                                                                                                                                                                                                                                 |
+| Download logs                         | Plain text (txt), JavaScript Object Notation (JSON), Comma-separated values (CSV)                                                                                                                                                                                                                                                                                                   |
+
+<!-- vale Grafana.Spelling = YES -->
 
 ### Download log lines
 
@@ -143,16 +155,31 @@ Click the **eye icon** to select a subset of fields to visualize in the logs lis
 
 Each field has a **stats icon**, which displays ad-hoc statistics in relation to all displayed logs.
 
+For data sources that support log types, such as Loki, instead of a single view containing all fields, fields will be displayed grouped by their type: Indexed Labels, Parsed fields, and Structured Metadata.
+
 #### Links
 
 Grafana provides data links or correlations, allowing you to convert any part of a log message into an internal or external link. These links enable you to navigate to related data or external resources, offering a seamless and convenient way to explore additional information.
 
 {{< figure src="/static/img/docs/explore/data-link-9-4.png" max-width="800px" caption="Data link in Explore" >}}
 
+#### Log details modes
+
+There are two modes available to view log details:
+
+- **Inline** The default, displays log details below the log line.
+- **Sidebar** Displays log details in a sidebar view.
+
+No matter which display mode you are currently viewing, you can change it by clicking the mode control icon.
+
 ### Log context
 
 Log context is a feature that displays additional lines of context surrounding a log entry that matches a specific search query. This helps in understanding the context of the log entry and is similar to the `-C` parameter in the `grep` command.
 
+If you're using Loki for your logs, to modify your log context queries, you can use the Loki log context query editor at the top of the table. You can activate this editor by clicking the menu for the log line, and selecting **Show context**. Within the **Log Context** view, you have the option to modify your search by removing one or more label filters from the log stream. If your original query used a parser, you can refine your search by leveraging extracted label filters.
+
+Change the **Context time window** option to look for logs within a specific time interval around your log line.
+
 Toggle **Wrap lines** if you encounter long lines of text that make it difficult to read and analyze the context around log entries. By enabling this toggle, Grafana automatically wraps long lines of text to fit within the visible width of the viewer, making the log entries easier to read and understand.
 
 Click **Open in split view** to execute the context query for a log entry in a split screen in the Explore view. Clicking this button opens a new Explore pane with the context query displayed alongside the log entry, making it easier to analyze and understand the surrounding context.

docs/sources/visualizations/panels-visualizations/visualizations/logs/index.md

@@ -31,7 +31,7 @@ refs:
 
 _Logs_ are structured records of events or messages generated by a system or application—that is, a series of text records with status updates from your system or app. They generally include timestamps, messages, and context information like the severity of the logged event.
 
-The logs visualization displays these records from data sources that support logs, such as Elastic, Influx, and Loki. The logs visualization has colored indicators of log status, as well as collapsible log events that help you analyze the information generated.
+The logs visualization displays these records from data sources that support logs, such as Elastic, Influx, and Loki. The logs visualization shows, by default, the timestamp, a colored string representing the log status, the log line body, as well as collapsible log events that help you analyze the information generated.
 
 {{< figure src="/media/docs/grafana/panels-visualizations/screenshot-logs-v12.3.png" max-width="750px" alt="Logs visualization" >}}
 
@@ -100,16 +100,16 @@ Use these settings to refine your visualization:
 
 |      Option     |   Description   |
 | --------------- | --------------- |
-| Time   | Show or hide the time column. This is the timestamp associated with the log line as reported from the data source. |
+| Show timestamps | Show or hide the time column. This is the timestamp associated with the log line as reported from the data source. |
 | Unique labels | Show or hide the unique labels column, which shows only non-common labels. |
-| Common labels | Show or hide the common labels. |
 | Wrap lines | Turn line wrapping on or off. |
-| Enable logs highlighting | Experimental. Use a predefined coloring scheme to highlight relevant parts of the log lines. Subtle colors are added to the log lines to improve readability and help with identifying important information faster. |
+| Prettify JSON | Toggle the switch on to pretty print all JSON logs. This setting does not affect logs in any format other than JSON. |
+| Enable highlighting | Use a predefined syntax coloring grammar to highlight relevant parts of the log lines |
 | Enable log details | Toggle the switch on to see an extendable area with log details including labels and detected fields. Each field or label has a stats icon to display ad-hoc statistics in relation to all displayed logs. The default setting is on. |
-| Log details panel mode | Choose to display the log details in a sidebar panel or inline, below the log line. The default mode depends on viewport size: the default mode for smaller viewports is inline, while for larger ones, it's sidebar. You can also change mode dynamically in the panel by clicking the mode control. |
-| Enable infinite scrolling | Request more results by scrolling to the bottom of the logs list. When you reach the bottom of the list of logs, if you continue scrolling and the displayed logs are within the selected time interval, you can request to load more logs. When the sort order is **Newest first**, you receive older logs, and when the sort order is **Oldest first** you get newer logs. |
-| Show controls | Display controls to jump to the last or first log line, and filter by log level. |
-| Font size | Select between the **Default** font size and **Small** font sizes.|
+| Log Details panel mode | Choose to display the log details in a sidebar panel or inline, below the log line. |
+| Enable infinite scrolling | Request more results by scrolling to the bottom of the logs list. |
+| Show controls | Display controls to jump to the last or first log line, and filters by log level |
+| Font size | Select between the default font size and small font size. |
 | Deduplication | Hide log messages that are duplicates of others shown, according to your selected criteria. Choose from: <ul><li>**Exact** - Ignoring ISO datetimes.</li><li>**Numerical** - Ignoring only those that differ by numbers such as IPs or latencies.</li><li>**Signatures** - Removing successive lines with identical punctuation and white space.</li></ul> |
 | Order | Set whether to show results **Newest first** or **Oldest first**. |
 

e2e-playwright/panels-suite/table-kitchenSink.spec.ts

@@ -343,6 +343,33 @@ test.describe('Panels test: Table - Kitchen Sink', { tag: ['@panels', '@table']
     // TODO -- saving for another day.
   });
 
+  test('Tests nested table expansion', async ({ gotoDashboardPage, selectors, page }) => {
+    const dashboardPage = await gotoDashboardPage({
+      uid: DASHBOARD_UID,
+      queryParams: new URLSearchParams({ editPanel: '4' }),
+    });
+
+    await expect(
+      dashboardPage.getByGrafanaSelector(selectors.components.Panels.Panel.title('Nested tables'))
+    ).toBeVisible();
+
+    await waitForTableLoad(page);
+
+    await expect(page.locator('[role="row"]')).toHaveCount(3); // header + 2 rows
+
+    const firstRowExpander = dashboardPage
+      .getByGrafanaSelector(selectors.components.Panels.Visualization.TableNG.RowExpander)
+      .first();
+
+    await firstRowExpander.click();
+    await expect(page.locator('[role="row"]')).not.toHaveCount(3); // more rows are present now, it is dynamic tho.
+
+    // TODO: test sorting
+
+    await firstRowExpander.click();
+    await expect(page.locator('[role="row"]')).toHaveCount(3); // back to original state
+  });
+
   test('Tests tooltip interactions', async ({ gotoDashboardPage, selectors }) => {
     const dashboardPage = await gotoDashboardPage({
       uid: DASHBOARD_UID,

eslint-suppressions.json

@@ -804,11 +804,6 @@
       "count": 2
     }
   },
-  "packages/grafana-ui/src/components/Table/TableNG/utils.ts": {
-    "@typescript-eslint/consistent-type-assertions": {
-      "count": 1
-    }
-  },
   "packages/grafana-ui/src/components/Table/TableRT/Filter.tsx": {
     "@typescript-eslint/no-explicit-any": {
       "count": 1
@@ -1822,7 +1817,7 @@
   },
   "public/app/features/dashboard-scene/edit-pane/DashboardEditPaneSplitter.tsx": {
     "react-hooks/rules-of-hooks": {
-      "count": 4
+      "count": 5
     }
   },
   "public/app/features/dashboard-scene/inspect/HelpWizard/HelpWizard.tsx": {
@@ -1835,11 +1830,6 @@
       "count": 1
     }
   },
-  "public/app/features/dashboard-scene/inspect/InspectJsonTab.tsx": {
-    "no-restricted-syntax": {
-      "count": 1
-    }
-  },
   "public/app/features/dashboard-scene/pages/DashboardScenePage.tsx": {
     "@typescript-eslint/consistent-type-assertions": {
       "count": 2
@@ -2920,11 +2910,6 @@
       "count": 1
     }
   },
-  "public/app/features/plugins/admin/components/PluginDetailsPage.tsx": {
-    "@typescript-eslint/consistent-type-assertions": {
-      "count": 1
-    }
-  },
   "public/app/features/plugins/admin/helpers.ts": {
     "no-restricted-syntax": {
       "count": 2

go.mod

@@ -87,7 +87,7 @@ require (
 	github.com/googleapis/gax-go/v2 v2.15.0 // @grafana/grafana-backend-group
 	github.com/gorilla/mux v1.8.1 // @grafana/grafana-backend-group
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // @grafana/grafana-app-platform-squad
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // @grafana/alerting-backend
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // @grafana/alerting-backend
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // @grafana/identity-access-team
 	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // @grafana/identity-access-team
 	github.com/grafana/dataplane/examples v0.0.1 // @grafana/observability-metrics

go.sum

@@ -1613,8 +1613,8 @@ github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7Fsg
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=

go.work.sum

@@ -526,6 +526,8 @@ github.com/campoy/embedmd v1.0.0 h1:V4kI2qTJJLf4J29RzI/MAt2c3Bl4dQSYPuflzwFH2hY=
 github.com/campoy/embedmd v1.0.0/go.mod h1:oxyr9RCiSXg0M3VJ3ks0UGfp98BpSSGr0kpiX3MzVl8=
 github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
+github.com/centrifugal/centrifuge v0.37.2/go.mod h1:aj4iRJGhzi3SlL8iUtVezxway1Xf8g+hmNQkLLO7sS8=
+github.com/centrifugal/protocol v0.16.2/go.mod h1:Q7OpS/8HMXDnL7f9DpNx24IhG96MP88WPpVTTCdrokI=
 github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d h1:77cEq6EriyTZ0g/qfRdp61a3Uu/AWrgIq2s0ClJV1g0=
 github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d/go.mod h1:8EPpVsBuRksnlj1mLy4AWzRNQYxauNi62uWcE3to6eA=
 github.com/chenzhuoyu/iasm v0.9.0 h1:9fhXjVzq5hUy2gkhhgHl95zG2cEAhw9OSGs8toWWAwo=
@@ -1369,6 +1371,7 @@ github.com/rabbitmq/amqp091-go v1.9.0 h1:qrQtyzB4H8BQgEuJwhmVQqVHB9O4+MNDJCCAcpc
 github.com/rabbitmq/amqp091-go v1.9.0/go.mod h1:+jPrT9iY2eLjRaMSRHUhc3z14E/l85kv/f+6luSD3pc=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/redis/rueidis v1.0.64/go.mod h1:Lkhr2QTgcoYBhxARU7kJRO8SyVlgUuEkcJO1Y8MCluA=
 github.com/relvacode/iso8601 v1.6.0 h1:eFXUhMJN3Gz8Rcq82f9DTMW0svjtAVuIEULglM7QHTU=
 github.com/relvacode/iso8601 v1.6.0/go.mod h1:FlNp+jz+TXpyRqgmM7tnzHHzBnz776kmAH2h3sZCn0I=
 github.com/richardartoul/molecule v1.0.0 h1:+LFA9cT7fn8KF39zy4dhOnwcOwRoqKiBkPqKqya+8+U=

packages/grafana-api-clients/src/clients/rtkq/legacy/endpoints.gen.ts

@@ -658,10 +658,6 @@ const injectedRtkApi = api
         query: (queryArg) => ({ url: `/dashboards/db`, method: 'POST', body: queryArg.saveDashboardCommand }),
         invalidatesTags: ['dashboards'],
       }),
-      getHomeDashboard: build.query<GetHomeDashboardApiResponse, GetHomeDashboardApiArg>({
-        query: () => ({ url: `/dashboards/home` }),
-        providesTags: ['dashboards'],
-      }),
       importDashboard: build.mutation<ImportDashboardApiResponse, ImportDashboardApiArg>({
         query: (queryArg) => ({ url: `/dashboards/import`, method: 'POST', body: queryArg.importDashboardRequest }),
         invalidatesTags: ['dashboards'],
@@ -2574,8 +2570,6 @@ export type PostDashboardApiResponse = /** status 200 (empty) */ {
 export type PostDashboardApiArg = {
   saveDashboardCommand: SaveDashboardCommand;
 };
-export type GetHomeDashboardApiResponse = /** status 200 (empty) */ GetHomeDashboardResponse;
-export type GetHomeDashboardApiArg = void;
 export type ImportDashboardApiResponse =
   /** status 200 (empty) */ ImportDashboardResponseResponseObjectReturnedWhenImportingADashboard;
 export type ImportDashboardApiArg = {
@@ -4399,51 +4393,6 @@ export type SaveDashboardCommand = {
   overwrite?: boolean;
   userId?: number;
 };
-export type AnnotationActions = {
-  canAdd?: boolean;
-  canDelete?: boolean;
-  canEdit?: boolean;
-};
-export type AnnotationPermission = {
-  dashboard?: AnnotationActions;
-  organization?: AnnotationActions;
-};
-export type DashboardMeta = {
-  annotationsPermissions?: AnnotationPermission;
-  apiVersion?: string;
-  canAdmin?: boolean;
-  canDelete?: boolean;
-  canEdit?: boolean;
-  canSave?: boolean;
-  canStar?: boolean;
-  created?: string;
-  createdBy?: string;
-  expires?: string;
-  /** Deprecated: use FolderUID instead */
-  folderId?: number;
-  folderTitle?: string;
-  folderUid?: string;
-  folderUrl?: string;
-  hasAcl?: boolean;
-  isFolder?: boolean;
-  isSnapshot?: boolean;
-  isStarred?: boolean;
-  provisioned?: boolean;
-  provisionedExternalId?: string;
-  publicDashboardEnabled?: boolean;
-  slug?: string;
-  type?: string;
-  updated?: string;
-  updatedBy?: string;
-  url?: string;
-  version?: number;
-};
-export type GetHomeDashboardResponse = {
-  dashboard?: Json;
-  meta?: DashboardMeta;
-} & {
-  redirectUri?: string;
-};
 export type ImportDashboardResponseResponseObjectReturnedWhenImportingADashboard = {
   dashboardId?: number;
   description?: string;
@@ -4535,6 +4484,45 @@ export type PublicDashboardDto = {
   timeSelectionEnabled?: boolean;
   uid?: string;
 };
+export type AnnotationActions = {
+  canAdd?: boolean;
+  canDelete?: boolean;
+  canEdit?: boolean;
+};
+export type AnnotationPermission = {
+  dashboard?: AnnotationActions;
+  organization?: AnnotationActions;
+};
+export type DashboardMeta = {
+  annotationsPermissions?: AnnotationPermission;
+  apiVersion?: string;
+  canAdmin?: boolean;
+  canDelete?: boolean;
+  canEdit?: boolean;
+  canSave?: boolean;
+  canStar?: boolean;
+  created?: string;
+  createdBy?: string;
+  expires?: string;
+  /** Deprecated: use FolderUID instead */
+  folderId?: number;
+  folderTitle?: string;
+  folderUid?: string;
+  folderUrl?: string;
+  hasAcl?: boolean;
+  isFolder?: boolean;
+  isSnapshot?: boolean;
+  isStarred?: boolean;
+  provisioned?: boolean;
+  provisionedExternalId?: string;
+  publicDashboardEnabled?: boolean;
+  slug?: string;
+  type?: string;
+  updated?: string;
+  updatedBy?: string;
+  url?: string;
+  version?: number;
+};
 export type DashboardFullWithMeta = {
   dashboard?: Json;
   meta?: DashboardMeta;
@@ -6619,8 +6607,6 @@ export const {
   useSearchDashboardSnapshotsQuery,
   useLazySearchDashboardSnapshotsQuery,
   usePostDashboardMutation,
-  useGetHomeDashboardQuery,
-  useLazyGetHomeDashboardQuery,
   useImportDashboardMutation,
   useInterpolateDashboardMutation,
   useListPublicDashboardsQuery,

packages/grafana-data/src/types/featureToggles.gen.ts

@@ -1185,10 +1185,20 @@ export interface FeatureToggles {
   */
   onlyStoreActionSets?: boolean;
   /**
+  * Show insights for plugins in the plugin details page
+  * @default false
+  */
+  pluginInsights?: boolean;
+  /**
   * Enables a new panel time settings drawer
   */
   panelTimeSettings?: boolean;
   /**
+  * Enables the raw DSL query editor in the Elasticsearch data source
+  * @default false
+  */
+  elasticsearchRawDSLQuery?: boolean;
+  /**
   * Enables app platform API for annotations
   * @default false
   */

packages/grafana-data/src/types/logs.ts

@@ -273,7 +273,7 @@ export interface DataSourceWithSupplementaryQueriesSupport<TQuery extends DataQu
   /**
    * Returns supplementary query types that data source supports.
    */
-  getSupportedSupplementaryQueryTypes(): SupplementaryQueryType[];
+  getSupportedSupplementaryQueryTypes(dsRequest?: DataQueryRequest<DataQuery>): SupplementaryQueryType[];
   /**
    * Returns a supplementary query to be used to fetch supplementary data based on the provided type and original query.
    * If the provided query is not suitable for the provided supplementary query type, undefined should be returned.
@@ -283,7 +283,8 @@ export interface DataSourceWithSupplementaryQueriesSupport<TQuery extends DataQu
 
 export const hasSupplementaryQuerySupport = <TQuery extends DataQuery>(
   datasource: DataSourceApi | (DataSourceApi & DataSourceWithSupplementaryQueriesSupport<TQuery>),
-  type: SupplementaryQueryType
+  type: SupplementaryQueryType,
+  dsRequest?: DataQueryRequest<DataQuery>
 ): datasource is DataSourceApi & DataSourceWithSupplementaryQueriesSupport<TQuery> => {
   if (!datasource) {
     return false;
@@ -293,7 +294,7 @@ export const hasSupplementaryQuerySupport = <TQuery extends DataQuery>(
     ('getDataProvider' in datasource || 'getSupplementaryRequest' in datasource) &&
     'getSupplementaryQuery' in datasource &&
     'getSupportedSupplementaryQueryTypes' in datasource &&
-    datasource.getSupportedSupplementaryQueryTypes().includes(type)
+    datasource.getSupportedSupplementaryQueryTypes(dsRequest).includes(type)
   );
 };
 

packages/grafana-e2e-selectors/src/selectors/components.ts

@@ -499,6 +499,9 @@ export const versionedComponents = {
         },
       },
       TableNG: {
+        RowExpander: {
+          '12.4.0': 'data-testid tableng row expander',
+        },
         Filters: {
           HeaderButton: {
             '12.1.0': 'data-testid tableng header filter',

packages/grafana-o11y-ds-frontend/src/TraceToMetrics/TraceToMetricsSettings.tsx

@@ -35,6 +35,10 @@ export interface TraceToMetricsData extends DataSourceJsonData {
 interface Props extends DataSourcePluginOptionsEditorProps<TraceToMetricsData> {}
 
 export function TraceToMetricsSettings({ options, onOptionsChange }: Props) {
+  const supportedDataSourceTypes = [
+    'prometheus',
+    'victoriametrics-metrics-datasource', // external
+  ];
   const styles = useStyles2(getStyles);
 
   return (
@@ -47,10 +51,10 @@ export function TraceToMetricsSettings({ options, onOptionsChange }: Props) {
         >
           <DataSourcePicker
             inputId="trace-to-metrics-data-source-picker"
-            pluginId="prometheus"
             current={options.jsonData.tracesToMetrics?.datasourceUid}
             noDefault={true}
             width={40}
+            filter={(ds) => supportedDataSourceTypes.includes(ds.type)}
             onChange={(ds: DataSourceInstanceSettings) =>
               updateDatasourcePluginJsonDataOption({ onOptionsChange, options }, 'tracesToMetrics', {
                 ...options.jsonData.tracesToMetrics,

packages/grafana-schema/src/raw/composable/elasticsearch/dataquery/x/ElasticsearchDataQuery_types.gen.ts

@@ -387,6 +387,10 @@ export interface ElasticsearchDataQuery extends common.DataQuery {
    * List of bucket aggregations
    */
   bucketAggs?: Array<BucketAggregation>;
+  /**
+   * Editor type
+   */
+  editorType?: string;
   /**
    * List of metric aggregations
    */
@@ -395,6 +399,10 @@ export interface ElasticsearchDataQuery extends common.DataQuery {
    * Lucene query
    */
   query?: string;
+  /**
+   * Raw DSL query
+   */
+  rawDSLQuery?: string;
   /**
    * Name of time field
    */

packages/grafana-test-utils/src/fixtures/folders.ts

@@ -1,6 +1,6 @@
 import { Chance } from 'chance';
 
-import { DashboardsTreeItem, DashboardViewItem, UIDashboardViewItem } from '../types/browse-dashboards';
+import { DashboardsTreeItem, DashboardViewItem, ManagerKind, UIDashboardViewItem } from '../types/browse-dashboards';
 
 function wellFormedEmptyFolder(
   seed = 1,
@@ -64,13 +64,14 @@ function wellFormedFolder(
 }
 
 export function treeViewersCanEdit() {
-  const [, { folderA, folderC }] = wellFormedTree();
+  const [, { folderA, folderC, folderD }] = wellFormedTree();
 
   return [
-    [folderA, folderC],
+    [folderA, folderC, folderD],
     {
       folderA,
       folderC,
+      folderD,
     },
   ] as const;
 }
@@ -90,6 +91,8 @@ export function wellFormedTree() {
   const folderB = wellFormedFolder(seed++);
   const folderB_empty = wellFormedEmptyFolder(seed++);
   const folderC = wellFormedFolder(seed++);
+  // folderD is marked as managed by repo (git-synced) for testing disabled folder behavior
+  const folderD = wellFormedFolder(seed++, {}, { managedBy: ManagerKind.Repo });
   const dashbdD = wellFormedDashboard(seed++);
   const dashbdE = wellFormedDashboard(seed++);
 
@@ -107,6 +110,7 @@ export function wellFormedTree() {
       folderB,
       folderB_empty,
       folderC,
+      folderD,
       dashbdD,
       dashbdE,
     ],
@@ -123,6 +127,7 @@ export function wellFormedTree() {
       folderB,
       folderB_empty,
       folderC,
+      folderD,
       dashbdD,
       dashbdE,
     },

packages/grafana-test-utils/src/handlers/api/folders/handlers.ts

@@ -4,6 +4,7 @@ import { HttpResponse, http } from 'msw';
 import { treeViewersCanEdit, wellFormedTree } from '../../../fixtures/folders';
 
 const [mockTree, { folderB }] = wellFormedTree();
+// folderD is included in mockTree and will be returned by the handlers with managedBy: 'repo'
 const [mockTreeThatViewersCanEdit] = treeViewersCanEdit();
 const collator = new Intl.Collator();
 
@@ -48,6 +49,7 @@ const listFoldersHandler = () =>
           id: random.integer({ min: 1, max: 1000 }),
           uid: folder.item.uid,
           title: folder.item.kind === 'folder' ? folder.item.title : "invalid - this shouldn't happen",
+          ...('managedBy' in folder.item && folder.item.managedBy ? { managedBy: folder.item.managedBy } : {}),
         };
       })
       .sort((a, b) => collator.compare(a.title, b.title)) // API always sorts by title
@@ -76,6 +78,7 @@ const getFolderHandler = () =>
       uid: folder?.item.uid,
       ...additionalProperties,
       ...(accessControlQueryParam ? { accessControl: mockAccessControl } : {}),
+      ...('managedBy' in folder.item && folder.item.managedBy ? { managedBy: folder.item.managedBy } : {}),
     });
   });
 

packages/grafana-test-utils/src/handlers/apis/folder.grafana.app/v1beta1/handlers.ts

@@ -5,6 +5,7 @@ import { wellFormedTree } from '../../../../fixtures/folders';
 import { getErrorResponse } from '../../../helpers';
 
 const [mockTree, { folderB }] = wellFormedTree();
+// folderD is included in mockTree and will be returned by the handlers with managedBy: 'repo'
 
 const baseResponse = {
   kind: 'Folder',
@@ -24,7 +25,7 @@ const folderToAppPlatform = (folder: (typeof mockTree)[number]['item'], id?: num
         // TODO: Generalise annotations in fixture data
         'grafana.app/createdBy': 'user:1',
         'grafana.app/updatedBy': 'user:2',
-        'grafana.app/managedBy': 'user',
+        'grafana.app/managedBy': 'managedBy' in folder ? folder.managedBy : 'user',
         'grafana.app/updatedTimestamp': '2024-01-01T00:00:00Z',
         'grafana.app/folder': folder.kind === 'folder' ? folder.parentUID : undefined,
       },

packages/grafana-test-utils/src/types/browse-dashboards.ts

@@ -3,7 +3,7 @@
 // @grafana/schema?
 // New package @grafana/core? @grafana/types?
 
-enum ManagerKind {
+export enum ManagerKind {
   Repo = 'repo',
   Terraform = 'terraform',
   Kubectl = 'kubectl',

packages/grafana-ui/src/components/Dropdown/Dropdown.tsx

@@ -97,7 +97,13 @@ export const Dropdown = React.memo(({ children, overlay, placement, offset, root
               see https://github.com/jsx-eslint/eslint-plugin-jsx-a11y/blob/main/docs/rules/no-static-element-interactions.md#case-the-event-handler-is-only-being-used-to-capture-bubbled-events
             */}
             {/* eslint-disable-next-line jsx-a11y/no-static-element-interactions, jsx-a11y/click-events-have-key-events */}
-            <div ref={refs.setFloating} style={floatingStyles} onClick={onOverlayClicked} onKeyDown={handleKeys}>
+            <div
+              ref={refs.setFloating}
+              style={floatingStyles}
+              onClick={onOverlayClicked}
+              onKeyDown={handleKeys}
+              {...getFloatingProps()}
+            >
               <CSSTransition
                 nodeRef={transitionRef}
                 appear={true}

packages/grafana-ui/src/components/PanelChrome/HoverWidget.tsx

@@ -16,17 +16,22 @@ interface Props {
   title?: string;
   offset?: number;
   dragClass?: string;
+  onDragStart?: (event: React.PointerEvent<HTMLDivElement>) => void;
   onOpenMenu?: () => void;
 }
 
-export function HoverWidget({ menu, title, dragClass, children, offset = -32, onOpenMenu }: Props) {
+export function HoverWidget({ menu, title, dragClass, children, offset = -32, onOpenMenu, onDragStart }: Props) {
   const styles = useStyles2(getStyles);
   const draggableRef = useRef<HTMLDivElement>(null);
   const selectors = e2eSelectors.components.Panels.Panel.HoverWidget;
   // Capture the pointer to keep the widget visible while dragging
-  const onPointerDown = useCallback((e: React.PointerEvent<HTMLDivElement>) => {
-    draggableRef.current?.setPointerCapture(e.pointerId);
-  }, []);
+  const onPointerDown = useCallback(
+    (e: React.PointerEvent<HTMLDivElement>) => {
+      draggableRef.current?.setPointerCapture(e.pointerId);
+      onDragStart?.(e);
+    },
+    [onDragStart]
+  );
 
   const onPointerUp = useCallback((e: React.PointerEvent<HTMLDivElement>) => {
     draggableRef.current?.releasePointerCapture(e.pointerId);

packages/grafana-ui/src/components/PanelChrome/PanelChrome.tsx

@@ -384,6 +384,7 @@ export function PanelChrome({
                 menu={menu}
                 title={typeof title === 'string' ? title : undefined}
                 dragClass={dragClass}
+                onDragStart={onDragStart}
                 offset={hoverHeaderOffset}
                 onOpenMenu={onOpenMenu}
               >

packages/grafana-ui/src/components/Table/TableNG/TableNG.tsx

@@ -154,8 +154,18 @@ export function TableNG(props: TableNGProps) {
 
   const resizeHandler = useColumnResize(onColumnResize);
 
-  const rows = useMemo(() => frameToRecords(data), [data]);
   const hasNestedFrames = useMemo(() => getIsNestedTable(data.fields), [data]);
+  const nestedFramesFieldName = useMemo(() => {
+    if (!hasNestedFrames) {
+      return;
+    }
+    const firstNestedField = data.fields.find((f) => f.type === FieldType.nestedFrames);
+    if (!firstNestedField) {
+      return;
+    }
+    return getDisplayName(firstNestedField);
+  }, [data, hasNestedFrames]);
+  const rows = useMemo(() => frameToRecords(data, nestedFramesFieldName), [data, nestedFramesFieldName]);
   const getTextColorForBackground = useMemo(() => memoize(_getTextColorForBackground, { maxSize: 1000 }), []);
 
   const {
@@ -374,7 +384,11 @@ export function TableNG(props: TableNGProps) {
           return null;
         }
 
-        const expandedRecords = applySort(frameToRecords(nestedData), nestedData.fields, sortColumns);
+        const expandedRecords = applySort(
+          frameToRecords(nestedData, nestedFramesFieldName),
+          nestedData.fields,
+          sortColumns
+        );
         if (!expandedRecords.length) {
           return (
             <div className={styles.noDataNested}>
@@ -398,7 +412,7 @@ export function TableNG(props: TableNGProps) {
       width: COLUMN.EXPANDER_WIDTH,
       minWidth: COLUMN.EXPANDER_WIDTH,
     }),
-    [commonDataGridProps, data.fields.length, expandedRows, sortColumns, styles]
+    [commonDataGridProps, data.fields.length, expandedRows, sortColumns, styles, nestedFramesFieldName]
   );
 
   const fromFields = useCallback(

packages/grafana-ui/src/components/Table/TableNG/components/RowExpander.tsx

@@ -1,6 +1,7 @@
 import { css } from '@emotion/css';
 
 import { GrafanaTheme2 } from '@grafana/data';
+import { selectors } from '@grafana/e2e-selectors';
 import { t } from '@grafana/i18n';
 
 import { useStyles2 } from '../../../../themes/ThemeContext';
@@ -16,13 +17,21 @@ export function RowExpander({ onCellExpand, isExpanded }: RowExpanderNGProps) {
     }
   }
   return (
-    <div role="button" tabIndex={0} className={styles.expanderCell} onClick={onCellExpand} onKeyDown={handleKeyDown}>
+    <div
+      role="button"
+      tabIndex={0}
+      className={styles.expanderCell}
+      onClick={onCellExpand}
+      onKeyDown={handleKeyDown}
+      data-testid={selectors.components.Panels.Visualization.TableNG.RowExpander}
+    >
       <Icon
         aria-label={
           isExpanded
             ? t('grafana-ui.row-expander-ng.aria-label-collapse', 'Collapse row')
             : t('grafana-ui.row-expander.aria-label-expand', 'Expand row')
         }
+        aria-expanded={isExpanded}
         name={isExpanded ? 'angle-down' : 'angle-right'}
         size="lg"
       />

packages/grafana-ui/src/components/Table/TableNG/types.ts

@@ -79,7 +79,6 @@ export interface TableRow {
 
   // Nested table properties
   data?: DataFrame;
-  __nestedFrames?: DataFrame[];
   __expanded?: boolean; // For row expansion state
 
   // Generic typing for column values
@@ -262,7 +261,7 @@ export type TableCellStyles = (theme: GrafanaTheme2, options: TableCellStyleOpti
 export type Comparator = (a: TableCellValue, b: TableCellValue) => number;
 
 // Type for converting a DataFrame into an array of TableRows
-export type FrameToRowsConverter = (frame: DataFrame) => TableRow[];
+export type FrameToRowsConverter = (frame: DataFrame, nestedFramesFieldName?: string) => TableRow[];
 
 // Type for mapping column names to their field types
 export type ColumnTypes = Record<string, FieldType>;

packages/grafana-ui/src/components/Table/TableNG/utils.ts

@@ -675,10 +675,12 @@ export function applySort(
 /**
  * @internal
  */
-export const frameToRecords = (frame: DataFrame): TableRow[] => {
+export const frameToRecords = (frame: DataFrame, nestedFramesFieldName?: string): TableRow[] => {
   const fnBody = `
     const rows = Array(frame.length);
     const values = frame.fields.map(f => f.values);
+    const hasNestedFrames = '${nestedFramesFieldName ?? ''}'.length > 0;
+
     let rowCount = 0;
     for (let i = 0; i < frame.length; i++) {
       rows[rowCount] = {
@@ -686,11 +688,14 @@ export const frameToRecords = (frame: DataFrame): TableRow[] => {
         __index: i,
         ${frame.fields.map((field, fieldIdx) => `${JSON.stringify(getDisplayName(field))}: values[${fieldIdx}][i]`).join(',')}
       };
-      rowCount += 1;
-      if (rows[rowCount-1]['__nestedFrames']){
-        const childFrame = rows[rowCount-1]['__nestedFrames'];
-        rows[rowCount] = {__depth: 1, __index: i, data: childFrame[0]}
-        rowCount += 1;
+      rowCount++;
+
+      if (hasNestedFrames) {
+        const childFrame = rows[rowCount-1][${JSON.stringify(nestedFramesFieldName)}];
+        if (childFrame){
+          rows[rowCount] = {__depth: 1, __index: i, data: childFrame[0]}
+          rowCount++;
+        }
       }
     }
     return rows;
@@ -698,8 +703,9 @@ export const frameToRecords = (frame: DataFrame): TableRow[] => {
 
   // Creates a function that converts a DataFrame into an array of TableRows
   // Uses new Function() for performance as it's faster than creating rows using loops
-  const convert = new Function('frame', fnBody) as FrameToRowsConverter;
-  return convert(frame);
+  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  const convert = new Function('frame', 'nestedFramesFieldName', fnBody) as FrameToRowsConverter;
+  return convert(frame, nestedFramesFieldName);
 };
 
 /* ----------------------------- Data grid comparator ---------------------------- */

pkg/api/dashboard.go

@@ -493,7 +493,9 @@ func (hs *HTTPServer) postDashboard(c *contextmodel.ReqContext, cmd dashboards.S
 
 // swagger:route GET /dashboards/home dashboards getHomeDashboard
 //
-// Get home dashboard.
+// NOTE: the home dashboard is configured in preferences.  This API will be removed in G13
+//
+// Deprecated: true
 //
 // Responses:
 // 200: getHomeDashboardResponse

pkg/api/dashboard_test.go

@@ -112,17 +112,15 @@ func TestGetHomeDashboard(t *testing.T) {
 }
 
 func newTestLive(t *testing.T) *live.GrafanaLive {
-	features := featuremgmt.WithFeatures()
 	cfg := setting.NewCfg()
 	cfg.AppURL = "http://localhost:3000/"
-	gLive, err := live.ProvideService(nil, cfg,
+	gLive, err := live.ProvideService(cfg,
 		routing.NewRouteRegister(),
 		nil, nil, nil, nil,
-		nil,
 		&usagestats.UsageStatsMock{T: t},
-		features, acimpl.ProvideAccessControl(features),
-		&dashboards.FakeDashboardService{},
-		nil, nil)
+		featuremgmt.WithFeatures(),
+		&dashboards.FakeDashboardService{}, nil)
+
 	require.NoError(t, err)
 	return gLive
 }

pkg/api/http_server.go

@@ -638,7 +638,7 @@ func (hs *HTTPServer) addMiddlewaresAndStaticRoutes() {
 	m := hs.web
 
 	m.Use(requestmeta.SetupRequestMetadata())
-	m.Use(middleware.RequestTracing(hs.tracer, middleware.SkipTracingPaths))
+	m.Use(middleware.RequestTracing(hs.tracer, middleware.ShouldTraceWithExceptions))
 	m.Use(middleware.RequestMetrics(hs.Features, hs.Cfg, hs.promRegister))
 
 	m.UseMiddleware(hs.LoggerMiddleware.Middleware())

pkg/api/org_users.go

@@ -294,6 +294,7 @@ func (hs *HTTPServer) SearchOrgUsersWithPaging(c *contextmodel.ReqContext) respo
 }
 
 func (hs *HTTPServer) searchOrgUsersHelper(c *contextmodel.ReqContext, query *org.SearchOrgUsersQuery) (*org.SearchOrgUsersQueryResult, error) {
+	query.ExcludeHiddenUsers = true
 	result, err := hs.orgService.SearchOrgUsers(c.Req.Context(), query)
 	if err != nil {
 		return nil, err
@@ -303,9 +304,6 @@ func (hs *HTTPServer) searchOrgUsersHelper(c *contextmodel.ReqContext, query *or
 	userIDs := map[string]bool{}
 	authLabelsUserIDs := make([]int64, 0, len(result.OrgUsers))
 	for _, user := range result.OrgUsers {
-		if dtos.IsHiddenUser(user.Login, c.SignedInUser, hs.Cfg) {
-			continue
-		}
 		user.AvatarURL = dtos.GetGravatarUrl(hs.Cfg, user.Email)
 
 		userIDs[fmt.Sprint(user.UserID)] = true

pkg/api/org_users_test.go

@@ -171,11 +171,16 @@ func TestIntegrationOrgUsersAPIEndpoint_userLoggedIn(t *testing.T) {
 			orgService.ExpectedSearchOrgUsersResult = &org.SearchOrgUsersQueryResult{
 				OrgUsers: []*org.OrgUserDTO{
 					{Login: testUserLogin, Email: "testUser@grafana.com"},
-					{Login: "user1", Email: "user1@grafana.com"},
 					{Login: "user2", Email: "user2@grafana.com"},
 				},
 			}
 
+			orgService.SearchOrgUsersFn = func(ctx context.Context, query *org.SearchOrgUsersQuery) (*org.SearchOrgUsersQueryResult, error) {
+				require.True(t, query.ExcludeHiddenUsers)
+				return orgService.ExpectedSearchOrgUsersResult, nil
+			}
+			defer func() { orgService.SearchOrgUsersFn = nil }()
+
 			sc.handlerFunc = hs.GetOrgUsersForCurrentOrg
 			sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
 
@@ -191,6 +196,18 @@ func TestIntegrationOrgUsersAPIEndpoint_userLoggedIn(t *testing.T) {
 
 		loggedInUserScenarioWithRole(t, "When calling GET as an admin on", "GET", "api/org/users/lookup",
 			"api/org/users/lookup", org.RoleAdmin, func(sc *scenarioContext) {
+				orgService.ExpectedSearchOrgUsersResult = &org.SearchOrgUsersQueryResult{
+					OrgUsers: []*org.OrgUserDTO{
+						{Login: testUserLogin, Email: "testUser@grafana.com"},
+						{Login: "user2", Email: "user2@grafana.com"},
+					},
+				}
+				orgService.SearchOrgUsersFn = func(ctx context.Context, query *org.SearchOrgUsersQuery) (*org.SearchOrgUsersQueryResult, error) {
+					require.True(t, query.ExcludeHiddenUsers)
+					return orgService.ExpectedSearchOrgUsersResult, nil
+				}
+				defer func() { orgService.SearchOrgUsersFn = nil }()
+
 				sc.handlerFunc = hs.GetOrgUsersForCurrentOrgLookup
 				sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
 

pkg/apimachinery/identity/context.go

@@ -162,6 +162,7 @@ var serviceIdentityTokenPermissions = []string{
 	"collections.grafana.app:*", // user stars
 	"plugins.grafana.app:*",
 	"historian.alerting.grafana.app:*",
+	"advisor.grafana.app:*",
 
 	// Secrets Manager uses a custom verb for secret decryption, and its authorizer does not allow wildcard permissions.
 	"secret.grafana.app/securevalues:decrypt",

pkg/apis/query/v0alpha1/query.go

@@ -10,6 +10,9 @@ import (
 	"github.com/grafana/grafana/pkg/expr"
 )
 
+// Get results as raw protobuf
+const PROTOBUF_CONTENT_TYPE = "application/vnd.grafana.pluginv2.QueryDataResponse"
+
 // Generic query request with shared time across all values
 // Copied from: https://github.com/grafana/grafana/blob/main/pkg/api/dtos/models.go#L62
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

pkg/apiserver/auditing/noop.go

@@ -19,11 +19,18 @@ func (NoopBackend) Shutdown() {}
 
 func (NoopBackend) String() string { return "" }
 
+// NoopPolicyRuleProvider is a no-op implementation of PolicyRuleProvider
+type NoopPolicyRuleProvider struct{}
+
+func ProvideNoopPolicyRuleProvider() PolicyRuleProvider { return &NoopPolicyRuleProvider{} }
+
+func (NoopPolicyRuleProvider) PolicyRuleProvider(PolicyRuleEvaluators) audit.PolicyRuleEvaluator {
+	return NoopPolicyRuleEvaluator{}
+}
+
 // NoopPolicyRuleEvaluator is a no-op implementation of audit.PolicyRuleEvaluator
 type NoopPolicyRuleEvaluator struct{}
 
-func ProvideNoopPolicyRuleEvaluator() audit.PolicyRuleEvaluator { return &NoopPolicyRuleEvaluator{} }
-
 func (NoopPolicyRuleEvaluator) EvaluatePolicyRule(authorizer.Attributes) audit.RequestAuditConfig {
 	return audit.RequestAuditConfig{Level: auditinternal.LevelNone}
 }

pkg/apiserver/auditing/policy.go

@@ -0,0 +1,59 @@
+package auditing
+
+import (
+	"slices"
+
+	"github.com/grafana/grafana/pkg/apimachinery/utils"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	auditinternal "k8s.io/apiserver/pkg/apis/audit"
+	"k8s.io/apiserver/pkg/audit"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+// PolicyRuleEvaluators is a map of API group+version to audit.PolicyRuleEvaluator
+type PolicyRuleEvaluators = map[schema.GroupVersion]audit.PolicyRuleEvaluator
+
+type PolicyRuleProvider interface {
+	PolicyRuleProvider(evaluators PolicyRuleEvaluators) audit.PolicyRuleEvaluator
+}
+
+// PolicyRuleEvaluator alias for easier imports.
+type PolicyRuleEvaluator = audit.PolicyRuleEvaluator
+
+// DefaultGrafanaPolicyRuleEvaluator provides a sane default configuration for audit logging for API group+versions.
+type defaultGrafanaPolicyRuleEvaluator struct{}
+
+var _ PolicyRuleEvaluator = &defaultGrafanaPolicyRuleEvaluator{}
+
+func NewDefaultGrafanaPolicyRuleEvaluator() audit.PolicyRuleEvaluator {
+	return defaultGrafanaPolicyRuleEvaluator{}
+}
+
+func (defaultGrafanaPolicyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfig {
+	// Skip non-resource and watch requests otherwise it is too noisy.
+	if !attrs.IsResourceRequest() || attrs.GetVerb() == utils.VerbWatch {
+		return audit.RequestAuditConfig{
+			Level: auditinternal.LevelNone,
+		}
+	}
+
+	// Skip auditing if the user is part of the privileged group.
+	// The loopback client uses this group, so requests initiated in `/api/` would be duplicated.
+	if u := attrs.GetUser(); u != nil && slices.Contains(u.GetGroups(), user.SystemPrivilegedGroup) {
+		return audit.RequestAuditConfig{
+			Level: auditinternal.LevelNone,
+		}
+	}
+
+	return audit.RequestAuditConfig{
+		Level: auditinternal.LevelMetadata,
+		OmitStages: []auditinternal.Stage{
+			// Only log on StageResponseComplete
+			auditinternal.StageRequestReceived,
+			auditinternal.StageResponseStarted,
+			auditinternal.StagePanic,
+		},
+		OmitManagedFields: false, // Setting it to true causes extra copying/unmarshalling.
+	}
+}

pkg/apiserver/auditing/policy_test.go

@@ -0,0 +1,73 @@
+package auditing_test
+
+import (
+	"testing"
+
+	"github.com/grafana/grafana/pkg/apimachinery/utils"
+	"github.com/grafana/grafana/pkg/apiserver/auditing"
+	"github.com/stretchr/testify/require"
+	auditinternal "k8s.io/apiserver/pkg/apis/audit"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+func TestDefaultGrafanaPolicyRuleEvaluator(t *testing.T) {
+	t.Parallel()
+
+	evaluator := auditing.NewDefaultGrafanaPolicyRuleEvaluator()
+	require.NotNil(t, evaluator)
+
+	t.Run("returns audit level none for non-resource requests", func(t *testing.T) {
+		t.Parallel()
+
+		attrs := authorizer.AttributesRecord{
+			ResourceRequest: false,
+		}
+
+		config := evaluator.EvaluatePolicyRule(attrs)
+		require.Equal(t, auditinternal.LevelNone, config.Level)
+	})
+
+	t.Run("returns audit level none for watch requests", func(t *testing.T) {
+		t.Parallel()
+
+		attrs := authorizer.AttributesRecord{
+			ResourceRequest: true,
+			Verb:            utils.VerbWatch,
+		}
+
+		config := evaluator.EvaluatePolicyRule(attrs)
+		require.Equal(t, auditinternal.LevelNone, config.Level)
+	})
+
+	t.Run("returns audit level none for requests from privileged group", func(t *testing.T) {
+		t.Parallel()
+
+		attrs := authorizer.AttributesRecord{
+			ResourceRequest: true,
+			Verb:            utils.VerbCreate,
+			User: &user.DefaultInfo{
+				Groups: []string{"test-group", user.SystemPrivilegedGroup},
+			},
+		}
+
+		config := evaluator.EvaluatePolicyRule(attrs)
+		require.Equal(t, auditinternal.LevelNone, config.Level)
+	})
+
+	t.Run("return audit level metadata for other resource requests", func(t *testing.T) {
+		t.Parallel()
+
+		attrs := authorizer.AttributesRecord{
+			ResourceRequest: true,
+			Verb:            utils.VerbCreate,
+			User: &user.DefaultInfo{
+				Name:   "test-user",
+				Groups: []string{"test-group"},
+			},
+		}
+
+		config := evaluator.EvaluatePolicyRule(attrs)
+		require.Equal(t, auditinternal.LevelMetadata, config.Level)
+	})
+}

pkg/middleware/request_tracing.go

@@ -73,16 +73,20 @@ func RouteOperationName(req *http.Request) (string, bool) {
 	return "", false
 }
 
-// Paths that don't need tracing spans applied to them because of the
-// little value that would provide us
-func SkipTracingPaths(req *http.Request) bool {
-	return strings.HasPrefix(req.URL.Path, "/public/") ||
+func ShouldTraceWithExceptions(req *http.Request) bool {
+	// Paths that don't need tracing spans applied to them because of the
+	// little value that would provide us
+	if strings.HasPrefix(req.URL.Path, "/public/") ||
 		req.URL.Path == "/robots.txt" ||
 		req.URL.Path == "/favicon.ico" ||
-		req.URL.Path == "/api/health"
+		req.URL.Path == "/api/health" {
+		return false
+	}
+
+	return true
 }
 
-func TraceAllPaths(req *http.Request) bool {
+func ShouldTraceAllPaths(req *http.Request) bool {
 	return true
 }
 

pkg/registry/apis/dashboard/register.go

@@ -222,7 +222,7 @@ func RegisterAPIService(
 	return builder
 }
 
-func NewAPIService(ac authlib.AccessClient, features featuremgmt.FeatureToggles, folderClientProvider client.K8sHandlerProvider, datasourceProvider schemaversion.DataSourceIndexProvider, libraryElementProvider schemaversion.LibraryElementIndexProvider, resourcePermissionsSvc *dynamic.NamespaceableResourceInterface) *DashboardsAPIBuilder {
+func NewAPIService(ac authlib.AccessClient, features featuremgmt.FeatureToggles, folderClientProvider client.K8sHandlerProvider, datasourceProvider schemaversion.DataSourceIndexProvider, libraryElementProvider schemaversion.LibraryElementIndexProvider, resourcePermissionsSvc *dynamic.NamespaceableResourceInterface, search *SearchHandler) *DashboardsAPIBuilder {
 	migration.Initialize(datasourceProvider, libraryElementProvider, migration.DefaultCacheTTL)
 	return &DashboardsAPIBuilder{
 		minRefreshInterval:     "10s",
@@ -231,6 +231,7 @@ func NewAPIService(ac authlib.AccessClient, features featuremgmt.FeatureToggles,
 		dashboardService:       &dashsvc.DashboardServiceImpl{}, // for validation helpers only
 		folderClientProvider:   folderClientProvider,
 		resourcePermissionsSvc: resourcePermissionsSvc,
+		search:                 search,
 		isStandalone:           true,
 	}
 }

pkg/registry/apis/datasource/sub_query.go

@@ -6,15 +6,16 @@ import (
 	"fmt"
 	"net/http"
 
+	"google.golang.org/protobuf/proto"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/registry/rest"
 
+	"github.com/grafana/grafana-app-sdk/logging"
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	data "github.com/grafana/grafana-plugin-sdk-go/experimental/apis/data/v0alpha1"
 	"github.com/grafana/grafana/pkg/apimachinery/errutil"
 	query "github.com/grafana/grafana/pkg/apis/query/v0alpha1"
 	"github.com/grafana/grafana/pkg/services/datasources"
-
 	"github.com/grafana/grafana/pkg/web"
 )
 
@@ -93,26 +94,49 @@ func (r *subQueryREST) Connect(ctx context.Context, name string, opts runtime.Ob
 			Headers:       map[string]string{},
 		})
 
+		code := query.GetResponseCode(rsp)
+
 		// all errors get converted into k8 errors when sent in responder.Error and lose important context like downstream info
 		var e errutil.Error
 		if errors.As(err, &e) && e.Source == errutil.SourceDownstream {
-			responder.Object(int(backend.StatusBadRequest),
-				&query.QueryDataResponse{QueryDataResponse: backend.QueryDataResponse{Responses: map[string]backend.DataResponse{
-					"A": {
-						Error:       errors.New(e.LogMessage),
-						ErrorSource: backend.ErrorSourceDownstream,
-						Status:      backend.StatusBadRequest,
-					},
-				}}},
-			)
-			return
+			err = nil
+			rsp = &backend.QueryDataResponse{Responses: map[string]backend.DataResponse{
+				"A": {
+					Error:       errors.New(e.LogMessage),
+					ErrorSource: backend.ErrorSourceDownstream,
+					Status:      backend.StatusBadRequest,
+				},
+			}}
 		}
-
 		if err != nil {
 			responder.Error(err)
 			return
 		}
-		responder.Object(query.GetResponseCode(rsp),
+
+		// Respond with raw protobuf when requested
+		for _, accept := range req.Header.Values("Accept") {
+			if accept == query.PROTOBUF_CONTENT_TYPE { // pluginv2.QueryDataResponse
+				p, err := backend.ToProto().QueryDataResponse(rsp)
+				if err != nil {
+					responder.Error(err)
+					return
+				}
+				data, err := proto.Marshal(p)
+				if err != nil {
+					responder.Error(err)
+					return
+				}
+				w.Header().Add("Content-Type", query.PROTOBUF_CONTENT_TYPE)
+				w.WriteHeader(code)
+				_, err = w.Write(data)
+				if err != nil {
+					logging.FromContext(ctx).Warn("unable to write protobuf result", "err", err)
+				}
+				return
+			}
+		}
+
+		responder.Object(code,
 			&query.QueryDataResponse{QueryDataResponse: *rsp},
 		)
 	}), nil

pkg/registry/apis/iam/authorizer/resource_permissions.go

@@ -40,7 +40,7 @@ func NewResourcePermissionsAuthorizer(
 	return &ResourcePermissionsAuthorizer{
 		accessClient:   accessClient,
 		parentProvider: parentProvider,
-		logger:         log.New("iam.resource-permissions-authorizer"),
+		logger:         log.New("iam.authorizer.resource-permissions"),
 	}
 }
 
@@ -216,8 +216,7 @@ func (r *ResourcePermissionsAuthorizer) FilterList(ctx context.Context, list run
 					// Skip item on error fetching parent
 					r.logger.Warn("filter list: error fetching parent, skipping item",
 						"error", err.Error(),
-						"namespace",
-						item.Namespace,
+						"namespace", item.Namespace,
 						"group", target.ApiGroup,
 						"resource", target.Resource,
 						"name", target.Name,

pkg/registry/apis/iam/register.go

@@ -21,6 +21,7 @@ import (
 	"k8s.io/kube-openapi/pkg/spec3"
 	"k8s.io/kube-openapi/pkg/validation/spec"
 
+	"github.com/grafana/authlib/authn"
 	"github.com/grafana/authlib/types"
 
 	iamv0 "github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1"
@@ -142,6 +143,8 @@ func NewAPIService(
 	features featuremgmt.FeatureToggles,
 	zClient zanzana.Client,
 	reg prometheus.Registerer,
+	tokenExchanger authn.TokenExchanger,
+	authorizerDialConfigs map[schema.GroupResource]iamauthorizer.DialConfig,
 ) *IdentityAccessManagementAPIBuilder {
 	store := legacy.NewLegacySQLStores(dbProvider)
 	resourcePermissionsStorage := resourcepermission.ProvideStorageBackend(dbProvider)
@@ -150,9 +153,8 @@ func NewAPIService(
 	resourceAuthorizer := gfauthorizer.NewResourceAuthorizer(accessClient)
 	coreRoleAuthorizer := iamauthorizer.NewCoreRoleAuthorizer(accessClient)
 
-	// TODO: in a follow up PR, make this configurable
 	resourceParentProvider := iamauthorizer.NewApiParentProvider(
-		iamauthorizer.NewRemoteConfigProvider(map[schema.GroupResource]iamauthorizer.DialConfig{}, nil),
+		iamauthorizer.NewRemoteConfigProvider(authorizerDialConfigs, tokenExchanger),
 		iamauthorizer.Versions,
 	)
 

pkg/registry/apis/provisioning/jobs/progress_test.go

@@ -154,9 +154,12 @@ func TestJobProgressRecorderWarningStatus(t *testing.T) {
 	// Verify the final status includes warnings
 	require.NotNil(t, finalStatus.Warnings)
 	assert.Len(t, finalStatus.Warnings, 3)
-	assert.Contains(t, finalStatus.Warnings[0], "deprecated API used")
-	assert.Contains(t, finalStatus.Warnings[1], "missing optional field")
-	assert.Contains(t, finalStatus.Warnings[2], "validation warning")
+	expectedWarnings := []string{
+		"deprecated API used (file: dashboards/test.json, name: test-resource, action: updated)",
+		"missing optional field (file: dashboards/test2.json, name: test-resource-2, action: created)",
+		"validation warning (file: datasources/test.yaml, name: test-resource-3, action: created)",
+	}
+	assert.ElementsMatch(t, finalStatus.Warnings, expectedWarnings)
 
 	// Verify the state is set to Warning
 	assert.Equal(t, provisioning.JobStateWarning, finalStatus.State)

pkg/registry/apis/provisioning/register.go

@@ -328,91 +328,124 @@ func (b *APIBuilder) GetAuthorizer() authorizer.Authorizer {
 				return authorizer.DecisionDeny, "failed to find requester", err
 			}
 
-			// Different routes may need different permissions.
-			// * Reading and modifying a repository's configuration requires administrator privileges.
-			// * Reading a repository's limited configuration (/stats & /settings) requires viewer privileges.
-			// * Reading a repository's files requires viewer privileges.
-			// * Reading a repository's refs requires viewer privileges.
-			// * Editing a repository's files requires editor privileges.
-			// * Syncing a repository requires editor privileges.
-			// * Exporting a repository requires administrator privileges.
-			// * Migrating a repository requires administrator privileges.
-			// * Testing a repository configuration requires administrator privileges.
-			// * Viewing a repository's history requires editor privileges.
-
-			switch a.GetResource() {
-			case provisioning.RepositoryResourceInfo.GetName():
-				// TODO: Support more fine-grained permissions than the basic roles. Especially on Enterprise.
-				switch a.GetSubresource() {
-				case "", "test", "jobs":
-					// Doing something with the repository itself.
-					if id.GetOrgRole().Includes(identity.RoleAdmin) {
-						return authorizer.DecisionAllow, "", nil
-					}
-					return authorizer.DecisionDeny, "admin role is required", nil
-
-				case "refs":
-					// This is strictly a read operation. It is handy on the frontend for viewers.
-					if id.GetOrgRole().Includes(identity.RoleViewer) {
-						return authorizer.DecisionAllow, "", nil
-					}
-					return authorizer.DecisionDeny, "viewer role is required", nil
-				case "files":
-					// Access to files is controlled by the AccessClient
-					return authorizer.DecisionAllow, "", nil
-
-				case "resources", "sync", "history":
-					// These are strictly read operations.
-					// Sync can also be somewhat destructive, but it's expected to be fine to import changes.
-					if id.GetOrgRole().Includes(identity.RoleEditor) {
-						return authorizer.DecisionAllow, "", nil
-					} else {
-						return authorizer.DecisionDeny, "editor role is required", nil
-					}
-				case "status":
-					if id.GetOrgRole().Includes(identity.RoleViewer) && a.GetVerb() == apiutils.VerbGet {
-						return authorizer.DecisionAllow, "", nil
-					}
-					return authorizer.DecisionDeny, "users cannot update the status of a repository", nil
-				default:
-					if id.GetIsGrafanaAdmin() {
-						return authorizer.DecisionAllow, "", nil
-					}
-					return authorizer.DecisionDeny, "unmapped subresource defaults to no access", nil
-				}
-
-			case "stats":
-				// This can leak information one shouldn't necessarily have access to.
-				if id.GetOrgRole().Includes(identity.RoleAdmin) {
-					return authorizer.DecisionAllow, "", nil
-				}
-				return authorizer.DecisionDeny, "admin role is required", nil
-
-			case "settings":
-				// This is strictly a read operation. It is handy on the frontend for viewers.
-				if id.GetOrgRole().Includes(identity.RoleViewer) {
-					return authorizer.DecisionAllow, "", nil
-				}
-				return authorizer.DecisionDeny, "viewer role is required", nil
-
-			case provisioning.JobResourceInfo.GetName(),
-				provisioning.HistoricJobResourceInfo.GetName():
-				// Jobs are shown on the configuration page.
-				if id.GetOrgRole().Includes(identity.RoleAdmin) {
-					return authorizer.DecisionAllow, "", nil
-				}
-				return authorizer.DecisionDeny, "admin role is required", nil
-
-			default:
-				// We haven't bothered with this kind yet.
-				if id.GetIsGrafanaAdmin() {
-					return authorizer.DecisionAllow, "", nil
-				}
-				return authorizer.DecisionDeny, "unmapped kind defaults to no access", nil
-			}
+			return b.authorizeResource(ctx, a, id)
 		})
 }
 
+// authorizeResource handles authorization for different resources.
+// Different routes may need different permissions.
+// * Reading and modifying a repository's configuration requires administrator privileges.
+// * Reading a repository's limited configuration (/stats & /settings) requires viewer privileges.
+// * Reading a repository's files requires viewer privileges.
+// * Reading a repository's refs requires viewer privileges.
+// * Editing a repository's files requires editor privileges.
+// * Syncing a repository requires editor privileges.
+// * Exporting a repository requires administrator privileges.
+// * Migrating a repository requires administrator privileges.
+// * Testing a repository configuration requires administrator privileges.
+// * Viewing a repository's history requires editor privileges.
+func (b *APIBuilder) authorizeResource(ctx context.Context, a authorizer.Attributes, id identity.Requester) (authorizer.Decision, string, error) {
+	switch a.GetResource() {
+	case provisioning.RepositoryResourceInfo.GetName():
+		return b.authorizeRepositorySubresource(a, id)
+	case "stats":
+		return b.authorizeStats(id)
+	case "settings":
+		return b.authorizeSettings(id)
+	case provisioning.JobResourceInfo.GetName(), provisioning.HistoricJobResourceInfo.GetName():
+		return b.authorizeJobs(id)
+	default:
+		return b.authorizeDefault(id)
+	}
+}
+
+// authorizeRepositorySubresource handles authorization for repository subresources.
+func (b *APIBuilder) authorizeRepositorySubresource(a authorizer.Attributes, id identity.Requester) (authorizer.Decision, string, error) {
+	// TODO: Support more fine-grained permissions than the basic roles. Especially on Enterprise.
+	switch a.GetSubresource() {
+	case "", "test":
+		// Doing something with the repository itself.
+		if id.GetOrgRole().Includes(identity.RoleAdmin) {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "admin role is required", nil
+
+	case "jobs":
+		// Posting jobs requires editor privileges (for syncing).
+		if id.GetOrgRole().Includes(identity.RoleAdmin) || id.GetOrgRole().Includes(identity.RoleEditor) {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "editor role is required", nil
+
+	case "refs":
+		// This is strictly a read operation. It is handy on the frontend for viewers.
+		if id.GetOrgRole().Includes(identity.RoleViewer) {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "viewer role is required", nil
+
+	case "files":
+		// Access to files is controlled by the AccessClient
+		return authorizer.DecisionAllow, "", nil
+
+	case "resources", "sync", "history":
+		// These are strictly read operations.
+		// Sync can also be somewhat destructive, but it's expected to be fine to import changes.
+		if id.GetOrgRole().Includes(identity.RoleEditor) {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "editor role is required", nil
+
+	case "status":
+		if id.GetOrgRole().Includes(identity.RoleViewer) && a.GetVerb() == apiutils.VerbGet {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "users cannot update the status of a repository", nil
+
+	default:
+		if id.GetIsGrafanaAdmin() {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "unmapped subresource defaults to no access", nil
+	}
+}
+
+// authorizeStats handles authorization for stats resource.
+func (b *APIBuilder) authorizeStats(id identity.Requester) (authorizer.Decision, string, error) {
+	// This can leak information one shouldn't necessarily have access to.
+	if id.GetOrgRole().Includes(identity.RoleAdmin) {
+		return authorizer.DecisionAllow, "", nil
+	}
+	return authorizer.DecisionDeny, "admin role is required", nil
+}
+
+// authorizeSettings handles authorization for settings resource.
+func (b *APIBuilder) authorizeSettings(id identity.Requester) (authorizer.Decision, string, error) {
+	// This is strictly a read operation. It is handy on the frontend for viewers.
+	if id.GetOrgRole().Includes(identity.RoleViewer) {
+		return authorizer.DecisionAllow, "", nil
+	}
+	return authorizer.DecisionDeny, "viewer role is required", nil
+}
+
+// authorizeJobs handles authorization for job resources.
+func (b *APIBuilder) authorizeJobs(id identity.Requester) (authorizer.Decision, string, error) {
+	// Jobs are shown on the configuration page.
+	if id.GetOrgRole().Includes(identity.RoleAdmin) {
+		return authorizer.DecisionAllow, "", nil
+	}
+	return authorizer.DecisionDeny, "admin role is required", nil
+}
+
+// authorizeDefault handles authorization for unmapped resources.
+func (b *APIBuilder) authorizeDefault(id identity.Requester) (authorizer.Decision, string, error) {
+	// We haven't bothered with this kind yet.
+	if id.GetIsGrafanaAdmin() {
+		return authorizer.DecisionAllow, "", nil
+	}
+	return authorizer.DecisionDeny, "unmapped kind defaults to no access", nil
+}
+
 func (b *APIBuilder) GetGroupVersion() schema.GroupVersion {
 	return provisioning.SchemeGroupVersion
 }

pkg/registry/apis/provisioning/resources/dualwriter.go

@@ -3,6 +3,7 @@ package resources
 import (
 	"context"
 	"fmt"
+	"net/http"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -315,7 +316,19 @@ func (r *DualReadWriter) MoveResource(ctx context.Context, opts DualWriteOptions
 }
 
 func (r *DualReadWriter) moveDirectory(ctx context.Context, opts DualWriteOptions) (*ParsedResource, error) {
-	// For directory moves, we just perform the repository move without parsing
+	// Reject directory move operations for configured branch - use bulk operations instead
+	if r.isConfiguredBranch(opts) {
+		return nil, &apierrors.StatusError{
+			ErrStatus: metav1.Status{
+				Status:  metav1.StatusFailure,
+				Code:    http.StatusMethodNotAllowed,
+				Reason:  metav1.StatusReasonMethodNotAllowed,
+				Message: "directory move operations are not available for configured branch. Use bulk move operations via the jobs API instead",
+			},
+		}
+	}
+
+	// For branch operations, we just perform the repository move without updating Grafana DB
 	// Always use the provisioning identity when writing
 	ctx, _, err := identity.WithProvisioningIdentity(ctx, r.repo.Config().Namespace)
 	if err != nil {
@@ -349,35 +362,6 @@ func (r *DualReadWriter) moveDirectory(ctx context.Context, opts DualWriteOption
 		},
 	}
 
-	// Handle folder management for main branch
-	if r.shouldUpdateGrafanaDB(opts, nil) {
-		// Ensure destination folder path exists
-		if _, err := r.folders.EnsureFolderPathExist(ctx, opts.Path); err != nil {
-			return nil, fmt.Errorf("ensure destination folder path exists: %w", err)
-		}
-
-		// Try to delete the old folder structure from grafana (if it exists)
-		// This handles cleanup when folders are moved to new locations
-		oldFolderName, err := r.folders.EnsureFolderPathExist(ctx, opts.OriginalPath)
-		if err != nil {
-			return nil, fmt.Errorf("ensure original folder path exists: %w", err)
-		}
-
-		if oldFolderName != "" {
-			oldFolder, err := r.folders.GetFolder(ctx, oldFolderName)
-			if err != nil && !apierrors.IsNotFound(err) {
-				return nil, fmt.Errorf("get old folder for cleanup: %w", err)
-			}
-
-			if err == nil {
-				err = r.folders.Client().Delete(ctx, oldFolder.GetName(), metav1.DeleteOptions{})
-				if err != nil && !apierrors.IsNotFound(err) {
-					return nil, fmt.Errorf("delete old folder from storage: %w", err)
-				}
-			}
-		}
-	}
-
 	return parsed, nil
 }
 
@@ -551,41 +535,22 @@ func (r *DualReadWriter) authorizeCreateFolder(ctx context.Context, _ string) er
 }
 
 func (r *DualReadWriter) deleteFolder(ctx context.Context, opts DualWriteOptions) (*ParsedResource, error) {
-	// if the ref is set, it is not the active branch, so just delete the files from the branch
-	// and do not delete the items from grafana itself
-	if !r.shouldUpdateGrafanaDB(opts, nil) {
-		err := r.repo.Delete(ctx, opts.Path, opts.Ref, opts.Message)
-		if err != nil {
-			return nil, fmt.Errorf("error deleting folder from repository: %w", err)
+	// Reject directory delete operations for configured branch - use bulk operations instead
+	if r.isConfiguredBranch(opts) {
+		return nil, &apierrors.StatusError{
+			ErrStatus: metav1.Status{
+				Status:  metav1.StatusFailure,
+				Code:    http.StatusMethodNotAllowed,
+				Reason:  metav1.StatusReasonMethodNotAllowed,
+				Message: "directory delete operations are not available for configured branch. Use bulk delete operations via the jobs API instead",
+			},
 		}
-
-		return folderDeleteResponse(ctx, opts.Path, opts.Ref, r.repo)
 	}
 
-	// before deleting from the repo, first get all children resources to delete from grafana afterwards
-	treeEntries, err := r.repo.ReadTree(ctx, "")
+	// For branch operations, just delete from the repository without updating Grafana DB
+	err := r.repo.Delete(ctx, opts.Path, opts.Ref, opts.Message)
 	if err != nil {
-		return nil, fmt.Errorf("read repository tree: %w", err)
-	}
-	// note: parsedFolders will include the folder itself
-	parsedResources, parsedFolders, err := r.getChildren(ctx, opts.Path, treeEntries)
-	if err != nil {
-		return nil, fmt.Errorf("parse resources in folder: %w", err)
-	}
-
-	// delete from the repo
-	err = r.repo.Delete(ctx, opts.Path, opts.Ref, opts.Message)
-	if err != nil {
-		return nil, fmt.Errorf("delete folder from repository: %w", err)
-	}
-
-	// delete from grafana
-	ctx, _, err = identity.WithProvisioningIdentity(ctx, r.repo.Config().Namespace)
-	if err != nil {
-		return nil, err
-	}
-	if err := r.deleteChildren(ctx, parsedResources, parsedFolders); err != nil {
-		return nil, fmt.Errorf("delete folder from grafana: %w", err)
+		return nil, fmt.Errorf("error deleting folder from repository: %w", err)
 	}
 
 	return folderDeleteResponse(ctx, opts.Path, opts.Ref, r.repo)
@@ -640,60 +605,11 @@ func folderDeleteResponse(ctx context.Context, path, ref string, repo repository
 	return parsed, nil
 }
 
-func (r *DualReadWriter) getChildren(ctx context.Context, folderPath string, treeEntries []repository.FileTreeEntry) ([]*ParsedResource, []Folder, error) {
-	var resourcesInFolder []repository.FileTreeEntry
-	var foldersInFolder []Folder
-	for _, entry := range treeEntries {
-		// make sure the path is supported (i.e. not ignored by git sync) and that the path is the folder itself or a child of the folder
-		if IsPathSupported(entry.Path) != nil || !safepath.InDir(entry.Path, folderPath) {
-			continue
-		}
-		// folders cannot be parsed as resources, so handle them separately
-		if entry.Blob {
-			resourcesInFolder = append(resourcesInFolder, entry)
-		} else {
-			folder := ParseFolder(entry.Path, r.repo.Config().Name)
-			foldersInFolder = append(foldersInFolder, folder)
-		}
-	}
-
-	parsedResources := make([]*ParsedResource, len(resourcesInFolder))
-	for i, entry := range resourcesInFolder {
-		fileInfo, err := r.repo.Read(ctx, entry.Path, "")
-		if err != nil && !apierrors.IsNotFound(err) {
-			return nil, nil, fmt.Errorf("could not find resource in repository: %w", err)
-		}
-
-		parsed, err := r.parser.Parse(ctx, fileInfo)
-		if err != nil {
-			return nil, nil, fmt.Errorf("could not parse resource: %w", err)
-		}
-
-		parsedResources[i] = parsed
-	}
-
-	return parsedResources, foldersInFolder, nil
-}
-
-func (r *DualReadWriter) deleteChildren(ctx context.Context, childrenResources []*ParsedResource, folders []Folder) error {
-	for _, parsed := range childrenResources {
-		err := parsed.Client.Delete(ctx, parsed.Obj.GetName(), metav1.DeleteOptions{})
-		if err != nil && !apierrors.IsNotFound(err) {
-			return fmt.Errorf("failed to delete nested resource from grafana: %w", err)
-		}
-	}
-
-	// we need to delete the folders furthest down in the tree first, as folder deletion will fail if there is anything inside of it
-	safepath.SortByDepth(folders, func(f Folder) string { return f.Path }, false)
-
-	for _, f := range folders {
-		err := r.folders.Client().Delete(ctx, f.ID, metav1.DeleteOptions{})
-		if err != nil {
-			return fmt.Errorf("failed to delete folder from grafana: %w", err)
-		}
-	}
-
-	return nil
+// isConfiguredBranch returns true if the ref targets the configured branch
+// (empty ref means configured branch, or ref explicitly matches configured branch)
+func (r *DualReadWriter) isConfiguredBranch(opts DualWriteOptions) bool {
+	configuredBranch := r.repo.Config().Branch()
+	return opts.Ref == "" || opts.Ref == configuredBranch
 }
 
 // shouldUpdateGrafanaDB returns true if we have an empty ref (targeting the configured branch)
@@ -703,9 +619,5 @@ func (r *DualReadWriter) shouldUpdateGrafanaDB(opts DualWriteOptions, parsed *Pa
 		return false
 	}
 
-	if opts.Ref != "" && opts.Ref != opts.Branch {
-		return false
-	}
-
-	return true
+	return r.isConfiguredBranch(opts)
 }

pkg/registry/apis/wireset.go

@@ -37,7 +37,7 @@ var WireSetExts = wire.NewSet(
 
 	// Auditing Options
 	auditing.ProvideNoopBackend,
-	auditing.ProvideNoopPolicyRuleEvaluator,
+	auditing.ProvideNoopPolicyRuleProvider,
 )
 
 var provisioningExtras = wire.NewSet(

pkg/registry/apps/advisor/accesscontrol.go

@@ -0,0 +1,150 @@
+package advisor
+
+import (
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/org"
+)
+
+const (
+	// Check
+	ActionAdvisorCheckCreate = "advisor.checks:create" // CREATE.
+	ActionAdvisorCheckWrite  = "advisor.checks:write"  // UPDATE.
+	ActionAdvisorCheckRead   = "advisor.checks:read"   // GET + LIST.
+	ActionAdvisorCheckDelete = "advisor.checks:delete" // DELETE.
+
+	// CheckTypes
+	ActionAdvisorCheckTypesCreate = "advisor.checktypes:create" // CREATE.
+	ActionAdvisorCheckTypesWrite  = "advisor.checktypes:write"  // UPDATE.
+	ActionAdvisorCheckTypesRead   = "advisor.checktypes:read"   // GET + LIST.
+	ActionAdvisorCheckTypesDelete = "advisor.checktypes:delete" // DELETE.
+
+	// Register
+	ActionAdvisorRegisterCreate = "advisor.register:create" // CREATE (register check types).
+)
+
+var (
+	ScopeProviderAdvisorCheck      = accesscontrol.NewScopeProvider("advisor.checks")
+	ScopeProviderAdvisorCheckTypes = accesscontrol.NewScopeProvider("advisor.checktypes")
+	ScopeProviderAdvisorRegister   = accesscontrol.NewScopeProvider("advisor.register")
+
+	ScopeAllAdvisorCheck      = ScopeProviderAdvisorCheck.GetResourceAllScope()
+	ScopeAllAdvisorCheckTypes = ScopeProviderAdvisorCheckTypes.GetResourceAllScope()
+	ScopeAllAdvisorRegister   = ScopeProviderAdvisorRegister.GetResourceAllScope()
+)
+
+func registerAccessControlRoles(service accesscontrol.Service) error {
+	// Check
+	checkReader := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Name:        "fixed:advisor.checks:reader",
+			DisplayName: "Advisor Check Reader",
+			Description: "Read and list advisor checks.",
+			Group:       "Advisor",
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: ActionAdvisorCheckRead,
+					Scope:  ScopeAllAdvisorCheck,
+				},
+			},
+		},
+		Grants: []string{string(org.RoleAdmin)},
+	}
+
+	checkWriter := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Name:        "fixed:advisor.checks:writer",
+			DisplayName: "Advisor Check Writer",
+			Description: "Create, update and delete advisor checks.",
+			Group:       "Advisor",
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: ActionAdvisorCheckCreate,
+					Scope:  ScopeAllAdvisorCheck,
+				},
+				{
+					Action: ActionAdvisorCheckRead,
+					Scope:  ScopeAllAdvisorCheck,
+				},
+				{
+					Action: ActionAdvisorCheckWrite,
+					Scope:  ScopeAllAdvisorCheck,
+				},
+				{
+					Action: ActionAdvisorCheckDelete,
+					Scope:  ScopeAllAdvisorCheck,
+				},
+			},
+		},
+		Grants: []string{string(org.RoleAdmin)},
+	}
+
+	// CheckTypes
+	checkTypesReader := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Name:        "fixed:advisor.checktypes:reader",
+			DisplayName: "Advisor Check Types Reader",
+			Description: "Read and list advisor check types.",
+			Group:       "Advisor",
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: ActionAdvisorCheckTypesRead,
+					Scope:  ScopeAllAdvisorCheckTypes,
+				},
+			},
+		},
+		Grants: []string{string(org.RoleAdmin)},
+	}
+
+	checkTypesWriter := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Name:        "fixed:advisor.checktypes:writer",
+			DisplayName: "Advisor Check Types Writer",
+			Description: "Create, update and delete advisor check types.",
+			Group:       "Advisor",
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: ActionAdvisorCheckTypesCreate,
+					Scope:  ScopeAllAdvisorCheckTypes,
+				},
+				{
+					Action: ActionAdvisorCheckTypesRead,
+					Scope:  ScopeAllAdvisorCheckTypes,
+				},
+				{
+					Action: ActionAdvisorCheckTypesWrite,
+					Scope:  ScopeAllAdvisorCheckTypes,
+				},
+				{
+					Action: ActionAdvisorCheckTypesDelete,
+					Scope:  ScopeAllAdvisorCheckTypes,
+				},
+			},
+		},
+		Grants: []string{string(org.RoleAdmin)},
+	}
+
+	// Register
+	registerWriter := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Name:        "fixed:advisor.register:writer",
+			DisplayName: "Advisor Register Writer",
+			Description: "Register default advisor check types.",
+			Group:       "Advisor",
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: ActionAdvisorRegisterCreate,
+					Scope:  ScopeAllAdvisorRegister,
+				},
+			},
+		},
+		Grants: []string{string(org.RoleAdmin)},
+	}
+
+	return service.DeclareFixedRoles(
+		checkReader,
+		checkWriter,
+		checkTypesReader,
+		checkTypesWriter,
+		registerWriter,
+	)
+}

pkg/registry/apps/advisor/register.go

@@ -1,17 +1,17 @@
 package advisor
 
 import (
-	"github.com/grafana/grafana-app-sdk/app"
+	"fmt"
+
+	authlib "github.com/grafana/authlib/types"
 	appsdkapiserver "github.com/grafana/grafana-app-sdk/k8s/apiserver"
-	"github.com/grafana/grafana-app-sdk/simple"
-	advisorapi "github.com/grafana/grafana/apps/advisor/pkg/apis"
 	advisorapp "github.com/grafana/grafana/apps/advisor/pkg/app"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checkregistry"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/apiserver/appinstaller"
+	grafanaauthorizer "github.com/grafana/grafana/pkg/services/apiserver/auth/authorizer"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/setting"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-	"k8s.io/client-go/rest"
 )
 
 var (
@@ -20,37 +20,26 @@ var (
 )
 
 type AdvisorAppInstaller struct {
-	appsdkapiserver.AppInstaller
-}
-
-// GetAuthorizer returns the authorizer for the plugins app.
-func (a *AdvisorAppInstaller) GetAuthorizer() authorizer.Authorizer {
-	return advisorapp.GetAuthorizer()
+	*advisorapp.AdvisorAppInstaller
 }
 
 func ProvideAppInstaller(
+	accessControlService accesscontrol.Service,
+	accessClient authlib.AccessClient,
 	checkRegistry checkregistry.CheckService,
 	cfg *setting.Cfg,
 	orgService org.Service,
 ) (*AdvisorAppInstaller, error) {
-	provider := simple.NewAppProvider(advisorapi.LocalManifest(), nil, advisorapp.New)
-	pluginConfig := cfg.PluginSettings["grafana-advisor-app"]
-	specificConfig := checkregistry.AdvisorAppConfig{
-		CheckRegistry: checkRegistry,
-		PluginConfig:  pluginConfig,
-		StackID:       cfg.StackID,
-		OrgService:    orgService,
+	if err := registerAccessControlRoles(accessControlService); err != nil {
+		return nil, fmt.Errorf("registering access control roles: %w", err)
 	}
-	appCfg := app.Config{
-		KubeConfig:     rest.Config{},
-		ManifestData:   *advisorapi.LocalManifest().ManifestData,
-		SpecificConfig: specificConfig,
-	}
-	installer := &AdvisorAppInstaller{}
-	i, err := appsdkapiserver.NewDefaultAppInstaller(provider, appCfg, advisorapi.NewGoTypeAssociator())
+
+	authorizer := grafanaauthorizer.NewResourceAuthorizer(accessClient)
+	i, err := advisorapp.ProvideAppInstaller(authorizer, checkRegistry, cfg, orgService)
 	if err != nil {
 		return nil, err
 	}
-	installer.AppInstaller = i
-	return installer, nil
+	return &AdvisorAppInstaller{
+		AdvisorAppInstaller: i,
+	}, nil
 }