diff --git a/src/components/AddNewCheckButton/AddNewCheckButton.tsx b/src/components/AddNewCheckButton/AddNewCheckButton.tsx
index 91726af41..7134d065d 100644
--- a/src/components/AddNewCheckButton/AddNewCheckButton.tsx
+++ b/src/components/AddNewCheckButton/AddNewCheckButton.tsx
@@ -2,19 +2,20 @@ import React from 'react';
 import { Button } from '@grafana/ui';
 
 import { ROUTES } from 'routing/types';
-import { useCanWriteSM } from 'hooks/useDSPermission';
+import { getUserPermissions } from 'data/permissions';
 import { useNavigation } from 'hooks/useNavigation';
 
 export function AddNewCheckButton() {
   const navigate = useNavigation();
-  const canEdit = useCanWriteSM();
-
-  if (!canEdit) {
-    return null;
-  }
+  const { canWriteChecks } = getUserPermissions();
 
   return (
-    <Button variant="primary" onClick={() => navigate(ROUTES.ChooseCheckGroup)} type="button">
+    <Button
+      variant="primary"
+      onClick={() => navigate(ROUTES.ChooseCheckGroup)}
+      type="button"
+      disabled={!canWriteChecks}
+    >
       Add new check
     </Button>
   );
diff --git a/src/components/AppInitializer.tsx b/src/components/AppInitializer.tsx
index c4d894708..26e801119 100644
--- a/src/components/AppInitializer.tsx
+++ b/src/components/AppInitializer.tsx
@@ -6,9 +6,11 @@ import { DataTestIds } from 'test/dataTestIds';
 
 import { hasGlobalPermission } from 'utils';
 import { ROUTES } from 'routing/types';
+import { getUserPermissions } from 'data/permissions';
 import { useAppInitializer } from 'hooks/useAppInitializer';
 import { useMeta } from 'hooks/useMeta';
 import { MismatchedDatasourceModal } from 'components/MismatchedDatasourceModal';
+import { ContactAdminAlert } from 'page/ContactAdminAlert';
 
 interface Props {
   redirectTo?: ROUTES;
@@ -19,7 +21,10 @@ interface Props {
 export const AppInitializer = ({ redirectTo, buttonText }: PropsWithChildren<Props>) => {
   const { jsonData } = useMeta();
   const styles = useStyles2(getStyles);
-  const canInitialize = hasGlobalPermission(`datasources:create`);
+  const { canWritePlugin } = getUserPermissions();
+
+  const canReadDs = hasGlobalPermission(`datasources:read`);
+  const canInitialize = canWritePlugin && hasGlobalPermission(`datasources:create`);
 
   const {
     error,
@@ -35,11 +40,13 @@ export const AppInitializer = ({ redirectTo, buttonText }: PropsWithChildren<Pro
     setDataSouceModalOpen,
   } = useAppInitializer(redirectTo);
 
+  if (!canReadDs) {
+    return <ContactAdminAlert missingPermissions={['datasources:read']} />;
+  }
+
   if (!canInitialize) {
     return (
-      <Alert title="" severity="info">
-        Contact your administrator to get you started.
-      </Alert>
+      <ContactAdminAlert missingPermissions={['grafana-synthetic-monitoring-app.plugin:write', 'datasources:create']} />
     );
   }
 
diff --git a/src/components/CheckForm/CheckForm.tsx b/src/components/CheckForm/CheckForm.tsx
index 96e16914d..71f8cddb8 100644
--- a/src/components/CheckForm/CheckForm.tsx
+++ b/src/components/CheckForm/CheckForm.tsx
@@ -12,9 +12,10 @@ import { createNavModel } from 'utils';
 import { ROUTES } from 'routing/types';
 import { generateRoutePath } from 'routing/utils';
 import { AdHocCheckResponse } from 'datasource/responses.types';
+import { getUserPermissions } from 'data/permissions';
 import { useCheckTypeGroupOption } from 'hooks/useCheckTypeGroupOptions';
 import { useCheckTypeOptions } from 'hooks/useCheckTypeOptions';
-import { useCanReadLogs, useCanWriteSM } from 'hooks/useDSPermission';
+import { useCanReadLogs } from 'hooks/useDSPermission';
 import { useLimits } from 'hooks/useLimits';
 import { toFormValues } from 'components/CheckEditor/checkFormTransformations';
 import { CheckJobName } from 'components/CheckEditor/FormComponents/CheckJobName';
@@ -72,7 +73,7 @@ type CheckFormProps = {
 };
 
 export const CheckForm = ({ check, disabled }: CheckFormProps) => {
-  const canEdit = useCanWriteSM();
+  const { canWriteChecks } = getUserPermissions();
   const canReadLogs = useCanReadLogs();
   const [openTestCheckModal, setOpenTestCheckModal] = useState(false);
   const [adhocTestData, setAdhocTestData] = useState<AdHocCheckResponse>();
@@ -90,7 +91,7 @@ export const CheckForm = ({ check, disabled }: CheckFormProps) => {
     isOverCheckLimit ||
     (checkType === CheckType.Browser && isOverBrowserLimit) ||
     ([CheckType.MULTI_HTTP, CheckType.Scripted].includes(checkType) && isOverScriptedLimit);
-  const isDisabled = disabled || !canEdit || getLimitDisabled({ isExistingCheck, isLoading, overLimit });
+  const isDisabled = disabled || !canWriteChecks || getLimitDisabled({ isExistingCheck, isLoading, overLimit });
 
   const formMethods = useForm<CheckFormValues>({
     defaultValues: toFormValues(initialCheck, checkType),
diff --git a/src/components/ConfigActions.test.tsx b/src/components/ConfigActions.test.tsx
deleted file mode 100644
index 514290f93..000000000
--- a/src/components/ConfigActions.test.tsx
+++ /dev/null
@@ -1,61 +0,0 @@
-import React from 'react';
-import { screen } from '@testing-library/react';
-import { render } from 'test/render';
-
-import { hasGlobalPermission } from 'utils';
-import { ConfigActions } from 'components/ConfigActions';
-
-jest.mock('utils', () => {
-  return {
-    ...jest.requireActual('utils'),
-    hasGlobalPermission: jest.fn().mockReturnValue(true),
-  };
-});
-
-it('shows disable option when activated', async () => {
-  render(<ConfigActions initialized />);
-
-  const disableButton = await screen.findByText('Disable synthetic monitoring');
-  expect(disableButton).toBeInTheDocument();
-});
-
-it('shows enable action when disabled', async () => {
-  render(<ConfigActions />, {
-    meta: {
-      enabled: false,
-    },
-  });
-
-  const enableButton = await screen.findByText('Enable plugin');
-  expect(enableButton).toBeInTheDocument();
-});
-
-it('shows setup action when not intialized', async () => {
-  render(<ConfigActions />);
-  const setupButton = await screen.findByText('Setup');
-  expect(setupButton).toBeInTheDocument();
-});
-
-it(`doesn't show any config actions when the user doesn't have write permissions`, async () => {
-  jest.mocked(hasGlobalPermission).mockReturnValue(false);
-
-  render(<ConfigActions initialized />);
-
-  expect(screen.queryByText('Disable synthetic monitoring')).not.toBeInTheDocument();
-  expect(screen.queryByText('Enable plugin')).not.toBeInTheDocument();
-  expect(screen.queryByText('Setup')).not.toBeInTheDocument();
-});
-
-it(`doesn't show any config actions when the user doesn't have write permissions and meta enabled is false`, async () => {
-  jest.mocked(hasGlobalPermission).mockReturnValue(false);
-
-  render(<ConfigActions />, {
-    meta: {
-      enabled: false,
-    },
-  });
-
-  expect(screen.queryByText('Disable synthetic monitoring')).not.toBeInTheDocument();
-  expect(screen.queryByText('Enable plugin')).not.toBeInTheDocument();
-  expect(screen.queryByText('Setup')).not.toBeInTheDocument();
-});
diff --git a/src/components/ConfigActions.tsx b/src/components/ConfigActions.tsx
deleted file mode 100644
index 17ad11ad2..000000000
--- a/src/components/ConfigActions.tsx
+++ /dev/null
@@ -1,59 +0,0 @@
-import React, { useState } from 'react';
-import { getBackendSrv } from '@grafana/runtime';
-import { Button, LinkButton } from '@grafana/ui';
-
-import { hasGlobalPermission } from 'utils';
-import { ROUTES } from 'routing/types';
-import { getRoute } from 'routing/utils';
-import { useMeta } from 'hooks/useMeta';
-
-import { DisablePluginModal } from './DisablePluginModal';
-
-export const ConfigActions = ({ initialized }: { initialized?: boolean }) => {
-  const [showDisableModal, setShowDisableModal] = useState(false);
-  const meta = useMeta();
-  const canEdit = hasGlobalPermission(`plugins:write`);
-
-  const handleEnable = async () => {
-    await getBackendSrv()
-      .fetch({
-        url: `/api/plugins/${meta.id}/settings`,
-        method: 'POST',
-        data: {
-          enabled: true,
-          pinned: true,
-        },
-      })
-      .toPromise();
-    window.location.reload();
-  };
-
-  if (!canEdit) {
-    return null;
-  }
-
-  if (!meta.enabled) {
-    return (
-      <Button variant="primary" onClick={handleEnable}>
-        Enable plugin
-      </Button>
-    );
-  }
-
-  if (initialized) {
-    return (
-      <>
-        <Button variant="destructive" onClick={() => setShowDisableModal(true)}>
-          Disable synthetic monitoring
-        </Button>
-        <DisablePluginModal isOpen={showDisableModal} onDismiss={() => setShowDisableModal(false)} />
-      </>
-    );
-  }
-
-  return (
-    <LinkButton variant="primary" href={getRoute(ROUTES.Home)}>
-      Setup
-    </LinkButton>
-  );
-};
diff --git a/src/components/DeleteProbeButton/DeleteProbeButton.tsx b/src/components/DeleteProbeButton/DeleteProbeButton.tsx
index 2910201b5..13e930873 100644
--- a/src/components/DeleteProbeButton/DeleteProbeButton.tsx
+++ b/src/components/DeleteProbeButton/DeleteProbeButton.tsx
@@ -19,8 +19,10 @@ export function DeleteProbeButton({ probe, onDeleteSuccess: _onDeleteSuccess }:
   }, [_onDeleteSuccess]);
 
   const { mutateAsync: deleteProbe, isPending } = useDeleteProbe({ onSuccess: onDeleteSuccess });
-  const canEdit = useCanEditProbe(probe);
-  const canDelete = canEdit && !probe.checks.length;
+
+  const { canDeleteProbes } = useCanEditProbe();
+
+  const canDelete = canDeleteProbes && !probe.checks.length;
   const styles = getStyles();
   const [error, setError] = useState<undefined | { name: string; message: string }>();
 
@@ -37,7 +39,7 @@ export function DeleteProbeButton({ probe, onDeleteSuccess: _onDeleteSuccess }:
   };
 
   if (!canDelete) {
-    const tooltipContent = canEdit ? (
+    const tooltipContent = canDeleteProbes ? (
       <>
         Unable to delete the probe because it is currently in use.
         <br />
@@ -53,7 +55,7 @@ export function DeleteProbeButton({ probe, onDeleteSuccess: _onDeleteSuccess }:
 
     // Both tooltip component and button prob is used for accessibility reasons
     return (
-      <Tooltip content={tooltipContent} interactive={canEdit && !canDelete}>
+      <Tooltip content={tooltipContent} interactive={canDeleteProbes && !canDelete}>
         <Button type="button" variant="destructive" tooltip={tooltipContent} disabled>
           Delete probe
         </Button>
diff --git a/src/components/LinkedDatasourceView.tsx b/src/components/LinkedDatasourceView.tsx
index e9b32b381..0d2d7e803 100644
--- a/src/components/LinkedDatasourceView.tsx
+++ b/src/components/LinkedDatasourceView.tsx
@@ -1,7 +1,8 @@
 import React from 'react';
 import { Alert, Card, Tag } from '@grafana/ui';
 
-import { useCanWriteLogs, useCanWriteMetrics, useCanWriteSM } from 'hooks/useDSPermission';
+import { getUserPermissions } from 'data/permissions';
+import { useCanWriteLogs, useCanWriteMetrics } from 'hooks/useDSPermission';
 import { useLogsDS } from 'hooks/useLogsDS';
 import { useMetricsDS } from 'hooks/useMetricsDS';
 import { useSMDS } from 'hooks/useSMDS';
@@ -15,14 +16,14 @@ export const LinkedDatasourceView = ({ type }: LinkedDatasourceViewProps) => {
   const logsDS = useLogsDS();
   const smDS = useSMDS();
 
-  const canEditSM = useCanWriteSM();
+  const { canWriteSM } = getUserPermissions();
   const canEditLogs = useCanWriteLogs();
   const canEditMetrics = useCanWriteMetrics();
 
   const canEditMap = {
     prometheus: canEditMetrics,
     loki: canEditLogs,
-    'synthetic-monitoring-datasource': canEditSM,
+    'synthetic-monitoring-datasource': canWriteSM,
   };
 
   const dsMap = {
diff --git a/src/components/ProbeCard/ProbeCard.test.tsx b/src/components/ProbeCard/ProbeCard.test.tsx
index 7e7c818fb..5e9aabd39 100644
--- a/src/components/ProbeCard/ProbeCard.test.tsx
+++ b/src/components/ProbeCard/ProbeCard.test.tsx
@@ -6,7 +6,7 @@ import { userEvent } from '@testing-library/user-event';
 import { DataTestIds } from 'test/dataTestIds';
 import { OFFLINE_PROBE, ONLINE_PROBE, PRIVATE_PROBE, PUBLIC_PROBE } from 'test/fixtures/probes';
 import { render } from 'test/render';
-import { probeToExtendedProbe, runTestAsViewer } from 'test/utils';
+import { probeToExtendedProbe, runTestAsRBACReader, runTestAsViewer } from 'test/utils';
 
 import { type ExtendedProbe } from 'types';
 import { ROUTES } from 'routing/types';
@@ -92,6 +92,18 @@ it(`Displays the correct information for a private probe as a viewer`, async ()
   expect(button).toHaveTextContent('View');
 });
 
+it(`Displays the correct information for a private probe as a RBAC viewer`, async () => {
+  runTestAsRBACReader();
+  const probe = probeToExtendedProbe(PRIVATE_PROBE);
+
+  render(<ProbeCard probe={probe} />);
+  await screen.findByText(probe.name, { exact: false });
+
+  const button = screen.getByTestId('probe-card-action-button');
+  expect(button).toBeInTheDocument();
+  expect(button).toHaveTextContent('View');
+});
+
 it(`Displays the correct information for a public probe`, async () => {
   const probe = probeToExtendedProbe(PUBLIC_PROBE);
 
diff --git a/src/components/ProbeCard/ProbeCard.tsx b/src/components/ProbeCard/ProbeCard.tsx
index 0e81c3de1..6824d5561 100644
--- a/src/components/ProbeCard/ProbeCard.tsx
+++ b/src/components/ProbeCard/ProbeCard.tsx
@@ -15,8 +15,8 @@ import { ProbeLabels } from './ProbeLabels';
 import { ProbeStatus } from './ProbeStatus';
 
 export const ProbeCard = ({ probe }: { probe: ExtendedProbe }) => {
-  const canEdit = useCanEditProbe(probe);
-  const probeEditHref = generateRoutePath(canEdit ? ROUTES.EditProbe : ROUTES.ViewProbe, { id: probe.id! });
+  const { canWriteProbes } = useCanEditProbe(probe);
+  const probeEditHref = generateRoutePath(canWriteProbes ? ROUTES.EditProbe : ROUTES.ViewProbe, { id: probe.id! });
   const labelsString = labelsToString(probe.labels);
   const styles = useStyles2(getStyles2);
 
@@ -55,7 +55,7 @@ export const ProbeCard = ({ probe }: { probe: ExtendedProbe }) => {
       </Card.Description>
 
       <Card.Actions>
-        {canEdit ? (
+        {canWriteProbes ? (
           <>
             <LinkButton
               data-testid="probe-card-action-button"
diff --git a/src/components/ProbeEditor/ProbeEditor.test.tsx b/src/components/ProbeEditor/ProbeEditor.test.tsx
index 6f488af29..4bddbcd9c 100644
--- a/src/components/ProbeEditor/ProbeEditor.test.tsx
+++ b/src/components/ProbeEditor/ProbeEditor.test.tsx
@@ -3,7 +3,7 @@ import { config } from '@grafana/runtime';
 import { screen } from '@testing-library/react';
 import { PRIVATE_PROBE, PUBLIC_PROBE } from 'test/fixtures/probes';
 import { render } from 'test/render';
-import { fillProbeForm, probeToExtendedProbe, runTestAsViewer, UPDATED_VALUES } from 'test/utils';
+import { fillProbeForm, probeToExtendedProbe, runTestAsRBACReader, runTestAsViewer, UPDATED_VALUES } from 'test/utils';
 
 import { ExtendedProbe, FeatureName, Probe } from 'types';
 import { TEMPLATE_PROBE } from 'page/NewProbe';
@@ -108,6 +108,12 @@ it('the form is uneditable when logged in as a viewer', async () => {
   await assertUneditable();
 });
 
+it('the form is uneditable when logged in as a RBAC viewer', async () => {
+  runTestAsRBACReader();
+  await renderProbeEditor();
+  await assertUneditable();
+});
+
 it('the form actions are unavailable when viewing a public probe', async () => {
   await renderProbeEditor({ probe: PUBLIC_PROBE });
   await assertNoActions();
@@ -124,6 +130,12 @@ it('should render the form in read mode when passing `forceReadMode`', async ()
   await assertUneditable();
 });
 
+it('the form actions are unavailable as a RBAC viewer', async () => {
+  runTestAsRBACReader();
+  await renderProbeEditor();
+  await assertNoActions();
+});
+
 async function assertUneditable() {
   const nameInput = await screen.findByLabelText('Probe Name', { exact: false });
   expect(nameInput).toBeDisabled();
diff --git a/src/components/ProbeEditor/ProbeEditor.tsx b/src/components/ProbeEditor/ProbeEditor.tsx
index 4a91e7508..a13e41874 100644
--- a/src/components/ProbeEditor/ProbeEditor.tsx
+++ b/src/components/ProbeEditor/ProbeEditor.tsx
@@ -36,8 +36,8 @@ export const ProbeEditor = ({
   forceViewMode, // When true, the form is in view mode
 }: ProbeEditorProps) => {
   const styles = useStyles2(getStyles);
-  const canEdit = useCanEditProbe(probe);
-  const writeMode = canEdit && !forceViewMode;
+  const { canWriteProbes } = useCanEditProbe(probe);
+  const writeMode = canWriteProbes && !forceViewMode;
   const form = useForm<Probe>({ defaultValues: probe, resolver: zodResolver(ProbeSchema) });
   const { latitude, longitude } = form.watch();
   const handleSubmit = form.handleSubmit((formValues: Probe) => onSubmit(formValues));
@@ -164,7 +164,7 @@ export const ProbeEditor = ({
                     />
                   </Field>
                 </div>
-                {canEdit && <LabelField<Probe> disabled={!writeMode} labelDestination={'probe'} />}
+                {canWriteProbes && <LabelField<Probe> disabled={!writeMode} labelDestination={'probe'} />}
                 <div className={styles.marginBottom}>
                   <Legend>Capabilities</Legend>
                   <HorizontalCheckboxField
@@ -189,7 +189,7 @@ export const ProbeEditor = ({
                   </FeatureFlag>
                 </div>
                 <div className={styles.buttonWrapper}>
-                  {canEdit && (
+                  {canWriteProbes && (
                     <>
                       <Button
                         icon={loading ? 'fa fa-spinner' : undefined}
diff --git a/src/components/ProbeStatus/ProbeStatus.test.tsx b/src/components/ProbeStatus/ProbeStatus.test.tsx
index a6b396611..4209fb54b 100644
--- a/src/components/ProbeStatus/ProbeStatus.test.tsx
+++ b/src/components/ProbeStatus/ProbeStatus.test.tsx
@@ -2,7 +2,7 @@ import React from 'react';
 import { screen, waitFor } from '@testing-library/react';
 import { OFFLINE_PROBE, ONLINE_PROBE, PRIVATE_PROBE } from 'test/fixtures/probes';
 import { render } from 'test/render';
-import { probeToExtendedProbe, runTestAsViewer } from 'test/utils';
+import { probeToExtendedProbe, runTestAsRBACReader, runTestAsViewer } from 'test/utils';
 
 import { formatDate } from 'utils';
 
@@ -16,6 +16,14 @@ it(`hides the reset button when the user is a viewer`, async () => {
   expect(resetButton).not.toBeInTheDocument();
 });
 
+it(`hides the reset button when the user is a RBAC viewer`, async () => {
+  runTestAsRBACReader();
+  // We need to wait for contexts to finish loading to avoid issue with act
+  await waitFor(() => render(<ProbeStatus probe={probeToExtendedProbe(PRIVATE_PROBE)} onReset={jest.fn()} />));
+  const resetButton = await getResetButton(true);
+  expect(resetButton).not.toBeInTheDocument();
+});
+
 it(`shows the reset probe access token when the user is an editor`, async () => {
   render(<ProbeStatus probe={probeToExtendedProbe(PRIVATE_PROBE)} onReset={jest.fn()} />);
   const resetButton = await getResetButton();
diff --git a/src/components/ProbeStatus/ProbeStatus.tsx b/src/components/ProbeStatus/ProbeStatus.tsx
index bca9aa637..bad761781 100644
--- a/src/components/ProbeStatus/ProbeStatus.tsx
+++ b/src/components/ProbeStatus/ProbeStatus.tsx
@@ -25,8 +25,8 @@ interface BadgeStatus {
 
 export const ProbeStatus = ({ probe, onReset, readOnly }: ProbeStatusProps) => {
   const [showResetModal, setShowResetModal] = useState(false);
-  const canEdit = useCanEditProbe(probe);
-  const writeMode = canEdit && !readOnly;
+  const { canWriteProbes } = useCanEditProbe(probe);
+  const writeMode = canWriteProbes && !readOnly;
 
   const styles = useStyles2(getStyles);
   const { mutate: onResetToken } = useResetProbeToken({
@@ -51,7 +51,7 @@ export const ProbeStatus = ({ probe, onReset, readOnly }: ProbeStatusProps) => {
           <Legend className={styles.legend}>Status:</Legend>
           <Badge color={badgeStatus.color} icon={badgeStatus.icon} text={badgeStatus.text} />
         </div>
-        {canEdit && (
+        {canWriteProbes && (
           <Container>
             <Button variant="destructive" disabled={!writeMode} onClick={() => setShowResetModal(true)}>
               Reset Access Token
diff --git a/src/configPage/PluginConfigPage/PluginConfigPage.tsx b/src/configPage/PluginConfigPage/PluginConfigPage.tsx
index 57ff0caa2..d7818cfb6 100644
--- a/src/configPage/PluginConfigPage/PluginConfigPage.tsx
+++ b/src/configPage/PluginConfigPage/PluginConfigPage.tsx
@@ -5,10 +5,10 @@ import { css } from '@emotion/css';
 import { DataTestIds } from 'test/dataTestIds';
 
 import { ProvisioningJsonData } from 'types';
-import { hasGlobalPermission } from 'utils';
 import { ROUTES } from 'routing/types';
 import { getRoute } from 'routing/utils';
 import type { SMDataSource } from 'datasource/DataSource';
+import { usePluginPermissionCanWrite } from 'hooks/usePluginPermissionsCanWrite';
 
 import { DataSourceInfo, useLinkedDataSources } from './PluginConfigPage.hooks';
 import { enablePlugin } from './PluginConfigPage.utils';
@@ -37,7 +37,9 @@ export function PluginConfigPage({
   const appConfigUrl = getRoute(ROUTES.Config);
   const appHomeUrl = getRoute(ROUTES.Home);
   const [isEnabling, setIsEnabling] = useState(false);
-  const isEnableDisabled = !hasGlobalPermission(`plugins:write`);
+
+  const canWritePlugin = usePluginPermissionCanWrite();
+
   const { api, linked, isLoading } = useLinkedDataSources();
   const initialized = isInitialized(api?.dataSource);
 
@@ -146,8 +148,8 @@ export function PluginConfigPage({
       {isEnabled && <LinkButton href={appHomeUrl}>Go to the Synthetic Monitoring app</LinkButton>}
       {!isEnabled && (
         <Button
-          disabled={isEnableDisabled}
-          tooltip={isEnableDisabled ? 'Insufficient permissions for enabling plugins ' : undefined}
+          disabled={!canWritePlugin}
+          tooltip={!canWritePlugin ? 'Insufficient permissions for enabling plugins ' : undefined}
           icon={isEnabling ? 'fa fa-spinner' : undefined}
           onClick={handleEnable}
         >
diff --git a/src/data/permissions.ts b/src/data/permissions.ts
new file mode 100644
index 000000000..b5cf42d41
--- /dev/null
+++ b/src/data/permissions.ts
@@ -0,0 +1,54 @@
+import { OrgRole } from '@grafana/data';
+import { config } from '@grafana/runtime';
+
+import { PluginPermissions } from 'types';
+
+const roleHierarchy: Record<OrgRole, OrgRole[]> = {
+  [OrgRole.Viewer]: [OrgRole.Viewer, OrgRole.Editor, OrgRole.Admin],
+  [OrgRole.Editor]: [OrgRole.Editor, OrgRole.Admin],
+  [OrgRole.Admin]: [OrgRole.Admin],
+  [OrgRole.None]: [],
+};
+
+const hasMinFallbackRole = (fallbackOrgRole: OrgRole) => {
+  const { orgRole } = config.bootData.user;
+
+  if (!orgRole) {
+    return false;
+  }
+
+  return roleHierarchy[fallbackOrgRole]?.includes(orgRole) || false;
+};
+
+const isUserActionAllowed = (permission: PluginPermissions, fallbackOrgRole: OrgRole): boolean => {
+  const { permissions: userPermissions } = config.bootData.user;
+
+  if (config.featureToggles.accessControlOnCall) {
+    return Boolean(userPermissions?.[permission]);
+  }
+
+  return hasMinFallbackRole(fallbackOrgRole);
+};
+
+export const getUserPermissions = () => ({
+  canReadChecks: isUserActionAllowed('grafana-synthetic-monitoring-app.checks:read', OrgRole.Viewer),
+  canWriteChecks: isUserActionAllowed('grafana-synthetic-monitoring-app.checks:write', OrgRole.Editor),
+  canDeleteChecks: isUserActionAllowed('grafana-synthetic-monitoring-app.checks:delete', OrgRole.Editor),
+
+  canReadProbes: isUserActionAllowed('grafana-synthetic-monitoring-app.probes:read', OrgRole.Viewer),
+  canWriteProbes: isUserActionAllowed('grafana-synthetic-monitoring-app.probes:write', OrgRole.Editor),
+  canDeleteProbes: isUserActionAllowed('grafana-synthetic-monitoring-app.probes:delete', OrgRole.Editor),
+
+  canReadAlerts: isUserActionAllowed('grafana-synthetic-monitoring-app.alerts:read', OrgRole.Viewer),
+  canWriteAlerts: isUserActionAllowed('grafana-synthetic-monitoring-app.alerts:write', OrgRole.Editor),
+  canDeleteAlerts: isUserActionAllowed('grafana-synthetic-monitoring-app.alerts:delete', OrgRole.Editor),
+
+  canReadThresholds: isUserActionAllowed('grafana-synthetic-monitoring-app.thresholds:read', OrgRole.Viewer),
+  canWriteThresholds: isUserActionAllowed('grafana-synthetic-monitoring-app.thresholds:write', OrgRole.Editor),
+
+  canWriteTokens: isUserActionAllowed('grafana-synthetic-monitoring-app.access-tokens:write', OrgRole.Admin),
+
+  canWritePlugin: isUserActionAllowed('grafana-synthetic-monitoring-app.plugin:write', OrgRole.Admin),
+
+  canWriteSM: isUserActionAllowed('grafana-synthetic-monitoring-app:write', OrgRole.Editor),
+});
diff --git a/src/datasource/plugin.json b/src/datasource/plugin.json
index a0a4a31e4..6db4d0a40 100644
--- a/src/datasource/plugin.json
+++ b/src/datasource/plugin.json
@@ -9,7 +9,7 @@
       "path": "viewer-token",
       "method": "*",
       "url": "{{.JsonData.apiHost}}/api/v1/register/viewer-token",
-      "reqRole": "Editor",
+      "reqAction": "grafana-synthetic-monitoring-app:write",
       "headers": [
         {
           "name": "Authorization",
@@ -21,7 +21,7 @@
       "path": "save",
       "method": "*",
       "url": "{{.JsonData.apiHost}}/api/v1/register/save",
-      "reqRole": "Editor",
+      "reqAction": "grafana-synthetic-monitoring-app.plugin:write",
       "headers": [
         {
           "name": "Authorization",
@@ -33,7 +33,7 @@
       "path": "sm",
       "method": "GET",
       "url": "{{.JsonData.apiHost}}/api/v1/",
-      "reqRole": "Viewer",
+      "reqAction": "grafana-synthetic-monitoring-app:read",
       "headers": [
         {
           "name": "Authorization",
@@ -45,7 +45,7 @@
       "path": "sm",
       "method": "POST",
       "url": "{{.JsonData.apiHost}}/api/v1/",
-      "reqRole": "Editor",
+      "reqAction": "grafana-synthetic-monitoring-app:write",
       "headers": [
         {
           "name": "Authorization",
@@ -57,7 +57,7 @@
       "path": "sm",
       "method": "DELETE",
       "url": "{{.JsonData.apiHost}}/api/v1/",
-      "reqRole": "Editor",
+      "reqAction": "grafana-synthetic-monitoring-app:write",
       "headers": [
         {
           "name": "Authorization",
diff --git a/src/hooks/useAlertAccessControl.ts b/src/hooks/useAlertAccessControl.ts
new file mode 100644
index 000000000..838557af3
--- /dev/null
+++ b/src/hooks/useAlertAccessControl.ts
@@ -0,0 +1,18 @@
+import { getUserPermissions } from 'data/permissions';
+
+import { useDSPermission } from './useDSPermission';
+import { useMetricsDS } from './useMetricsDS';
+
+export function useAlertAccessControl() {
+  const { canReadAlerts, canWriteAlerts, canDeleteAlerts } = getUserPermissions();
+  const canEditAlertInDs = useDSPermission(`metrics`, `alert.instances.external:write`);
+
+  const metricsDs = useMetricsDS();
+
+  return {
+    canReadAlerts: canReadAlerts && !!metricsDs,
+    hasWriterRole: canWriteAlerts,
+    canWriteAlerts: canWriteAlerts && canEditAlertInDs && !!metricsDs,
+    canDeleteAlerts: canDeleteAlerts && canEditAlertInDs && !!metricsDs,
+  };
+}
diff --git a/src/hooks/useCanEditProbe.ts b/src/hooks/useCanEditProbe.ts
index 281d30402..3a183b9bd 100644
--- a/src/hooks/useCanEditProbe.ts
+++ b/src/hooks/useCanEditProbe.ts
@@ -1,13 +1,12 @@
 import { Probe } from 'types';
-
-import { useCanWriteSM } from './useDSPermission';
+import { getUserPermissions } from 'data/permissions';
 
 export function useCanEditProbe(probe?: Probe) {
-  const canEdit = useCanWriteSM();
+  const { canWriteProbes, canDeleteProbes } = getUserPermissions();
 
-  if (!probe) {
-    return canEdit;
+  if (probe?.public) {
+    return { canWriteProbes: false, canDeleteProbes: false };
   }
 
-  return canEdit && !probe.public;
+  return { canWriteProbes, canDeleteProbes };
 }
diff --git a/src/hooks/useDSPermission.ts b/src/hooks/useDSPermission.ts
index a011b6773..02f7c1654 100644
--- a/src/hooks/useDSPermission.ts
+++ b/src/hooks/useDSPermission.ts
@@ -1,6 +1,3 @@
-import { OrgRole } from '@grafana/data';
-import { config } from '@grafana/runtime';
-
 import { usePermissionsContext } from 'contexts/PermissionsContext';
 
 type DSOptions = `sm` | `metrics` | `logs`;
@@ -37,16 +34,3 @@ export function useCanWriteLogs() {
 export function useCanReadSM() {
   return useDSPermission(`sm`, `datasources:read`);
 }
-
-// we've rolled this back to respect org roles
-// this will change when we do proper plugin RBAC in the near future
-// Note: this is used by `PluginConfigPage`, which is not wrapped in any app context
-export function useCanWriteSM() {
-  const orgRole = config.bootData.user.orgRole;
-
-  if (orgRole) {
-    return [OrgRole.Editor, OrgRole.Admin].includes(orgRole);
-  }
-
-  return false;
-}
diff --git a/src/hooks/usePluginPermissionsCanWrite.ts b/src/hooks/usePluginPermissionsCanWrite.ts
new file mode 100644
index 000000000..da046c01f
--- /dev/null
+++ b/src/hooks/usePluginPermissionsCanWrite.ts
@@ -0,0 +1,8 @@
+import { hasGlobalPermission } from 'utils';
+import { getUserPermissions } from 'data/permissions';
+
+export function usePluginPermissionCanWrite() {
+  const { canWritePlugin } = getUserPermissions();
+
+  return hasGlobalPermission(`plugins:write`) && canWritePlugin;
+}
diff --git a/src/page/AlertingPage.tsx b/src/page/AlertingPage.tsx
index a6a95f381..ecf6edbd6 100644
--- a/src/page/AlertingPage.tsx
+++ b/src/page/AlertingPage.tsx
@@ -5,11 +5,13 @@ import { Alert, Button, Modal, Spinner, Stack, useStyles2 } from '@grafana/ui';
 import { css } from '@emotion/css';
 
 import { AlertFormValues, AlertRule } from 'types';
+import { useAlertAccessControl } from 'hooks/useAlertAccessControl';
 import { useAlerts } from 'hooks/useAlerts';
-import { useCanReadMetrics, useDSPermission } from 'hooks/useDSPermission';
 import { transformAlertFormValues } from 'components/alertingTransformations';
 import { AlertRuleForm } from 'components/AlertRuleForm';
 
+import { ContactAdminAlert } from './ContactAdminAlert';
+
 type SplitAlertRules = {
   recordingRules: AlertRule[];
   alertingRules: AlertRule[];
@@ -25,7 +27,7 @@ export const AlertingPage = () => {
 
 const Alerting = () => {
   const styles = useStyles2(getStyles);
-  const canRead = useCanReadMetrics();
+  const { canReadAlerts } = useAlertAccessControl();
 
   return (
     <div>
@@ -39,7 +41,11 @@ const Alerting = () => {
           Learn more about alerting for Synthetic Monitoring.
         </a>
       </p>
-      {canRead ? <AlertingPageContent /> : <InsufficientPermissions />}
+      {canReadAlerts ? (
+        <AlertingPageContent />
+      ) : (
+        <ContactAdminAlert title="Insufficient Permissions" missingPermissions={['datasources:read']} />
+      )}
     </div>
   );
 };
@@ -49,7 +55,7 @@ const AlertingPageContent = () => {
   const [updatingDefaultRules, setUpdatingDefaultRules] = useState(false);
   const [showResetModal, setShowResetModal] = useState(false);
   const { alertRules, setDefaultRules, setRules, alertError } = useAlerts();
-  const canEdit = useDSPermission(`metrics`, `alert.instances.external:write`);
+  const { canWriteAlerts, hasWriterRole } = useAlertAccessControl();
 
   const { recordingRules, alertingRules } = alertRules?.reduce<SplitAlertRules>(
     (rules, currentRule) => {
@@ -93,13 +99,16 @@ const AlertingPageContent = () => {
           {alertError}
         </Alert>
       )}
+      {hasWriterRole && !canWriteAlerts && (
+        <ContactAdminAlert title="Insufficient Permissions" missingPermissions={['alert.instances.external:write']} />
+      )}
       {alertRules?.length === 0 && !Boolean(alertError) && (
         <div className={styles.emptyCard}>
           <span className={styles.defaultAlerts}>
             You do not have any default alerts for Synthetic Monitoring yet. Click below to get some default alerts. You
             can also create custom alerts for checks using Grafana Cloud Alerting.
           </span>
-          <Button size="md" disabled={updatingDefaultRules || !canEdit} onClick={populateDefaultAlerts}>
+          <Button size="md" disabled={updatingDefaultRules || !canWriteAlerts} onClick={populateDefaultAlerts}>
             Populate default alerts
           </Button>
         </div>
@@ -109,12 +118,17 @@ const AlertingPageContent = () => {
           key={`${alertRule.alert}-${index}`}
           rule={alertRule}
           onSubmit={getUpdateRules(index)}
-          canEdit={canEdit}
+          canEdit={canWriteAlerts}
         />
       ))}
       {Boolean(alertRules?.length) ? (
         <Stack justifyContent="flex-end">
-          <Button disabled={!canEdit} variant="destructive" type="button" onClick={() => setShowResetModal(true)}>
+          <Button
+            disabled={!canWriteAlerts}
+            variant="destructive"
+            type="button"
+            onClick={() => setShowResetModal(true)}
+          >
             Reset to defaults
           </Button>
         </Stack>
@@ -142,14 +156,6 @@ const AlertingPageContent = () => {
   );
 };
 
-const InsufficientPermissions = () => {
-  return (
-    <Alert title="Insufficient permissions" severity="info">
-      You do not have the appropriate permissions to read the alert rules. To request access contact your administrator.
-    </Alert>
-  );
-};
-
 const getStyles = (theme: GrafanaTheme2) => ({
   emptyCard: css({
     backgroundColor: theme.colors.background.secondary,
diff --git a/src/page/CheckList/components/BulkActions.tsx b/src/page/CheckList/components/BulkActions.tsx
index 804995e32..b2490971a 100644
--- a/src/page/CheckList/components/BulkActions.tsx
+++ b/src/page/CheckList/components/BulkActions.tsx
@@ -4,8 +4,8 @@ import { Button, ButtonCascader, ConfirmModal, useStyles2 } from '@grafana/ui';
 import { css } from '@emotion/css';
 
 import { Check } from 'types';
+import { getUserPermissions } from 'data/permissions';
 import { useBulkDeleteChecks, useBulkUpdateChecks } from 'data/useChecks';
-import { useCanWriteSM } from 'hooks/useDSPermission';
 import { BulkActionsModal } from 'page/CheckList/components/BulkActionsModal';
 
 interface BulkActionsProps {
@@ -19,7 +19,7 @@ enum BulkAction {
 }
 
 export const BulkActions = ({ checks, onResolved }: BulkActionsProps) => {
-  const canEdit = useCanWriteSM();
+  const { canWriteChecks, canDeleteChecks } = getUserPermissions();
   const styles = useStyles2(getStyles);
   const [bulkEditAction, setBulkEditAction] = useState<BulkAction | null>(null);
   const [showDeleteModal, setShowDeleteModal] = useState(false);
@@ -62,7 +62,7 @@ export const BulkActions = ({ checks, onResolved }: BulkActionsProps) => {
                 value: BulkAction.Remove,
               },
             ]}
-            disabled={!canEdit}
+            disabled={!canWriteChecks}
             onChange={(value: string[]) => {
               const action = value[0] as BulkAction;
               setBulkEditAction(action);
@@ -71,10 +71,22 @@ export const BulkActions = ({ checks, onResolved }: BulkActionsProps) => {
             Bulk Edit Probes
           </ButtonCascader>
         )}
-        <Button type="button" variant="primary" fill="text" onClick={handleEnableSelectedChecks} disabled={!canEdit}>
+        <Button
+          type="button"
+          variant="primary"
+          fill="text"
+          onClick={handleEnableSelectedChecks}
+          disabled={!canWriteChecks}
+        >
           Enable
         </Button>
-        <Button type="button" variant="secondary" fill="text" onClick={handleDisableSelectedChecks} disabled={!canEdit}>
+        <Button
+          type="button"
+          variant="secondary"
+          fill="text"
+          onClick={handleDisableSelectedChecks}
+          disabled={!canWriteChecks}
+        >
           Disable
         </Button>
 
@@ -83,7 +95,7 @@ export const BulkActions = ({ checks, onResolved }: BulkActionsProps) => {
           variant="destructive"
           fill="text"
           onClick={() => setShowDeleteModal(true)}
-          disabled={!canEdit}
+          disabled={!canDeleteChecks}
         >
           Delete
         </Button>
diff --git a/src/page/CheckList/components/CheckItemActionButtons.tsx b/src/page/CheckList/components/CheckItemActionButtons.tsx
index 9075f78e7..99b780091 100644
--- a/src/page/CheckList/components/CheckItemActionButtons.tsx
+++ b/src/page/CheckList/components/CheckItemActionButtons.tsx
@@ -6,8 +6,8 @@ import { css } from '@emotion/css';
 import { Check } from 'types';
 import { ROUTES } from 'routing/types';
 import { generateRoutePath, getRoute } from 'routing/utils';
+import { getUserPermissions } from 'data/permissions';
 import { useDeleteCheck } from 'data/useChecks';
-import { useCanReadMetrics, useCanWriteSM } from 'hooks/useDSPermission';
 
 interface CheckItemActionButtonsProps {
   check: Check;
@@ -15,8 +15,7 @@ interface CheckItemActionButtonsProps {
 }
 
 export const CheckItemActionButtons = ({ check, viewDashboardAsIcon }: CheckItemActionButtonsProps) => {
-  const canEdit = useCanWriteSM();
-  const canReadMetrics = useCanReadMetrics();
+  const { canReadChecks, canWriteChecks, canDeleteChecks } = getUserPermissions();
   const styles = useStyles2(getStyles);
   const [showDeleteModal, setShowDeleteModal] = useState(false);
 
@@ -24,7 +23,7 @@ export const CheckItemActionButtons = ({ check, viewDashboardAsIcon }: CheckItem
 
   return (
     <div className={styles.actionButtonGroup}>
-      {canReadMetrics && (
+      {canReadChecks && (
         <>
           {viewDashboardAsIcon ? (
             <LinkButton
@@ -46,7 +45,7 @@ export const CheckItemActionButtons = ({ check, viewDashboardAsIcon }: CheckItem
         href={`${generateRoutePath(ROUTES.EditCheck, { id: check.id! })}`}
         icon={`pen`}
         tooltip="Edit check"
-        disabled={!canEdit}
+        disabled={!canWriteChecks}
         variant="secondary"
         fill={`text`}
       />
@@ -54,7 +53,7 @@ export const CheckItemActionButtons = ({ check, viewDashboardAsIcon }: CheckItem
         tooltip="Delete check"
         name="trash-alt"
         onClick={() => setShowDeleteModal(true)}
-        disabled={!canEdit}
+        disabled={!canDeleteChecks}
       />
       <ConfirmModal
         isOpen={showDeleteModal}
diff --git a/src/page/CheckList/components/CheckListHeader.tsx b/src/page/CheckList/components/CheckListHeader.tsx
index 66a5257fb..a15d1dd9b 100644
--- a/src/page/CheckList/components/CheckListHeader.tsx
+++ b/src/page/CheckList/components/CheckListHeader.tsx
@@ -5,7 +5,7 @@ import { css } from '@emotion/css';
 
 import { CheckFiltersType, CheckListViewType, FilterType } from 'page/CheckList/CheckList.types';
 import { Check, CheckSort } from 'types';
-import { useCanWriteSM } from 'hooks/useDSPermission';
+import { getUserPermissions } from 'data/permissions';
 import { AddNewCheckButton } from 'components/AddNewCheckButton';
 import { BulkActions } from 'page/CheckList/components/BulkActions';
 import { CheckFilters } from 'page/CheckList/components/CheckFilters';
@@ -68,7 +68,8 @@ export const CheckListHeader = ({
   sortType,
   viewType,
 }: CheckListHeaderProps) => {
-  const canEdit = useCanWriteSM();
+  const { canWriteChecks, canWriteThresholds } = getUserPermissions();
+
   const styles = useStyles2(getStyles);
   const [showThresholdModal, setShowThresholdModal] = useState(false);
   const hasChecks = checks.length > 0;
@@ -95,14 +96,13 @@ export const CheckListHeader = ({
             checkFilters={checkFilters}
             onChange={onFilterChange}
           />
-          {canEdit && (
-            <>
-              <Button variant="secondary" fill="outline" onClick={() => setShowThresholdModal((v) => !v)}>
-                Set Thresholds
-              </Button>
-              <AddNewCheckButton />
-            </>
+          {canWriteThresholds && (
+            <Button variant="secondary" fill="outline" onClick={() => setShowThresholdModal((v) => !v)}>
+              Set Thresholds
+            </Button>
           )}
+
+          {canWriteChecks && <AddNewCheckButton />}
         </div>
       </div>
       <div className={styles.row}>
diff --git a/src/page/ConfigPageLayout/tabs/AccessTokensTab.tsx b/src/page/ConfigPageLayout/tabs/AccessTokensTab.tsx
index d6d2ed31d..8a23ed514 100644
--- a/src/page/ConfigPageLayout/tabs/AccessTokensTab.tsx
+++ b/src/page/ConfigPageLayout/tabs/AccessTokensTab.tsx
@@ -2,14 +2,15 @@ import React, { useState } from 'react';
 import { Alert, Button, Modal, Space, TextLink } from '@grafana/ui';
 
 import { FaroEvent, reportError, reportEvent } from 'faro';
-import { useCanWriteSM } from 'hooks/useDSPermission';
+import { getUserPermissions } from 'data/permissions';
 import { useSMDS } from 'hooks/useSMDS';
 import { Clipboard } from 'components/Clipboard';
+import { ContactAdminAlert } from 'page/ContactAdminAlert';
 
 import { ConfigContent } from '../ConfigContent';
 
 export function AccessTokensTab() {
-  const canCreateAccessToken = useCanWriteSM();
+  const { canWriteTokens } = getUserPermissions();
   const smDS = useSMDS();
   const [showModal, setShowModal] = useState(false);
   const [error, setError] = useState<string | undefined>();
@@ -30,6 +31,13 @@ export function AccessTokensTab() {
 
   return (
     <ConfigContent title="Access tokens">
+      {!canWriteTokens && (
+        <ContactAdminAlert
+          title="Contact your administrator to generate Access Tokens"
+          missingPermissions={['grafana-synthetic-monitoring-app.access-tokens:write']}
+        />
+      )}
+
       <ConfigContent.Section title="Synthetic Monitoring">
         You can use an SM access token to authenticate with the synthetic monitoring api. Check out the{' '}
         <TextLink icon="github" href="https://github.com/grafana/synthetic-monitoring-api-go-client" external>
@@ -42,8 +50,8 @@ export function AccessTokensTab() {
         documentation to learn more about how to interact with the synthetic monitoring API.
         <Space v={2} />
         <Button
-          tooltip={!canCreateAccessToken ? 'You do not have permission to generate access tokens.' : undefined}
-          disabled={!canCreateAccessToken}
+          tooltip={!canWriteTokens ? 'You do not have permission to generate access tokens.' : undefined}
+          disabled={!canWriteTokens}
           onClick={() => showTokenModal()}
         >
           Generate access token
diff --git a/src/page/ConfigPageLayout/tabs/GeneralTab.tsx b/src/page/ConfigPageLayout/tabs/GeneralTab.tsx
index 786c2b8d5..5d5493885 100644
--- a/src/page/ConfigPageLayout/tabs/GeneralTab.tsx
+++ b/src/page/ConfigPageLayout/tabs/GeneralTab.tsx
@@ -4,8 +4,8 @@ import { config } from '@grafana/runtime';
 import { Alert, Space, TextLink, useStyles2 } from '@grafana/ui';
 import { css } from '@emotion/css';
 
+import { getUserPermissions } from 'data/permissions';
 import { useBackendAddress } from 'hooks/useBackendAddress';
-import { useCanWriteSM } from 'hooks/useDSPermission';
 import { useMeta } from 'hooks/useMeta';
 import { LinkedDatasourceView } from 'components/LinkedDatasourceView';
 
@@ -16,7 +16,7 @@ export function GeneralTab() {
   const meta = useMeta();
   // This may be false in play.grafana.net
   const isSignedIn = config.bootData.user?.isSignedIn ?? false;
-  const canWriteSM = useCanWriteSM();
+  const { canWriteSM } = getUserPermissions();
   const [backendAddress, backendAddressDescription] = useBackendAddress(true);
   const styles = useStyles2(getStyles);
 
diff --git a/src/page/ConfigPageLayout/tabs/TerraformTab.tsx b/src/page/ConfigPageLayout/tabs/TerraformTab.tsx
index 75bc47fb6..4b5233564 100644
--- a/src/page/ConfigPageLayout/tabs/TerraformTab.tsx
+++ b/src/page/ConfigPageLayout/tabs/TerraformTab.tsx
@@ -6,14 +6,17 @@ import { css } from '@emotion/css';
 import { FaroEvent, reportEvent } from 'faro';
 import { ROUTES } from 'routing/types';
 import { generateRoutePath } from 'routing/utils';
+import { getUserPermissions } from 'data/permissions';
 import { useTerraformConfig } from 'hooks/useTerraformConfig';
 import { Clipboard } from 'components/Clipboard';
+import { ContactAdminAlert } from 'page/ContactAdminAlert';
 
 import { ConfigContent } from '../ConfigContent';
 
 export function TerraformTab() {
   const { config, checkCommands, probeCommands, error, isLoading } = useTerraformConfig();
   const styles = useStyles2(getStyles);
+  const { canReadChecks, canReadProbes } = getUserPermissions();
   useEffect(() => {
     reportEvent(FaroEvent.SHOW_TERRAFORM_CONFIG);
   }, []);
@@ -22,6 +25,18 @@ export function TerraformTab() {
     return <ConfigContent loading={isLoading} title="Terraform config" />;
   }
 
+  if (!canReadChecks && !canReadProbes) {
+    return (
+      <ContactAdminAlert
+        title="Contact your administrator to gain access to Terraform data"
+        missingPermissions={[
+          'grafana-synthetic-monitoring-app.checks:read',
+          'grafana-synthetic-monitoring-app.probes:read',
+        ]}
+      />
+    );
+  }
+
   return (
     <ConfigContent title="Terraform config">
       {error && <Alert title={error.message} />}
diff --git a/src/page/ContactAdminAlert.tsx b/src/page/ContactAdminAlert.tsx
new file mode 100644
index 000000000..14da28286
--- /dev/null
+++ b/src/page/ContactAdminAlert.tsx
@@ -0,0 +1,46 @@
+import React from 'react';
+import { GrafanaTheme2 } from '@grafana/data';
+import { Alert, AlertVariant, Stack, useStyles2 } from '@grafana/ui';
+import { css } from '@emotion/css';
+
+interface ContactAdminAlertProps {
+  title?: string;
+  missingPermissions?: string[];
+  severity?: AlertVariant;
+}
+
+export const ContactAdminAlert = ({
+  title = 'Contact your administrator to get you started.',
+  missingPermissions,
+  severity = 'info',
+}: ContactAdminAlertProps) => {
+  const styles = useStyles2(getStyles);
+  return (
+    <div className={styles.container}>
+      <Alert title={title} severity={severity}>
+        {missingPermissions && (
+          <Stack direction={'column'}>
+            You need the following permission(s):
+            <Stack wrap={'nowrap'} direction={'column'}>
+              {missingPermissions.map((permission) => (
+                <code className={styles.permission} key={permission}>
+                  {permission}
+                </code>
+              ))}
+            </Stack>
+          </Stack>
+        )}
+      </Alert>
+    </div>
+  );
+};
+
+const getStyles = (theme: GrafanaTheme2) => ({
+  container: css({
+    textAlign: 'left',
+  }),
+
+  permission: css({
+    width: 'fit-content',
+  }),
+});
diff --git a/src/page/EditCheck/__tests__/EditCheck.test.tsx b/src/page/EditCheck/__tests__/EditCheck.test.tsx
index ad5bdfe07..8cadbcc97 100644
--- a/src/page/EditCheck/__tests__/EditCheck.test.tsx
+++ b/src/page/EditCheck/__tests__/EditCheck.test.tsx
@@ -2,7 +2,7 @@ import { screen } from '@testing-library/react';
 import { BASIC_HTTP_CHECK } from 'test/fixtures/checks';
 import { apiRoute } from 'test/handlers';
 import { server } from 'test/server';
-import { runTestAsViewer } from 'test/utils';
+import { runTestAsRBACReader, runTestAsViewer } from 'test/utils';
 
 import { renderEditForm } from 'page/__testHelpers__/checkForm';
 
@@ -54,4 +54,10 @@ describe(`<EditCheck />`, () => {
     await renderEditForm(BASIC_HTTP_CHECK.id);
     expect(screen.getByRole(`button`, { name: `Submit` })).toBeDisabled();
   });
+
+  it(`disables the form when the user is a RBAC viewer`, async () => {
+    runTestAsRBACReader();
+    await renderEditForm(BASIC_HTTP_CHECK.id);
+    expect(screen.getByRole(`button`, { name: `Submit` })).toBeDisabled();
+  });
 });
diff --git a/src/page/EditProbe/EditProbe.tsx b/src/page/EditProbe/EditProbe.tsx
index 3b707db2d..1f1ceb723 100644
--- a/src/page/EditProbe/EditProbe.tsx
+++ b/src/page/EditProbe/EditProbe.tsx
@@ -22,14 +22,14 @@ export const EditProbe = ({ forceViewMode }: { forceViewMode?: boolean }) => {
   const [probe, setProbe] = useState<ExtendedProbe>();
   const [errorMessage, setErrorMessage] = useState<string>('');
   const navigate = useNavigate();
-  const canEdit = useCanEditProbe(probe);
+  const { canWriteProbes } = useCanEditProbe(probe);
 
   useEffect(() => {
     // This is mainly here to handle legacy links redirect
-    if (probe && !canEdit && !forceViewMode) {
+    if (probe && !canWriteProbes && !forceViewMode) {
       navigate(generateRoutePath(ROUTES.ViewProbe, { id: probe.id! }), { replace: true });
     }
-  }, [canEdit, navigate, probe, forceViewMode]);
+  }, [canWriteProbes, navigate, probe, forceViewMode]);
   if (errorMessage) {
     return (
       <PluginPageNotFound breadcrumb="Probe not found">
@@ -41,9 +41,9 @@ export const EditProbe = ({ forceViewMode }: { forceViewMode?: boolean }) => {
 
   return (
     <PluginPage
-      pageNav={{ text: getTitle(probe, canEdit && !forceViewMode) }}
+      pageNav={{ text: getTitle(probe, canWriteProbes && !forceViewMode) }}
       actions={
-        canEdit &&
+        canWriteProbes &&
         probe &&
         forceViewMode && (
           <LinkButton variant="secondary" icon="pen" href={generateRoutePath(ROUTES.EditProbe, { id: probe.id! })}>
@@ -90,8 +90,8 @@ const EditProbeFetch = ({
 
 const EditProbeContent = ({ probe, forceViewMode }: { forceViewMode?: boolean; probe: ExtendedProbe }) => {
   const navigate = useNavigation();
-  const canEdit = useCanEditProbe(probe);
-  const writeMode = canEdit && !forceViewMode;
+  const { canDeleteProbes } = useCanEditProbe(probe);
+  const writeMode = canDeleteProbes && !forceViewMode;
   const [showTokenModal, setShowTokenModal] = useState(false);
   const [probeToken, setProbeToken] = useState(``);
 
diff --git a/src/page/Probes/Probes.tsx b/src/page/Probes/Probes.tsx
index 1fe3f7b94..165e5cd52 100644
--- a/src/page/Probes/Probes.tsx
+++ b/src/page/Probes/Probes.tsx
@@ -7,8 +7,8 @@ import { DataTestIds } from 'test/dataTestIds';
 import { ExtendedProbe } from 'types';
 import { ROUTES } from 'routing/types';
 import { getRoute } from 'routing/utils';
+import { getUserPermissions } from 'data/permissions';
 import { useExtendedProbes } from 'data/useProbes';
-import { useCanWriteSM } from 'hooks/useDSPermission';
 import { CenteredSpinner } from 'components/CenteredSpinner';
 import { DocsLink } from 'components/DocsLink';
 import { ProbeList } from 'components/ProbeList';
@@ -34,8 +34,8 @@ export const Probes = () => {
 };
 
 const Actions = () => {
-  const canEdit = useCanWriteSM();
-  if (!canEdit) {
+  const { canWriteProbes } = getUserPermissions();
+  if (!canWriteProbes) {
     return null;
   }
 
diff --git a/src/page/SubsectionWelcomePage.tsx b/src/page/SubsectionWelcomePage.tsx
index dcb39779f..8ee536a22 100644
--- a/src/page/SubsectionWelcomePage.tsx
+++ b/src/page/SubsectionWelcomePage.tsx
@@ -10,8 +10,8 @@ import { Card } from 'components/Card';
 
 interface Props {
   children: React.ReactNode;
-  redirectTo: ROUTES;
-  buttonText: string;
+  redirectTo?: ROUTES;
+  buttonText?: string;
 }
 
 export const SubsectionWelcomePage = ({ children, redirectTo, buttonText }: PropsWithChildren<Props>) => {
@@ -24,7 +24,7 @@ export const SubsectionWelcomePage = ({ children, redirectTo, buttonText }: Prop
           <Stack justifyContent={'center'} alignItems={'center'} direction={'column'} gap={3}>
             <Text element={`h2`}>Get started monitoring your services</Text>
             <div>{children}</div>
-            <AppInitializer redirectTo={redirectTo} buttonText={buttonText} />
+            {buttonText && <AppInitializer redirectTo={redirectTo} buttonText={buttonText} />}
           </Stack>
         </Card>
       </Stack>
diff --git a/src/page/UnauthorizedPage.tsx b/src/page/UnauthorizedPage.tsx
new file mode 100644
index 000000000..f0dd03e68
--- /dev/null
+++ b/src/page/UnauthorizedPage.tsx
@@ -0,0 +1,16 @@
+import React from 'react';
+import { PluginPage } from '@grafana/runtime';
+
+import { ContactAdminAlert } from './ContactAdminAlert';
+
+interface UnauthorizedPageProps {
+  permissions: string[];
+}
+
+export const UnauthorizedPage = ({ permissions }: UnauthorizedPageProps) => {
+  return (
+    <PluginPage>
+      <ContactAdminAlert missingPermissions={permissions} />
+    </PluginPage>
+  );
+};
diff --git a/src/plugin.json b/src/plugin.json
index b46b2ef57..a924a56c9 100644
--- a/src/plugin.json
+++ b/src/plugin.json
@@ -26,7 +26,7 @@
       "path": "install",
       "method": "*",
       "url": "{{ .JsonData.apiHost }}/api/v1/register/install",
-      "reqRole": "Editor",
+      "reqAction": "grafana-synthetic-monitoring-app.plugin:write",
       "headers": [
         {
           "name": "Authorization",
@@ -40,6 +40,7 @@
       "type": "page",
       "name": "Home",
       "path": "/a/grafana-synthetic-monitoring-app/home",
+      "action": "grafana-synthetic-monitoring-app:read",
       "addToNav": true,
       "defaultNav": true
     },
@@ -47,24 +48,28 @@
       "type": "page",
       "name": "Checks",
       "path": "/a/grafana-synthetic-monitoring-app/checks",
+      "action": "grafana-synthetic-monitoring-app.checks:read",
       "addToNav": true
     },
     {
       "type": "page",
       "name": "Probes",
       "path": "/a/grafana-synthetic-monitoring-app/probes",
+      "action": "grafana-synthetic-monitoring-app.probes:read",
       "addToNav": true
     },
     {
       "type": "page",
       "name": "Alerts",
       "path": "/a/grafana-synthetic-monitoring-app/alerts",
+      "action": "grafana-synthetic-monitoring-app.alerts:read",
       "addToNav": true
     },
     {
       "type": "page",
       "name": "Config",
       "path": "/a/grafana-synthetic-monitoring-app/config",
+      "action": "grafana-synthetic-monitoring-app:write",
       "addToNav": true
     },
     {
@@ -73,6 +78,206 @@
       "path": "datasource/plugin.json"
     }
   ],
+  "roles": [
+    {
+      "role": {
+        "name": "Checks reader",
+        "description": "Read checks in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+
+          { "action": "grafana-synthetic-monitoring-app.checks:read" }
+        ]
+      },
+      "grants": ["Viewer"]
+    },
+    {
+      "role": {
+        "name": "Checks writer",
+        "description": "Create, edit and delete checks in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+          { "action": "grafana-synthetic-monitoring-app:write" },
+
+          { "action": "grafana-synthetic-monitoring-app.checks:write" },
+          { "action": "grafana-synthetic-monitoring-app.checks:read" },
+          { "action": "grafana-synthetic-monitoring-app.checks:delete" }
+        ]
+      },
+      "grants": ["Admin", "Editor"]
+    },
+    {
+      "role": {
+        "name": "Probes reader",
+        "description": "Read probes in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+
+          { "action": "grafana-synthetic-monitoring-app.probes:read" }
+        ]
+      },
+      "grants": ["Viewer"]
+    },
+    {
+      "role": {
+        "name": "Probes writer",
+        "description": "Create, edit and delete probes in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+          { "action": "grafana-synthetic-monitoring-app:write" },
+
+          { "action": "grafana-synthetic-monitoring-app.probes:write" },
+          { "action": "grafana-synthetic-monitoring-app.probes:read" },
+          { "action": "grafana-synthetic-monitoring-app.probes:delete" }
+        ]
+      },
+      "grants": ["Admin", "Editor"]
+    },
+    {
+      "role": {
+        "name": "Alerts reader",
+        "description": "Read alerts in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+
+          { "action": "grafana-synthetic-monitoring-app.alerts:read" }
+        ]
+      },
+      "grants": ["Viewer"]
+    },
+    {
+      "role": {
+        "name": "Alerts writer",
+        "description": "Create, edit and delete alerts in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+          { "action": "grafana-synthetic-monitoring-app:write" },
+
+          { "action": "grafana-synthetic-monitoring-app.alerts:write" },
+          { "action": "grafana-synthetic-monitoring-app.alerts:read" },
+          { "action": "grafana-synthetic-monitoring-app.alerts:delete" }
+        ]
+      },
+      "grants": ["Admin", "Editor"]
+    },
+    {
+      "role": {
+        "name": "Thresholds reader",
+        "description": "Read thresholds in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+
+          { "action": "grafana-synthetic-monitoring-app.thresholds:read" }
+        ]
+      },
+      "grants": ["Viewer"]
+    },
+    {
+      "role": {
+        "name": "Thresholds writer",
+        "description": "Read and edit thresholds in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+          { "action": "grafana-synthetic-monitoring-app:write" },
+
+          { "action": "grafana-synthetic-monitoring-app.thresholds:write" },
+          { "action": "grafana-synthetic-monitoring-app.thresholds:read" },
+          { "action": "grafana-synthetic-monitoring-app.thresholds:delete" }
+        ]
+      },
+      "grants": ["Admin", "Editor"]
+    },
+    {
+      "role": {
+        "name": "Access tokens writer",
+        "description": "Create and delete access tokens in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+          { "action": "grafana-synthetic-monitoring-app:write" },
+
+          { "action": "grafana-synthetic-monitoring-app.access-tokens:write" }
+        ]
+      },
+      "grants": ["Admin"]
+    },
+    {
+      "role": {
+        "name": "Admin",
+        "description": "Full access to write and manage checks, probes, alerts, thresholds, and access tokens as well as enabling/disabling the Synthetic Monitoring plugin",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+          { "action": "grafana-synthetic-monitoring-app:write" },
+
+          { "action": "grafana-synthetic-monitoring-app.plugin:write" },
+          { "action": "grafana-synthetic-monitoring-app.checks:write" },
+          { "action": "grafana-synthetic-monitoring-app.probes:write" },
+          { "action": "grafana-synthetic-monitoring-app.alerts:write" },
+          { "action": "grafana-synthetic-monitoring-app.thresholds:write" },
+          { "action": "grafana-synthetic-monitoring-app.access-tokens:write" },
+          { "action": "grafana-synthetic-monitoring-app.checks:read" },
+          { "action": "grafana-synthetic-monitoring-app.probes:read" },
+          { "action": "grafana-synthetic-monitoring-app.alerts:read" },
+          { "action": "grafana-synthetic-monitoring-app.thresholds:read" },
+          { "action": "grafana-synthetic-monitoring-app.checks:delete" },
+          { "action": "grafana-synthetic-monitoring-app.probes:delete" },
+          { "action": "grafana-synthetic-monitoring-app.alerts:delete" },
+          { "action": "grafana-synthetic-monitoring-app.thresholds:delete" }
+        ]
+      },
+      "grants": ["Admin"]
+    },
+    {
+      "role": {
+        "name": "Editor",
+        "description": "Add, update and delete checks, probes, alerts, thresholds, and access tokens in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+          { "action": "grafana-synthetic-monitoring-app:write" },
+
+          { "action": "grafana-synthetic-monitoring-app.checks:write" },
+          { "action": "grafana-synthetic-monitoring-app.probes:write" },
+          { "action": "grafana-synthetic-monitoring-app.alerts:write" },
+          { "action": "grafana-synthetic-monitoring-app.thresholds:write" },
+          { "action": "grafana-synthetic-monitoring-app.checks:read" },
+          { "action": "grafana-synthetic-monitoring-app.probes:read" },
+          { "action": "grafana-synthetic-monitoring-app.alerts:read" },
+          { "action": "grafana-synthetic-monitoring-app.thresholds:read" },
+          { "action": "grafana-synthetic-monitoring-app.checks:delete" },
+          { "action": "grafana-synthetic-monitoring-app.probes:delete" },
+          { "action": "grafana-synthetic-monitoring-app.alerts:delete" },
+          { "action": "grafana-synthetic-monitoring-app.thresholds:delete" }
+        ]
+      },
+      "grants": ["Admin", "Editor"]
+    },
+    {
+      "role": {
+        "name": "Reader",
+        "description": "Read checks, probes, alerts, thresholds, and access tokens in the Synthetic Monitoring app",
+        "permissions": [
+          { "action": "plugins.app:access", "scope": "plugins:id:grafana-synthetic-monitoring-app" },
+          { "action": "grafana-synthetic-monitoring-app:read" },
+
+          { "action": "grafana-synthetic-monitoring-app.checks:read" },
+          { "action": "grafana-synthetic-monitoring-app.probes:read" },
+          { "action": "grafana-synthetic-monitoring-app.alerts:read" },
+          { "action": "grafana-synthetic-monitoring-app.thresholds:read" }
+        ]
+      },
+      "grants": ["Viewer"]
+    }
+  ],
   "dependencies": {
     "grafanaDependency": ">=11.3.0",
     "grafanaVersion": "11.3"
diff --git a/src/routing/InitialisedRouter.tsx b/src/routing/InitialisedRouter.tsx
index 6daf68bbd..7153d02c7 100644
--- a/src/routing/InitialisedRouter.tsx
+++ b/src/routing/InitialisedRouter.tsx
@@ -5,7 +5,7 @@ import { TextLink } from '@grafana/ui';
 import { LegacyEditRedirect } from 'routing/LegacyEditRedirect';
 import { ROUTES } from 'routing/types';
 import { getNewCheckTypeRedirects, getRoute } from 'routing/utils';
-import { useCanWriteSM } from 'hooks/useDSPermission';
+import { getUserPermissions } from 'data/permissions';
 import { useLimits } from 'hooks/useLimits';
 import { QueryParamMap, useNavigation } from 'hooks/useNavigation';
 import { useQuery } from 'hooks/useQuery';
@@ -26,6 +26,7 @@ import { CheckNotFound } from 'page/NotFound/CheckNotFound';
 import { PluginPageNotFound } from 'page/NotFound/NotFound';
 import { Probes } from 'page/Probes';
 import { SceneHomepage } from 'page/SceneHomepage';
+import { UnauthorizedPage } from 'page/UnauthorizedPage';
 
 export const InitialisedRouter = () => {
   const queryParams = useQuery();
@@ -44,19 +45,38 @@ export const InitialisedRouter = () => {
       navigate(path, translated);
     }
   }, [page, navigate, queryParams]);
-  const canEdit = useCanWriteSM();
+
+  const { canWriteChecks, canReadChecks, canReadProbes } = getUserPermissions();
 
   return (
     <Routes>
       <Route index element={<Navigate to={ROUTES.Home} />} />
 
-      <Route path={ROUTES.Home} element={<SceneHomepage />} />
+      <Route
+        path={ROUTES.Home}
+        element={
+          canReadChecks ? (
+            <SceneHomepage />
+          ) : (
+            <UnauthorizedPage permissions={['grafana-synthetic-monitoring-app.checks:read']} />
+          )
+        }
+      />
 
       <Route path={ROUTES.Checks}>
         <Route index element={<CheckList />} />
         <Route path=":id">
-          <Route index element={<DashboardPage />} />
-          <Route path="edit" element={canEdit ? <EditCheck /> : <Navigate to=".." replace />} />
+          <Route
+            index
+            element={
+              canReadChecks ? (
+                <DashboardPage />
+              ) : (
+                <UnauthorizedPage permissions={['grafana-synthetic-monitoring-app.checks:read']} />
+              )
+            }
+          />
+          <Route path="edit" element={canWriteChecks ? <EditCheck /> : <Navigate to=".." replace />} />
           <Route path="dashboard" element={<Navigate to=".." replace />} />
           <Route path="*" element={<CheckNotFound />} />
         </Route>
@@ -87,7 +107,16 @@ export const InitialisedRouter = () => {
         <Route index element={<Probes />} />
         <Route path="new" element={<NewProbe />} />
         <Route path=":id">
-          <Route index element={<EditProbe forceViewMode />} />
+          <Route
+            index
+            element={
+              canReadProbes ? (
+                <EditProbe forceViewMode />
+              ) : (
+                <UnauthorizedPage permissions={['grafana-synthetic-monitoring-app.probes:read']} />
+              )
+            }
+          />
           <Route path="edit" element={<EditProbe />} />
         </Route>
 
diff --git a/src/scenes/Common/editButton.tsx b/src/scenes/Common/editButton.tsx
index f78a099fe..d0b1bfd0e 100644
--- a/src/scenes/Common/editButton.tsx
+++ b/src/scenes/Common/editButton.tsx
@@ -5,8 +5,8 @@ import { LinkButton } from '@grafana/ui';
 import { Check } from 'types';
 import { ROUTES } from 'routing/types';
 import { generateRoutePath } from 'routing/utils';
+import { getUserPermissions } from 'data/permissions';
 import { useChecks } from 'data/useChecks';
-import { useCanWriteSM } from 'hooks/useDSPermission';
 
 interface Props {
   job: SceneVariable;
@@ -16,13 +16,13 @@ interface Props {
 function EditCheckButton({ job, instance }: Props) {
   const { data: checks = [], isLoading } = useChecks();
   const url = getUrl(checks, instance.getValue(), job.getValue());
-  const canEdit = useCanWriteSM();
+  const { canWriteChecks } = getUserPermissions();
 
   return (
     <LinkButton
       variant="secondary"
       href={url}
-      disabled={isLoading || !url || !canEdit}
+      disabled={isLoading || !url || !canWriteChecks}
       icon={isLoading ? 'fa fa-spinner' : 'edit'}
     >
       Edit check
diff --git a/src/test/fixtures/rbacPermissions.ts b/src/test/fixtures/rbacPermissions.ts
new file mode 100644
index 000000000..5d65d2179
--- /dev/null
+++ b/src/test/fixtures/rbacPermissions.ts
@@ -0,0 +1,44 @@
+export const FULL_ADMIN_ACCESS = {
+  'grafana-synthetic-monitoring-app:read': true,
+  'grafana-synthetic-monitoring-app:write': true,
+  'grafana-synthetic-monitoring-app.plugin:write': true,
+  'grafana-synthetic-monitoring-app.checks:write': true,
+  'grafana-synthetic-monitoring-app.probes:write': true,
+  'grafana-synthetic-monitoring-app.alerts:write': true,
+  'grafana-synthetic-monitoring-app.thresholds:write': true,
+  'grafana-synthetic-monitoring-app.access-tokens:write': true,
+  'grafana-synthetic-monitoring-app.checks:read': true,
+  'grafana-synthetic-monitoring-app.probes:read': true,
+  'grafana-synthetic-monitoring-app.alerts:read': true,
+  'grafana-synthetic-monitoring-app.thresholds:read': true,
+  'grafana-synthetic-monitoring-app.checks:delete': true,
+  'grafana-synthetic-monitoring-app.probes:delete': true,
+  'grafana-synthetic-monitoring-app.alerts:delete': true,
+  'grafana-synthetic-monitoring-app.thresholds:delete': true,
+};
+
+export const FULL_WRITER_ACCESS = {
+  'grafana-synthetic-monitoring-app:read': true,
+  'grafana-synthetic-monitoring-app:write': true,
+  'grafana-synthetic-monitoring-app.checks:write': true,
+  'grafana-synthetic-monitoring-app.probes:write': true,
+  'grafana-synthetic-monitoring-app.alerts:write': true,
+  'grafana-synthetic-monitoring-app.thresholds:write': true,
+  'grafana-synthetic-monitoring-app.access-tokens:write': true,
+  'grafana-synthetic-monitoring-app.checks:read': true,
+  'grafana-synthetic-monitoring-app.probes:read': true,
+  'grafana-synthetic-monitoring-app.alerts:read': true,
+  'grafana-synthetic-monitoring-app.thresholds:read': true,
+  'grafana-synthetic-monitoring-app.checks:delete': true,
+  'grafana-synthetic-monitoring-app.probes:delete': true,
+  'grafana-synthetic-monitoring-app.alerts:delete': true,
+  'grafana-synthetic-monitoring-app.thresholds:delete': true,
+};
+
+export const FULL_READONLY_ACCESS = {
+  'grafana-synthetic-monitoring-app:read': true,
+  'grafana-synthetic-monitoring-app.checks:read': true,
+  'grafana-synthetic-monitoring-app.probes:read': true,
+  'grafana-synthetic-monitoring-app.alerts:read': true,
+  'grafana-synthetic-monitoring-app.thresholds:read': true,
+};
diff --git a/src/test/mocks/@grafana/runtime.tsx b/src/test/mocks/@grafana/runtime.tsx
index 603a29f17..b1092315b 100644
--- a/src/test/mocks/@grafana/runtime.tsx
+++ b/src/test/mocks/@grafana/runtime.tsx
@@ -4,6 +4,7 @@ import { BackendSrvRequest } from '@grafana/runtime';
 import axios from 'axios';
 import { from } from 'rxjs';
 import { LOGS_DATASOURCE, METRICS_DATASOURCE, SM_DATASOURCE } from 'test/fixtures/datasources';
+import { FULL_ADMIN_ACCESS } from 'test/fixtures/rbacPermissions';
 
 import { SMDataSource } from 'datasource/DataSource';
 
@@ -11,7 +12,6 @@ import { DataTestIds } from '../../dataTestIds';
 
 jest.mock('@grafana/runtime', () => {
   const actual = jest.requireActual('@grafana/runtime');
-
   return {
     ...actual,
     config: {
@@ -27,6 +27,7 @@ jest.mock('@grafana/runtime', () => {
         user: {
           ...actual.config.user,
           orgRole: OrgRole.Admin,
+          permissions: FULL_ADMIN_ACCESS,
         },
       },
     },
diff --git a/src/test/utils.ts b/src/test/utils.ts
index 4325aec06..feecee924 100644
--- a/src/test/utils.ts
+++ b/src/test/utils.ts
@@ -10,6 +10,7 @@ import {
 
 import { ExtendedProbe, type Probe } from 'types';
 
+import { FULL_ADMIN_ACCESS, FULL_READONLY_ACCESS, FULL_WRITER_ACCESS } from './fixtures/rbacPermissions';
 import { apiRoute } from './handlers';
 import { server } from './server';
 
@@ -149,6 +150,60 @@ export function runTestWithoutSMAccess() {
   });
 }
 
+export function runTestAsRBACReader() {
+  const runtime = require('@grafana/runtime');
+  jest.replaceProperty(runtime, `config`, {
+    ...config,
+    featureToggles: {
+      ...runtime.config.featureToggles,
+      accessControlOnCall: true,
+    },
+
+    bootData: {
+      ...runtime.config.bootData,
+      user: {
+        permissions: FULL_READONLY_ACCESS,
+      },
+    },
+  });
+}
+
+export function runTestAsRBACEditor() {
+  const runtime = require('@grafana/runtime');
+  jest.replaceProperty(runtime, `config`, {
+    ...config,
+    featureToggles: {
+      ...runtime.config.featureToggles,
+      accessControlOnCall: true,
+    },
+
+    bootData: {
+      ...runtime.config.bootData,
+      user: {
+        permissions: FULL_WRITER_ACCESS,
+      },
+    },
+  });
+}
+
+export function runTestAsRBACAdmin() {
+  const runtime = require('@grafana/runtime');
+  jest.replaceProperty(runtime, `config`, {
+    ...config,
+    featureToggles: {
+      ...runtime.config.featureToggles,
+      accessControlOnCall: true,
+    },
+
+    bootData: {
+      ...runtime.config.bootData,
+      user: {
+        permissions: FULL_ADMIN_ACCESS,
+      },
+    },
+  });
+}
+
 export function runTestAsHGFreeUserOverLimit() {
   // this gets reset in afterEach in jest-setup.js
   const runtime = require('@grafana/runtime');
diff --git a/src/types.ts b/src/types.ts
index f9a06198d..d3d2fe6b8 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -799,3 +799,13 @@ export interface CheckFormInvalidSubmissionEvent {
   errs: FieldErrors<CheckFormValues>;
   source: string;
 }
+
+type PermissionBase = 'grafana-synthetic-monitoring-app';
+export type PluginPermissions =
+  | `${PermissionBase}:${'read' | 'write'}`
+  | `${PermissionBase}.checks:${'read' | 'write' | 'delete'}`
+  | `${PermissionBase}.probes:${'read' | 'write' | 'delete'}`
+  | `${PermissionBase}.alerts:${'read' | 'write' | 'delete'}`
+  | `${PermissionBase}.thresholds:${'read' | 'write' | 'delete'}`
+  | `${PermissionBase}.access-tokens:${'write'}`
+  | `${PermissionBase}.plugin:${'write'}`;