Allow configuring permissions for all MLflow models

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## 0.4.7
 * Added optional `force` argument to `databricks_group` resource to ignore `cannot create group: Group with name X already exists.` errors and implicitly import the specific group into Terraform state, enforcing entitlements defined in the instance of resource ([#1066](https://github.com/databrickslabs/terraform-provider-databricks/pull/1066)).
+* Added support to configure permissions for all MLflow models ([#1044](https://github.com/databrickslabs/terraform-provider-databricks/issues/1044)).
 * Fixed `databricks_service_principal` `display_name` update ([#1065](https://github.com/databrickslabs/terraform-provider-databricks/issues/1065)).
 * Added documentation for Unity Catalog resources.
 

docs/resources/permissions.md

@@ -373,7 +373,7 @@ resource "databricks_permissions" "experiment_usage" {
 
 ## MLflow Model usage
 
-Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-model-permissions-1) for [databricks_mlflow_model](mlflow_model.md) are: `CAN_READ`, `CAN_EDIT`, `CAN_MANAGE_STAGING_VERSIONS`, `CAN_MANAGE_PRODUCTION_VERSIONS`, and `CAN_MANAGE`.
+Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-model-permissions-1) for [databricks_mlflow_model](mlflow_model.md) are: `CAN_READ`, `CAN_EDIT`, `CAN_MANAGE_STAGING_VERSIONS`, `CAN_MANAGE_PRODUCTION_VERSIONS`, and `CAN_MANAGE`. You can also manage permissions for all MLflow models by `registered_model_id = "root"`.
 
 ```hcl
 resource "databricks_mlflow_model" "this" {

permissions/resource_permissions.go

@@ -145,8 +145,8 @@ func (a PermissionsAPI) put(objectID string, objectACL AccessControlChangeList)
 
 // Update updates object permissions. Technically, it's using method named SetOrDelete, but here we do more
 func (a PermissionsAPI) Update(objectID string, objectACL AccessControlChangeList) error {
-	if objectID == "/authorization/tokens" {
-		// Cannot remove admins's CAN_MANAGE permission on tokens
+	if objectID == "/authorization/tokens" || objectID == "/registered-models/root" {
+		// Prevent "Cannot change permissions for group 'admins' to None."
 		objectACL.AccessControlList = append(objectACL.AccessControlList, AccessControlChange{
 			GroupName:       "admins",
 			PermissionLevel: "CAN_MANAGE",