Define permissions to read and modify on-call schedules

Renames a permissions prefix from manage_ to admin_

ee/app/graphql/mutations/incident_management/oncall_schedule/oncall_schedule_base.rb

@@ -9,7 +9,7 @@ module Mutations
               null: true,
               description: 'The on-call schedule'
 
-        authorize :modify_incident_management_oncall_schedule
+        authorize :admin_incident_management_oncall_schedule
 
         private
 

ee/app/policies/ee/project_policy.rb

@@ -178,6 +178,7 @@ module EE
         enable :read_deploy_board
         enable :admin_epic_issue
         enable :read_group_timelogs
+        enable :read_incident_management_oncall_schedule
       end
 
       rule { can?(:developer_access) }.policy do
@@ -241,8 +242,7 @@ module EE
         enable :modify_auto_fix_setting
         enable :modify_merge_request_author_setting
         enable :modify_merge_request_committer_setting
-        enable :read_incident_management_oncall_schedule
-        enable :modify_incident_management_oncall_schedule
+        enable :admin_incident_management_oncall_schedule
       end
 
       rule { license_scanning_enabled & can?(:maintainer_access) }.enable :admin_software_license_policy

ee/app/services/incident_management/oncall_schedules/create_service.rb

@@ -27,7 +27,7 @@ module IncidentManagement
       attr_reader :project, :user, :params
 
       def allowed?
-        user&.can?(:modify_incident_management_oncall_schedule, project)
+        user&.can?(:admin_incident_management_oncall_schedule, project)
       end
 
       def available?

ee/spec/graphql/mutations/incident_management/oncall_schedule/create_spec.rb

@@ -14,7 +14,7 @@ RSpec.describe Mutations::IncidentManagement::OncallSchedule::Create do
     }
   end
 
-  specify { expect(described_class).to require_graphql_authorizations(:modify_incident_management_oncall_schedule) }
+  specify { expect(described_class).to require_graphql_authorizations(:admin_incident_management_oncall_schedule) }
 
   describe '#resolve' do
     subject(:resolve) { mutation_for(project, current_user).resolve(args) }

ee/spec/policies/project_policy_spec.rb

@@ -1342,6 +1342,58 @@ RSpec.describe ProjectPolicy do
     end
   end
 
+  describe 'Incident Management on-call schedules' do
+    using RSpec::Parameterized::TableSyntax
+
+    context ':read_incident_management_oncall_schedule' do
+      let(:policy) { :read_incident_management_oncall_schedule }
+
+      where(:role, :admin_mode, :allowed) do
+        :guest      | nil   | false
+        :reporter   | nil   | true
+        :developer  | nil   | true
+        :maintainer | nil   | true
+        :owner      | nil   | true
+        :admin      | false | false
+        :admin      | true  | true
+      end
+
+      before do
+        enable_admin_mode!(current_user) if admin_mode
+      end
+
+      with_them do
+        let(:current_user) { public_send(role) }
+
+        it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
+      end
+    end
+
+    context ':admin_incident_management_oncall_schedule' do
+      let(:policy) { :admin_incident_management_oncall_schedule }
+
+      where(:role, :admin_mode, :allowed) do
+        :guest      | nil   | false
+        :reporter   | nil   | false
+        :developer  | nil   | false
+        :maintainer | nil   | true
+        :owner      | nil   | true
+        :admin      | false | false
+        :admin      | true  | true
+      end
+
+      before do
+        enable_admin_mode!(current_user) if admin_mode
+      end
+
+      with_them do
+        let(:current_user) { public_send(role) }
+
+        it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
+      end
+    end
+  end
+
   context 'when project is readonly because the storage usage limit has been exceeded on the root namespace' do
     let(:current_user) { owner }
     let(:abilities) do