hashicorp · hashicc · Nov 25, 2025 · Nov 25, 2025 · Nov 26, 2025 · Nov 26, 2025
@@ -16,7 +16,7 @@ class InvalidRolePrincipalTypeError extends Error {
 export default class RoleAbility extends ModelAbility {
   // =services
 
-  @service can;
+  @service abilities;
 
   // =permissions
 
@@ -64,6 +64,6 @@ export default class RoleAbility extends ModelAbility {
         `Expected a role principal of type 'user', 'group', or 'managed-group'.  Got '${type}'.`,
       );
     }
-    return this.can.can(`read ${type}`, this.model);
+    return this.abilities.can(`read ${type}`, this.model);
   }
 }
@@ -33,7 +33,7 @@
     "broccoli-plugin": "^4.0.7",
     "broccoli-source": "^3.0.1",
     "ember-auto-import": "^2.10.0",
-    "ember-can": "^4.2.0",
+    "ember-can": "^8.0.0",
     "ember-cli-babel": "^8.2.0",
     "ember-cli-htmlbars": "^6.3.0",
     "ember-cli-mirage": "^3.0.3",

@@ -7,11 +7,12 @@ import Application from '@ember/application';
 import Resolver from 'ember-resolver';
 import loadInitializers from 'ember-load-initializers';
 import config from 'dummy/config/environment';
+import { extendResolver } from 'ember-can';
 
 export default class App extends Application {
   modulePrefix = config.modulePrefix;
   podModulePrefix = config.podModulePrefix;
-  Resolver = Resolver;
+  Resolver = extendResolver(Resolver);
 }
 
 loadInitializers(App, config.modulePrefix);
@@ -14,104 +14,104 @@ import {
 module('Unit | Abilities | Account', function (hooks) {
   setupTest(hooks);
 
-  let canService;
+  let abilitiesService;
   let store;
 
   hooks.beforeEach(function () {
-    canService = this.owner.lookup('service:can');
+    abilitiesService = this.owner.lookup('service:abilities');
     store = this.owner.lookup('service:store');
   });
 
   test('it reflects when a given account may set password based on authorized_actions', function (assert) {
     const account = store.createRecord('auth-method', {
       authorized_actions: ['set-password'],
     });
-    assert.true(canService.can('setPassword account', account));
+    assert.true(abilitiesService.can('setPassword account', account));
     account.authorized_actions = [];
-    assert.false(canService.can('setPassword account', account));
+    assert.false(abilitiesService.can('setPassword account', account));
   });
 
   test('can read known account types when authorized', function (assert) {
     const account = store.createRecord('account', {
       authorized_actions: ['read'],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.true(canService.can('read account', account));
+    assert.true(abilitiesService.can('read account', account));
     account.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.true(canService.can('read account', account));
+    assert.true(abilitiesService.can('read account', account));
     account.type = TYPE_AUTH_METHOD_LDAP;
-    assert.true(canService.can('read account', account));
+    assert.true(abilitiesService.can('read account', account));
     account.type = 'no-such-type';
-    assert.false(canService.can('read account', account));
+    assert.false(abilitiesService.can('read account', account));
   });
 
   test('cannot read accounts when unauthorized', function (assert) {
     const account = store.createRecord('account', {
       authorized_actions: [],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.false(canService.can('read account', account));
+    assert.false(abilitiesService.can('read account', account));
     account.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.false(canService.can('read account', account));
+    assert.false(abilitiesService.can('read account', account));
     account.type = TYPE_AUTH_METHOD_LDAP;
-    assert.false(canService.can('read account', account));
+    assert.false(abilitiesService.can('read account', account));
     account.type = 'no-such-type';
-    assert.false(canService.can('read account', account));
+    assert.false(abilitiesService.can('read account', account));
   });
 
   test('can delete known account types when authorized', function (assert) {
     const account = store.createRecord('account', {
       authorized_actions: ['delete'],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.true(canService.can('delete account', account));
+    assert.true(abilitiesService.can('delete account', account));
     account.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.true(canService.can('delete account', account));
+    assert.true(abilitiesService.can('delete account', account));
     account.type = TYPE_AUTH_METHOD_LDAP;
-    assert.true(canService.can('delete account', account));
+    assert.true(abilitiesService.can('delete account', account));
     account.type = 'no-such-type';
-    assert.false(canService.can('delete account', account));
+    assert.false(abilitiesService.can('delete account', account));
   });
 
   test('cannot delete accounts when unauthorized', function (assert) {
     const account = store.createRecord('account', {
       authorized_actions: ['delete'],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.true(canService.can('delete account', account));
+    assert.true(abilitiesService.can('delete account', account));
     account.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.true(canService.can('delete account', account));
+    assert.true(abilitiesService.can('delete account', account));
     account.type = TYPE_AUTH_METHOD_LDAP;
-    assert.true(canService.can('delete account', account));
+    assert.true(abilitiesService.can('delete account', account));
     account.type = 'no-such-type';
-    assert.false(canService.can('delete account', account));
+    assert.false(abilitiesService.can('delete account', account));
   });
 
   test('can update known account types when authorized', function (assert) {
     const account = store.createRecord('account', {
       authorized_actions: ['update'],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.true(canService.can('update account', account));
+    assert.true(abilitiesService.can('update account', account));
     account.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.true(canService.can('update account', account));
+    assert.true(abilitiesService.can('update account', account));
     account.type = TYPE_AUTH_METHOD_LDAP;
-    assert.true(canService.can('update account', account));
+    assert.true(abilitiesService.can('update account', account));
     account.type = 'no-such-type';
-    assert.false(canService.can('update account', account));
+    assert.false(abilitiesService.can('update account', account));
   });
 
   test('cannot update accounts when unauthorized', function (assert) {
     const account = store.createRecord('account', {
       authorized_actions: [],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.false(canService.can('update account', account));
+    assert.false(abilitiesService.can('update account', account));
     account.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.false(canService.can('update account', account));
+    assert.false(abilitiesService.can('update account', account));
     account.type = TYPE_AUTH_METHOD_LDAP;
-    assert.false(canService.can('update account', account));
+    assert.false(abilitiesService.can('update account', account));
     account.type = 'no-such-type';
-    assert.false(canService.can('update account', account));
+    assert.false(abilitiesService.can('update account', account));
   });
 });
@@ -14,11 +14,11 @@ import {
 module('Unit | Abilities | Auth Method', function (hooks) {
   setupTest(hooks);
 
-  let canService;
+  let abilitiesService;
   let store;
 
   hooks.beforeEach(function () {
-    canService = this.owner.lookup('service:can');
+    abilitiesService = this.owner.lookup('service:abilities');
     store = this.owner.lookup('service:store');
   });
 
@@ -27,82 +27,82 @@ module('Unit | Abilities | Auth Method', function (hooks) {
       authorized_actions: ['read'],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.true(canService.can('read auth-method', authMethod));
+    assert.true(abilitiesService.can('read auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.true(canService.can('read auth-method', authMethod));
+    assert.true(abilitiesService.can('read auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_LDAP;
-    assert.true(canService.can('read auth-method', authMethod));
+    assert.true(abilitiesService.can('read auth-method', authMethod));
     authMethod.type = 'no-such-type';
-    assert.false(canService.can('read auth-method', authMethod));
+    assert.false(abilitiesService.can('read auth-method', authMethod));
   });
 
   test('cannot read auth methods when unauthorized', function (assert) {
     const authMethod = store.createRecord('auth-method', {
       authorized_actions: [],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.false(canService.can('read auth-method', authMethod));
+    assert.false(abilitiesService.can('read auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.false(canService.can('read auth-method', authMethod));
+    assert.false(abilitiesService.can('read auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_LDAP;
-    assert.false(canService.can('read auth-method', authMethod));
+    assert.false(abilitiesService.can('read auth-method', authMethod));
     authMethod.type = 'no-such-type';
-    assert.false(canService.can('read auth-method', authMethod));
+    assert.false(abilitiesService.can('read auth-method', authMethod));
   });
 
   test('can delete known auth method types when authorized', function (assert) {
     const authMethod = store.createRecord('auth-method', {
       authorized_actions: ['delete'],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.true(canService.can('delete auth-method', authMethod));
+    assert.true(abilitiesService.can('delete auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.true(canService.can('delete auth-method', authMethod));
+    assert.true(abilitiesService.can('delete auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_LDAP;
-    assert.true(canService.can('delete auth-method', authMethod));
+    assert.true(abilitiesService.can('delete auth-method', authMethod));
     authMethod.type = 'no-such-type';
-    assert.false(canService.can('delete auth-method', authMethod));
+    assert.false(abilitiesService.can('delete auth-method', authMethod));
   });
 
   test('cannot delete auth methods when unauthorized', function (assert) {
     const authMethod = store.createRecord('auth-method', {
       authorized_actions: ['delete'],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.true(canService.can('delete auth-method', authMethod));
+    assert.true(abilitiesService.can('delete auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.true(canService.can('delete auth-method', authMethod));
+    assert.true(abilitiesService.can('delete auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_LDAP;
-    assert.true(canService.can('delete auth-method', authMethod));
+    assert.true(abilitiesService.can('delete auth-method', authMethod));
     authMethod.type = 'no-such-type';
-    assert.false(canService.can('delete auth-method', authMethod));
+    assert.false(abilitiesService.can('delete auth-method', authMethod));
   });
 
   test('can update known auth method types when authorized', function (assert) {
     const authMethod = store.createRecord('auth-method', {
       authorized_actions: ['update'],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.true(canService.can('update auth-method', authMethod));
+    assert.true(abilitiesService.can('update auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.true(canService.can('update auth-method', authMethod));
+    assert.true(abilitiesService.can('update auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_LDAP;
-    assert.true(canService.can('update auth-method', authMethod));
+    assert.true(abilitiesService.can('update auth-method', authMethod));
     authMethod.type = 'no-such-type';
-    assert.false(canService.can('update auth-method', authMethod));
+    assert.false(abilitiesService.can('update auth-method', authMethod));
   });
 
   test('cannot update auth methods when unauthorized', function (assert) {
     const authMethod = store.createRecord('auth-method', {
       authorized_actions: [],
       type: TYPE_AUTH_METHOD_OIDC,
     });
-    assert.false(canService.can('update auth-method', authMethod));
+    assert.false(abilitiesService.can('update auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_PASSWORD;
-    assert.false(canService.can('update auth-method', authMethod));
+    assert.false(abilitiesService.can('update auth-method', authMethod));
     authMethod.type = TYPE_AUTH_METHOD_LDAP;
-    assert.false(canService.can('update auth-method', authMethod));
+    assert.false(abilitiesService.can('update auth-method', authMethod));
     authMethod.type = 'no-such-type';
-    assert.false(canService.can('update auth-method', authMethod));
+    assert.false(abilitiesService.can('update auth-method', authMethod));
   });
 });
@@ -11,11 +11,11 @@ import { TYPE_SESSION_RECORDING_SSH } from 'api/models/session-recording';
 module('Unit | Ability | channel-recording', function (hooks) {
   setupTest(hooks);
 
-  let canService;
+  let abilitiesService;
   let store;
 
   hooks.beforeEach(function () {
-    canService = this.owner.lookup('service:can');
+    abilitiesService = this.owner.lookup('service:abilities');
     store = this.owner.lookup('service:store');
   });
 
@@ -41,7 +41,10 @@ module('Unit | Ability | channel-recording', function (hooks) {
     });
 
     assert.true(
-      canService.can('getAsciicast channel-recording', channelRecordingModel),
+      abilitiesService.can(
+        'getAsciicast channel-recording',
+        channelRecordingModel,
+      ),
     );
   });
 
@@ -62,7 +65,10 @@ module('Unit | Ability | channel-recording', function (hooks) {
     });
 
     assert.false(
-      canService.can('getAsciicast channel-recording', channelRecordingModel),
+      abilitiesService.can(
+        'getAsciicast channel-recording',
+        channelRecordingModel,
+      ),
     );
   });
 });
@@ -10,7 +10,7 @@ module('Unit | Abilities | Group', function (hooks) {
   setupTest(hooks);
 
   test('it reflects when a given group resource may add members based on authorized_actions', function (assert) {
-    const service = this.owner.lookup('service:can');
+    const service = this.owner.lookup('service:abilities');
     const model = {
       authorized_actions: ['add-members'],
     };
@@ -20,7 +20,7 @@ module('Unit | Abilities | Group', function (hooks) {
   });
 
   test('it reflects when a given group resource may remove members based on authorized_actions', function (assert) {
-    const service = this.owner.lookup('service:can');
+    const service = this.owner.lookup('service:abilities');
     const model = {
       authorized_actions: ['remove-members'],
     };

@@ -10,7 +10,7 @@ module('Unit | Abilities | Host Set', function (hooks) {
   setupTest(hooks);
 
   test('it reflects when a given host set resource may add hosts based on authorized_actions', function (assert) {
-    const service = this.owner.lookup('service:can');
+    const service = this.owner.lookup('service:abilities');
     const model = {
       authorized_actions: ['add-hosts'],
     };
@@ -20,7 +20,7 @@ module('Unit | Abilities | Host Set', function (hooks) {
   });
 
   test('it reflects when a given hostSet resource may remove hosts based on authorized_actions', function (assert) {
-    const service = this.owner.lookup('service:can');
+    const service = this.owner.lookup('service:abilities');
     const model = {
       authorized_actions: ['remove-hosts'],
     };