A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.