A 401 unauthorized is returned when the user does not have sufficient privileges to perform an action.

a 401 response is an authentication failure that lets the user know that they need to authenticate or their authentication credentials are invalid and should try and authenticate again.

When a user is already authenticated but their role does not grant them privileges to perform an action, a 403 Forbidden response should be returned.

https://github.com/grafana/grafana/blob/master/pkg/middleware/auth.go#L59