fleet/docs/Using-Fleet/Permissions.md

# Permissions

Users have different abilities depending on the access level they have.

Users with the Admin role receive all permissions.

## User permissions

| **Action**                                                                         | Observer | Maintainer | Admin |
| ----------------------------------------------------                               | -------- | ---------- | ----- |
| View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities)                                                                  | ✅       | ✅         | ✅    |
| View all hosts                                                                    | ✅       | ✅         | ✅    |
| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels)                                                          | ✅       | ✅         | ✅    |
| Target hosts using labels                                                          | ✅       | ✅         | ✅    |
| Add and delete hosts                                                               |          | ✅         | ✅    |
| Transfer hosts between teams\*                                                     |          | ✅         | ✅    |
| Create, edit, and delete labels                                                    |          | ✅         | ✅    |
| View all software                                                                  | ✅       | ✅         | ✅    |
| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing)                                                 | ✅       | ✅         | ✅    |
| Filter hosts by software                                                           | ✅       | ✅         | ✅    |
| Filter software by team\*                                                          | ✅       | ✅         | ✅    |
| Manage [vulnerability automations](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations)                                                  |          |            | ✅    |
| Run only designated, **observer can run** ,queries as live queries against all hosts | ✅       | ✅         | ✅    |
| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) against all hosts                                      |          | ✅         | ✅    |
| Create, edit, and delete queries                                                   |          | ✅         | ✅    |
| View all queries                                                                   | ✅       | ✅         | ✅    |
| Add, edit, and remove queries from all schedules                                  |          | ✅         | ✅    |
| Create, edit, view, and delete packs                                               |          | ✅         | ✅    |
| View all policies                                                                  | ✅       | ✅         | ✅    |
| Filter hosts using policies                                                        | ✅       | ✅         | ✅    |
| Create, edit, and delete policies for all hosts                                    |          | ✅         | ✅    |
| Create, edit, and delete policies for all hosts assigned to team\*                 |          | ✅         | ✅    |
| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations)                                                         |          |            | ✅    |
| Create, edit, view, and delete users                                               |          |            | ✅    |
| Add and remove team members\*                                                      |          |            | ✅    |
| Create, edit, and delete teams\*                                                   |          |            | ✅    |
| Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts)                                           |          | ✅         | ✅    |
| Create, edit, and delete [enroll secrets for teams](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team)\*                                |          | ✅         | ✅    |
| Edit [organization settings](https://fleetdm.com/docs/using-fleet/configuration-files#organization-settings)                                                         |          |            | ✅    |
| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options)                                                                 |          |            | ✅    |
| Edit [agent options for hosts assigned to teams](https://fleetdm.com/docs/using-fleet/configuration-files#team-agent-options)\*                                   |          |            | ✅    |
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving)                                                              |          | ✅         | ✅    |
| Retrieve contents from file carving                                                |          |            | ✅    |


\*Applies only to Fleet Premium

## Team member permissions

`Applies only to Fleet Premium`

Users in Fleet either have team access or global access. 

Users with team access only have access to the [hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), [schedules](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) , and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies) assigned to
their team.

Users with global access have access to all
[hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), [queries](https://fleetdm.com/docs/using-fleet/rest-api#queries), [schedules](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) , and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies). Check out [the user permissions
table](#user-permissions) above for global user permissions.

Users can be a member of multiple teams in Fleet.

Users that are members of multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.

| **Action**                                                                         | Team observer | Team maintainer | Team admin |
| ------------------------------------------------------------                       | --------      | ----------      | -------    |
| View hosts                                                                        | ✅            | ✅              | ✅         |
| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels)                                                          | ✅            | ✅              | ✅         |
| Target hosts using labels                                                          | ✅            | ✅              | ✅         |
| Add and delete hosts                                                               |               | ✅              | ✅         |
| Filter software by [vulnerabilities]((https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing))                                                 | ✅            | ✅              | ✅         |
| Filter hosts by software                                                           | ✅            | ✅              | ✅         |
| Filter software                                                                    | ✅            | ✅              | ✅         |
| Run only designated, **observer can run** ,queries as live queries against all hosts | ✅            | ✅              | ✅         |
| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query)                                                        |               | ✅              | ✅         |
| Create, edit, and delete only **self authored** queries                              |               | ✅              | ✅         |
| Add, edit, and remove queries from the schedule                                    |               | ✅              | ✅         |
| View policies                                                                      | ✅            | ✅              | ✅         |
| View global (inherited) policies                                                   | ✅            | ✅              | ✅         |
| Filter hosts using policies                                                        | ✅            | ✅              | ✅         |
| Create, edit, and delete policies                                                  |               | ✅              | ✅         |
| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations)                                                          |               |                 | ✅         |
| Add and remove team members                                                        |               |                 | ✅         |
| Edit team name                                                                     |               |                 | ✅         |
| Create, edit, and delete [team enroll secrets](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team)                                      |               | ✅              | ✅         |
| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options)                                                                 |               |                 | ✅         |
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving)                                                              |               | ✅               | ✅         |


<meta name="pageOrderInSection" value="900">
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00			`# Permissions`

			`Users have different abilities depending on the access level they have.`

			`Users with the Admin role receive all permissions.`

			`## User permissions`

Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Action \| Observer \| Maintainer \| Admin \|`
			`\| ---------------------------------------------------- \| -------- \| ---------- \| ----- \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities) \| ✅ \| ✅ \| ✅ \|`
			`\| View all hosts \| ✅ \| ✅ \| ✅ \|`
			`\| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) \| ✅ \| ✅ \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Target hosts using labels \| ✅ \| ✅ \| ✅ \|`
			`\| Add and delete hosts \| \| ✅ \| ✅ \|`
			`\| Transfer hosts between teams\* \| \| ✅ \| ✅ \|`
			`\| Create, edit, and delete labels \| \| ✅ \| ✅ \|`
			`\| View all software \| ✅ \| ✅ \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) \| ✅ \| ✅ \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Filter hosts by software \| ✅ \| ✅ \| ✅ \|`
			`\| Filter software by team\* \| ✅ \| ✅ \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Manage [vulnerability automations](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations) \| \| \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Run only designated, observer can run ,queries as live queries against all hosts \| ✅ \| ✅ \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) against all hosts \| \| ✅ \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Create, edit, and delete queries \| \| ✅ \| ✅ \|`
			`\| View all queries \| ✅ \| ✅ \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Add, edit, and remove queries from all schedules \| \| ✅ \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Create, edit, view, and delete packs \| \| ✅ \| ✅ \|`
			`\| View all policies \| ✅ \| ✅ \| ✅ \|`
			`\| Filter hosts using policies \| ✅ \| ✅ \| ✅ \|`
			`\| Create, edit, and delete policies for all hosts \| \| ✅ \| ✅ \|`
			`\| Create, edit, and delete policies for all hosts assigned to team\* \| \| ✅ \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) \| \| \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Create, edit, view, and delete users \| \| \| ✅ \|`
			`\| Add and remove team members\* \| \| \| ✅ \|`
			`\| Create, edit, and delete teams\* \| \| \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts) \| \| ✅ \| ✅ \|`
			`\| Create, edit, and delete [enroll secrets for teams](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team)\* \| \| ✅ \| ✅ \|`
			`\| Edit [organization settings](https://fleetdm.com/docs/using-fleet/configuration-files#organization-settings) \| \| \| ✅ \|`
			`\| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options) \| \| \| ✅ \|`
			`\| Edit [agent options for hosts assigned to teams](https://fleetdm.com/docs/using-fleet/configuration-files#team-agent-options)\* \| \| \| ✅ \|`
			`\| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) \| \| ✅ \| ✅ \|`
			`\| Retrieve contents from file carving \| \| \| ✅ \|`

Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00


Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
Updated product name on website and docs (#1731) Updated product name on website and docs 2021-08-19 17:50:21 +00:00			`\*Applies only to Fleet Premium`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
			`## Team member permissions`

Updated product name on website and docs (#1731) Updated product name on website and docs 2021-08-19 17:50:21 +00:00			`Applies only to Fleet Premium`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`Users in Fleet either have team access or global access.`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`Users with team access only have access to the [hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), [schedules](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) , and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies) assigned to`
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`their team.`
Update permissions documentation (#2721) - Removed create/edit/delete enroll secret permissions from team level users - Update verbiage to clarify the distinction between users with global access and users with team access. 2021-10-28 18:27:03 +00:00
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`Users with global access have access to all`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`[hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), [queries](https://fleetdm.com/docs/using-fleet/rest-api#queries), [schedules](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) , and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies). Check out [the user permissions`
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`table](#user-permissions) above for global user permissions.`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
			`Users can be a member of multiple teams in Fleet.`

			`Users that are members of multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.`

Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Action \| Team observer \| Team maintainer \| Team admin \|`
			`\| ------------------------------------------------------------ \| -------- \| ---------- \| ------- \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| View hosts \| ✅ \| ✅ \| ✅ \|`
			`\| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) \| ✅ \| ✅ \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Target hosts using labels \| ✅ \| ✅ \| ✅ \|`
			`\| Add and delete hosts \| \| ✅ \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Filter software by [vulnerabilities]((https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing)) \| ✅ \| ✅ \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Filter hosts by software \| ✅ \| ✅ \| ✅ \|`
			`\| Filter software \| ✅ \| ✅ \| ✅ \|`
			`\| Run only designated, observer can run ,queries as live queries against all hosts \| ✅ \| ✅ \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) \| \| ✅ \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Create, edit, and delete only self authored queries \| \| ✅ \| ✅ \|`
			`\| Add, edit, and remove queries from the schedule \| \| ✅ \| ✅ \|`
			`\| View policies \| ✅ \| ✅ \| ✅ \|`
			`\| View global (inherited) policies \| ✅ \| ✅ \| ✅ \|`
			`\| Filter hosts using policies \| ✅ \| ✅ \| ✅ \|`
			`\| Create, edit, and delete policies \| \| ✅ \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) \| \| \| ✅ \|`
Add policy automation permissions to docs (#7841) - format markdown tables 2022-09-21 16:27:50 +00:00			`\| Add and remove team members \| \| \| ✅ \|`
			`\| Edit team name \| \| \| ✅ \|`
Update Docs: Add file carving and links to permissions documentation (#8064) 2022-10-04 15:12:10 +00:00			`\| Create, edit, and delete [team enroll secrets](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team) \| \| ✅ \| ✅ \|`
			`\| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options) \| \| \| ✅ \|`
			`\| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) \| \| ✅ \| ✅ \|`
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00
Remove numbers from documentation filenames in Fleet repo (#4313) * Renaming files and a lot of find and replace * pageRank meta tags, sorting by page rank * reranking * removing numbers * revert changing links that are locked to a commit * update metatag name, uncomment github contributers * Update basic-documentation.page.js * revert link change * more explicit errors, change pageOrderInSection numbers, updated sort * Update build-static-content.js * update comment * update handbook link * handbook entry * update sort * update changelog doc links to use fleetdm.com * move standard query library back to old location, update links/references to location * revert unintentional link changes * Update handbook/community.md Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2022-02-23 18:17:55 +00:00
Allow global admin to change anyone's password. (#4582) 2022-03-15 12:11:53 +00:00			`<meta name="pageOrderInSection" value="900">`