Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-22 16:39:01 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 121
fleet/docs/Using Fleet/manage-access.md

179 lines
25 KiB
Markdown
Raw Normal View History

Reorganize Fleet documentation (#12871) Closes: #12611 Changes: - Added three new documentation sections `/docs/get-started/`, `/docs/configuration` and `/docs/rest api/` - Updated folder names: `/docs/Using-Fleet/` » `/docs/Using Fleet` and `/docs/deploying` » `/docs/deploy/` - Moved `/docs/using-fleet/process-events.md` to `/articles` and updated the meta tags to change it into a guide. - Added support for a new meta tag: `navSection`. This meta tag is used to organize pages in the sidebar navigation on fleetdm.com/docs - Moved `docs/using-fleet/application-security.md` and `docs/using-fleet/security-audits.md` to the security handbook. - Moved `docs/deploying/load-testing.md` and `docs/deploying/debugging.md` to the engineering handbook. - Moved the following files/folders: - `docs/using-fleet/configuration-files/` » `docs/configuration/configuration-files/` - `docs/deploying/configuration.md` » `docs/configuration/fleet-server-configuration.md` - `docs/using-fleet/rest-api.md` » `docs/rest-api/rest-api.md` - `docs/using-fleet/monitoring-fleet.md` » `docs/deploy/rest-api.md` - Updated filenames: - `docs/using-fleet/permissions.md` » `docs/using-fleet/manage-access.md` - `docs/using-fleet/adding-hosts.md` » `docs/using-fleet/enroll-hosts.md` - `docs/using-fleet/teams.md` » `docs/using-fleet/segment-hosts.md` - `docs/using-fleet/fleet-ctl-agent-updates.md` » `docs/using-fleet/update-agents.md` - `docs/using-fleet/chromeos.md` » `docs/using-fleet/enroll-chromebooks.md` - Updated the generated markdown in `server/fleet/gen_activity_doc.go` and `server/service/osquery_utils/gen_queries_doc.go` - Updated the navigation sidebar and mobile dropdown links on docs pages to group pages by their `navSection` meta tag. - Updated fleetdm.com/docs not to show pages in the `docs/contributing/` folder in the sidebar navigation - Added redirects for docs pages that have moved. . --------- Co-authored-by: Mike Thomas <mthomas@fleetdm.com> Co-authored-by: Rachael Shaw <r@rachael.wtf>
2023-07-27 22:40:01 +00:00
# Manage access
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Users have different abilities depending on the access level they have.
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
## Roles
### Admin
Users with the admin role receive all permissions.
### Maintainer
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
Maintainers can manage most entities in Fleet, like queries, policies, and labels.
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
Unlike admins, maintainers cannot edit higher level settings like application configuration, teams or users.
### Observer
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
The observer role is a read-only role. It can access most entities in Fleet, like queries, policies, labels, application configuration, teams, etc.
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
They can also run queries configured with the `observer_can_run` flag set to `true`.
### Observer+
Add Fleet Premium note to GitOps and Observer+ roles (#11273) Documentation-only change
2023-04-21 19:48:57 +00:00
`Applies only to Fleet Premium`
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
Observer+ is an observer with the added ability to run *any* query.
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
### GitOps
Add Fleet Premium note to GitOps and Observer+ roles (#11273) Documentation-only change
2023-04-21 19:48:57 +00:00
`Applies only to Fleet Premium`
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
GitOps is a modern approach to Continuous Deployment (CD) that uses Git as the single source of truth for declarative infrastructure and application configurations.
GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
## User permissions
Docs: Fix permission table headers (#11659) Closes #11640 Changes: - Removed the whitespace in between the permission role names and the asterisk that was causing the table header to have a linebreak in the permission roles table.
2023-05-30 17:24:53 +00:00
| **Action** | Observer | Observer+* | Maintainer | Admin | GitOps* |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ---------- | ---------- | ----- | ------- |
| View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities) | ✅ | ✅ | ✅ | ✅ | |
| View all hosts | ✅ | ✅ | ✅ | ✅ | |
document permissions changes for Puppet gitops (#17367) #15337 --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2024-03-21 18:38:06 +00:00
| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | |
| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
New APIs to add/remove manual labels to/from a host (#18283) #16767 To create a manual label: ```sh cat labels.yml --- apiVersion: v1 kind: label spec: name: Manually Managed Example label_membership_type: manual hosts: - lucass-macbook-pro.local ``` To add/delete a manual label to/from a host: ``` curl -k -v -X POST -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' curl -k -v -X DELETE -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' ``` API draft changes: https://github.com/fleetdm/fleet/pull/16979/files Figma with error strings: https://www.figma.com/file/JiWoAiuHlkt76s3o3Uyz6h/%2316767-API-endpoint-for-updating-a-host's-manual-labels?type=design&node-id=2-130&mode=design&t=pxRPhrn6E1bOCrEd-0 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ~- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - ~[ ] If database migrations are included, checked table schema to confirm autoupdate~ - ~For database migrations:~ - ~[ ] Checked schema for all modified table for columns that will auto-update timestamps during migration.~ - ~[ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.~ - ~[ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).~ - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2024-04-16 09:37:58 +00:00
| Add/remove manual labels to/from hosts | | | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Add and delete hosts | | | ✅ | ✅ | |
| Transfer hosts between teams\* | | | ✅ | ✅ | ✅ |
| Create, edit, and delete labels | | | ✅ | ✅ | ✅ |
| View all software | ✅ | ✅ | ✅ | ✅ | |
| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | |
| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
| Filter software by team\* | ✅ | ✅ | ✅ | ✅ | |
| Manage [vulnerability automations](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations) | | | | ✅ | ✅ |
| Run queries designated "**observer can run**" as live queries against all hosts | ✅ | ✅ | ✅ | ✅ | |
| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) against all hosts | | ✅ | ✅ | ✅ | |
| Create, edit, and delete queries | | | ✅ | ✅ | ✅ |
gitops role authorization changes for fleetctl gitops (#16710) To support `fleetctl gitops`, gitops role can now read policies/queries and write scripts. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-02-12 22:44:35 +00:00
| View all queries and their reports | ✅ | ✅ | ✅ | ✅ | ✅ |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| Manage [query automations](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) | | | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Create, edit, view, and delete packs | | | ✅ | ✅ | ✅ |
gitops role authorization changes for fleetctl gitops (#16710) To support `fleetctl gitops`, gitops role can now read policies/queries and write scripts. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-02-12 22:44:35 +00:00
| View all policies | ✅ | ✅ | ✅ | ✅ | ✅ |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| Run all policies | | ✅ | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
| Create, edit, and delete policies for all hosts | | | ✅ | ✅ | ✅ |
| Create, edit, and delete policies for all hosts assigned to team\* | | | ✅ | ✅ | ✅ |
| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) | | | | ✅ | ✅ |
| Create, edit, view, and delete users | | | | ✅ | |
Add OS updates to permissions table (#17384) - Maintainers and up can edit OS udpates
2024-03-07 22:47:54 +00:00
| Add and remove team users\* | | | | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Create, edit, and delete teams\* | | | | ✅ | ✅ |
| Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts) | | | ✅ | ✅ | ✅ |
| Create, edit, and delete [enroll secrets for teams](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team)\* | | | ✅ | ✅ | |
Allowing GitOps role to read org configs -- doc change. (#17238) Allowing GitOps role to read org configs. Docs for https://github.com/fleetdm/fleet/pull/17223
2024-03-07 19:21:14 +00:00
| Read organization settings\** | ✅ | ✅ | ✅ | ✅ | ✅ |
Docs: Update query permissions (#15154) Updates to the "Manage access" page to reflect changes for: + https://github.com/fleetdm/fleet/issues/15146 + https://github.com/fleetdm/fleet/issues/14415
2023-12-14 18:45:02 +00:00
| Read Single Sign-On settings\** | | | | ✅ | |
| Read SMTP settings\** | | | | ✅ | |
| Read osquery agent options\** | | | | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Edit [organization settings](https://fleetdm.com/docs/using-fleet/configuration-files#organization-settings) | | | | ✅ | ✅ |
| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options) | | | | ✅ | ✅ |
| Edit [agent options for hosts assigned to teams](https://fleetdm.com/docs/using-fleet/configuration-files#team-agent-options)\* | | | | ✅ | ✅ |
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |
| Retrieve contents from file carving | | | | ✅ | |
| View Apple mobile device management (MDM) certificate information | | | | ✅ | |
| View Apple business manager (BM) information | | | | ✅ | |
| Generate Apple mobile device management (MDM) certificate signing request (CSR) | | | | ✅ | |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| View disk encryption key for macOS and Windows hosts | ✅ | ✅ | ✅ | ✅ | |
Add OS updates to permissions table (#17384) - Maintainers and up can edit OS udpates
2024-03-07 22:47:54 +00:00
| Edit OS updates for macOS and Windows hosts | | | ✅ | ✅ | ✅ |
| Create edit and delete configuration profiles for macOS and Windows hosts | | | ✅ | ✅ | ✅ |
| Execute MDM commands on macOS and Windows hosts\** | | | ✅ | ✅ | |
| View results of MDM commands executed on macOS and Windows hosts\** | ✅ | ✅ | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Edit [MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ |
| Edit [MDM settings for teams](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ |
document permissions changes for Puppet gitops (#17367) #15337 --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2024-03-21 18:38:06 +00:00
| View all [MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Upload an EULA file for MDM automatic enrollment\* | | | | ✅ | |
| View/download MDM macOS setup assistant\* | | | ✅ | ✅ | |
Fix bug preventing gitops role from `fleetctl apply`ing macos setup assistant (and bootstrap package) (#12193)
2023-06-07 17:29:36 +00:00
| Edit/upload MDM macOS setup assistant\* | | | ✅ | ✅ | ✅ |
| View metadata of MDM macOS bootstrap packages\* | | | ✅ | ✅ | |
| Edit/upload MDM macOS bootstrap packages\* | | | ✅ | ✅ | ✅ |
| Enable/disable MDM macOS setup end user authentication\* | | | ✅ | ✅ | ✅ |
Feat: saved scripts (#14409) For #9537
2023-10-10 22:00:45 +00:00
| Run arbitrary scripts on hosts\* | | | ✅ | ✅ | |
| View saved scripts\* | ✅ | ✅ | ✅ | ✅ | |
gitops role authorization changes for fleetctl gitops (#16710) To support `fleetctl gitops`, gitops role can now read policies/queries and write scripts. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-02-12 22:44:35 +00:00
| Edit/upload saved scripts\* | | | ✅ | ✅ | ✅ |
Feat: saved scripts (#14409) For #9537
2023-10-10 22:00:45 +00:00
| Run saved scripts on hosts\* | ✅ | ✅ | ✅ | ✅ | |
feat: update permissions docs for lock/unlock/wipe (#16892) Part of #9949 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md)
2024-02-16 18:26:33 +00:00
| Lock, unlock, and wipe hosts\* | | | ✅ | ✅ | |
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Filter out non-`observer_can_run` queries for observers in `fleetctl get queries` command to match the UI. (#11251) #11089 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [x] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-26 14:38:20 +00:00
\* Applies only to Fleet Premium
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Docs: Update query permissions (#15154) Updates to the "Manage access" page to reflect changes for: + https://github.com/fleetdm/fleet/issues/15146 + https://github.com/fleetdm/fleet/issues/14415
2023-12-14 18:45:02 +00:00
\** Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api)
Update Permissions docs (#10440) - Global observers can read configuration via the API (not the UI) - Team observers can read team configuration via the API (not the UI)
2023-03-13 19:26:06 +00:00
Update "Team member" wording in docs to reference users instead. (#17116) + Changed a bunch of instances of "member" to "user" to match the updated UI (https://github.com/fleetdm/fleet/issues/15893) + Cut some step-by-step instructions for using the team UI from the "Segment hosts" docs
2024-02-29 21:07:59 +00:00
## Team user permissions
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Updated product name on website and docs (#1731) Updated product name on website and docs
2021-08-19 17:50:21 +00:00
`Applies only to Fleet Premium`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Implement fleetctl get mdm-apple (#8786)
2022-12-05 16:35:45 +00:00
Users in Fleet either have team access or global access.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
Users with team access only have access to the [hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies) assigned to
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2022-04-18 16:10:33 +00:00
their team.
Update permissions documentation (#2721) - Removed create/edit/delete enroll secret permissions from team level users - Update verbiage to clarify the distinction between users with global access and users with team access.
2021-10-28 18:27:03 +00:00
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2022-04-18 16:10:33 +00:00
Users with global access have access to all
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
[hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), [queries](https://fleetdm.com/docs/using-fleet/rest-api#queries), and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies). Check out [the user permissions
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2022-04-18 16:10:33 +00:00
table](#user-permissions) above for global user permissions.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Update "Team member" wording in docs to reference users instead. (#17116) + Changed a bunch of instances of "member" to "user" to match the updated UI (https://github.com/fleetdm/fleet/issues/15893) + Cut some step-by-step instructions for using the team UI from the "Segment hosts" docs
2024-02-29 21:07:59 +00:00
Users can be assigned to multiple teams in Fleet.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Update "Team member" wording in docs to reference users instead. (#17116) + Changed a bunch of instances of "member" to "user" to match the updated UI (https://github.com/fleetdm/fleet/issues/15893) + Cut some step-by-step instructions for using the team UI from the "Segment hosts" docs
2024-02-29 21:07:59 +00:00
Users with access to multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
| **Action** | Team observer | Team observer+ | Team maintainer | Team admin | Team GitOps |
| -------------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------- | --------------- | ---------- | ----------- |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| View hosts | ✅ | ✅ | ✅ | ✅ | |
document permissions changes for Puppet gitops (#17367) #15337 --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2024-03-21 18:38:06 +00:00
| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | |
| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
New APIs to add/remove manual labels to/from a host (#18283) #16767 To create a manual label: ```sh cat labels.yml --- apiVersion: v1 kind: label spec: name: Manually Managed Example label_membership_type: manual hosts: - lucass-macbook-pro.local ``` To add/delete a manual label to/from a host: ``` curl -k -v -X POST -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' curl -k -v -X DELETE -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' ``` API draft changes: https://github.com/fleetdm/fleet/pull/16979/files Figma with error strings: https://www.figma.com/file/JiWoAiuHlkt76s3o3Uyz6h/%2316767-API-endpoint-for-updating-a-host's-manual-labels?type=design&node-id=2-130&mode=design&t=pxRPhrn6E1bOCrEd-0 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ~- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - ~[ ] If database migrations are included, checked table schema to confirm autoupdate~ - ~For database migrations:~ - ~[ ] Checked schema for all modified table for columns that will auto-update timestamps during migration.~ - ~[ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.~ - ~[ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).~ - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2024-04-16 09:37:58 +00:00
| Add/remove manual labels to/from hosts | | | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Add and delete hosts | | | ✅ | ✅ | |
| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | |
| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
| Filter software | ✅ | ✅ | ✅ | ✅ | |
| Run queries designated "**observer can run**" as live queries against hosts | ✅ | ✅ | ✅ | ✅ | |
| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) | | ✅ | ✅ | ✅ | |
| Create, edit, and delete only **self authored** queries | | | ✅ | ✅ | ✅ |
Docs: Update query permissions (#15154) Updates to the "Manage access" page to reflect changes for: + https://github.com/fleetdm/fleet/issues/15146 + https://github.com/fleetdm/fleet/issues/14415
2023-12-14 18:45:02 +00:00
| View team queries and their reports | ✅ | ✅ | ✅ | ✅ | |
| View global (inherited) queries and their reports\** | ✅ | ✅ | ✅ | ✅ | |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| Manage [query automations](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) | | | ✅ | ✅ | ✅ |
| View team policies | ✅ | ✅ | ✅ | ✅ | |
| Run team policies as a live policy | | ✅ | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| View global (inherited) policies | ✅ | ✅ | ✅ | ✅ | |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| Run global (inherited) policies as a live policy | | ✅ | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
| Create, edit, and delete team policies | | | ✅ | ✅ | ✅ |
| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) | | | | ✅ | ✅ |
Add OS updates to permissions table (#17384) - Maintainers and up can edit OS udpates
2024-03-07 22:47:54 +00:00
| Add and remove team users | | | | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Edit team name | | | | ✅ | ✅ |
| Create, edit, and delete [team enroll secrets](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team) | | | ✅ | ✅ | |
Do not return empty SSO and SMTP settings for non-global-admins (#12180) #11266 PS: I first attempted a serialization trick by introducing a new `appConfigResponse` and implementing `json.Marshal` to exclude these fields but it was too hacky and hard to maintain moving forward, so I'm bitting the bullet now. Happy to hear other ideas. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-07 19:06:36 +00:00
| Read organization settings\* | ✅ | ✅ | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Read agent options\* | ✅ | ✅ | ✅ | ✅ | |
| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options) | | | | ✅ | ✅ |
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |
| View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | |
Add OS updates to permissions table (#17384) - Maintainers and up can edit OS udpates
2024-03-07 22:47:54 +00:00
| Edit OS updates for macOS and Windows hosts | | | ✅ | ✅ | ✅ |
Add endpoint to upload an MDM custom profile for Windows and macOS (#15150)
2023-11-15 15:58:59 +00:00
| Create edit and delete configuration profiles for macOS and Windows hosts | | | ✅ | ✅ | ✅ |
Update manage-access.md (#13426) Updated table rows related to MDM commands permission. Right now there are just calling out macOS hosts and we're implementing MDM commands for Windows. Additionally, there was a duplicate row in the table which I removed. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-08-22 10:55:14 +00:00
| Execute MDM commands on macOS and Windows hosts* | | | ✅ | ✅ | |
| View results of MDM commands executed on macOS and Windows hosts* | ✅ | ✅ | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Edit [team MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ |
| View/download MDM macOS setup assistant | | | ✅ | ✅ | |
Fix bug preventing gitops role from `fleetctl apply`ing macos setup assistant (and bootstrap package) (#12193)
2023-06-07 17:29:36 +00:00
| Edit/upload MDM macOS setup assistant | | | ✅ | ✅ | ✅ |
| View metadata of MDM macOS bootstrap packages | | | ✅ | ✅ | |
| Edit/upload MDM macOS bootstrap packages | | | ✅ | ✅ | ✅ |
| Enable/disable MDM macOS setup end user authentication | | | ✅ | ✅ | ✅ |
Feat: saved scripts (#14409) For #9537
2023-10-10 22:00:45 +00:00
| Run arbitrary scripts on hosts | | | ✅ | ✅ | |
| View saved scripts | ✅ | ✅ | ✅ | ✅ | |
| Edit/upload saved scripts | | | ✅ | ✅ | |
| Run saved scripts on hosts | ✅ | ✅ | ✅ | ✅ | |
| View script details by host | ✅ | ✅ | ✅ | ✅ | |
feat: update permissions docs for lock/unlock/wipe (#16892) Part of #9949 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md)
2024-02-16 18:26:33 +00:00
| Lock, unlock, and wipe hosts | | | ✅ | ✅ | |
Feat: saved scripts (#14409) For #9537
2023-10-10 22:00:45 +00:00
Remove numbers from documentation filenames in Fleet repo (#4313) * Renaming files and a lot of find and replace * pageRank meta tags, sorting by page rank * reranking * removing numbers * revert changing links that are locked to a commit * update metatag name, uncomment github contributers * Update basic-documentation.page.js * revert link change * more explicit errors, change pageOrderInSection numbers, updated sort * Update build-static-content.js * update comment * update handbook link * handbook entry * update sort * update changelog doc links to use fleetdm.com * move standard query library back to old location, update links/references to location * revert unintentional link changes * Update handbook/community.md Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
2022-02-23 18:17:55 +00:00
Update Permissions docs (#10440) - Global observers can read configuration via the API (not the UI) - Team observers can read team configuration via the API (not the UI)
2023-03-13 19:26:06 +00:00
\* Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api)
Docs: Update query permissions (#15154) Updates to the "Manage access" page to reflect changes for: + https://github.com/fleetdm/fleet/issues/15146 + https://github.com/fleetdm/fleet/issues/14415
2023-12-14 18:45:02 +00:00
\** Team-level users only see global query results for hosts on teams where they have access.
Filter out non-`observer_can_run` queries for observers in `fleetctl get queries` command to match the UI. (#11251) #11089 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [x] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-26 14:38:20 +00:00
Allow global admin to change anyone's password. (#4582)
2022-03-15 12:11:53 +00:00
<meta name="pageOrderInSection" value="900">
Website: Add meta descriptions to Fleet documentation. (#12586) #11986 Changes: - Added meta descriptions to Fleet documentation pages. --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2023-07-13 16:57:17 +00:00
<meta name="description" value="Learn about the different roles and permissions in Fleet.">
Add `/scripts/run` and `scripts/run/sync` API endpoints to run scripts (part 1) (#13417)
2023-08-21 18:47:19 +00:00
<meta name="navSection" value="The basics">
Reference in a new issue Copy permalink