Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-22 16:39:01 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 121
fleet/articles/role-based-access.md

195 lines
28 KiB
Markdown
Raw Normal View History

Docs quick reference optimization (#21331) This PR closes https://github.com/fleetdm/fleet/issues/21108 @noahtalerman, I double-checked all redirects, and they are working. Clicking through the URLs in [this spreadsheet](https://docs.google.com/spreadsheets/d/1djVynIMuJK4pT5ziJW12CluVqcaoxxnCLaBO3VXfAt4/edit?usp=sharing) is a pretty quick way to go through them all. Note that "Audit logs" and "Understanding host vitals" redirect to the contributor docs on GitHub, so they will throw a 404 until this is merged. Some new guides benefitted from a name change, so they make more sense as stand-alone guides, and also so that we don't have to mess around with more redirects later. Those name changes followed [this convention](https://fleetdm.com/handbook/company/communications#headings-and-titles), which was recently documented in the handbook. Have fun! --------- Co-authored-by: Eric <eashaw@sailsjs.com> Co-authored-by: Noah Talerman <noahtal@umich.edu>
2024-08-16 20:30:31 +00:00
# Role-based access
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Users have different abilities depending on the access level they have.
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
## Roles
### Admin
Users with the admin role receive all permissions.
### Maintainer
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
Maintainers can manage most entities in Fleet, like queries, policies, and labels.
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
Unlike admins, maintainers cannot edit higher level settings like application configuration, teams or users.
### Observer
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
The observer role is a read-only role. It can access most entities in Fleet, like queries, policies, labels, application configuration, teams, etc.
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
They can also run queries configured with the `observer_can_run` flag set to `true`.
### Observer+
Add Fleet Premium note to GitOps and Observer+ roles (#11273) Documentation-only change
2023-04-21 19:48:57 +00:00
`Applies only to Fleet Premium`
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
Observer+ is an observer with the added ability to run *any* query.
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
### GitOps
Add Fleet Premium note to GitOps and Observer+ roles (#11273) Documentation-only change
2023-04-21 19:48:57 +00:00
`Applies only to Fleet Premium`
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
GitOps is a modern approach to Continuous Deployment (CD) that uses Git as the single source of truth for declarative infrastructure and application configurations.
GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
## User permissions
Docs: Fix permission table headers (#11659) Closes #11640 Changes: - Removed the whitespace in between the permission role names and the asterisk that was causing the table header to have a linebreak in the permission roles table.
2023-05-30 17:24:53 +00:00
| **Action** | Observer | Observer+* | Maintainer | Admin | GitOps* |
Center checkboxes in tables on role-based-access.md (#25133) Centered the checkboxes in the columns under the "User permissions" and "Team user permissions" tables. Co-authored-by: Drew Baker <89049099+Drew-P-drawers@users.noreply.github.com>
2025-01-06 17:56:23 +00:00
| ------------------------------------------------------------------------------------------------------------------------------------------ | :------: | :--------: | :--------: | :---: | :-----: |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities) | ✅ | ✅ | ✅ | ✅ | |
Documentation changes for v4.67.0 (#28528) Docs for the 4.67.0 release. --------- Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Eugene <eugene@fleetdm.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Drew Baker <89049099+Drew-P-drawers@users.noreply.github.com> Co-authored-by: Scott Gress <scottmgress@gmail.com> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2025-04-24 21:10:41 +00:00
| Cancel [hosts' upcoming activity](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-upcoming-activity) | | | ✅ | ✅ | |
Update docs: Webhooks for global activity (#19863) Docs for the "Webhooks for global activity feed" story (#14722) - Add item to permissions table - Clean up and simplify Audit logs top section. It's a reference page - Link to Audit logs reference from Automations page
2024-06-26 20:48:58 +00:00
| Manage [activity automations](https://fleetdm.com/docs/using-fleet/audit-logs) | | | | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| View all hosts | ✅ | ✅ | ✅ | ✅ | |
document permissions changes for Puppet gitops (#17367) #15337 --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2024-03-21 18:38:06 +00:00
| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | |
| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
New APIs to add/remove manual labels to/from a host (#18283) #16767 To create a manual label: ```sh cat labels.yml --- apiVersion: v1 kind: label spec: name: Manually Managed Example label_membership_type: manual hosts: - lucass-macbook-pro.local ``` To add/delete a manual label to/from a host: ``` curl -k -v -X POST -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' curl -k -v -X DELETE -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' ``` API draft changes: https://github.com/fleetdm/fleet/pull/16979/files Figma with error strings: https://www.figma.com/file/JiWoAiuHlkt76s3o3Uyz6h/%2316767-API-endpoint-for-updating-a-host's-manual-labels?type=design&node-id=2-130&mode=design&t=pxRPhrn6E1bOCrEd-0 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ~- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - ~[ ] If database migrations are included, checked table schema to confirm autoupdate~ - ~For database migrations:~ - ~[ ] Checked schema for all modified table for columns that will auto-update timestamps during migration.~ - ~[ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.~ - ~[ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).~ - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2024-04-16 09:37:58 +00:00
| Add/remove manual labels to/from hosts | | | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Add and delete hosts | | | ✅ | ✅ | |
| Transfer hosts between teams\* | | | ✅ | ✅ | ✅ |
Documentation changes for v4.67.0 (#28528) Docs for the 4.67.0 release. --------- Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Eugene <eugene@fleetdm.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Drew Baker <89049099+Drew-P-drawers@users.noreply.github.com> Co-authored-by: Scott Gress <scottmgress@gmail.com> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2025-04-24 21:10:41 +00:00
| Add user information from IdP to hosts\* | | | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Create, edit, and delete labels | | | ✅ | ✅ | ✅ |
| View all software | ✅ | ✅ | ✅ | ✅ | |
Permissions: edit software (#22426) Permissions changes for this story: https://github.com/fleetdm/fleet/issues/20404
2024-09-26 18:47:14 +00:00
| Add, edit, and delete software | | | ✅ | ✅ | ✅ |
Software permissions changes (#19405) Adding new rows to manage access table to reflect new permissions added with #14921
2024-06-06 15:12:12 +00:00
| Download added software | | | ✅ | ✅ | |
Permissions: uninstall software (#22434)
2024-09-26 19:10:40 +00:00
| Install/uninstall software on hosts | | | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | |
| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
| Filter software by team\* | ✅ | ✅ | ✅ | ✅ | |
| Manage [vulnerability automations](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations) | | | | ✅ | ✅ |
| Run queries designated "**observer can run**" as live queries against all hosts | ✅ | ✅ | ✅ | ✅ | |
| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) against all hosts | | ✅ | ✅ | ✅ | |
| Create, edit, and delete queries | | | ✅ | ✅ | ✅ |
gitops role authorization changes for fleetctl gitops (#16710) To support `fleetctl gitops`, gitops role can now read policies/queries and write scripts. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-02-12 22:44:35 +00:00
| View all queries and their reports | ✅ | ✅ | ✅ | ✅ | ✅ |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| Manage [query automations](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) | | | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Create, edit, view, and delete packs | | | ✅ | ✅ | ✅ |
gitops role authorization changes for fleetctl gitops (#16710) To support `fleetctl gitops`, gitops role can now read policies/queries and write scripts. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-02-12 22:44:35 +00:00
| View all policies | ✅ | ✅ | ✅ | ✅ | ✅ |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| Run all policies | | ✅ | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
| Create, edit, and delete policies for all hosts | | | ✅ | ✅ | ✅ |
| Create, edit, and delete policies for all hosts assigned to team\* | | | ✅ | ✅ | ✅ |
Docs: Note permissions distinction between global policy automations and software install (#19551) and script execution (#17129) policy automations (#23447) Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2024-11-04 18:35:49 +00:00
| Edit global ("All teams") policy automations | | | | ✅ | ✅ |
| Edit team policy automations: calendar events, install software, and run script\* | | | ✅ | ✅ | ✅ |
| Edit team policy automations: other workflows (tickets and webhooks)\* | | | | ✅ | ✅ |
Docs v4.74.0 (#33879) Documentation changes for 4.74 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com> Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 22:03:10 +00:00
| Edit "No team" policy automations | | | | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Create, edit, view, and delete users | | | | ✅ | |
Add OS updates to permissions table (#17384) - Maintainers and up can edit OS udpates
2024-03-07 22:47:54 +00:00
| Add and remove team users\* | | | | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Create, edit, and delete teams\* | | | | ✅ | ✅ |
| Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts) | | | ✅ | ✅ | ✅ |
| Create, edit, and delete [enroll secrets for teams](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team)\* | | | ✅ | ✅ | |
Allowing GitOps role to read org configs -- doc change. (#17238) Allowing GitOps role to read org configs. Docs for https://github.com/fleetdm/fleet/pull/17223
2024-03-07 19:21:14 +00:00
| Read organization settings\** | ✅ | ✅ | ✅ | ✅ | ✅ |
Docs: Update query permissions (#15154) Updates to the "Manage access" page to reflect changes for: + https://github.com/fleetdm/fleet/issues/15146 + https://github.com/fleetdm/fleet/issues/14415
2023-12-14 18:45:02 +00:00
| Read Single Sign-On settings\** | | | | ✅ | |
| Read SMTP settings\** | | | | ✅ | |
| Read osquery agent options\** | | | | ✅ | |
Docs: GitOps reference (#19740) Docs for Fleet's best practice GitOps: #13643 (also #17043)
2024-07-02 15:11:43 +00:00
| Edit organization settings | | | | ✅ | ✅ |
| Edit agent options | | | | ✅ | ✅ |
| Edit agent options for hosts assigned to teams\* | | | | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |
| Retrieve contents from file carving | | | | ✅ | |
Permissions guide: Apple Business Manager and Volume Purchasing Program (#22336) - ABM and VPP CRUD - Use APNs language to be consistent w/ product and docs
2024-09-24 13:49:22 +00:00
| Create Apple Push Certificates service (APNs) certificate signing request (CSR) | | | | ✅ | |
| View, edit, and delete APNs certificate | | | | ✅ | |
| View, edit, and delete Apple Business Manager (ABM) connections | | | | ✅ | |
| View, edit, and delete Volume Purchasing Program (VPP) connections | | | | ✅ | |
Merge Android docs changes (#27221) Related to: - #23231
2025-03-19 15:03:02 +00:00
| Connect Android Enterprise | | | | ✅ | |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| View disk encryption key for macOS and Windows hosts | ✅ | ✅ | ✅ | ✅ | |
4.69.0 doc changes (#28937)
2025-06-14 19:26:45 +00:00
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | | | | ✅ | ✅ |
Docs v4.74.0 (#33879) Documentation changes for 4.74 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com> Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 22:03:10 +00:00
| Create, edit, resend and delete configuration profiles for Apple (macOS/iOS/iPadOS), Windows, and Android hosts | | | ✅ | ✅ | ✅ |
Update user permissions documentation for MDM commands (#23368)
2024-10-31 21:10:50 +00:00
| Execute MDM commands on macOS and Windows hosts\** | | | ✅ | ✅ | ✅ |
Add OS updates to permissions table (#17384) - Maintainers and up can edit OS udpates
2024-03-07 22:47:54 +00:00
| View results of MDM commands executed on macOS and Windows hosts\** | ✅ | ✅ | ✅ | ✅ | |
4.69.0 doc changes (#28937)
2025-06-14 19:26:45 +00:00
| Edit [OS settings](https://fleetdm.com/docs/rest-api/rest-api#os-settings) | | | ✅ | ✅ | ✅ |
| View all [OS settings](https://fleetdm.com/docs/rest-api/rest-api#os-settings) | | | ✅ | ✅ | ✅ |
Docs v4.74.0 (#33879) Documentation changes for 4.74 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com> Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 22:03:10 +00:00
| Edit [macOS and Linux setup experience](https://fleetdm.com/guides/macos-setup-experience)\* | | | ✅ | ✅ | ✅ |
macOS setup experience guide: end user authentication (#24990) - Put "already configured SSO" message at the top b/c this scenario will apply to most users - Add missing permissions for IdP for end user auth and end user migration - Clean up language in docs - Add redirects for the UI in case content moves later --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
2024-12-27 15:33:00 +00:00
| Add and edit identity provider for end user authentication, end user license agreement (EULA), and end user migration workflow\* | | | | ✅ | |
Docs v4.66.0 (#27844) Documentation changes for the 4.66.0 release. --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Marko Lisica <markol.lisica@gmail.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com> Co-authored-by: George Karr <georgekarrv@users.noreply.github.com> Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Eugene <eugene@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com> Co-authored-by: Scott Gress <scottmgress@gmail.com> Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
2025-04-04 19:28:09 +00:00
| Add and edit certificate authorities (CA)\* | | | | ✅ | ✅ |
Docs v4.74.0 (#33879) Documentation changes for 4.74 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com> Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 22:03:10 +00:00
| Request certificates (CA)\* | | | | ✅ | ✅ |
Permissions changes for #19055 (#20624) Global observer/+ can no longer run saved scripts. --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2024-07-22 16:41:16 +00:00
| Run scripts on hosts | | | ✅ | ✅ | |
| View saved scripts\* | ✅ | ✅ | ✅ | ✅ | |
| Edit/upload saved scripts\* | | | ✅ | ✅ | ✅ |
feat: update permissions docs for lock/unlock/wipe (#16892) Part of #9949 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md)
2024-02-16 18:26:33 +00:00
| Lock, unlock, and wipe hosts\* | | | ✅ | ✅ | |
Docs v4.74.0 (#33879) Documentation changes for 4.74 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com> Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 22:03:10 +00:00
| Turn off MDM | | | ✅ | ✅ | |
| Configure Microsoft Entra conditional access integration | | | | ✅ | |
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Filter out non-`observer_can_run` queries for observers in `fleetctl get queries` command to match the UI. (#11251) #11089 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [x] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-26 14:38:20 +00:00
\* Applies only to Fleet Premium
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Docs: Update query permissions (#15154) Updates to the "Manage access" page to reflect changes for: + https://github.com/fleetdm/fleet/issues/15146 + https://github.com/fleetdm/fleet/issues/14415
2023-12-14 18:45:02 +00:00
\** Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api)
Update Permissions docs (#10440) - Global observers can read configuration via the API (not the UI) - Team observers can read team configuration via the API (not the UI)
2023-03-13 19:26:06 +00:00
Update "Team member" wording in docs to reference users instead. (#17116) + Changed a bunch of instances of "member" to "user" to match the updated UI (https://github.com/fleetdm/fleet/issues/15893) + Cut some step-by-step instructions for using the team UI from the "Segment hosts" docs
2024-02-29 21:07:59 +00:00
## Team user permissions
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Updated product name on website and docs (#1731) Updated product name on website and docs
2021-08-19 17:50:21 +00:00
`Applies only to Fleet Premium`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Implement fleetctl get mdm-apple (#8786)
2022-12-05 16:35:45 +00:00
Users in Fleet either have team access or global access.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
Users with team access only have access to the [hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies) assigned to
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2022-04-18 16:10:33 +00:00
their team.
Update permissions documentation (#2721) - Removed create/edit/delete enroll secret permissions from team level users - Update verbiage to clarify the distinction between users with global access and users with team access.
2021-10-28 18:27:03 +00:00
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2022-04-18 16:10:33 +00:00
Users with global access have access to all
Docs: Update documentation to reflect scheduled query changes. (#12884)
2023-07-31 23:06:07 +00:00
[hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), [queries](https://fleetdm.com/docs/using-fleet/rest-api#queries), and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies). Check out [the user permissions
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2022-04-18 16:10:33 +00:00
table](#user-permissions) above for global user permissions.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Update "Team member" wording in docs to reference users instead. (#17116) + Changed a bunch of instances of "member" to "user" to match the updated UI (https://github.com/fleetdm/fleet/issues/15893) + Cut some step-by-step instructions for using the team UI from the "Segment hosts" docs
2024-02-29 21:07:59 +00:00
Users can be assigned to multiple teams in Fleet.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
Update "Team member" wording in docs to reference users instead. (#17116) + Changed a bunch of instances of "member" to "user" to match the updated UI (https://github.com/fleetdm/fleet/issues/15893) + Cut some step-by-step instructions for using the team UI from the "Segment hosts" docs
2024-02-29 21:07:59 +00:00
Users with access to multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md
2021-06-09 23:12:45 +00:00
New `gitops` role (#10850) #8593 This PR adds a new role `gitops` to Fleet. MDM capabilities for the role coming on a separate PR. We need this merged ASAP so that we can unblock the UI work for this. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 19:11:04 +00:00
| **Action** | Team observer | Team observer+ | Team maintainer | Team admin | Team GitOps |
Center checkboxes in tables on role-based-access.md (#25133) Centered the checkboxes in the columns under the "User permissions" and "Team user permissions" tables. Co-authored-by: Drew Baker <89049099+Drew-P-drawers@users.noreply.github.com>
2025-01-06 17:56:23 +00:00
| -------------------------------------------------------------------------------------------------------------------------------- | :-----------: | :------------: | :-------------: | :--------: | :---------: |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| View hosts | ✅ | ✅ | ✅ | ✅ | |
document permissions changes for Puppet gitops (#17367) #15337 --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2024-03-21 18:38:06 +00:00
| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | |
| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
Documentation changes for v4.67.0 (#28528) Docs for the 4.67.0 release. --------- Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Eugene <eugene@fleetdm.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Drew Baker <89049099+Drew-P-drawers@users.noreply.github.com> Co-authored-by: Scott Gress <scottmgress@gmail.com> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2025-04-24 21:10:41 +00:00
| View hosts' [past](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-past-activity) and [upcoming](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-upcoming-activity) activity | ✅ | ✅ | ✅ | ✅ | |
| Cancel hosts' [upcoming](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-upcoming-activity) activity | | | ✅ | ✅ | |
New APIs to add/remove manual labels to/from a host (#18283) #16767 To create a manual label: ```sh cat labels.yml --- apiVersion: v1 kind: label spec: name: Manually Managed Example label_membership_type: manual hosts: - lucass-macbook-pro.local ``` To add/delete a manual label to/from a host: ``` curl -k -v -X POST -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' curl -k -v -X DELETE -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' ``` API draft changes: https://github.com/fleetdm/fleet/pull/16979/files Figma with error strings: https://www.figma.com/file/JiWoAiuHlkt76s3o3Uyz6h/%2316767-API-endpoint-for-updating-a-host's-manual-labels?type=design&node-id=2-130&mode=design&t=pxRPhrn6E1bOCrEd-0 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ~- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - ~[ ] If database migrations are included, checked table schema to confirm autoupdate~ - ~For database migrations:~ - ~[ ] Checked schema for all modified table for columns that will auto-update timestamps during migration.~ - ~[ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.~ - ~[ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).~ - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2024-04-16 09:37:58 +00:00
| Add/remove manual labels to/from hosts | | | ✅ | ✅ | ✅ |
Docs v4.66.0 (#27844) Documentation changes for the 4.66.0 release. --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Marko Lisica <markol.lisica@gmail.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com> Co-authored-by: George Karr <georgekarrv@users.noreply.github.com> Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Eugene <eugene@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com> Co-authored-by: Scott Gress <scottmgress@gmail.com> Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
2025-04-04 19:28:09 +00:00
| Create and edit self-authored labels | | | | | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Add and delete hosts | | | ✅ | ✅ | |
Software permissions changes (#19405) Adding new rows to manage access table to reflect new permissions added with #14921
2024-06-06 15:12:12 +00:00
| View software | ✅ | ✅ | ✅ | ✅ | |
Docs v4.74.0 (#33879) Documentation changes for 4.74 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com> Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 22:03:10 +00:00
| Add, edit, and delete software | | | ✅ | ✅ | ✅ |
Software permissions changes (#19405) Adding new rows to manage access table to reflect new permissions added with #14921
2024-06-06 15:12:12 +00:00
| Download added software | | | ✅ | ✅ | |
Permissions: uninstall software (#22434)
2024-09-26 19:10:40 +00:00
| Install/uninstall software on hosts | | | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | |
| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
| Filter software | ✅ | ✅ | ✅ | ✅ | |
| Run queries designated "**observer can run**" as live queries against hosts | ✅ | ✅ | ✅ | ✅ | |
| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) | | ✅ | ✅ | ✅ | |
Docs v4.66.0 (#27844) Documentation changes for the 4.66.0 release. --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Marko Lisica <markol.lisica@gmail.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com> Co-authored-by: George Karr <georgekarrv@users.noreply.github.com> Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Eugene <eugene@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com> Co-authored-by: Scott Gress <scottmgress@gmail.com> Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
2025-04-04 19:28:09 +00:00
| Create, edit, and delete self-authored queries | | | ✅ | ✅ | ✅ |
Docs: Update query permissions (#15154) Updates to the "Manage access" page to reflect changes for: + https://github.com/fleetdm/fleet/issues/15146 + https://github.com/fleetdm/fleet/issues/14415
2023-12-14 18:45:02 +00:00
| View team queries and their reports | ✅ | ✅ | ✅ | ✅ | |
| View global (inherited) queries and their reports\** | ✅ | ✅ | ✅ | ✅ | |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| Manage [query automations](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) | | | ✅ | ✅ | ✅ |
| View team policies | ✅ | ✅ | ✅ | ✅ | |
| Run team policies as a live policy | | ✅ | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| View global (inherited) policies | ✅ | ✅ | ✅ | ✅ | |
Fleet UI: Observer+ can run policies in the UI, update docs accordingly (#14796)
2023-11-03 11:42:11 +00:00
| Run global (inherited) policies as a live policy | | ✅ | ✅ | ✅ | |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
| Create, edit, and delete team policies | | | ✅ | ✅ | ✅ |
Docs: Note permissions distinction between global policy automations and software install (#19551) and script execution (#17129) policy automations (#23447) Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2024-11-04 18:35:49 +00:00
| Edit team policy automations: calendar events, install software, and run script | | | ✅ | ✅ | ✅ |
| Edit team policy automations: other workflows (tickets and webhooks) | | | | ✅ | ✅ |
Add OS updates to permissions table (#17384) - Maintainers and up can edit OS udpates
2024-03-07 22:47:54 +00:00
| Add and remove team users | | | | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Edit team name | | | | ✅ | ✅ |
| Create, edit, and delete [team enroll secrets](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team) | | | ✅ | ✅ | |
Docs v4.66.0 (#27844) Documentation changes for the 4.66.0 release. --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Marko Lisica <markol.lisica@gmail.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com> Co-authored-by: George Karr <georgekarrv@users.noreply.github.com> Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Eugene <eugene@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com> Co-authored-by: Scott Gress <scottmgress@gmail.com> Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
2025-04-04 19:28:09 +00:00
| Read organization settings\* | ✅ | ✅ | ✅ | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Read agent options\* | ✅ | ✅ | ✅ | ✅ | |
Docs: GitOps reference (#19740) Docs for Fleet's best practice GitOps: #13643 (also #17043)
2024-07-02 15:11:43 +00:00
| Edit agent options | | | | ✅ | ✅ |
Fleet UI Bug fix: Team admin/maintainer do not see save button for global policies (#11673)
2023-05-16 17:18:29 +00:00
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |
| View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | |
4.69.0 doc changes (#28937)
2025-06-14 19:26:45 +00:00
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | | | | ✅ | ✅ |
Docs v4.74.0 (#33879) Documentation changes for 4.74 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com> Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 22:03:10 +00:00
| Create, edit, resend and delete configuration profiles for Apple (macOS/iOS/iPadOS), Windows, and Android hosts | | | ✅ | ✅ | ✅ |
Update manage-access.md (#13426) Updated table rows related to MDM commands permission. Right now there are just calling out macOS hosts and we're implementing MDM commands for Windows. Additionally, there was a duplicate row in the table which I removed. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-08-22 10:55:14 +00:00
| Execute MDM commands on macOS and Windows hosts* | | | ✅ | ✅ | |
| View results of MDM commands executed on macOS and Windows hosts* | ✅ | ✅ | ✅ | ✅ | |
4.69.0 doc changes (#28937)
2025-06-14 19:26:45 +00:00
| Edit [team OS settings](https://fleetdm.com/docs/rest-api/rest-api#os-settings) | | | ✅ | ✅ | ✅ |
Docs v4.74.0 (#33879) Documentation changes for 4.74 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com> Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 22:03:10 +00:00
| Edit [macOS]([https://fleetdm.com/docs/](https://fleetdm.com/guides/macos-setup-experience#basic-article)) and Linux setup experience\* | | | ✅ | ✅ | ✅ |
Permissions changes for #19055 (#20624) Global observer/+ can no longer run saved scripts. --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2024-07-22 16:41:16 +00:00
| Run scripts on hosts | | | ✅ | ✅ | |
Feat: saved scripts (#14409) For #9537
2023-10-10 22:00:45 +00:00
| View saved scripts | ✅ | ✅ | ✅ | ✅ | |
| Edit/upload saved scripts | | | ✅ | ✅ | |
| View script details by host | ✅ | ✅ | ✅ | ✅ | |
feat: update permissions docs for lock/unlock/wipe (#16892) Part of #9949 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md)
2024-02-16 18:26:33 +00:00
| Lock, unlock, and wipe hosts | | | ✅ | ✅ | |
Docs v4.74.0 (#33879) Documentation changes for 4.74 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com> Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 22:03:10 +00:00
| Turn off MDM | | | ✅ | ✅ | |
Feat: saved scripts (#14409) For #9537
2023-10-10 22:00:45 +00:00
Remove numbers from documentation filenames in Fleet repo (#4313) * Renaming files and a lot of find and replace * pageRank meta tags, sorting by page rank * reranking * removing numbers * revert changing links that are locked to a commit * update metatag name, uncomment github contributers * Update basic-documentation.page.js * revert link change * more explicit errors, change pageOrderInSection numbers, updated sort * Update build-static-content.js * update comment * update handbook link * handbook entry * update sort * update changelog doc links to use fleetdm.com * move standard query library back to old location, update links/references to location * revert unintentional link changes * Update handbook/community.md Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
2022-02-23 18:17:55 +00:00
Update Permissions docs (#10440) - Global observers can read configuration via the API (not the UI) - Team observers can read team configuration via the API (not the UI)
2023-03-13 19:26:06 +00:00
\* Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api)
Docs: Update query permissions (#15154) Updates to the "Manage access" page to reflect changes for: + https://github.com/fleetdm/fleet/issues/15146 + https://github.com/fleetdm/fleet/issues/14415
2023-12-14 18:45:02 +00:00
\** Team-level users only see global query results for hosts on teams where they have access.
Filter out non-`observer_can_run` queries for observers in `fleetctl get queries` command to match the UI. (#11251) #11089 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [x] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-26 14:38:20 +00:00
Docs quick reference optimization (#21331) This PR closes https://github.com/fleetdm/fleet/issues/21108 @noahtalerman, I double-checked all redirects, and they are working. Clicking through the URLs in [this spreadsheet](https://docs.google.com/spreadsheets/d/1djVynIMuJK4pT5ziJW12CluVqcaoxxnCLaBO3VXfAt4/edit?usp=sharing) is a pretty quick way to go through them all. Note that "Audit logs" and "Understanding host vitals" redirect to the contributor docs on GitHub, so they will throw a 404 until this is merged. Some new guides benefitted from a name change, so they make more sense as stand-alone guides, and also so that we don't have to mess around with more redirects later. Those name changes followed [this convention](https://fleetdm.com/handbook/company/communications#headings-and-titles), which was recently documented in the handbook. Have fun! --------- Co-authored-by: Eric <eashaw@sailsjs.com> Co-authored-by: Noah Talerman <noahtal@umich.edu>
2024-08-16 20:30:31 +00:00
<meta name="category" value="guides">
<meta name="authorGitHubUsername" value="noahtalerman">
<meta name="authorFullName" value="Noah Talerman">
Docs: Note permissions distinction between global policy automations and software install (#19551) and script execution (#17129) policy automations (#23447) Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2024-11-04 18:35:49 +00:00
<meta name="publishedOn" value="2024-10-31">
Docs quick reference optimization (#21331) This PR closes https://github.com/fleetdm/fleet/issues/21108 @noahtalerman, I double-checked all redirects, and they are working. Clicking through the URLs in [this spreadsheet](https://docs.google.com/spreadsheets/d/1djVynIMuJK4pT5ziJW12CluVqcaoxxnCLaBO3VXfAt4/edit?usp=sharing) is a pretty quick way to go through them all. Note that "Audit logs" and "Understanding host vitals" redirect to the contributor docs on GitHub, so they will throw a 404 until this is merged. Some new guides benefitted from a name change, so they make more sense as stand-alone guides, and also so that we don't have to mess around with more redirects later. Those name changes followed [this convention](https://fleetdm.com/handbook/company/communications#headings-and-titles), which was recently documented in the handbook. Have fun! --------- Co-authored-by: Eric <eashaw@sailsjs.com> Co-authored-by: Noah Talerman <noahtal@umich.edu>
2024-08-16 20:30:31 +00:00
<meta name="articleTitle" value="Role-based access">
Website: Add meta descriptions to Fleet documentation. (#12586) #11986 Changes: - Added meta descriptions to Fleet documentation pages. --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2023-07-13 16:57:17 +00:00
<meta name="description" value="Learn about the different roles and permissions in Fleet.">
Reference in a new issue Copy permalink