From 45c5e29ca085d794f891fed157c37cf25b685e94 Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 28 Oct 2021 14:27:03 -0400 Subject: [PATCH] Update permissions documentation (#2721) - Removed create/edit/delete enroll secret permissions from team level users - Update verbiage to clarify the distinction between users with global access and users with team access. --- docs/01-Using-Fleet/09-Permissions.md | 32 ++++++++++++--------------- 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/docs/01-Using-Fleet/09-Permissions.md b/docs/01-Using-Fleet/09-Permissions.md index e37fbad0f0..9c59d06799 100644 --- a/docs/01-Using-Fleet/09-Permissions.md +++ b/docs/01-Using-Fleet/09-Permissions.md @@ -35,16 +35,16 @@ The following table depicts various permissions levels for each role. | Create labels | | ✅ | ✅ | | Edit labels | | ✅ | ✅ | | Delete labels | | ✅ | ✅ | -| Create new global policies | | ✅ | ✅ | -| Delete global policies | | ✅ | ✅ | +| Add policies for all hosts | | ✅ | ✅ | +| Remove policies for all hosts | | ✅ | ✅ | | Create users | | | ✅ | | Edit users | | | ✅ | | Delete users | | | ✅ | | Edit organization settings | | | ✅ | | Create enroll secrets | | | ✅ | | Edit enroll secrets | | | ✅ | -| Edit global level agent options | | | ✅ | -| Edit team level agent options\* | | | ✅ | +| Edit agent options | | | ✅ | +| Edit agent options for hosts assigned to teams\* | | | ✅ | | Create teams\* | | | ✅ | | Edit teams\* | | | ✅ | | Add members to teams\* | | | ✅ | 
@@ -59,7 +59,9 @@ The following table depicts various permissions levels for each role. ℹ️ In Fleet 4.0, the Teams feature was introduced. ``` -Users either have global access to Fleet or team access to Fleet. Check out [the user permissions table](#user-permissions) above for global user permissions. +Users either have global access or team access in Fleet. Users with global access can observe and act on all hosts in Fleet. Check out [the user permissions table](#user-permissions) above for global user permissions. + +Users with team access can only observe and act on hosts that are assigned to their team. Users can be a member of multiple teams in Fleet. 
@@ -76,20 +78,14 @@ The following table depicts various permissions levels in a team. | Target hosts assigned to team using labels | ✅ | ✅ | ✅ | | Run saved queries as live queries on hosts assigned to team | ✅ | ✅ | ✅ | | Run custom queries as live queries on hosts assigned to team | | ✅ | ✅ | -| Enroll hosts to member team | | ✅ | ✅ | -| Delete hosts belonging to member team | | ✅ | ✅ | -| Create saved queries | | ✅ | ✅ | +| Enroll hosts to team | | ✅ | ✅ | +| Delete hosts assigned to team | | ✅ | ✅ | +| Create queries | | ✅ | ✅ | | Edit queries they authored | | ✅ | ✅ | | Delete queries they authored | | ✅ | ✅ | -| Create new team schedules | | ✅ | ✅ | -| Delete team schedules | | ✅ | ✅ | -| Browse global schedules | | ✅ | ✅ | -| Create new team policies | | ✅ | ✅ | -| Delete team policies | | ✅ | ✅ | -| Browse global policies | | ✅ | ✅ | -| Create enroll secrets that belong to team | | | ✅ | -| Edit enroll secrets that belong to team | | | ✅ | -| Delete enroll secrets that belong to team | | | ✅ | +| Schedule queries for hosts assigned to team | | ✅ | ✅ | +| Add policies for hosts assigned to team | | ✅ | ✅ | +| Remove policies for hosts assigned to team | | ✅ | ✅ | | Edit users assigned to team | | | ✅ | | Remove users assigned to team | | | ✅ | -| Edit team level agent options | | | ✅ | \ No newline at end of file +| Edit agent options for hosts assigned to team | | | ✅ | \ No newline at end of file
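Review bot: In the first hunk (`@@ -35,16 +35,16 @@`, global roles table), the renamed row `| Edit agent options |` no longer states a scope, while the row directly below it is scoped "for hosts assigned to teams". A reader cannot tell whether the unscoped row covers all hosts or only hosts that belong to no team. Suggest giving it an explicit scope, in the same style as "Add policies for all hosts" introduced in this hunk. Separately, the context lines list only "Create enroll secrets" and "Edit enroll secrets" for global users; since the commit message refers to create/edit/delete, please confirm whether a delete row is missing from this table.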
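Review bot: In the second hunk (`@@ -59,7 +59,9 @@`), the added paragraph scopes team users to hosts "assigned to their team" (singular) and then says users can be a member of multiple teams, so the access boundary for a multi-team user is left to inference. Suggest wording such as "hosts assigned to the teams they are a member of", and stating whether a user's role can differ per team, since that decides what a multi-team user may do on each team's hosts. The global paragraph links to its permissions table; the team paragraph would benefit from the same pointer to the team table.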
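Review bot: In the third hunk (`@@ -76,20 +78,14 @@`, team table), the three enroll secret rows are removed but `| Enroll hosts to team |` stays checked for the two rightmost roles, and the table no longer says who can see the team's enroll secret needed to do that. Because the enroll secret is a credential, the docs should state explicitly which team roles (if any) can read it, either as a row or as a note under the table. The hunk also drops "Browse global schedules" and "Browse global policies" with no replacement row, which the commit message does not mention; if team users can still view global schedules and policies, keep a row for it, and if they cannot, call that out as a permission change. Finally, "Schedule queries for hosts assigned to team" replaces separate create and delete rows, so it is no longer clear that removing a schedule is included.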