From 59666ba92f37d08775b351d9debd7b30cb73dca3 Mon Sep 17 00:00:00 2001
From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Date: Wed, 4 Feb 2026 15:54:06 +0100
Subject: [PATCH] Clarify 'Turn off MDM for specific hosts' in permissions
---
articles/role-based-access.md | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/articles/role-based-access.md b/articles/role-based-access.md
index e6a5e59ff8..c0b473ae1f 100644
--- a/articles/role-based-access.md
+++ b/articles/role-based-access.md
@@ -104,7 +104,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
| View saved scripts\* | ✅ | ✅ | ✅ | ✅ | |
| Edit/upload saved scripts\* | | | ✅ | ✅ | ✅ |
| Lock, unlock, and wipe hosts\* | | | ✅ | ✅ | |
-| Turn off MDM | | | ✅ | ✅ | |
+| Turn off MDM for specific hosts | | | ✅ | ✅ | |
| Configure Microsoft Entra conditional access integration | | | | ✅ | |
| View [custom variables](https://fleetdm.com/docs/rest-api/rest-api#list-custom-variables) | ✅ | ✅ | ✅ | ✅ | |
| Create, edit, and delete custom variables | ✅ | ✅ | ✅ | ✅ | |
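Review bot: The renamed row "Turn off MDM for specific hosts" gives no pointer to what the per-host action is, while the adjacent "View [custom variables](...)" row links to its REST API reference. Since the point of the change is to narrow the scope of this permission, consider linking the label to the corresponding host-level documentation so readers can tell which operation the Maintainer and Admin checkmarks actually grant. The checkmark columns themselves are unchanged here, which is correct for a wording-only edit.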
@@ -182,10 +182,9 @@ Users with access to multiple teams can be assigned different roles for each tea
| Edit/upload saved scripts | | | ✅ | ✅ | |
| View script details by host | ✅ | ✅ | ✅ | ✅ | |
| Lock, unlock, and wipe hosts | | | ✅ | ✅ | |
-| Turn off MDM | | | ✅ | ✅ | |
+| Turn off MDM for specific hosts | | | ✅ | ✅ | | | | | ✅ | ✅ | |
| View [custom variables](https://fleetdm.com/docs/rest-api/rest-api#list-custom-variables) | ✅ | ✅ | ✅ | ✅ | |
-
\* Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api)
\** Team-level users only see global query results for hosts on teams where they have access.
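Review bot: The added row "| Turn off MDM for specific hosts | | | ✅ | ✅ | | | | | ✅ | ✅ | |" has twelve cells where the removed row and its neighbours have six; the trailing "| | | ✅ | ✅ | |" looks like a pasted duplicate of the permission columns. In a permissions matrix this can render as extra columns or shifted checkmarks, so drop the duplicate and keep the row identical in shape to the one it replaces. The same hunk also deletes the blank line between the last table row and "\* Applies only to [Fleet REST API]..."; without that separator a GFM renderer will treat the footnote as another table row, so the blank line should stay.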
@@ -195,4 +194,4 @@ Users with access to multiple teams can be assigned different roles for each tea
-
\ No newline at end of file
+