From 6886317cad6e36451cbb9ddb34bb83f6bddac88c Mon Sep 17 00:00:00 2001 From: Rachael Shaw Date: Thu, 14 Dec 2023 12:45:02 -0600 Subject: [PATCH] Docs: Update query permissions (#15154) Updates to the "Manage access" page to reflect changes for: + https://github.com/fleetdm/fleet/issues/15146 + https://github.com/fleetdm/fleet/issues/14415 --- docs/Using Fleet/manage-access.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/Using Fleet/manage-access.md b/docs/Using Fleet/manage-access.md index bf935b299f..d31ca82d68 100644 --- a/docs/Using Fleet/manage-access.md +++ b/docs/Using Fleet/manage-access.md @@ -50,7 +50,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. | Run queries designated "**observer can run**" as live queries against all hosts | ✅ | ✅ | ✅ | ✅ | | | Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) against all hosts | | ✅ | ✅ | ✅ | | | Create, edit, and delete queries | | | ✅ | ✅ | ✅ | -| View all queries and their reports\** | ✅ | ✅ | ✅ | ✅ | | +| View all queries and their reports | ✅ | ✅ | ✅ | ✅ | | | Manage [query automations](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) | | | ✅ | ✅ | ✅ | | Create, edit, view, and delete packs | | | ✅ | ✅ | ✅ | | View all policies | ✅ | ✅ | ✅ | ✅ | | 
@@ -64,10 +64,10 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. | Create, edit, and delete teams\* | | | | ✅ | ✅ | | Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts) | | | ✅ | ✅ | ✅ | | Create, edit, and delete [enroll secrets for teams](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team)\* | | | ✅ | ✅ | | -| Read organization settings\*** | ✅ | ✅ | ✅ | ✅ | | -| Read Single Sign-On settings\*** | | | | ✅ | | -| Read SMTP settings\*** | | | | ✅ | | -| Read osquery agent options\*** | | | | ✅ | | +| Read organization settings\** | ✅ | ✅ | ✅ | ✅ | | +| Read Single Sign-On settings\** | | | | ✅ | | +| Read SMTP settings\** | | | | ✅ | | +| Read osquery agent options\** | | | | ✅ | | | Edit [organization settings](https://fleetdm.com/docs/using-fleet/configuration-files#organization-settings) | | | | ✅ | ✅ | | Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options) | | | | ✅ | ✅ | | Edit [agent options for hosts assigned to teams](https://fleetdm.com/docs/using-fleet/configuration-files#team-agent-options)\* | | | | ✅ | ✅ | 
@@ -77,9 +77,9 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. | View Apple business manager (BM) information | | | | ✅ | | | Generate Apple mobile device management (MDM) certificate signing request (CSR) | | | | ✅ | | | View disk encryption key for macOS and Windows hosts | ✅ | ✅ | ✅ | ✅ | | -| Create edit and delete configuration profiles for macOS and Windows hosts | | | ✅ | ✅ | ✅ | -| Execute MDM commands on macOS and Windows hosts*** | | | ✅ | ✅ | | -| View results of MDM commands executed on macOS and Windows hosts*** | ✅ | ✅ | ✅ | ✅ | | +| Create edit and delete configuration profiles for macOS and Windows hosts | | | ✅ | ✅ | ✅ | +| Execute MDM commands on macOS and Windows hosts\** | | | ✅ | ✅ | | +| View results of MDM commands executed on macOS and Windows hosts\** | ✅ | ✅ | ✅ | ✅ | | | Edit [MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | | Edit [MDM settings for teams](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | | Upload an EULA file for MDM automatic enrollment\* | | | | ✅ | | @@ -95,9 +95,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. \* Applies only to Fleet Premium -\** Global observers can view all queries via the API. The UI and fleetctl only list the ones they can run (**observer can run**). - -\*** Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api) +\** Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api) ## Team member permissions 
@@ -128,7 +126,8 @@ Users that are members of multiple teams can be assigned different roles for eac | Run queries designated "**observer can run**" as live queries against hosts | ✅ | ✅ | ✅ | ✅ | | | Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) | | ✅ | ✅ | ✅ | | | Create, edit, and delete only **self authored** queries | | | ✅ | ✅ | ✅ | -| View all queries and their reports\** | ✅ | ✅ | ✅ | ✅ | | +| View team queries and their reports | ✅ | ✅ | ✅ | ✅ | | +| View global (inherited) queries and their reports\** | ✅ | ✅ | ✅ | ✅ | | | Manage [query automations](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) | | | ✅ | ✅ | ✅ | | View team policies | ✅ | ✅ | ✅ | ✅ | | | Run team policies as a live policy | | ✅ | ✅ | ✅ | | @@ -163,7 +162,7 @@ Users that are members of multiple teams can be assigned different roles for eac \* Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api) -\** Team observers can view all queries via the API. The UI and fleetctl only list the ones they can run (**observer can run**). +\** Team-level users only see global query results for hosts on teams where they have access.
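Review bot: removing the `\**` marker from "View all queries and their reports" in the `@@ -50,7` hunk implies that global observers now see every query in the UI and fleetctl, not only through the API, since the footnote that made that distinction is deleted in the `@@ -95,9` hunk; please confirm that https://github.com/fleetdm/fleet/issues/15146 actually shipped that behaviour before the caveat is dropped, because the row directly above still shows observers cannot run arbitrary live queries, so a reader will want to know they can at least see them.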
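Review bot: renumbering `\***` to `\**` on the four "Read ... settings" rows in the `@@ -64,10` hunk is only correct if no `\***` marker survives anywhere else on the page; the `@@ -77,9` hunk covers the two MDM command rows, but the patch should be checked with a search for `***` over the whole file so that no row is left pointing at a footnote that no longer exists (single-asterisk Premium rows such as `Create, edit, and delete teams\*` are unaffected).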
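Review bot: in the `@@ -77,9` hunk the `-`/`+` pair for "Create edit and delete configuration profiles for macOS and Windows hosts" is identical in visible content, so this is presumably a whitespace-only change; since the line is being touched anyway, punctuate it as `| Create, edit, and delete configuration profiles for macOS and Windows hosts |` to match the other rows. The two MDM command rows previously used an unescaped `***` where the rows in the `@@ -64,10` hunk used `\***`, so moving both to `\**` also fixes that inconsistency.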
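Review bot: after the `@@ -95,9` hunk the single remaining `\**` footnote, "Applies only to Fleet REST API", is now shared by the four "Read ... settings" rows and the two MDM command rows; each of those rows should be checked against that wording, since the deleted footnote ("Global observers can view all queries via the API. The UI and fleetctl only list the ones they can run") described a different restriction and nothing in the global table now states where observers can see queries they cannot run.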
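Review bot: splitting the team-table row into "View team queries and their reports" and "View global (inherited) queries and their reports\**" in the `@@ -128,7` hunk is a clear improvement, but the `\**` marker now carries a different meaning in the team table than in the global table (there `\**` is "Applies only to Fleet REST API" and `\*` is Premium, whereas here `\*` is the REST API note); since the two tables sit on one page, consider a distinct marker such as a dagger for the team-specific note, or at minimum keep each footnote directly beneath its own table as the patch does.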
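Review bot: the new footnote in the `@@ -163,7` hunk, "Team-level users only see global query results for hosts on teams where they have access.", reads awkwardly and does not say that the query itself remains visible; suggest "Team-level users can view global queries, but their reports only include results from hosts on teams they have access to.", which matches the "View global (inherited) queries and their reports" row it annotates.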