Grant write to policies to global maintainer (#4321)

2026-05-23 00:49:03 +00:00 · 2022-02-22 16:57:36 -05:00 · 2022-02-22 16:57:36 -05:00 · 84ac0f05a9
commit 84ac0f05a9
parent ad9a225033
5 changed files with 9 additions and 14 deletions
--- a/changes/issue-4260-global-maintainer-can-write-team-policy
+++ b/changes/issue-4260-global-maintainer-can-write-team-policy
@ -0,0 +1 @@
+* Grant write access to team policies to the global maintainer role.
--- a/docs/01-Using-Fleet/09-Permissions.md
+++ b/docs/01-Using-Fleet/09-Permissions.md
@ -37,6 +37,8 @@ The following table depicts various permissions levels for each role.
 | Delete labels                                        |          | ✅         | ✅    |
 | Add policies for all hosts                           |          | ✅         | ✅    |
 | Remove policies for all hosts                        |          | ✅         | ✅    |
+| Add policies for hosts assigned to team\*            |          | ✅         | ✅    |
+| Remove policies for hosts assigned to team\*         |          | ✅         | ✅    |
 | Create users                                         |          |            | ✅    |
 | Edit users                                           |          |            | ✅    |
 | Delete users                                         |          |            | ✅    |
--- a/server/authz/policy.rego
+++ b/server/authz/policy.rego
@ -438,25 +438,17 @@ allow {
 # Policies
 ##

-# Global Admin can read and write policies
+# Global Admin and Maintainer can read and write policies
 allow {
  object.type == "policy"
-  subject.global_role == admin
+  subject.global_role == [admin,maintainer][_]
  action == [read, write][_]
 }

-# Global Maintainer can read and write global policies
-allow {
-  is_null(object.team_id)
-  object.type == "policy"
-  subject.global_role == maintainer
-  action == [read, write][_]
-}
-
-# Global Maintainer and Observer users can read any policies
+# Global Observer can read any policies
 allow {
  object.type == "policy"
-  subject.global_role == [maintainer,observer][_]
+  subject.global_role == observer
  action == read
 }

--- a/server/authz/policy_test.go
+++ b/server/authz/policy_test.go
@ -681,7 +681,7 @@ func TestAuthorizePolicies(t *testing.T) {

 		{user: test.UserAdmin, object: teamPolicy, action: write, allow: true},
 		{user: test.UserAdmin, object: teamPolicy, action: read, allow: true},
-		{user: test.UserMaintainer, object: teamPolicy, action: write, allow: false},
+		{user: test.UserMaintainer, object: teamPolicy, action: write, allow: true},
 		{user: test.UserMaintainer, object: teamPolicy, action: read, allow: true},
 		{user: test.UserObserver, object: teamPolicy, action: write, allow: false},
 		{user: test.UserObserver, object: teamPolicy, action: read, allow: true},
--- a/server/service/team_policies_test.go
+++ b/server/service/team_policies_test.go
@ -78,7 +78,7 @@ func TestTeamPoliciesAuth(t *testing.T) {
 		{
 			"global maintainer",
 			&fleet.User{GlobalRole: ptr.String(fleet.RoleMaintainer)},
-			true,
+			false,
 			false,
 		},
 		{
				`@ -0,0 +1 @@`
				`* Grant write access to team policies to the global maintainer role.`