diff --git a/changes/issue-11556-hide-save-global-policy-from-team-roles b/changes/issue-11556-hide-save-global-policy-from-team-roles new file mode 100644 index 0000000000..821c0292ac --- /dev/null +++ b/changes/issue-11556-hide-save-global-policy-from-team-roles @@ -0,0 +1 @@ +- Team admin and team maintainer cannot save/update a global policy so hide the save button when viewing or running a global policy diff --git a/docs/Using-Fleet/Permissions.md b/docs/Using-Fleet/Permissions.md index 9b654892de..39804b9ef5 100644 --- a/docs/Using-Fleet/Permissions.md +++ b/docs/Using-Fleet/Permissions.md 
@@ -34,54 +34,54 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. ## User permissions | **Action** | Observer | Observer+ *| Maintainer | Admin | GitOps *| -| ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | --------- | ---------- | ----- | ------ | -| View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities) | ✅ | ✅ | ✅ | ✅ | | -| View all hosts | ✅ | ✅ | ✅ | ✅ | | -| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | | -| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | | -| Add and delete hosts | | | ✅ | ✅ | | -| Transfer hosts between teams\* | | | ✅ | ✅ | ✅ | -| Create, edit, and delete labels | | | ✅ | ✅ | ✅ | -| View all software | ✅ | ✅ | ✅ | ✅ | | -| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | | -| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | | -| Filter software by team\* | ✅ | ✅ | ✅ | ✅ | | -| Manage [vulnerability automations](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations) | | | | ✅ | ✅ | -| Run queries designated "**observer can run**" as live queries against all hosts | ✅ | ✅ | ✅ | ✅ | | -| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) against all hosts | | ✅ | ✅ | ✅ | | -| Create, edit, and delete queries | | | ✅ | ✅ | ✅ | -| View all queries\** | ✅ | ✅ | ✅ | ✅ | | -| Add, edit, and remove queries from all schedules | | | ✅ | ✅ | ✅ | -| Create, edit, view, and delete packs | | | ✅ | ✅ | ✅ | -| View all policies | ✅ | ✅ | ✅ | ✅ | | -| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | | -| Create, edit, and delete policies for all hosts | | | ✅ | ✅ | ✅ | -| Create, edit, and delete policies for all hosts assigned to team\* | | | ✅ | ✅ | ✅ | -| Manage [policy 
automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) | | | | ✅ | ✅ | -| Create, edit, view, and delete users | | | | ✅ | | -| Add and remove team members\* | | | | ✅ | ✅ | -| Create, edit, and delete teams\* | | | | ✅ | ✅ | -| Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts) | | | ✅ | ✅ | ✅ | -| Create, edit, and delete [enroll secrets for teams](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team)\* | | | ✅ | ✅ | | -| Read organization settings and agent options\*** | ✅ | ✅ | ✅ | ✅ | | -| Edit [organization settings](https://fleetdm.com/docs/using-fleet/configuration-files#organization-settings) | | | | ✅ | ✅ | -| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options) | | | | ✅ | ✅ | -| Edit [agent options for hosts assigned to teams](https://fleetdm.com/docs/using-fleet/configuration-files#team-agent-options)\* | | | | ✅ | ✅ | -| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | | -| Retrieve contents from file carving | | | | ✅ | | -| View Apple mobile device management (MDM) certificate information | | | | ✅ | | -| View Apple business manager (BM) information | | | | ✅ | | -| Generate Apple mobile device management (MDM) certificate signing request (CSR) | | | | ✅ | | -| View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | | -| Create edit and delete configuration profiles for macOS hosts | | | ✅ | ✅ | ✅ | -| Execute MDM commands on macOS hosts*** | | | ✅ | ✅ | | -| View results of MDM commands executed on macOS hosts*** | ✅ | ✅ | ✅ | ✅ | | -| Edit [MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | -| Edit [MDM settings for teams](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | -| Upload an EULA file for MDM automatic enrollment\* | | | | ✅ | | -| View/download MDM 
macOS setup assistant\* | | | ✅ | ✅ | | -| Edit/upload MDM macOS setup assistant\* | | | ✅ | ✅ | | -| Enable/disable MDM macOS setup end user authentication\* | | | ✅ | ✅ | | +| ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ---------- | ---------- | ----- | ------- | +| View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities) | ✅ | ✅ | ✅ | ✅ | | +| View all hosts | ✅ | ✅ | ✅ | ✅ | | +| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | | +| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | | +| Add and delete hosts | | | ✅ | ✅ | | +| Transfer hosts between teams\* | | | ✅ | ✅ | ✅ | +| Create, edit, and delete labels | | | ✅ | ✅ | ✅ | +| View all software | ✅ | ✅ | ✅ | ✅ | | +| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | | +| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | | +| Filter software by team\* | ✅ | ✅ | ✅ | ✅ | | +| Manage [vulnerability automations](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations) | | | | ✅ | ✅ | +| Run queries designated "**observer can run**" as live queries against all hosts | ✅ | ✅ | ✅ | ✅ | | +| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) against all hosts | | ✅ | ✅ | ✅ | | +| Create, edit, and delete queries | | | ✅ | ✅ | ✅ | +| View all queries\** | ✅ | ✅ | ✅ | ✅ | | +| Add, edit, and remove queries from all schedules | | | ✅ | ✅ | ✅ | +| Create, edit, view, and delete packs | | | ✅ | ✅ | ✅ | +| View all policies | ✅ | ✅ | ✅ | ✅ | | +| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | | +| Create, edit, and delete policies for all hosts | | | ✅ | ✅ | ✅ | +| Create, edit, and delete policies for all hosts assigned to team\* | | | ✅ | ✅ | ✅ | +| Manage [policy 
automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) | | | | ✅ | ✅ | +| Create, edit, view, and delete users | | | | ✅ | | +| Add and remove team members\* | | | | ✅ | ✅ | +| Create, edit, and delete teams\* | | | | ✅ | ✅ | +| Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts) | | | ✅ | ✅ | ✅ | +| Create, edit, and delete [enroll secrets for teams](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team)\* | | | ✅ | ✅ | | +| Read organization settings and agent options\*** | ✅ | ✅ | ✅ | ✅ | | +| Edit [organization settings](https://fleetdm.com/docs/using-fleet/configuration-files#organization-settings) | | | | ✅ | ✅ | +| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options) | | | | ✅ | ✅ | +| Edit [agent options for hosts assigned to teams](https://fleetdm.com/docs/using-fleet/configuration-files#team-agent-options)\* | | | | ✅ | ✅ | +| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | | +| Retrieve contents from file carving | | | | ✅ | | +| View Apple mobile device management (MDM) certificate information | | | | ✅ | | +| View Apple business manager (BM) information | | | | ✅ | | +| Generate Apple mobile device management (MDM) certificate signing request (CSR) | | | | ✅ | | +| View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | | +| Create edit and delete configuration profiles for macOS hosts | | | ✅ | ✅ | ✅ | +| Execute MDM commands on macOS hosts*** | | | ✅ | ✅ | | +| View results of MDM commands executed on macOS hosts*** | ✅ | ✅ | ✅ | ✅ | | +| Edit [MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | +| Edit [MDM settings for teams](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | +| Upload an EULA file for MDM automatic enrollment\* | | | | ✅ | | +| View/download MDM 
macOS setup assistant\* | | | ✅ | ✅ | | +| Edit/upload MDM macOS setup assistant\* | | | ✅ | ✅ | | +| Enable/disable MDM macOS setup end user authentication\* | | | ✅ | ✅ | | \* Applies only to Fleet Premium 
@@ -108,38 +108,39 @@ Users that are members of multiple teams can be assigned different roles for eac | **Action** | Team observer | Team observer+ | Team maintainer | Team admin | Team GitOps | | -------------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------- | --------------- | ---------- | ----------- | -| View hosts | ✅ | ✅ | ✅ | ✅ | | -| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | | -| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | | -| Add and delete hosts | | | ✅ | ✅ | | -| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | | -| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | | -| Filter software | ✅ | ✅ | ✅ | ✅ | | -| Run queries designated "**observer can run**" as live queries against hosts | ✅ | ✅ | ✅ | ✅ | | -| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) | | ✅ | ✅ | ✅ | | -| Create, edit, and delete only **self authored** queries | | | ✅ | ✅ | ✅ | -| View all queries\** | ✅ | ✅ | ✅ | ✅ | | -| Add, edit, and remove queries from the schedule | | | ✅ | ✅ | ✅ | -| View policies | ✅ | ✅ | ✅ | ✅ | | -| View global (inherited) policies | ✅ | ✅ | ✅ | ✅ | | -| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | | -| Create, edit, and delete policies | | | ✅ | ✅ | ✅ | -| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) | | | | ✅ | ✅ | -| Add and remove team members | | | | ✅ | ✅ | -| Edit team name | | | | ✅ | ✅ | -| Create, edit, and delete [team enroll secrets](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team) | | | ✅ | ✅ | | -| Read agent options\* | ✅ | ✅ | ✅ | ✅ | | -| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options) | | | | ✅ | ✅ | -| Initiate [file 
carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | | -| View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | | -| Create edit and delete configuration profiles for macOS hosts | | | ✅ | ✅ | ✅ | -| Execute MDM commands on macOS hosts, and read command results* | | | ✅ | ✅ | | -| Execute MDM commands on macOS hosts* | | | ✅ | ✅ | | -| View results of MDM commands executed on macOS hosts* | ✅ | ✅ | ✅ | ✅ | | -| Edit [team MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | -| View/download MDM macOS setup assistant | | | ✅ | ✅ | | -| Edit/upload MDM macOS setup assistant | | | ✅ | ✅ | | -| Enable/disable MDM macOS setup end user authentication | | | ✅ | ✅ | | +| View hosts | ✅ | ✅ | ✅ | ✅ | | +| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | | +| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | | +| Add and delete hosts | | | ✅ | ✅ | | +| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | | +| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | | +| Filter software | ✅ | ✅ | ✅ | ✅ | | +| Run queries designated "**observer can run**" as live queries against hosts | ✅ | ✅ | ✅ | ✅ | | +| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) | | ✅ | ✅ | ✅ | | +| Create, edit, and delete only **self authored** queries | | | ✅ | ✅ | ✅ | +| View all queries\** | ✅ | ✅ | ✅ | ✅ | | +| Add, edit, and remove queries from the schedule | | | ✅ | ✅ | ✅ | +| View policies | ✅ | ✅ | ✅ | ✅ | | +| View global (inherited) policies | ✅ | ✅ | ✅ | ✅ | | +| Run global (inherited) policies as a live policy | | | ✅ | ✅ | | +| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | | +| Create, edit, and delete team policies | | | ✅ | ✅ | ✅ | +| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) | | | | ✅ | ✅ | +| Add and 
remove team members | | | | ✅ | ✅ | +| Edit team name | | | | ✅ | ✅ | +| Create, edit, and delete [team enroll secrets](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team) | | | ✅ | ✅ | | +| Read agent options\* | ✅ | ✅ | ✅ | ✅ | | +| Edit [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options) | | | | ✅ | ✅ | +| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | | +| View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | | +| Create edit and delete configuration profiles for macOS hosts | | | ✅ | ✅ | ✅ | +| Execute MDM commands on macOS hosts, and read command results* | | | ✅ | ✅ | | +| Execute MDM commands on macOS hosts* | | | ✅ | ✅ | | +| View results of MDM commands executed on macOS hosts* | ✅ | ✅ | ✅ | ✅ | | +| Edit [team MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | +| View/download MDM macOS setup assistant | | | ✅ | ✅ | | +| Edit/upload MDM macOS setup assistant | | | ✅ | ✅ | | +| Enable/disable MDM macOS setup end user authentication | | | ✅ | ✅ | | \* Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api) diff --git a/frontend/pages/policies/PolicyPage/components/PolicyForm/PolicyForm.tsx b/frontend/pages/policies/PolicyPage/components/PolicyForm/PolicyForm.tsx index 987817b738..d93f3ce482 100644 --- a/frontend/pages/policies/PolicyPage/components/PolicyForm/PolicyForm.tsx +++ b/frontend/pages/policies/PolicyPage/components/PolicyForm/PolicyForm.tsx 
@@ -169,7 +169,10 @@ const PolicyForm = ({ }, [lastEditedQueryBody, lastEditedQueryId]); const hasSavePermissions = - isGlobalAdmin || isGlobalMaintainer || isTeamAdmin || isTeamMaintainer; + isGlobalAdmin || + isGlobalMaintainer || + (isTeamAdmin && policyTeamId === storedPolicy?.team_id) || // team admin cannot save global policy + (isTeamMaintainer && policyTeamId === storedPolicy?.team_id); // team maintainer cannot save global policy const onLoad = (editor: IAceEditor) => { editor.setOptions({ @@ -519,37 +522,39 @@ const PolicyForm = ({ {isEditMode && isPremiumTier && renderCriticalPolicy()} {renderLiveQueryWarning()}
- - {hasSavePermissions && ( - - )} - - - Select the platform(s) this -
- policy will be checked on -
- to save or run the policy. -
+ + + + Select the platform(s) this +
+ policy will be checked on +
+ to save or run the policy. +
+ + )}
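Review bot: in the `changes/issue-11556-hide-save-global-policy-from-team-roles` entry, the rationale and the change run together in one clause; a comma before "so" reads better ("...cannot save/update a global policy, so hide the save button..."). The entry should also mention the Permissions.md update, since this patch changes the documented team-role matrix (new "Run global (inherited) policies as a live policy" row and the "team policies" rename), not only the UI.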
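Review bot: the first Permissions.md hunk (`@@ -34,54 +34,54 @@`) rewrites every row of the global permissions table but the only change is the dash width of the separator row under Observer+ and GitOps; every cell's content is identical between the `-` and `+` lines. Consider dropping this realignment from the PR or landing it as a separate formatting-only commit, so the reviewable diff here is just the team table. While the rows are being touched anyway, "Create edit and delete configuration profiles for macOS hosts" is missing its comma ("Create, edit, and delete").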
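Review bot: in the team table hunk (`@@ -108,38 +108,39 @@`), the new row `| Run global (inherited) policies as a live policy | | | ✅ | ✅ | |` grants the action to team maintainer and team admin only, while the row `Run any query as [live query]` a few lines above also grants team observer+; confirm the omission for observer+ is intentional and matches what the server authorizes, otherwise the table now says observer+ can run any query live but not a global policy. The rename to "Create, edit, and delete team policies" is the right clarification for this change. Also visible in the rewritten context lines (pre-existing): `Execute MDM commands on macOS hosts, and read command results*` and `Execute MDM commands on macOS hosts*` overlap, and one of the two rows could be dropped.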
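Review bot: in the `hasSavePermissions` hunk (`@@ -169,7 +169,10 @@`), the new condition `policyTeamId === storedPolicy?.team_id` evaluates to false whenever `storedPolicy` is undefined, so a team admin or team maintainer creating a new policy (the form is shared with edit mode, see the `isEditMode` check further down) would lose save permission unless `policyTeamId` is also undefined; guard the create path explicitly, for example `!storedPolicy || policyTeamId === storedPolicy.team_id`. Conversely, check what values `policyTeamId` can take when a global policy is opened outside a team context: if it can be null, the strict comparison against a global policy's null `team_id` would succeed and re-enable the button for a team role. The two team clauses differ only in the role flag and can be collapsed to `((isTeamAdmin || isTeamMaintainer) && policyTeamId === storedPolicy?.team_id)` with a single comment. Finally, this flag only hides a button; the control that actually protects global policies is the server's authorization on the policy update endpoint, so the PR should include or reference a test showing the API rejects a team role's update of a global policy regardless of the UI.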
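Review bot: in the render hunk (`@@ -519,37 +522,39 @@`), as far as the visible lines show, the `{hasSavePermissions && (` guard and its closing `)}` now enclose the platform-selection block as well, including the help text "Select the platform(s) this policy will be checked on to save or run the policy." The Permissions.md change in this same patch says team maintainers and admins can run a global policy without saving it, so hiding the platform selector and this text from them contradicts the "or run" in that sentence. Keep only the save button inside the guard, or make the text conditional on the same permission so it does not promise a save that the role cannot perform.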