fleet/docs/Using-Fleet/Permissions.md
Lucas Manuel Rodriguez 1ebfbb14eb
New gitops role (#10850)
#8593

This PR adds a new role `gitops` to Fleet.
MDM capabilities for the role are coming in a separate PR. We need this
merged ASAP so that we can unblock the UI work for this.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [X] Documented any permissions changes
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 16:11:04 -03:00


Permissions

Users have different abilities depending on the access level they have.

Roles

Admin

Users with the admin role receive all permissions.

Maintainer

Maintainers can manage most entities in Fleet, like queries, policies, labels and schedules. Unlike admins, maintainers cannot edit higher level settings like application configuration, teams or users.

Observer

The Observer role is a read-only role. It can access most entities in Fleet, like queries, policies, labels, schedules, application configuration, teams, etc. Observers can also run queries configured with the observer_can_run flag set to true.

Observer+

Observer+ is an Observer with the added ability to run any query.

GitOps

GitOps is a modern approach to Continuous Deployment (CD) that uses Git as the single source of truth for declarative infrastructure and application configurations. GitOps is an API-only and write-only role that can be used on CI/CD pipelines.

User permissions

Action Observer Observer+ Maintainer Admin GitOps
View all activity
View all hosts
Filter hosts using labels
Target hosts using labels
Add and delete hosts
Transfer hosts between teams*
Create, edit, and delete labels
View all software
Filter software by vulnerabilities
Filter hosts by software
Filter software by team*
Manage vulnerability automations
Run only designated ("observer can run") queries as live queries against all hosts
Run any query as live query against all hosts
Create, edit, and delete queries
View all queries
Add, edit, and remove queries from all schedules
Create, edit, view, and delete packs
View all policies
Filter hosts using policies
Create, edit, and delete policies for all hosts
Create, edit, and delete policies for all hosts assigned to team*
Manage policy automations
Create, edit, view, and delete users
Add and remove team members*
Create, edit, and delete teams*
Create, edit, and delete enroll secrets
Create, edit, and delete enroll secrets for teams*
Read organization settings and agent options**
Edit organization settings
Edit agent options
Edit agent options for hosts assigned to teams*
Initiate file carving
Retrieve contents from file carving
View Apple mobile device management (MDM) certificate information
View Apple business manager (BM) information
Generate Apple mobile device management (MDM) certificate signing request (CSR)
View disk encryption key for macOS hosts enrolled in Fleet's MDM
Create, edit, and delete configuration profiles for macOS hosts enrolled in Fleet's MDM
Execute MDM commands on macOS hosts enrolled in Fleet's MDM
View results of MDM commands executed on macOS hosts enrolled in Fleet's MDM

* Applies only to Fleet Premium

** Applies only to Fleet REST API

Team member permissions

Applies only to Fleet Premium

Users in Fleet either have team access or global access.

Users with team access only have access to the hosts, software, schedules, and policies assigned to their team.

Users with global access have access to all hosts, software, queries, schedules, and policies. Check out the user permissions table above for global user permissions.

Users can be a member of multiple teams in Fleet.

Users that are members of multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.
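The role descriptions above (admin, maintainer, observer, observer+, GitOps) and the global-versus-team access model in this section can be pinned down as a small authorization check. The model below is an added illustration written for this page; it is not Fleet's own authorizer, and the entity names, action names and the assumption that GitOps may only modify (never read) the same entities a maintainer manages are simplifications chosen here, not taken from Fleet's code.

```python
"""Toy authorization model of the Fleet roles described on this page.

Added example, not Fleet's implementation: entity and action names are
hypothetical, and the exact set of entities a GitOps role may write is an
assumption of this model.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Role(str, Enum):
    OBSERVER = "observer"
    OBSERVER_PLUS = "observer_plus"
    MAINTAINER = "maintainer"
    ADMIN = "admin"
    GITOPS = "gitops"


# Entities a maintainer may manage (from the Maintainer description above)
# versus higher-level settings that only an admin may change.
MANAGED_BY_MAINTAINER = {"host", "query", "policy", "label", "schedule"}
HIGHER_LEVEL = {"app_config", "team", "user"}
VIEW, MODIFY, RUN = "view", "modify", "run"


@dataclass
class Query:
    name: str
    observer_can_run: bool = False  # the flag mentioned in the Observer section


@dataclass
class User:
    name: str
    global_role: Optional[Role] = None                 # global access, or ...
    team_roles: Dict[str, Role] = field(default_factory=dict)  # team name -> role


def effective_role(user: User, team: Optional[str]) -> Optional[Role]:
    """Global users keep their role on every team. Team users only hold a
    role on teams they belong to and have no role on global (team=None)
    entities at all."""
    if user.global_role is not None:
        return user.global_role
    if team is None:
        return None
    return user.team_roles.get(team)


def role_allows(role: Role, action: str, entity: str,
                query: Optional[Query] = None) -> bool:
    if role is Role.ADMIN:
        return True  # admins receive all permissions
    if role is Role.GITOPS:
        # API-only, write-only: may apply changes but never reads them back.
        # Restricting writes to maintainer-managed entities is an assumption.
        return action == MODIFY and entity in MANAGED_BY_MAINTAINER
    if action == VIEW:
        return True  # observer and above can read these entities
    if action == RUN:
        if role is Role.OBSERVER:
            return query is not None and query.observer_can_run
        return True  # observer+ (and, assumed here, maintainer) run any query
    # action == MODIFY: maintainers manage entities, but not higher-level settings
    return role is Role.MAINTAINER and entity in MANAGED_BY_MAINTAINER


def can(user: User, action: str, entity: str, team: Optional[str] = None,
        query: Optional[Query] = None) -> bool:
    role = effective_role(user, team)
    return role is not None and role_allows(role, action, entity, query)


# Constructed sample principals mirroring the "Workstations"/"Servers" example.
dana = User("dana", team_roles={"Workstations": Role.OBSERVER,
                                "Servers": Role.MAINTAINER})
ci_bot = User("ci-bot", global_role=Role.GITOPS)
root = User("root", global_role=Role.ADMIN)
audit_query = Query("audit", observer_can_run=True)
secret_query = Query("secrets")


def demo() -> Dict[str, bool]:
    """Decisions a reviewer would want to confirm for the sample users."""
    return {
        "dana_views_workstation_hosts": can(dana, VIEW, "host", "Workstations"),
        "dana_edits_workstation_policy": can(dana, MODIFY, "policy", "Workstations"),
        "dana_edits_server_policy": can(dana, MODIFY, "policy", "Servers"),
        "dana_views_global_hosts": can(dana, VIEW, "host"),
        "dana_runs_audit_query": can(dana, RUN, "query", "Workstations", audit_query),
        "dana_runs_secret_query": can(dana, RUN, "query", "Workstations", secret_query),
        "dana_edits_server_team": can(dana, MODIFY, "team", "Servers"),
        "ci_applies_policy": can(ci_bot, MODIFY, "policy"),
        "ci_reads_policy": can(ci_bot, VIEW, "policy"),
        "root_edits_team": can(root, MODIFY, "team", "Servers"),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

The two points worth noticing are in `effective_role`: a team-only user gets no role at all for a global entity (so `dana` cannot list global hosts even though she is an observer on one team), and a global role such as the GitOps service account applies on every team without any per-team grant.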

Action Team observer Team observer+ Team maintainer Team admin Team GitOps
View hosts
Filter hosts using labels
Target hosts using labels
Add and delete hosts
Filter software by vulnerabilities
Filter hosts by software
Filter software
Run only designated ("observer can run") queries as live queries against all hosts
Run any query as live query
Create, edit, and delete only self authored queries
Add, edit, and remove queries from the schedule
View policies
View global (inherited) policies
Filter hosts using policies
Create, edit, and delete policies
Manage policy automations
Add and remove team members
Edit team name
Create, edit, and delete team enroll secrets
Read agent options*
Edit agent options
Initiate file carving
View disk encryption key for macOS hosts enrolled in Fleet's MDM
Create, edit, and delete configuration profiles for macOS hosts enrolled in Fleet's MDM
Execute MDM commands on macOS hosts enrolled in Fleet's MDM, and read command results
Execute MDM commands on macOS hosts enrolled in Fleet's MDM
View results of MDM commands executed on macOS hosts enrolled in Fleet's MDM

* Applies only to Fleet REST API