mirror of
https://github.com/fleetdm/fleet
synced 2026-05-22 00:18:27 +00:00
62b8a77acd
# Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [ ] Added/updated automated tests - [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [ ] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [ ] Confirmed that the fix is not expected to adversely impact load test results - [ ] Alerted the release DRI if additional load testing is needed ## Database migrations - [ ] Checked table schema to confirm autoupdate - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). ## New Fleet configuration settings - [ ] Setting(s) is/are explicitly excluded from GitOps If you didn't check the box above, follow this checklist for GitOps-enabled settings: - [ ] Verified that the setting is exported via `fleetctl generate-gitops` - [ ] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [ ] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [ ] Verified that any relevant UI is disabled when GitOps mode is enabled ## fleetd/orbit/Fleet Desktop - [ ] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [ ] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [ ] Verified that fleetd runs on macOS, Linux and Windows - [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
190 lines
27 KiB
Markdown
190 lines
27 KiB
Markdown
# Role-based access
|
|
|
|
Users have different abilities depending on the access level they have.
|
|
|
|
## Roles
|
|
|
|
### Admin
|
|
|
|
Users with the admin role receive all permissions.
|
|
|
|
### Maintainer
|
|
|
|
Maintainers can manage most entities in Fleet, like queries, policies, and labels.
|
|
Unlike admins, maintainers cannot edit higher level settings like application configuration, teams or users.
|
|
|
|
### Observer
|
|
|
|
The observer role is a read-only role. It can access most entities in Fleet, like queries, policies, labels, application configuration, teams, etc.
|
|
They can also run queries configured with the `observer_can_run` flag set to `true`.
|
|
|
|
### Observer+
|
|
|
|
`Applies only to Fleet Premium`
|
|
|
|
Observer+ is an observer with the added ability to run *any* query.
|
|
|
|
### GitOps
|
|
|
|
`Applies only to Fleet Premium`
|
|
|
|
GitOps is a modern approach to Continuous Deployment (CD) that uses Git as the single source of truth for declarative infrastructure and application configurations.
|
|
GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
|
|
|
|
## User permissions
|
|
|
|
| **Action** | Observer | Observer+* | Maintainer | Admin | GitOps* |
|
|
| ------------------------------------------------------------------------------------------------------------------------------------------ | :------: | :--------: | :--------: | :---: | :-----: |
|
|
| View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities) | ✅ | ✅ | ✅ | ✅ | |
|
|
| Cancel [hosts' upcoming activity](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-upcoming-activity) | | | ✅ | ✅ | |
|
|
| Manage [activity automations](https://fleetdm.com/docs/using-fleet/audit-logs) | | | | ✅ | ✅ |
|
|
| View all hosts | ✅ | ✅ | ✅ | ✅ | |
|
|
| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ |
|
|
| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | |
|
|
| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
|
|
| Add/remove manual labels to/from hosts | | | ✅ | ✅ | ✅ |
|
|
| Add and delete hosts | | | ✅ | ✅ | |
|
|
| Transfer hosts between teams\* | | | ✅ | ✅ | ✅ |
|
|
| Add user information from IdP to hosts\* | | | ✅ | ✅ | |
|
|
| Create, edit, and delete labels | | | ✅ | ✅ | ✅ |
|
|
| View all software | ✅ | ✅ | ✅ | ✅ | |
|
|
| Add, edit, and delete software | | | ✅ | ✅ | ✅ |
|
|
| Download added software | | | ✅ | ✅ | |
|
|
| Install/uninstall software on hosts | | | ✅ | ✅ | |
|
|
| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | |
|
|
| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
|
|
| Filter software by team\* | ✅ | ✅ | ✅ | ✅ | |
|
|
| Manage [vulnerability automations](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations) | | | | ✅ | ✅ |
|
|
| Run queries designated "**observer can run**" as live queries against all hosts | ✅ | ✅ | ✅ | ✅ | |
|
|
| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) against all hosts | | ✅ | ✅ | ✅ | |
|
|
| Create, edit, and delete queries | | | ✅ | ✅ | ✅ |
|
|
| View all queries and their reports | ✅ | ✅ | ✅ | ✅ | ✅ |
|
|
| Manage [query automations](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) | | | ✅ | ✅ | ✅ |
|
|
| Create, edit, view, and delete packs | | | ✅ | ✅ | ✅ |
|
|
| View all policies | ✅ | ✅ | ✅ | ✅ | ✅ |
|
|
| Run all policies | | ✅ | ✅ | ✅ | |
|
|
| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
|
|
| Create, edit, and delete policies for all hosts | | | ✅ | ✅ | ✅ |
|
|
| Create, edit, and delete policies for all hosts assigned to team\* | | | ✅ | ✅ | ✅ |
|
|
| Edit global ("All teams") policy automations | | | | ✅ | ✅ |
|
|
| Edit team policy automations: calendar events, install software, and run script\* | | | ✅ | ✅ | ✅ |
|
|
| Edit team policy automations: other workflows (tickets and webhooks)\* | | | | ✅ | ✅ |
|
|
| Create, edit, view, and delete users | | | | ✅ | |
|
|
| Add and remove team users\* | | | | ✅ | ✅ |
|
|
| Create, edit, and delete teams\* | | | | ✅ | ✅ |
|
|
| Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts) | | | ✅ | ✅ | ✅ |
|
|
| Create, edit, and delete [enroll secrets for teams](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team)\* | | | ✅ | ✅ | |
|
|
| Read organization settings\** | ✅ | ✅ | ✅ | ✅ | ✅ |
|
|
| Read Single Sign-On settings\** | | | | ✅ | |
|
|
| Read SMTP settings\** | | | | ✅ | |
|
|
| Read osquery agent options\** | | | | ✅ | |
|
|
| Edit organization settings | | | | ✅ | ✅ |
|
|
| Edit agent options | | | | ✅ | ✅ |
|
|
| Edit agent options for hosts assigned to teams\* | | | | ✅ | ✅ |
|
|
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |
|
|
| Retrieve contents from file carving | | | | ✅ | |
|
|
| Create Apple Push Certificates service (APNs) certificate signing request (CSR) | | | | ✅ | |
|
|
| View, edit, and delete APNs certificate | | | | ✅ | |
|
|
| View, edit, and delete Apple Business Manager (ABM) connections | | | | ✅ | |
|
|
| View, edit, and delete Volume Purchasing Program (VPP) connections | | | | ✅ | |
|
|
| Connect Android Enterprise | | | | ✅ | |
|
|
| View disk encryption key for macOS and Windows hosts | ✅ | ✅ | ✅ | ✅ | |
|
|
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | | | | ✅ | ✅ |
|
|
| Create, edit, resend and delete configuration profiles for macOS and Windows hosts | | | ✅ | ✅ | ✅ |
|
|
| Execute MDM commands on macOS and Windows hosts\** | | | ✅ | ✅ | ✅ |
|
|
| View results of MDM commands executed on macOS and Windows hosts\** | ✅ | ✅ | ✅ | ✅ | |
|
|
| Edit [OS settings](https://fleetdm.com/docs/rest-api/rest-api#os-settings) | | | ✅ | ✅ | ✅ |
|
|
| View all [OS settings](https://fleetdm.com/docs/rest-api/rest-api#os-settings) | | | ✅ | ✅ | ✅ |
|
|
| Edit [macOS setup experience](https://fleetdm.com/guides/macos-setup-experience)\* | | | ✅ | ✅ | ✅ |
|
|
| Add and edit identity provider for end user authentication, end user license agreement (EULA), and end user migration workflow\* | | | | ✅ | |
|
|
| Add and edit certificate authorities (CA)\* | | | | ✅ | ✅ |
|
|
| Run scripts on hosts | | | ✅ | ✅ | |
|
|
| View saved scripts\* | ✅ | ✅ | ✅ | ✅ | |
|
|
| Edit/upload saved scripts\* | | | ✅ | ✅ | ✅ |
|
|
| Lock, unlock, and wipe hosts\* | | | ✅ | ✅ | |
|
|
| Configure Microsoft Entra conditional access integration | | | | ✅ | |
|
|
|
|
\* Applies only to Fleet Premium
|
|
|
|
\** Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api)
|
|
|
|
## Team user permissions
|
|
|
|
`Applies only to Fleet Premium`
|
|
|
|
Users in Fleet either have team access or global access.
|
|
|
|
Users with team access only have access to the [hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies) assigned to
|
|
their team.
|
|
|
|
Users with global access have access to all
|
|
[hosts](https://fleetdm.com/docs/using-fleet/rest-api#hosts), [software](https://fleetdm.com/docs/using-fleet/rest-api#software), [queries](https://fleetdm.com/docs/using-fleet/rest-api#queries), and [policies](https://fleetdm.com/docs/using-fleet/rest-api#policies). Check out [the user permissions
|
|
table](#user-permissions) above for global user permissions.
|
|
|
|
Users can be assigned to multiple teams in Fleet.
|
|
|
|
Users with access to multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.
|
|
|
|
| **Action** | Team observer | Team observer+ | Team maintainer | Team admin | Team GitOps |
|
|
| -------------------------------------------------------------------------------------------------------------------------------- | :-----------: | :------------: | :-------------: | :--------: | :---------: |
|
|
| View hosts | ✅ | ✅ | ✅ | ✅ | |
|
|
| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ |
|
|
| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | |
|
|
| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
|
|
| View hosts' [past](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-past-activity) and [upcoming](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-upcoming-activity) activity | ✅ | ✅ | ✅ | ✅ | |
|
|
| Cancel hosts' [upcoming](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-upcoming-activity) activity | | | ✅ | ✅ | |
|
|
| Add/remove manual labels to/from hosts | | | ✅ | ✅ | ✅ |
|
|
| Create and edit self-authored labels | | | | | ✅ |
|
|
| Add and delete hosts | | | ✅ | ✅ | |
|
|
| View software | ✅ | ✅ | ✅ | ✅ | |
|
|
| Add and delete software | | | ✅ | ✅ | ✅ |
|
|
| Download added software | | | ✅ | ✅ | |
|
|
| Install/uninstall software on hosts | | | ✅ | ✅ | |
|
|
| Filter software by [vulnerabilities](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing) | ✅ | ✅ | ✅ | ✅ | |
|
|
| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
|
|
| Filter software | ✅ | ✅ | ✅ | ✅ | |
|
|
| Run queries designated "**observer can run**" as live queries against hosts | ✅ | ✅ | ✅ | ✅ | |
|
|
| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) | | ✅ | ✅ | ✅ | |
|
|
| Create, edit, and delete self-authored queries | | | ✅ | ✅ | ✅ |
|
|
| View team queries and their reports | ✅ | ✅ | ✅ | ✅ | |
|
|
| View global (inherited) queries and their reports\** | ✅ | ✅ | ✅ | ✅ | |
|
|
| Manage [query automations](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) | | | ✅ | ✅ | ✅ |
|
|
| View team policies | ✅ | ✅ | ✅ | ✅ | |
|
|
| Run team policies as a live policy | | ✅ | ✅ | ✅ | |
|
|
| View global (inherited) policies | ✅ | ✅ | ✅ | ✅ | |
|
|
| Run global (inherited) policies as a live policy | | ✅ | ✅ | ✅ | |
|
|
| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
|
|
| Create, edit, and delete team policies | | | ✅ | ✅ | ✅ |
|
|
| Edit team policy automations: calendar events, install software, and run script | | | ✅ | ✅ | ✅ |
|
|
| Edit team policy automations: other workflows (tickets and webhooks) | | | | ✅ | ✅ |
|
|
| Add and remove team users | | | | ✅ | ✅ |
|
|
| Edit team name | | | | ✅ | ✅ |
|
|
| Create, edit, and delete [team enroll secrets](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team) | | | ✅ | ✅ | |
|
|
| Read organization settings\* | ✅ | ✅ | ✅ | ✅ | ✅ |
|
|
| Read agent options\* | ✅ | ✅ | ✅ | ✅ | |
|
|
| Edit agent options | | | | ✅ | ✅ |
|
|
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |
|
|
| View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | |
|
|
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | | | | ✅ | ✅ |
|
|
| Create, edit, resend and delete configuration profiles for macOS and Windows hosts | | | ✅ | ✅ | ✅ |
|
|
| Execute MDM commands on macOS and Windows hosts* | | | ✅ | ✅ | |
|
|
| View results of MDM commands executed on macOS and Windows hosts* | ✅ | ✅ | ✅ | ✅ | |
|
|
| Edit [team OS settings](https://fleetdm.com/docs/rest-api/rest-api#os-settings) | | | ✅ | ✅ | ✅ |
|
|
| Edit [macOS setup experience](https://fleetdm.com/guides/macos-setup-experience#macos-setup-assistant)\* | | | ✅ | ✅ | ✅ |
|
|
| Run scripts on hosts | | | ✅ | ✅ | |
|
|
| View saved scripts | ✅ | ✅ | ✅ | ✅ | |
|
|
| Edit/upload saved scripts | | | ✅ | ✅ | |
|
|
| View script details by host | ✅ | ✅ | ✅ | ✅ | |
|
|
| Lock, unlock, and wipe hosts | | | ✅ | ✅ | |
|
|
|
|
|
|
\* Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api)
|
|
|
|
\** Team-level users only see global query results for hosts on teams where they have access.
|
|
|
|
<meta name="category" value="guides">
|
|
<meta name="authorGitHubUsername" value="noahtalerman">
|
|
<meta name="authorFullName" value="Noah Talerman">
|
|
<meta name="publishedOn" value="2024-10-31">
|
|
<meta name="articleTitle" value="Role-based access">
|
|
<meta name="description" value="Learn about the different roles and permissions in Fleet.">
|