mirror of
https://github.com/fleetdm/fleet
synced 2026-05-06 06:48:54 +00:00
62b8a77acd
# Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [ ] Added/updated automated tests - [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [ ] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [ ] Confirmed that the fix is not expected to adversely impact load test results - [ ] Alerted the release DRI if additional load testing is needed ## Database migrations - [ ] Checked table schema to confirm autoupdate - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). ## New Fleet configuration settings - [ ] Setting(s) is/are explicitly excluded from GitOps If you didn't check the box above, follow this checklist for GitOps-enabled settings: - [ ] Verified that the setting is exported via `fleetctl generate-gitops` - [ ] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [ ] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [ ] Verified that any relevant UI is disabled when GitOps mode is enabled ## fleetd/orbit/Fleet Desktop - [ ] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [ ] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [ ] Verified that fleetd runs on macOS, Linux and Windows - [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
27 KiB
27 KiB
Role-based access
Users have different abilities depending on the access level they have.
Roles
Admin
Users with the admin role receive all permissions.
Maintainer
Maintainers can manage most entities in Fleet, like queries, policies, and labels. Unlike admins, maintainers cannot edit higher level settings like application configuration, teams or users.
Observer
The observer role is a read-only role. It can access most entities in Fleet, like queries, policies, labels, application configuration, teams, etc.
They can also run queries configured with the observer_can_run flag set to true.
Observer+
Applies only to Fleet Premium
Observer+ is an observer with the added ability to run any query.
GitOps
Applies only to Fleet Premium
GitOps is a modern approach to Continuous Deployment (CD) that uses Git as the single source of truth for declarative infrastructure and application configurations. GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
User permissions
| Action | Observer | Observer+* | Maintainer | Admin | GitOps* |
|---|---|---|---|---|---|
| View all activity | ✅ | ✅ | ✅ | ✅ | |
| Cancel hosts' upcoming activity | ✅ | ✅ | |||
| Manage activity automations | ✅ | ✅ | |||
| View all hosts | ✅ | ✅ | ✅ | ✅ | |
| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ |
| Filter hosts using labels | ✅ | ✅ | ✅ | ✅ | |
| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
| Add/remove manual labels to/from hosts | ✅ | ✅ | ✅ | ||
| Add and delete hosts | ✅ | ✅ | |||
| Transfer hosts between teams* | ✅ | ✅ | ✅ | ||
| Add user information from IdP to hosts* | ✅ | ✅ | |||
| Create, edit, and delete labels | ✅ | ✅ | ✅ | ||
| View all software | ✅ | ✅ | ✅ | ✅ | |
| Add, edit, and delete software | ✅ | ✅ | ✅ | ||
| Download added software | ✅ | ✅ | |||
| Install/uninstall software on hosts | ✅ | ✅ | |||
| Filter software by vulnerabilities | ✅ | ✅ | ✅ | ✅ | |
| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
| Filter software by team* | ✅ | ✅ | ✅ | ✅ | |
| Manage vulnerability automations | ✅ | ✅ | |||
| Run queries designated "observer can run" as live queries against all hosts | ✅ | ✅ | ✅ | ✅ | |
| Run any query as live query against all hosts | ✅ | ✅ | ✅ | ||
| Create, edit, and delete queries | ✅ | ✅ | ✅ | ||
| View all queries and their reports | ✅ | ✅ | ✅ | ✅ | ✅ |
| Manage query automations | ✅ | ✅ | ✅ | ||
| Create, edit, view, and delete packs | ✅ | ✅ | ✅ | ||
| View all policies | ✅ | ✅ | ✅ | ✅ | ✅ |
| Run all policies | ✅ | ✅ | ✅ | ||
| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
| Create, edit, and delete policies for all hosts | ✅ | ✅ | ✅ | ||
| Create, edit, and delete policies for all hosts assigned to team* | ✅ | ✅ | ✅ | ||
| Edit global ("All teams") policy automations | ✅ | ✅ | |||
| Edit team policy automations: calendar events, install software, and run script* | ✅ | ✅ | ✅ | ||
| Edit team policy automations: other workflows (tickets and webhooks)* | ✅ | ✅ | |||
| Create, edit, view, and delete users | ✅ | ||||
| Add and remove team users* | ✅ | ✅ | |||
| Create, edit, and delete teams* | ✅ | ✅ | |||
| Create, edit, and delete enroll secrets | ✅ | ✅ | ✅ | ||
| Create, edit, and delete enroll secrets for teams* | ✅ | ✅ | |||
| Read organization settings** | ✅ | ✅ | ✅ | ✅ | ✅ |
| Read Single Sign-On settings** | ✅ | ||||
| Read SMTP settings** | ✅ | ||||
| Read osquery agent options** | ✅ | ||||
| Edit organization settings | ✅ | ✅ | |||
| Edit agent options | ✅ | ✅ | |||
| Edit agent options for hosts assigned to teams* | ✅ | ✅ | |||
| Initiate file carving | ✅ | ✅ | |||
| Retrieve contents from file carving | ✅ | ||||
| Create Apple Push Certificates service (APNs) certificate signing request (CSR) | ✅ | ||||
| View, edit, and delete APNs certificate | ✅ | ||||
| View, edit, and delete Apple Business Manager (ABM) connections | ✅ | ||||
| View, edit, and delete Volume Purchasing Program (VPP) connections | ✅ | ||||
| Connect Android Enterprise | ✅ | ||||
| View disk encryption key for macOS and Windows hosts | ✅ | ✅ | ✅ | ✅ | |
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | ✅ | ✅ | |||
| Create, edit, resend and delete configuration profiles for macOS and Windows hosts | ✅ | ✅ | ✅ | ||
| Execute MDM commands on macOS and Windows hosts** | ✅ | ✅ | ✅ | ||
| View results of MDM commands executed on macOS and Windows hosts** | ✅ | ✅ | ✅ | ✅ | |
| Edit OS settings | ✅ | ✅ | ✅ | ||
| View all OS settings | ✅ | ✅ | ✅ | ||
| Edit macOS setup experience* | ✅ | ✅ | ✅ | ||
| Add and edit identity provider for end user authentication, end user license agreement (EULA), and end user migration workflow* | ✅ | ||||
| Add and edit certificate authorities (CA)* | ✅ | ✅ | |||
| Run scripts on hosts | ✅ | ✅ | |||
| View saved scripts* | ✅ | ✅ | ✅ | ✅ | |
| Edit/upload saved scripts* | ✅ | ✅ | ✅ | ||
| Lock, unlock, and wipe hosts* | ✅ | ✅ | |||
| Configure Microsoft Entra conditional access integration | ✅ |
* Applies only to Fleet Premium
** Applies only to Fleet REST API
Team user permissions
Applies only to Fleet Premium
Users in Fleet either have team access or global access.
Users with team access only have access to the hosts, software, and policies assigned to their team.
Users with global access have access to all hosts, software, queries, and policies. Check out the user permissions table above for global user permissions.
Users can be assigned to multiple teams in Fleet.
Users with access to multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.
| Action | Team observer | Team observer+ | Team maintainer | Team admin | Team GitOps |
|---|---|---|---|---|---|
| View hosts | ✅ | ✅ | ✅ | ✅ | |
| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ |
| Filter hosts using labels | ✅ | ✅ | ✅ | ✅ | |
| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
| View hosts' past and upcoming activity | ✅ | ✅ | ✅ | ✅ | |
| Cancel hosts' upcoming activity | ✅ | ✅ | |||
| Add/remove manual labels to/from hosts | ✅ | ✅ | ✅ | ||
| Create and edit self-authored labels | ✅ | ||||
| Add and delete hosts | ✅ | ✅ | |||
| View software | ✅ | ✅ | ✅ | ✅ | |
| Add and delete software | ✅ | ✅ | ✅ | ||
| Download added software | ✅ | ✅ | |||
| Install/uninstall software on hosts | ✅ | ✅ | |||
| Filter software by vulnerabilities | ✅ | ✅ | ✅ | ✅ | |
| Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
| Filter software | ✅ | ✅ | ✅ | ✅ | |
| Run queries designated "observer can run" as live queries against hosts | ✅ | ✅ | ✅ | ✅ | |
| Run any query as live query | ✅ | ✅ | ✅ | ||
| Create, edit, and delete self-authored queries | ✅ | ✅ | ✅ | ||
| View team queries and their reports | ✅ | ✅ | ✅ | ✅ | |
| View global (inherited) queries and their reports** | ✅ | ✅ | ✅ | ✅ | |
| Manage query automations | ✅ | ✅ | ✅ | ||
| View team policies | ✅ | ✅ | ✅ | ✅ | |
| Run team policies as a live policy | ✅ | ✅ | ✅ | ||
| View global (inherited) policies | ✅ | ✅ | ✅ | ✅ | |
| Run global (inherited) policies as a live policy | ✅ | ✅ | ✅ | ||
| Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
| Create, edit, and delete team policies | ✅ | ✅ | ✅ | ||
| Edit team policy automations: calendar events, install software, and run script | ✅ | ✅ | ✅ | ||
| Edit team policy automations: other workflows (tickets and webhooks) | ✅ | ✅ | |||
| Add and remove team users | ✅ | ✅ | |||
| Edit team name | ✅ | ✅ | |||
| Create, edit, and delete team enroll secrets | ✅ | ✅ | |||
| Read organization settings* | ✅ | ✅ | ✅ | ✅ | ✅ |
| Read agent options* | ✅ | ✅ | ✅ | ✅ | |
| Edit agent options | ✅ | ✅ | |||
| Initiate file carving | ✅ | ✅ | |||
| View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | |
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | ✅ | ✅ | |||
| Create, edit, resend and delete configuration profiles for macOS and Windows hosts | ✅ | ✅ | ✅ | ||
| Execute MDM commands on macOS and Windows hosts* | ✅ | ✅ | |||
| View results of MDM commands executed on macOS and Windows hosts* | ✅ | ✅ | ✅ | ✅ | |
| Edit team OS settings | ✅ | ✅ | ✅ | ||
| Edit macOS setup experience* | ✅ | ✅ | ✅ | ||
| Run scripts on hosts | ✅ | ✅ | |||
| View saved scripts | ✅ | ✅ | ✅ | ✅ | |
| Edit/upload saved scripts | ✅ | ✅ | |||
| View script details by host | ✅ | ✅ | ✅ | ✅ | |
| Lock, unlock, and wipe hosts | ✅ | ✅ |
* Applies only to Fleet REST API
** Team-level users only see global query results for hosts on teams where they have access.