fleet/docs/Using-Fleet/Permissions.md

# Permissions

Users have different abilities depending on the access level they have.

Users with the Admin role receive all permissions.

## User permissions

| **Action**                                           | Observer | Maintainer | Admin |
| ---------------------------------------------------- | -------- | ---------- | ----- |
| View all activity                                        | ✅       | ✅         | ✅    |
| View all hosts                                       | ✅       | ✅         | ✅    |
| Filter hosts using labels                            | ✅       | ✅         | ✅    |
| Target hosts using labels                            | ✅       | ✅         | ✅    |
| Add and delete hosts                                         |          | ✅         | ✅    |
| Transfer hosts between teams\*                       |          | ✅         | ✅    |
| Create, edit, and delete labels                      |          | ✅         | ✅    |
| View all software                                    | ✅       | ✅         | ✅    |
| Filter software by vulnerabilities                   | ✅       | ✅         | ✅    |
| Filter hosts by software                             | ✅       | ✅         | ✅    |
| Filter software by team*                             | ✅       | ✅         | ✅    |
| Manage vulnerability automations                     |          |           | ✅    |
| Run only designated, _observer can run_ ,queries as live queries against all hosts  | ✅       | ✅         | ✅    |
| Run any query as live query against all hosts        |          | ✅         | ✅    |
| Create, edit, and delete queries                     |          | ✅         | ✅    |
| View all queries                                     | ✅       | ✅         | ✅    |
| Add, edit, and remove queries from all schedules  |          | ✅         | ✅    |
| Create, edit, view, and delete packs                       |          | ✅         | ✅    |
| View all policies                                    | ✅       | ✅         | ✅    |
| Filter hosts using policies                          | ✅       | ✅         | ✅    |
| Create, edit, and delete policies for all hosts      |          | ✅         | ✅    |
| Create, edit, and delete policies for all hosts assigned to team\*     |          | ✅         | ✅    |
| Manage policy automations      |          |           | ✅    |
| Create, edit, view, and delete users                       |          |            | ✅    |
| Add and remove team members\*                        |          |            | ✅    |
| Create, edit, and delete teams\*                     |          |            | ✅    |
| Create, edit, and delete enroll secrets              |          | ✅         | ✅    |
| Create, edit, and delete enroll secrets for teams\*  |          | ✅         | ✅    |
| Edit organization settings                           |          |            | ✅    |
| Edit agent options                                   |          |            | ✅    |
| Edit agent options for hosts assigned to teams\*     |          |            | ✅    |


\*Applies only to Fleet Premium

## Team member permissions

`Applies only to Fleet Premium`

Users in Fleet either have team access or global access. 

Users with team access only have access to the hosts, software, schedules, and policies assigned to
their team.

Users with global access have access to all
hosts, software, queries, schedules, and policies. Check out [the user permissions
table](#user-permissions) above for global user permissions.

Users can be a member of multiple teams in Fleet.

Users that are members of multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.

| **Action**                                                   | Team observer | Team maintainer | Team admin   |
| ------------------------------------------------------------ | -------- | ---------- | ------- |
| View hosts                                                   | ✅       | ✅         | ✅       |
| Filter hosts using labels                                    | ✅       | ✅         | ✅       |
| Target hosts using labels                                    | ✅       | ✅         | ✅       |
| Add and delete hosts                                         |          | ✅         | ✅       |
| Filter software by vulnerabilities                           | ✅       | ✅         | ✅       |
| Filter hosts by software                                     | ✅       | ✅         | ✅       |
| Filter software                                              | ✅       | ✅         | ✅       |
| Run only designated, _observer can run_ ,queries as live queries against all hosts  | ✅       | ✅         | ✅    |
| Run any query as live query        |          | ✅         | ✅    |
| Create, edit, and delete only _self authored_ queries        |          | ✅         | ✅       |
| Add, edit, and remove queries from the schedule                    |          | ✅         | ✅       |
| View policies                                     | ✅       | ✅         | ✅       |
| View global (inherited) policies                             | ✅       | ✅         | ✅       |
| Filter hosts using policies                 | ✅       | ✅         | ✅       |
| Create, edit, and delete policies                  |          | ✅         | ✅       |
| Add and remove team members                                  |          |            | ✅       |
| Edit team name                                               |          |            | ✅       |
| Create, edit, and delete team enroll secrets                 |          | ✅         | ✅       |
| Edit agent options                                      |          |            | ✅       |


<meta name="pageOrderInSection" value="900">
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00			`# Permissions`

			`Users have different abilities depending on the access level they have.`

			`Users with the Admin role receive all permissions.`

			`## User permissions`

Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`\| Action \| Observer \| Maintainer \| Admin \|`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00			`\| ---------------------------------------------------- \| -------- \| ---------- \| ----- \|`
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`\| View all activity \| ✅ \| ✅ \| ✅ \|`
			`\| View all hosts \| ✅ \| ✅ \| ✅ \|`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00			`\| Filter hosts using labels \| ✅ \| ✅ \| ✅ \|`
			`\| Target hosts using labels \| ✅ \| ✅ \| ✅ \|`
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`\| Add and delete hosts \| \| ✅ \| ✅ \|`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00			`\| Transfer hosts between teams\* \| \| ✅ \| ✅ \|`
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`\| Create, edit, and delete labels \| \| ✅ \| ✅ \|`
			`\| View all software \| ✅ \| ✅ \| ✅ \|`
			`\| Filter software by vulnerabilities \| ✅ \| ✅ \| ✅ \|`
			`\| Filter hosts by software \| ✅ \| ✅ \| ✅ \|`
			`\| Filter software by team* \| ✅ \| ✅ \| ✅ \|`
			`\| Manage vulnerability automations \| \| \| ✅ \|`
			`\| Run only designated, _observer can run_ ,queries as live queries against all hosts \| ✅ \| ✅ \| ✅ \|`
			`\| Run any query as live query against all hosts \| \| ✅ \| ✅ \|`
			`\| Create, edit, and delete queries \| \| ✅ \| ✅ \|`
			`\| View all queries \| ✅ \| ✅ \| ✅ \|`
			`\| Add, edit, and remove queries from all schedules \| \| ✅ \| ✅ \|`
			`\| Create, edit, view, and delete packs \| \| ✅ \| ✅ \|`
			`\| View all policies \| ✅ \| ✅ \| ✅ \|`
			`\| Filter hosts using policies \| ✅ \| ✅ \| ✅ \|`
			`\| Create, edit, and delete policies for all hosts \| \| ✅ \| ✅ \|`
			`\| Create, edit, and delete policies for all hosts assigned to team\* \| \| ✅ \| ✅ \|`
			`\| Manage policy automations \| \| \| ✅ \|`
			`\| Create, edit, view, and delete users \| \| \| ✅ \|`
			`\| Add and remove team members\* \| \| \| ✅ \|`
			`\| Create, edit, and delete teams\* \| \| \| ✅ \|`
			`\| Create, edit, and delete enroll secrets \| \| ✅ \| ✅ \|`
			`\| Create, edit, and delete enroll secrets for teams\* \| \| ✅ \| ✅ \|`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00			`\| Edit organization settings \| \| \| ✅ \|`
Update permissions documentation (#2721) - Removed create/edit/delete enroll secret permissions from team level users - Update verbiage to clarify the distinction between users with global access and users with team access. 2021-10-28 18:27:03 +00:00			`\| Edit agent options \| \| \| ✅ \|`
			`\| Edit agent options for hosts assigned to teams\* \| \| \| ✅ \|`
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00


Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
Updated product name on website and docs (#1731) Updated product name on website and docs 2021-08-19 17:50:21 +00:00			`\*Applies only to Fleet Premium`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
			`## Team member permissions`

Updated product name on website and docs (#1731) Updated product name on website and docs 2021-08-19 17:50:21 +00:00			`Applies only to Fleet Premium`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`Users in Fleet either have team access or global access.`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`Users with team access only have access to the hosts, software, schedules, and policies assigned to`
			`their team.`
Update permissions documentation (#2721) - Removed create/edit/delete enroll secret permissions from team level users - Update verbiage to clarify the distinction between users with global access and users with team access. 2021-10-28 18:27:03 +00:00
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`Users with global access have access to all`
			`hosts, software, queries, schedules, and policies. Check out [the user permissions`
			`table](#user-permissions) above for global user permissions.`
Documentation for RBAC and teams (#472) - Add permissions.md and teams.md 2021-06-09 23:12:45 +00:00
			`Users can be a member of multiple teams in Fleet.`

			`Users that are members of multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.`

Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`\| Action \| Team observer \| Team maintainer \| Team admin \|`
Issue 2134 add team admin role (#2499) * wip * Add team admin role and tests * Revert change in invites * Update permission doc * Fix lint 2021-10-13 15:34:59 +00:00			`\| ------------------------------------------------------------ \| -------- \| ---------- \| ------- \|`
Add and modify permissions tables (#4936) Handful of policy updates and clarification. Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> 2022-04-18 16:10:33 +00:00			`\| View hosts \| ✅ \| ✅ \| ✅ \|`
			`\| Filter hosts using labels \| ✅ \| ✅ \| ✅ \|`
			`\| Target hosts using labels \| ✅ \| ✅ \| ✅ \|`
			`\| Add and delete hosts \| \| ✅ \| ✅ \|`
			`\| Filter software by vulnerabilities \| ✅ \| ✅ \| ✅ \|`
			`\| Filter hosts by software \| ✅ \| ✅ \| ✅ \|`
			`\| Filter software \| ✅ \| ✅ \| ✅ \|`
			`\| Run only designated, _observer can run_ ,queries as live queries against all hosts \| ✅ \| ✅ \| ✅ \|`
			`\| Run any query as live query \| \| ✅ \| ✅ \|`
			`\| Create, edit, and delete only _self authored_ queries \| \| ✅ \| ✅ \|`
			`\| Add, edit, and remove queries from the schedule \| \| ✅ \| ✅ \|`
			`\| View policies \| ✅ \| ✅ \| ✅ \|`
			`\| View global (inherited) policies \| ✅ \| ✅ \| ✅ \|`
			`\| Filter hosts using policies \| ✅ \| ✅ \| ✅ \|`
			`\| Create, edit, and delete policies \| \| ✅ \| ✅ \|`
			`\| Add and remove team members \| \| \| ✅ \|`
			`\| Edit team name \| \| \| ✅ \|`
			`\| Create, edit, and delete team enroll secrets \| \| ✅ \| ✅ \|`
			`\| Edit agent options \| \| \| ✅ \|`

Remove numbers from documentation filenames in Fleet repo (#4313) * Renaming files and a lot of find and replace * pageRank meta tags, sorting by page rank * reranking * removing numbers * revert changing links that are locked to a commit * update metatag name, uncomment github contributers * Update basic-documentation.page.js * revert link change * more explicit errors, change pageOrderInSection numbers, updated sort * Update build-static-content.js * update comment * update handbook link * handbook entry * update sort * update changelog doc links to use fleetdm.com * move standard query library back to old location, update links/references to location * revert unintentional link changes * Update handbook/community.md Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2022-02-23 18:17:55 +00:00
Allow global admin to change anyone's password. (#4582) 2022-03-15 12:11:53 +00:00			`<meta name="pageOrderInSection" value="900">`