Manage access
Users have different abilities depending on the access level they have.
Roles
Admin
Users with the admin role receive all permissions.
Maintainer
Maintainers can manage most entities in Fleet, like queries, policies, and labels. Unlike admins, maintainers cannot edit higher level settings like application configuration, teams or users.
Observer
The observer role is a read-only role. It can access most entities in Fleet, like queries, policies, labels, application configuration, teams, etc.
They can also run queries configured with the `observer_can_run` flag set to `true`.
Observer+
Applies only to Fleet Premium
Observer+ is an observer with the added ability to run any query.
GitOps
Applies only to Fleet Premium
GitOps is a modern approach to Continuous Deployment (CD) that uses Git as the single source of truth for declarative infrastructure and application configurations. GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
User permissions
Action | Observer | Observer+* | Maintainer | Admin | GitOps* |
---|---|---|---|---|---|
View all activity | ✅ | ✅ | ✅ | ✅ | |
View all hosts | ✅ | ✅ | ✅ | ✅ | |
Filter hosts using labels | ✅ | ✅ | ✅ | ✅ | |
Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
Add and delete hosts | ✅ | ✅ | |||
Transfer hosts between teams* | ✅ | ✅ | ✅ | ||
Create, edit, and delete labels | ✅ | ✅ | ✅ | ||
View all software | ✅ | ✅ | ✅ | ✅ | |
Filter software by vulnerabilities | ✅ | ✅ | ✅ | ✅ | |
Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
Filter software by team* | ✅ | ✅ | ✅ | ✅ | |
Manage vulnerability automations | ✅ | ✅ | |||
Run queries designated "observer can run" as live queries against all hosts | ✅ | ✅ | ✅ | ✅ | |
Run any query as live query against all hosts | ✅ | ✅ | ✅ | ||
Create, edit, and delete queries | ✅ | ✅ | ✅ | ||
View all queries** | ✅ | ✅ | ✅ | ✅ | |
Manage query automations | ✅ | ✅ | ✅ | ||
Create, edit, view, and delete packs | ✅ | ✅ | ✅ | ||
View all policies | ✅ | ✅ | ✅ | ✅ | |
Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
Create, edit, and delete policies for all hosts | ✅ | ✅ | ✅ | ||
Create, edit, and delete policies for all hosts assigned to team* | ✅ | ✅ | ✅ | ||
Manage policy automations | ✅ | ✅ | |||
Create, edit, view, and delete users | ✅ | ||||
Add and remove team members* | ✅ | ✅ | |||
Create, edit, and delete teams* | ✅ | ✅ | |||
Create, edit, and delete enroll secrets | ✅ | ✅ | ✅ | ||
Create, edit, and delete enroll secrets for teams* | ✅ | ✅ | |||
Read organization settings*** | ✅ | ✅ | ✅ | ✅ | |
Read Single Sign-On settings*** | ✅ | ||||
Read SMTP settings*** | ✅ | ||||
Read osquery agent options*** | ✅ | ||||
Edit organization settings | ✅ | ✅ | |||
Edit agent options | ✅ | ✅ | |||
Edit agent options for hosts assigned to teams* | ✅ | ✅ | |||
Initiate file carving | ✅ | ✅ | |||
Retrieve contents from file carving | ✅ | ||||
View Apple mobile device management (MDM) certificate information | ✅ | ||||
View Apple business manager (BM) information | ✅ | ||||
Generate Apple mobile device management (MDM) certificate signing request (CSR) | ✅ | ||||
View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | |
Create, edit, and delete configuration profiles for macOS hosts | ✅ | ✅ | ✅ | |
Execute MDM commands on macOS hosts*** | ✅ | ✅ | |||
View results of MDM commands executed on macOS hosts*** | ✅ | ✅ | ✅ | ✅ | |
Edit MDM settings | ✅ | ✅ | |||
Edit MDM settings for teams | ✅ | ✅ | |||
Upload an EULA file for MDM automatic enrollment* | ✅ | ||||
View/download MDM macOS setup assistant* | ✅ | ✅ | |||
Edit/upload MDM macOS setup assistant* | ✅ | ✅ | ✅ | ||
View metadata of MDM macOS bootstrap packages* | ✅ | ✅ | |||
Edit/upload MDM macOS bootstrap packages* | ✅ | ✅ | ✅ | ||
Enable/disable MDM macOS setup end user authentication* | ✅ | ✅ | ✅ |
* Applies only to Fleet Premium
** Global observers can view all queries but the UI and fleetctl only list the ones they can run (observer can run).
*** Applies only to Fleet REST API
Team member permissions
Applies only to Fleet Premium
Users in Fleet either have team access or global access.
Users with team access only have access to the hosts, software, and policies assigned to their team.
Users with global access have access to all hosts, software, queries, and policies. Check out the user permissions table above for global user permissions.
Users can be a member of multiple teams in Fleet.
Users who are members of multiple teams can be assigned a different role on each team. For example, a user can be given access to the "Workstations" team with the "Observer" role, and the same user can be given access to the "Servers" team with the "Maintainer" role.
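The following Python model is an added illustration, not Fleet's own code or API. It encodes the rules stated in the role descriptions and in the team-access paragraphs above: a user has either global access or team access, a team user's role can differ per team (the "Workstations" observer / "Servers" maintainer example), an Observer can only live-run queries whose `observer_can_run` flag is set, Observer+ and above can run any query, and the GitOps role is treated as write-only. The role names, the `Query`/`Host`/`User` types and the sample hosts and queries are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Role names are hypothetical strings for this model; "observer_plus" stands for Observer+.
ROLES = {"admin", "maintainer", "observer", "observer_plus", "gitops"}


@dataclass(frozen=True)
class Query:
    name: str
    observer_can_run: bool = False  # the flag the Observer section describes


@dataclass(frozen=True)
class Host:
    hostname: str
    team: Optional[str]  # None = host not assigned to any team


@dataclass
class User:
    name: str
    global_role: Optional[str] = None                         # set => global access
    team_roles: Dict[str, str] = field(default_factory=dict)  # team -> role (team access)

    def __post_init__(self) -> None:
        # A user has either global access or team access, never both.
        if self.global_role is not None and self.team_roles:
            raise ValueError("a user has either global access or team access, not both")
        for role in [self.global_role, *self.team_roles.values()]:
            if role is not None and role not in ROLES:
                raise ValueError(f"unknown role: {role}")


def effective_role(user: User, team: Optional[str]) -> Optional[str]:
    """Role that applies when `user` acts on `team`.

    Global users keep their single role everywhere; team users get the role
    assigned on that team, or None when they are not a member of it.
    """
    if user.global_role is not None:
        return user.global_role
    if team is None:
        return None  # hosts with no team are reachable only by global users
    return user.team_roles.get(team)


def can_run_live_query(user: User, query: Query, team: Optional[str]) -> bool:
    """Live-query rule from the role descriptions: an observer needs observer_can_run,
    Observer+/maintainer/admin may run any query, GitOps is write-only (no queries)."""
    role = effective_role(user, team)
    if role is None or role == "gitops":
        return False
    if role == "observer":
        return query.observer_can_run
    return True


def visible_hosts(user: User, hosts: List[Host]) -> List[str]:
    """Team users see only hosts on their teams; global users see every host.
    GitOps (global or team) is modelled as write-only and sees nothing."""
    if user.global_role is not None:
        return [] if user.global_role == "gitops" else [h.hostname for h in hosts]
    return [h.hostname for h in hosts
            if user.team_roles.get(h.team) not in (None, "gitops")]


# --- constructed sample data (not from the page) ---
HOSTS = [
    Host("ws-01", "Workstations"),
    Host("ws-02", "Workstations"),
    Host("srv-01", "Servers"),
    Host("lab-01", None),
]
SAFE_QUERY = Query("uptime", observer_can_run=True)
ANY_QUERY = Query("list_all_processes", observer_can_run=False)

# The page's own example: Observer on Workstations, Maintainer on Servers.
ALICE = User("alice", team_roles={"Workstations": "observer", "Servers": "maintainer"})
BOB = User("bob", global_role="observer")
CAROL = User("carol", global_role="gitops")


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.name, "sees", visible_hosts(user, HOSTS))
        for team in ("Workstations", "Servers"):
            for q in (SAFE_QUERY, ANY_QUERY):
                print(f"  {team:12} {q.name:20} -> {can_run_live_query(user, q, team)}")
```

The point of the model is the two-step resolution: first find the role that applies in the scope being acted on (global role, else the per-team role, else none), then apply the action rule to that role. Keeping the scope lookup separate from the action rule is what lets one user be read-only on one team and an editor on another without any special casing.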
Action | Team observer | Team observer+ | Team maintainer | Team admin | Team GitOps |
---|---|---|---|---|---|
View hosts | ✅ | ✅ | ✅ | ✅ | |
Filter hosts using labels | ✅ | ✅ | ✅ | ✅ | |
Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
Add and delete hosts | ✅ | ✅ | |||
Filter software by vulnerabilities | ✅ | ✅ | ✅ | ✅ | |
Filter hosts by software | ✅ | ✅ | ✅ | ✅ | |
Filter software | ✅ | ✅ | ✅ | ✅ | |
Run queries designated "observer can run" as live queries against hosts | ✅ | ✅ | ✅ | ✅ | |
Run any query as live query | ✅ | ✅ | ✅ | ||
Create, edit, and delete only self authored queries | ✅ | ✅ | ✅ | ||
View all queries** | ✅ | ✅ | ✅ | ✅ | |
Manage query automations | ✅ | ✅ | ✅ | ||
View policies | ✅ | ✅ | ✅ | ✅ | |
View global (inherited) policies | ✅ | ✅ | ✅ | ✅ | |
Run global (inherited) policies as a live policy | ✅ | ✅ | |||
Filter hosts using policies | ✅ | ✅ | ✅ | ✅ | |
Create, edit, and delete team policies | ✅ | ✅ | ✅ | ||
Manage policy automations | ✅ | ✅ | |||
Add and remove team members | ✅ | ✅ | |||
Edit team name | ✅ | ✅ | |||
Create, edit, and delete team enroll secrets | ✅ | ✅ | |||
Read organization settings* | ✅ | ✅ | ✅ | ✅ | |
Read agent options* | ✅ | ✅ | ✅ | ✅ | |
Edit agent options | ✅ | ✅ | |||
Initiate file carving | ✅ | ✅ | |||
View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | |
Create, edit, and delete configuration profiles for macOS hosts | ✅ | ✅ | ✅ | |
Execute MDM commands on macOS hosts, and read command results* | ✅ | ✅ | |||
Execute MDM commands on macOS hosts* | ✅ | ✅ | |||
View results of MDM commands executed on macOS hosts* | ✅ | ✅ | ✅ | ✅ | |
Edit team MDM settings | ✅ | ✅ | |||
View/download MDM macOS setup assistant | ✅ | ✅ | |||
Edit/upload MDM macOS setup assistant | ✅ | ✅ | ✅ | ||
View metadata of MDM macOS bootstrap packages | ✅ | ✅ | |||
Edit/upload MDM macOS bootstrap packages | ✅ | ✅ | ✅ | ||
Enable/disable MDM macOS setup end user authentication | ✅ | ✅ | ✅ |
* Applies only to Fleet REST API
** Team observers can view all queries but the UI and fleetctl only list the ones they can run (observer can run).