fleet/docs/Using Fleet/manage-access.md

21 KiB

Manage access

Users have different abilities depending on the access level they have.

Roles

Admin

Users with the admin role receive all permissions.

Maintainer

Maintainers can manage most entities in Fleet, like queries, policies, and labels. Unlike admins, maintainers cannot edit higher level settings like application configuration, teams or users.

Observer

The observer role is a read-only role. It can access most entities in Fleet, like queries, policies, labels, application configuration, teams, etc. They can also run queries configured with the observer_can_run flag set to true.

Observer+

Applies only to Fleet Premium

Observer+ is an observer with the added ability to run any query.

GitOps

Applies only to Fleet Premium

GitOps is a modern approach to Continuous Deployment (CD) that uses Git as the single source of truth for declarative infrastructure and application configurations. GitOps is an API-only and write-only role that can be used on CI/CD pipelines.

User permissions

Action Observer Observer+* Maintainer Admin GitOps*
View all activity
View all hosts
Filter hosts using labels
Target hosts using labels
Add and delete hosts
Transfer hosts between teams*
Create, edit, and delete labels
View all software
Filter software by vulnerabilities
Filter hosts by software
Filter software by team*
Manage vulnerability automations
Run queries designated "observer can run" as live queries against all hosts
Run any query as live query against all hosts
Create, edit, and delete queries
View all queries**
Manage query automations
Create, edit, view, and delete packs
View all policies
Filter hosts using policies
Create, edit, and delete policies for all hosts
Create, edit, and delete policies for all hosts assigned to team*
Manage policy automations
Create, edit, view, and delete users
Add and remove team members*
Create, edit, and delete teams*
Create, edit, and delete enroll secrets
Create, edit, and delete enroll secrets for teams*
Read organization settings***
Read Single Sign-On settings***
Read SMTP settings***
Read osquery agent options***
Edit organization settings
Edit agent options
Edit agent options for hosts assigned to teams*
Initiate file carving
Retrieve contents from file carving
View Apple mobile device management (MDM) certificate information
View Apple business manager (BM) information
Generate Apple mobile device management (MDM) certificate signing request (CSR)
View disk encryption key for macOS hosts
Create edit and delete configuration profiles for macOS hosts
Execute MDM commands on macOS hosts***
View results of MDM commands executed on macOS hosts***
Edit MDM settings
Edit MDM settings for teams
Upload an EULA file for MDM automatic enrollment*
View/download MDM macOS setup assistant*
Edit/upload MDM macOS setup assistant*
View metadata of MDM macOS bootstrap packages*
Edit/upload MDM macOS bootstrap packages*
Enable/disable MDM macOS setup end user authentication*

* Applies only to Fleet Premium

** Global observers can view all queries but the UI and fleetctl only list the ones they can run (observer can run).

*** Applies only to Fleet REST API

Team member permissions

Applies only to Fleet Premium

Users in Fleet either have team access or global access.

Users with team access only have access to the hosts, software, and policies assigned to their team.

Users with global access have access to all hosts, software, queries, and policies. Check out the user permissions table above for global user permissions.

Users can be a member of multiple teams in Fleet.

Users that are members of multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.

Action Team observer Team observer+ Team maintainer Team admin Team GitOps
View hosts
Filter hosts using labels
Target hosts using labels
Add and delete hosts
Filter software by vulnerabilities
Filter hosts by software
Filter software
Run queries designated "observer can run" as live queries against hosts
Run any query as live query
Create, edit, and delete only self authored queries
View all queries**
Manage query automations
View policies
View global (inherited) policies
Run global (inherited) policies as a live policy
Filter hosts using policies
Create, edit, and delete team policies
Manage policy automations
Add and remove team members
Edit team name
Create, edit, and delete team enroll secrets
Read organization settings*
Read agent options*
Edit agent options
Initiate file carving
View disk encryption key for macOS hosts
Create edit and delete configuration profiles for macOS hosts
Execute MDM commands on macOS hosts, and read command results*
Execute MDM commands on macOS hosts*
View results of MDM commands executed on macOS hosts*
Edit team MDM settings
View/download MDM macOS setup assistant
Edit/upload MDM macOS setup assistant
View metadata of MDM macOS bootstrap packages
Edit/upload MDM macOS bootstrap packages
Enable/disable MDM macOS setup end user authentication

* Applies only to Fleet REST API

** Team observers can view all queries but the UI and fleetctl only list the ones they can run (observer can run).