empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 17:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d425367c9e
fleet/docs/Using-Fleet/Permissions.md
Noah Talerman ddb5ba4e07
Update Permissions docs (#10440) 
- Global observers can read configuration via the API (not the UI)
- Team observers can read team configuration via the API (not the UI)
2023-03-13 15:26:06 -04:00

13 KiB
Raw Blame History

Permissions

Users have different abilities depending on the access level they have.

Users with the Admin role receive all permissions.

User permissions

Action Observer Maintainer Admin
View all activity
View all hosts
Filter hosts using labels
Target hosts using labels
Add and delete hosts
Transfer hosts between teams*
Create, edit, and delete labels
View all software
Filter software by vulnerabilities
Filter hosts by software
Filter software by team*
Manage vulnerability automations
Run only designated, observer can run ,queries as live queries against all hosts
Run any query as live query against all hosts
Create, edit, and delete queries
View all queries
Add, edit, and remove queries from all schedules
Create, edit, view, and delete packs
View all policies
Filter hosts using policies
Create, edit, and delete policies for all hosts
Create, edit, and delete policies for all hosts assigned to team*
Manage policy automations
Create, edit, view, and delete users
Add and remove team members*
Create, edit, and delete teams*
Create, edit, and delete enroll secrets
Create, edit, and delete enroll secrets for teams*
Read organization settings and agent options**
Edit organization settings
Edit agent options
Edit agent options for hosts assigned to teams*
Initiate file carving
Retrieve contents from file carving
View Apple mobile device management (MDM) certificate information
View Apple business manager (BM) information
Generate Apple mobile device management (MDM) certificate signing request (CSR)
View disk encryption key for macOS hosts enrolled in Fleet's MDM
Create edit and delete configuration profiles for macOS hosts enrolled in Fleet's MDM

*Applies only to Fleet Premium

** Applies only to Fleet REST API

Team member permissions

Applies only to Fleet Premium

Users in Fleet either have team access or global access.

Users with team access only have access to the hosts, software, schedules , and policies assigned to their team.

Users with global access have access to all hosts, software, queries, schedules , and policies. Check out the user permissions table above for global user permissions.

Users can be a member of multiple teams in Fleet.

Users that are members of multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.

Action Team observer Team maintainer Team admin
View hosts
Filter hosts using labels
Target hosts using labels
Add and delete hosts
Filter software by vulnerabilities
Filter hosts by software
Filter software
Run only designated, observer can run ,queries as live queries against all hosts
Run any query as live query
Create, edit, and delete only self authored queries
Add, edit, and remove queries from the schedule
View policies
View global (inherited) policies
Filter hosts using policies
Create, edit, and delete policies
Manage policy automations
Add and remove team members
Edit team name
Create, edit, and delete team enroll secrets
Read agent options*
Edit agent options
Initiate file carving
View disk encryption key for macOS hosts enrolled in Fleet's MDM
Create edit and delete configuration profiles for macOS hosts enrolled in Fleet's MDM

* Applies only to Fleet REST API