Permissions

Users have different abilities depending on the access level they have.

Users with the Admin role receive all permissions.

User permissions

Action	Observer	Maintainer	Admin
View all activity	✅	✅	✅
View all hosts	✅	✅	✅
Filter hosts using labels	✅	✅	✅
Target hosts using labels	✅	✅	✅
Add and delete hosts		✅	✅
Transfer hosts between teams*		✅	✅
Create, edit, and delete labels		✅	✅
View all software	✅	✅	✅
Filter software by vulnerabilities	✅	✅	✅
Filter hosts by software	✅	✅	✅
Filter software by team*	✅	✅	✅
Manage vulnerability automations			✅
Run only designated, observer can run ,queries as live queries against all hosts	✅	✅	✅
Run any query as live query against all hosts		✅	✅
Create, edit, and delete queries		✅	✅
View all queries	✅	✅	✅
Add, edit, and remove queries from all schedules		✅	✅
Create, edit, view, and delete packs		✅	✅
View all policies	✅	✅	✅
Filter hosts using policies	✅	✅	✅
Create, edit, and delete policies for all hosts		✅	✅
Create, edit, and delete policies for all hosts assigned to team*		✅	✅
Manage policy automations			✅
Create, edit, view, and delete users			✅
Add and remove team members*			✅
Create, edit, and delete teams*			✅
Create, edit, and delete enroll secrets		✅	✅
Create, edit, and delete enroll secrets for teams*		✅	✅
Edit organization settings			✅
Edit agent options			✅
Edit agent options for hosts assigned to teams*			✅
Initiate file carving		✅	✅
Retrieve contents from file carving			✅
View Apple mobile device management (MDM) certificate information			✅
View Apple business manager (BM) information			✅
Generate Apple mobile device management (MDM) certificate signing request (CSR)			✅

*Applies only to Fleet Premium

Team member permissions

Applies only to Fleet Premium

Users in Fleet either have team access or global access.

Users with team access only have access to the hosts, software, schedules , and policies assigned to their team.

Users with global access have access to all hosts, software, queries, schedules , and policies. Check out the user permissions table above for global user permissions.

Users can be a member of multiple teams in Fleet.

Users that are members of multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.

Action	Team observer	Team maintainer	Team admin
View hosts	✅	✅	✅
Filter hosts using labels	✅	✅	✅
Target hosts using labels	✅	✅	✅
Add and delete hosts		✅	✅
Filter software by vulnerabilities	✅	✅	✅
Filter hosts by software	✅	✅	✅
Filter software	✅	✅	✅
Run only designated, observer can run ,queries as live queries against all hosts	✅	✅	✅
Run any query as live query		✅	✅
Create, edit, and delete only self authored queries		✅	✅
Add, edit, and remove queries from the schedule		✅	✅
View policies	✅	✅	✅
View global (inherited) policies	✅	✅	✅
Filter hosts using policies	✅	✅	✅
Create, edit, and delete policies		✅	✅
Manage policy automations			✅
Add and remove team members			✅
Edit team name			✅
Create, edit, and delete team enroll secrets		✅	✅
Edit agent options			✅
Initiate file carving		✅	✅

Need more help?

Ask the community on Slack

Did we miss anything?

If you notice something we've missed or could be improved on, please follow this link and submit a pull request to the Fleet repo.

Fleet documentation

{{page.title}}

Permissions

Permissions

User permissions

Team member permissions

Need more help?

Did we miss anything?

SUCCESS STORIES

Fleet documentation

{{page.title}}

Permissions

Permissions

User permissions

Team member permissions

Need more help?

Did we miss anything?