{{thisPage.meta.articleTitle}}
search

Role-based access

{{articleSubtitle}}

| The author's GitHub profile picture

Noah Talerman

Role-based access

{{articleSubtitle}}

| The author's GitHub profile picture

Noah Talerman

Role-based access

Users have different abilities depending on the access level they have.

Roles

Admin

Users with the admin role receive all permissions.

Maintainer

Maintainers can manage most entities in Fleet, like queries, policies, and labels. Unlike admins, maintainers cannot edit higher level settings like application configuration, teams or users.

Observer

The observer role is a read-only role. It can access most entities in Fleet, like queries, policies, labels, application configuration, teams, etc. They can also run queries configured with the observer_can_run flag set to true.

Observer+

Applies only to Fleet Premium

Observer+ is an observer with the added ability to run any query.

GitOps

Applies only to Fleet Premium

GitOps is a modern approach to Continuous Deployment (CD) that uses Git as the single source of truth for declarative infrastructure and application configurations. GitOps is an API-only and write-only role that can be used on CI/CD pipelines.

User permissions

Action Observer Observer+* Maintainer Admin GitOps*
View all activity
Manage activity automations
View all hosts
View a host by identifier
Filter hosts using labels
Target hosts using labels
Add/remove manual labels to/from hosts
Add and delete hosts
Transfer hosts between teams*
Create, edit, and delete labels
View all software
Add, edit, and delete software
Download added software
Install/uninstall software on hosts
Filter software by vulnerabilities
Filter hosts by software
Filter software by team*
Manage vulnerability automations
Run queries designated "observer can run" as live queries against all hosts
Run any query as live query against all hosts
Create, edit, and delete queries
View all queries and their reports
Manage query automations
Create, edit, view, and delete packs
View all policies
Run all policies
Filter hosts using policies
Create, edit, and delete policies for all hosts
Create, edit, and delete policies for all hosts assigned to team*
Edit global ("All teams") policy automations
Edit team policy automations: calendar events, install software, and run script*
Edit team policy automations: other workflows (tickets and webhooks)*
Create, edit, view, and delete users
Add and remove team users*
Create, edit, and delete teams*
Create, edit, and delete enroll secrets
Create, edit, and delete enroll secrets for teams*
Read organization settings**
Read Single Sign-On settings**
Read SMTP settings**
Read osquery agent options**
Edit organization settings
Edit agent options
Edit agent options for hosts assigned to teams*
Initiate file carving
Retrieve contents from file carving
Create Apple Push Certificates service (APNs) certificate signing request (CSR)
View, edit, and delete APNs certificate
View, edit, and delete Apple Business Manager (ABM) connections
View, edit, and delete Volume Purchasing Program (VPP) connections
View disk encryption key for macOS and Windows hosts
Edit OS updates for macOS, Windows, iOS, and iPadOS hosts
Create, edit, resend and delete configuration profiles for macOS and Windows hosts
Execute MDM commands on macOS and Windows hosts**
View results of MDM commands executed on macOS and Windows hosts**
Edit MDM settings
Edit MDM settings for teams
View all MDM settings
Edit macOS setup experience*
Edit end user license agreement (EULA)*
Run scripts on hosts
View saved scripts*
Edit/upload saved scripts*
Lock, unlock, and wipe hosts*

* Applies only to Fleet Premium

** Applies only to Fleet REST API

Team user permissions

Applies only to Fleet Premium

Users in Fleet either have team access or global access.

Users with team access only have access to the hosts, software, and policies assigned to their team.

Users with global access have access to all hosts, software, queries, and policies. Check out the user permissions table above for global user permissions.

Users can be assigned to multiple teams in Fleet.

Users with access to multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.

Action Team observer Team observer+ Team maintainer Team admin Team GitOps
View hosts
View a host by identifier
Filter hosts using labels
Target hosts using labels
Add/remove manual labels to/from hosts
Add and delete hosts
View software
Add and delete software
Download added software
Install/uninstall software on hosts
Filter software by vulnerabilities
Filter hosts by software
Filter software
Run queries designated "observer can run" as live queries against hosts
Run any query as live query
Create, edit, and delete only self authored queries
View team queries and their reports
View global (inherited) queries and their reports**
Manage query automations
View team policies
Run team policies as a live policy
View global (inherited) policies
Run global (inherited) policies as a live policy
Filter hosts using policies
Create, edit, and delete team policies
Edit team policy automations: calendar events, install software, and run script
Edit team policy automations: other workflows (tickets and webhooks)
Add and remove team users
Edit team name
Create, edit, and delete team enroll secrets
Read organization settings*
Read agent options*
Edit agent options
Initiate file carving
View disk encryption key for macOS hosts
Edit OS updates for macOS, Windows, iOS, and iPadOS hosts
Create, edit, resend and delete configuration profiles for macOS and Windows hosts
Execute MDM commands on macOS and Windows hosts*
View results of MDM commands executed on macOS and Windows hosts*
Edit team MDM settings
Edit macOS setup experience*
Run scripts on hosts
View saved scripts
Edit/upload saved scripts
View script details by host
Lock, unlock, and wipe hosts

* Applies only to Fleet REST API

** Team-level users only see global query results for hosts on teams where they have access.