fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
2.91k stars, 405 forks

Only maintainers and admins can run scripts #19055

Closed Patagonia121 closed 1 month ago

Patagonia121 commented 3 months ago

Goal

User story
As a Fleet Admin (role),
I want to make sure that only maintainers and admins (no observer or observer+) can run scripts
so that I can grant my IT co-workers Maintainer and up on the "Workstations" team in Fleet and my security co-workers observer+ on all teams (global). Some security folks who are authorized to run scripts will get maintainer.

Context

Changes

Product

Engineering

ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

Interface matrix 1: [API, fleetctl] User matrix: [global observer, global observer+, team observer, team observer+]

  1. Try running a script (either saved or ad-hoc) using the above interfaces x users -- should get a 403 (unauthorized)
  2. Try running a script with global/team admin/maintainer -- should work.

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
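The rule in the user story (only admins and maintainers, global or team, may run scripts; observer and observer+ never) and the user matrix from the manual testing steps, written out as an added Go example. This is not Fleet's own authorization code: the Role and User types, the team-scoping rule (a team role only covers hosts in that team, a host with no team is only reachable by global roles) and the mapping of a denied request to HTTP 403 are assumptions made for this illustration, and the matrix goes beyond the four users in the test steps by also covering a maintainer on a different team.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Role names follow the ones used in this issue (admin, maintainer,
// observer, observer+). The types below are a hypothetical, simplified
// model of a Fleet-style role check, not Fleet's own authorization code.
type Role string

const (
	RoleAdmin        Role = "admin"
	RoleMaintainer   Role = "maintainer"
	RoleObserver     Role = "observer"
	RoleObserverPlus Role = "observer_plus"
)

// User has either a global role or one role per team (assumed model).
type User struct {
	Name       string
	GlobalRole *Role
	TeamRoles  map[uint]Role // team ID -> role
}

// ErrForbidden is the failure the manual test steps expect observers to hit.
var ErrForbidden = errors.New("forbidden: only admins and maintainers can run scripts")

// roleCanRunScripts encodes the rule in the user story: write roles only.
func roleCanRunScripts(r Role) bool {
	return r == RoleAdmin || r == RoleMaintainer
}

// CanRunScript decides whether u may run a script on a host that belongs to
// hostTeamID (nil for a host with no team):
//   - global admin/maintainer: any host
//   - team admin/maintainer: only hosts in that team (assumed scoping)
//   - observer / observer+ (global or team): never
func CanRunScript(u User, hostTeamID *uint) bool {
	if u.GlobalRole != nil {
		return roleCanRunScripts(*u.GlobalRole)
	}
	if hostTeamID == nil {
		return false // hosts with no team are only reachable by global roles
	}
	r, ok := u.TeamRoles[*hostTeamID]
	return ok && roleCanRunScripts(r)
}

// AuthorizeRunScript maps the decision to the status a caller of the API or
// fleetctl would see: 200 when allowed, 403 when not.
func AuthorizeRunScript(u User, hostTeamID *uint) (int, error) {
	if !CanRunScript(u, hostTeamID) {
		return http.StatusForbidden, ErrForbidden
	}
	return http.StatusOK, nil
}

func rolePtr(r Role) *Role { return &r }
func uintPtr(n uint) *uint { return &n }

// Matrix runs the user matrix from the testing steps (plus the write roles
// and a maintainer on another team) against a host in team 1 and returns
// the status each constructed user gets.
func Matrix() map[string]int {
	workstations := uint(1)
	users := []User{
		{Name: "global observer", GlobalRole: rolePtr(RoleObserver)},
		{Name: "global observer+", GlobalRole: rolePtr(RoleObserverPlus)},
		{Name: "team observer", TeamRoles: map[uint]Role{workstations: RoleObserver}},
		{Name: "team observer+", TeamRoles: map[uint]Role{workstations: RoleObserverPlus}},
		{Name: "global admin", GlobalRole: rolePtr(RoleAdmin)},
		{Name: "global maintainer", GlobalRole: rolePtr(RoleMaintainer)},
		{Name: "team admin", TeamRoles: map[uint]Role{workstations: RoleAdmin}},
		{Name: "team maintainer", TeamRoles: map[uint]Role{workstations: RoleMaintainer}},
		{Name: "other-team maintainer", TeamRoles: map[uint]Role{2: RoleMaintainer}},
	}
	out := make(map[string]int, len(users))
	for _, u := range users {
		status, _ := AuthorizeRunScript(u, uintPtr(workstations))
		out[u.Name] = status
	}
	return out
}

func main() {
	for name, status := range Matrix() {
		fmt.Printf("%-22s -> %d\n", name, status)
	}
}
```

Running the block prints one line per user in the matrix; every observer and observer+ variant, and the maintainer whose team does not own the host, ends up with 403, while the global and same-team admin/maintainer users get 200.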
Patagonia121 commented 3 months ago

@nonpunctual intook this FR today from customer-faltona, feel free to edit/modify as you see fit. Maybe we can tag customer-rocher as well?

cc @dherder

Patagonia121 commented 3 months ago

An alternate view of these permissions with a bit more context:

Screenshot 2024-05-15 at 19 14 35
nonpunctual commented 3 months ago

customer-reedtimmer also expressed additional control over script security. Currently controlling with packages but also could see use cases for controls at Fleet admin user level.

noahtalerman commented 3 months ago

@nonpunctual and @Patagonia121 thanks for tracking this one.

Added customer-rocher to this one.

Looking forward to chatting w/ them on Monday (2024-05-20)

noahtalerman commented 3 months ago

Hey @Patagonia121 heads up, I updated this issue to user story format and moved your original issue description (awesome description) below:


Summary

Customer requires more granular control over permissions for running and executing scripts within their Fleet MDM instance. This feature will allow specific teams, such as engineering or IT, to execute scripts without granting access to all users, particularly those in the security team.

Background

Currently, script execution permissions within Fleet MDM are too broad, creating a roadblock for customers that need to limit script execution to certain teams. This particular customer has had to disable script execution across their entire system to prevent unauthorized use, which has hindered their operations. They need a solution that allows more tailored permissions to enhance security while maintaining functionality for authorized teams.

Desired Functionality

  1. Granular Permission Settings: Implement a system that allows administrators to set script execution permissions at a more granular level. This should include the ability to:
     • Assign script execution rights to specific teams or roles.
     • Restrict script execution from certain users or teams (e.g., security team).
  2. Endpoint-Specific Permissions: Allow admins to tailor script execution permissions based on different endpoints within their Fleet MDM instance. This ensures that only authorized personnel can run scripts on designated devices or groups of devices.
  3. Audit and Logging: Include auditing and logging capabilities to track script execution activities. Administrators should be able to monitor who executed scripts, when, and on which endpoints.

Benefits

  • Enhanced Security: By restricting script execution to authorized teams, the risk of unauthorized actions is minimized.
  • Operational Efficiency: Allows teams like engineering and IT to perform necessary script-based tasks without broad access limitations.
  • Compliance: Helps organizations adhere to internal security policies and regulatory requirements.

noahtalerman commented 3 months ago

Marko: We could add an "Observers can run" option to scripts. Like we do for live queries.

Noah: I think this is a great idea. Let's come back to this when a customer is trying to enable help desk.

sharon-fdm commented 2 months ago

Est: FE 1 BE 2

georgekarrv commented 2 months ago

@noahtalerman does this conflict with any other customers we have that might use observer+ for their support staff that use run save script to attempt to fix some known issues? Would this break them and is that acceptable? Thinking about customer-eponym here.

georgekarrv commented 2 months ago

https://github.com/fleetdm/fleet/issues/19055#issuecomment-2142486129 basically I am saying I think we already have this customer

noahtalerman commented 2 months ago

does this conflict with any other customers we have that might use observer+ for their support staff that use run save script to attempt to fix some known issues? Would this break them and is that acceptable? Thinking about customer-eponym here.

@georgekarrv I don't think any customers are letting users w/ observer or observer+ role run scripts.

@zayhanlon and @Patagonia121 please let me know if you think we're wrong.

nonpunctual commented 2 months ago

My 2¢ on this is that, if possible, we should try to think about allowing users to assign granular capabilities to administrator access levels, not pre-bundling capabilities into levels for them, unless those groupings of capabilities are well understood as something that will be useful to 80/20% of customers rather than one thing that one customer requested.

getvictor commented 2 months ago

Backend portion merged to main. Moving back to ready for @jacobshandling

zayhanlon commented 2 months ago

@nonpunctual we discussed this when the request for more granular roles came up (when we added GitOps and Observer+) for a customer last year but the scope of work is large and we needed to get something out faster / more aligned to our sprint cadence. Something we could do for the future but not soon

zayhanlon commented 2 months ago

@noahtalerman @georgekarrv @marko-lisica

The feedback from customer-eponym is "What would be ideal for us would be being able to selectively allow some scripts or all scripts, as something observer roles could run and have the default be the script runs being locked to maintainer. Then we could be very granular about it if need be."

noahtalerman commented 1 month ago

Hey @Patagonia121 heads up that this customer request was shipped in Fleet 4.54.

Updating the permissions docs is still TODO. The open PR is here: https://github.com/fleetdm/fleet/pull/20624

Also, updating features.yml is still TODO: https://github.com/fleetdm/fleet/blob/main/handbook/company/pricing-features-table.yml#L87

I assigned myself.

noahtalerman commented 1 month ago

Also, updating features.yml is still TODO: https://github.com/fleetdm/fleet/blob/main/handbook/company/pricing-features-table.yml#L87

PR is up here: https://github.com/fleetdm/fleet/pull/20682

fleet-release commented 1 month ago

In Fleet's glass city,
Scripts run by those trusted,
Safe, with no pity.