Open pacamaster opened 3 months ago
@pacamaster thanks for tracking this.
It sounds like they want help desk folks to be able to run some scripts.
Admin/maintainers could enable certain helpful scripts that have been vetted
Do you know some example scripts and what role specifically would be running these scripts?
These exact use cases will help us arrive at the best solution.
Internal slack link: https://fleetdm.slack.com/archives/C072L58U878/p1721233034479249
Comments from the customer:
- for security/RBAC compliance, we need roles with the minimum amount of access needed to do their job, and the existing defined roles might be too permissive for what we need
- our automation team would need something like the "maintainer" role, but with fewer permissions. The GitOps role doesn't quite fit, but the maintainer role is a bit more permissive than they need
- the main permission that is missing between Observer+ and Maintainer is the ability to edit/upload saved scripts (reasoning here is to push files to a device)
@noahtalerman
Additional feedback that I provided from customer-eponym: https://github.com/fleetdm/fleet/issues/19055#issuecomment-2191754190
@noahtalerman
Suggestion from Mike: Observer+ to run all self-service scripts, as opposed to a script-by-script checkbox.
Problem
Currently, we have Observers+ configured that are not able to run scripts to assist clients. We want specific scripts that could be helpful to be run, similar to allowing queries to be run.
What have you tried?
We do not have a workaround. We have to be a role that can run scripts. We either have to find someone else with the correct role, or be assigned a role temporarily.
Potential solutions
Have a checkbox or dropdown on scripts as "Observer+ can run this"
What is the expected workflow as a result of your proposal?
Admin/maintainers could enable certain helpful scripts that have been vetted, and could then remediate and better assist clients faster.