fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

New "Operator" role #23268

Open ddribeiro opened 1 month ago

ddribeiro commented 1 month ago

In addition to Observer permissions, the role should be able to:

  1. View disk encryption recovery keys
  2. Remote lock/wipe devices
  3. Perform install software action from software library on individual hosts
  4. Run scripts on individual hosts

The role should not be able to:

  1. Transfer hosts between teams in Fleet
  2. Upload/add new software installers to Fleet
  3. Upload/add new scripts to Fleet
  4. Possibly not be able to add/create new queries
  5. Run queries on a batch of devices (performance concerns)

JoStableford commented 1 month ago

Linked to Unthread ticket:

Conversation #3408

noahtalerman commented 4 weeks ago

@ddribeiro thanks for tracking this one. Do we have a Gong snippet from eponym?

noahtalerman commented 4 weeks ago

Problem

customer-eponym would like to grant a set of user permissions to their help desk staff that is not covered by existing roles. The desired set of permissions likely sits somewhere between Observer+ and Maintainer. Notes from our call:

Requirements: (Not listed in any order)

  1. View disk encryption recovery keys
  2. Remote lock/wipe devices
  3. Perform install software action from software library on individual hosts
  4. Run scripts on individual hosts

The role should not be able to:

  1. Transfer hosts between teams in Fleet
  2. Upload/add new software installers to Fleet
  3. Upload/add new scripts to Fleet
  4. Possibly not be able to add/create new queries
  5. Run queries on a batch of devices (performance concerns)

To finalize what this new role should and shouldn't be able to do, we are going to ask the customer to look through our existing role based access documentation and select what actions they want to have.

What have you tried?

The customer looked at the existing set of user permissions and found that Observer+ did not offer enough capability and Maintainer offered too much.

Specifically:

Potential solutions

Potential solutions include either:

  1. Building RBAC to allow Fleet admins to create custom roles with specific sets of permissions
  2. Create a new role that would fit between Observer+ and Maintainer that fits customer-eponym's use case.

What is the expected workflow as a result of your proposal?

As a result of this workflow, `customer-eponym` would allow their help desk staff to log into Fleet and perform specific (possibly time sensitive) actions like lock/wipe device. They would be able to use Fleet to triage support issues (running queries on specific hosts) or remediate (running scripts on specific hosts) from Fleet. They _would not_ have the ability to add or modify anything in Fleet itself, like adding new queries, scripts, or transferring hosts between

noahtalerman commented 4 weeks ago

To finalize what this new role should and shouldn't be able to do, we are going to ask the customer to look through our existing role based access documentation and select what actions they want to have.

@ddribeiro did we already do this exercise w/ the customer? I'm not sure if this request is ready to go through the unpacking the why ritual: https://fleetdm.com/handbook/product-design#unpacking-the-why

noahtalerman commented 3 weeks ago

To finalize what this new role should and shouldn't be able to do, we are going to ask the customer to look through our existing role based access documentation and select what actions they want to have.

Hey @ddribeiro just giving you another ping!

Did we already do this exercise w/ the customer? Is the list of actions that came out of this exercise the same as the ones in the issue description?

ddribeiro commented 3 weeks ago

@noahtalerman Apologies, I was offsite for a different customer last week and did not follow up on this. I just pinged customer-eponym to clarify if the list of actions in the issue is sufficient or if they want to go through the existing list of actions and pick which ones they'd want.

cc: @Patagonia121

lashomb commented 3 weeks ago

Thanks @ddribeiro for tracking this. I think in the end this role would be what we were calling 'operator' or observer+. So you would have three roles in order of least to most privilege: Observer (read-only), Operator (use but not create new policies or tooling) and Admin (full control).

noahtalerman commented 3 weeks ago

Thanks @lashomb. Heads up that we already have an observer+ role: https://fleetdm.com/guides/role-based-access#user-permissions

So maybe this becomes a fourth role? I like "Operator"

JoStableford commented 3 weeks ago

Linked to Unthread ticket:

Conversation #3495