fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Policy > Manage automations: maintainers can't turn on/off calendar automations for policies #23448

Open iansltx opened 3 weeks ago

iansltx commented 3 weeks ago

Fleet version: 4.57.0+ (installs), 4.58.0+ (scripts)


💥  Actual behavior

Per @RachelElysia's comment, maintainers can't set policy automations for software installs or script runs in the UI, though they can in the API. Per today's design review outcome, the API permission is the reasonable one here, so we should match that in the UI.

🧑‍💻  Steps to reproduce

  1. Add a policy to a team
  2. While logged in as a Maintainer, observe that policy automations on the team are unavailable

🛠️ To fix

Show the policy automation drop-down in team-specific view, containing script and install automation options, for Maintainers, subject to the gating we do by license type.

RachelElysia commented 2 weeks ago

Please add your planning poker estimate with Zenhub @jacobshandling

RachelElysia commented 2 weeks ago

Add quick test if time allows

RachelElysia commented 1 week ago

I just tested this manually, maintainers have access to the API for install software and run script but not for calendar events and other workflows (errors: [{name: "base", reason: "forbidden"}]).

I'm thinking for maintainers, we should show the dropdown but disable calendar events and other workflows with a tooltip OR we should remove calendar events and other workflows from the dropdown.

wdyt? @rachaelshaw / @noahtalerman

Visual of admin dropdown and what works for maintainers and what doesn't:

[Screenshot 2024-11-13 at 4 31 26 PM]

RachelElysia commented 1 week ago

Adding this to my plate since I think we should get this into 4.60 major release as we are preventing major flows for maintainers in the UI that are available in the API.

rachaelshaw commented 1 week ago

Here are the permissions we have documented, looks like this doesn't quite match up with what @RachelElysia found (says maintainers can manage calendar events):

[Screenshot 2024-11-14 at 11 25 24 AM]

iansltx commented 1 week ago

@rachaelshaw Calendar events permissions mismatch is covered in #23483. The issue there is that the current modal covers both things that a maintainer is allowed to do (toggling per policy) and things that require an admin (setting the web hook and turning on/off calendar integrations entirely).

RachelElysia commented 1 week ago

Check other workflows APIs if maintainer has access to either of them

RachelElysia commented 1 week ago

@rachaelshaw decide if we should try to fix in 4.60

RachelElysia commented 1 week ago

related to #23483

eugkuo commented 2 days ago

@RachelElysia & @rachaelshaw

Per our discussion, I've created the following two wireframes:

  1. Calendar event modal for maintainer roles
     a. Removed the enable switch
     b. Removed webhook URL
     c. Note: I've retained the preview link and have it rendering on the same line as the "Show example payload" action. LMK if y'all see any issues with this.
  2. Manage automations dropdown for maintainer roles
     a. Disabled the "Calendar events" option and added a tooltip to tell a maintainer how to enable this. LMK what y'all think of verbiage.
     b. Removed the "Other workflows" option.
     c. Question: I notice that there is a case in which policies are not added to a team, which greys out the "Calendar events" and shows a tooltip to Select a team to manage. I imagine this tooltip will take precedence and then the tooltip rendered here would show only for maintainers that have put a policy on a team who do not have access to Calendar events. Thoughts?

LMK what you think. I'm also not sure of the process on how to move tickets along. I'm assuming this ticket should not move until we've all approved the above, after which I'll move these sections to the "Ready" page?