Policy > Manage automations: maintainers can't turn on/off calendar automations for policies #23448

Closed
iansltx opened this issue Nov 1, 2024 · 17 comments
Labels: bug, ~frontend, #g-orchestration, :release, ~released bug

@iansltx

iansltx commented Nov 1, 2024


Fleet version: 4.57.0+ (installs), 4.58.0+ (scripts)


💥  Actual behavior

Per @RachelElysia's comment, maintainers can't set policy automations for software installs or script runs in the UI, though they can in the API. Per today's design review outcome, the API permission is the reasonable one here, so we should match that in the UI.

🧑‍💻  Steps to reproduce

  1. Add a policy to a team
  2. While logged in as a Maintainer, observe that policy automations on the team are unavailable

🛠️ To fix

Per our discussion, I've created the following two wireframes:

Calendar event modal for maintainer roles

  1. Removed the enable switch
  2. Removed webhook URL
  3. Note: I've retained the preview link and have it rendering on the same line as the "Show example payload" action. LMK if y'all see any issues with this.

Manage automations dropdown for maintainer roles

  1. Disabled the "Calendar events" option and added a tooltip to tell a maintainer how to enable this. LMK what y'all think of verbiage.
  2. Removed the "Other workflows" option.
  3. Question: I notice that there is a case in which policies are not added to a team, which greys out the "Calendar events" and shows a tooltip to Select a team to manage. I imagine this tooltip will take precedence and then the tooltip rendered here would show only for maintainers that have put a policy on a team who do not have access to Calendar events. Thoughts?
@iansltx added the #g-endpoint-ops, :incoming, :release, :reproduce, bug, ~frontend and ~released bug labels Nov 1, 2024
@iansltx changed the title from "Maintainers should be able to apply install/script automations" to "Maintainers should be able to apply install/script automations from the UI" Nov 1, 2024
@RachelElysia

Please add your planning poker estimate with Zenhub @jacobshandling

@RachelElysia

Add quick test if time allows

@RachelElysia

RachelElysia commented Nov 13, 2024

I just tested this manually, maintainers have access to the API for install software and run script but not for calendar events and other workflows (errors: [{name: "base", reason: "forbidden"}]).

I'm thinking for maintainers, we should show the dropdown but disable calendar events and other workflows with a tooltip OR we should remove calendar events and other workflows from the dropdown.

wdyt? @rachaelshaw / @noahtalerman

Visual of admin dropdown and what works for maintainers and what doesn't:
Screenshot 2024-11-13 at 4 31 26 PM

@RachelElysia self-assigned this Nov 13, 2024
@RachelElysia

Adding this to my plate since I think we should get this into 4.60 major release as we are preventing major flows for maintainers in the UI that are available in the API.

@rachaelshaw

Here's the permissions we have documented, looks like this doesn't quite match up with what @RachelElysia found (says maintainers can manage calendar events):
Screenshot 2024-11-14 at 11 25 24 AM

@iansltx

iansltx commented Nov 14, 2024

@rachaelshaw Calendar events permissions mismatch is covered in #23483. The issue there is that the current modal covers both things that a maintainer is allowed to do (toggling per policy) and things that require an admin (setting the web hook and turning on/off calendar integrations entirely).

@RachelElysia

Check other workflows APIs if maintainer has access to either of them

@RachelElysia

@rachaelshaw decide if we should try to fix in 4.60

@RachelElysia

related to #23483

@noahtalerman changed the title from "Maintainers should be able to apply install/script automations from the UI" to "Policy > Manage automations: maintainers can't turn on/off calendar automations for policies" Nov 15, 2024
@noahtalerman assigned eugkuo and unassigned RachelElysia Nov 15, 2024
@noahtalerman added the :product label and removed the :release label Nov 15, 2024
@sharon-fdm removed the :reproduce label Nov 18, 2024
@eugkuo

eugkuo commented Nov 19, 2024

@RachelElysia & @rachaelshaw

Per our discussion, I've created the following two wireframes:

  1. Calendar event modal for maintainer roles
    a. Removed the enable switch
    b. Removed webhook URL
    c. Note: I've retained the preview link and have it rendering on the same line as the "Show example payload" action. LMK if y'all see any issues with this.
  2. Manage automations dropdown for maintainer roles
    a. Disabled the "Calendar events" option and added a tooltip to tell a maintainer how to enable this. LMK what y'all think of verbiage.
    b. Removed the "Other workflows" option.
    c. Question: I notice that there is a case in which policies are not added to a team, which greys out the "Calendar events" and shows a tooltip to Select a team to manage. I imagine this tooltip will take precedence and then the tooltip rendered here would show only for maintainers that have put a policy on a team who do not have access to Calendar events. Thoughts?

LMK what you think. I'm also not sure of the process on how to move tickets along. I'm assuming this ticket should not move until we've all approved the above, after which I'll move these sections to the "Ready" page?

@eugkuo removed the :product label Nov 22, 2024
@eugkuo added the :release label Nov 22, 2024
@eugkuo assigned sharon-fdm and unassigned eugkuo Nov 22, 2024
@sharon-fdm removed their assignment Nov 25, 2024
@sharon-fdm removed the :incoming label Dec 9, 2024
@RachelElysia

Adding to my plate since I already started this and a little blocked this morning on any current tickets.

@RachelElysia self-assigned this Dec 9, 2024
@RachelElysia

RachelElysia commented Dec 9, 2024

> Per our discussion, I've created the following two wireframes:
>
>   1. Calendar event modal for maintainer roles
>     a. Removed the enable switch
>     b. Removed webhook URL
>     c. Note: I've retained the preview link and have it rendering on the same line as the "Show example payload" action. LMK if y'all see any issues with this.
>   2. Manage automations dropdown for maintainer roles
>     a. Disabled the "Calendar events" option and added a tooltip to tell a maintainer how to enable this. LMK what y'all think of verbiage.
>     b. Removed the "Other workflows" option.
>     c. Question: I notice that there is a case in which policies are not added to a team, which greys out the "Calendar events" and shows a tooltip to Select a team to manage. I imagine this tooltip will take precedence and then the tooltip rendered here would show only for maintainers that have put a policy on a team who do not have access to Calendar events. Thoughts?
>
> LMK what you think. I'm also not sure of the process on how to move tickets along. I'm assuming this ticket should not move until we've all approved the above, after which I'll move these sections to the "Ready" page?

I was able to implement as you described and looks good to me! @eugkuo

@RachelElysia added this to the 4.62.0-tentative milestone Dec 10, 2024
@jmwatts

jmwatts commented Dec 23, 2024

QA Notes:

  • Maintainer can enable "Install software" automation for team policies
  • Maintainer can enable "Run script" automation for team policies
  • Tooltip to "Select a team to manage calendar events" takes precedence when logged in as an Admin but a team is not selected
  • Tooltip to "Contact a user with an admin role for access" is rendered only for maintainers when the team does not have calendar events enabled for team policies.
  • Maintainer is able to view calendar events modal once calendar events have been enabled for the team by an admin
  • Maintainer can enable specific team policy calendar events for team(s) they have access to, but can not enable calendar events for inherited policies
  • Maintainer is NOT able to toggle "enable/disable calendar events" for a team
  • Maintainer does NOT have access to view "Resolution webhook URL"
  • Maintainer still has access to "Show example payload" dropdown
  • Maintainer still has access to "Preview calendar event" modal (via link at top of Calendar events modal and "⏿ Preview" link for each policy).
  • Admin is able to toggle "enable/disable calendar events" for teams as well as enable specific team policy calendar events
  • Admin has access to view/edit "Resolution webhook URL"
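
The QA notes above amount to a small permission matrix with one precedence rule. As an added illustration (not Fleet's frontend code and not part of the original thread; the type names, function names and option keys are hypothetical), the matrix can be written as pure functions so the tooltip precedence and the maintainer restrictions are testable:

```typescript
// Added illustration; type and function names are hypothetical, not Fleet's code.
type Role = "admin" | "maintainer";
type Option = "calendar_events" | "install_software" | "run_script" | "other_workflows";
interface Ctx { role: Role; teamSelected: boolean; calendarEnabledForTeam: boolean }
interface OptionState { option: Option; disabled: boolean; tooltip?: string }

// Tooltip strings as quoted in the QA notes.
const SELECT_TEAM = "Select a team to manage calendar events";
const CONTACT_ADMIN = "Contact a user with an admin role for access";

function dropdownOptions(ctx: Ctx): OptionState[] {
  const options: Option[] = ["calendar_events", "install_software", "run_script"];
  // "Other workflows" is removed for maintainers (the API answers "forbidden").
  if (ctx.role === "admin") options.push("other_workflows");

  return options.map((option): OptionState => {
    if (option === "other_workflows") return { option, disabled: false };
    // Assumption: the three team-scoped options are disabled until a team is
    // selected. Checking this first gives the select-a-team tooltip precedence.
    if (!ctx.teamSelected) {
      return option === "calendar_events"
        ? { option, disabled: true, tooltip: SELECT_TEAM }
        : { option, disabled: true };
    }
    // Maintainers cannot turn the team-level integration on themselves.
    if (option === "calendar_events" && ctx.role === "maintainer" && !ctx.calendarEnabledForTeam) {
      return { option, disabled: true, tooltip: CONTACT_ADMIN };
    }
    return { option, disabled: false };
  });
}

// Controls inside the calendar events modal, per role.
function calendarModal(ctx: Ctx, policyInherited: boolean) {
  const isAdmin = ctx.role === "admin";
  return {
    canToggleTeamCalendar: isAdmin, // team-wide enable/disable switch
    canViewWebhookUrl: isAdmin,     // "Resolution webhook URL" field
    // The page restricts inherited policies for maintainers only; allowing
    // them for admins here is an assumption.
    canTogglePolicy: ctx.calendarEnabledForTeam && (isAdmin || !policyInherited),
    canPreview: true,               // preview and example payload stay visible
  };
}
```
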

@sharon-fdm added the #g-orchestration label Jan 2, 2025
@jmwatts

jmwatts commented Jan 2, 2025

@eugkuo and @RachelElysia
QA Wolf noticed something I didn't and I just wanted to make sure it was intended. Before this change Global Maintainers didn't see the "Manage automations" option when "All Teams" was selected, now they see the option but all of the automations are greyed out with a message to choose a team. So I guess functionally the same access but different presentation in the UI. Is this correct or something we need to change?
image
image

@eugkuo

eugkuo commented Jan 2, 2025

@jmwatts Weird that this would have just "happened." I don't mind keeping the 'Manage automations' UI there when 'All teams' is selected so stuff doesn't appear and disappear off the screen. But if I were to do this, I would grey out the 'Manage automations' entirely with a tooltip to select a team in cases where everything underneath is in the same state.

Is this something that was introduced with this ticket?

@RachelElysia thoughts?

@xpkoala

xpkoala commented Jan 3, 2025

The last few comments relate to a new issue that has not been created just yet. The original issue has been fixed with the PR attached. Moving this to Ready for Released. I'll attach the new ticket as a comment once it's been created to track the above.

@sharon-fdm removed the #g-endpoint-ops label Jan 7, 2025
@fleet-release

Maintainers find peace,
Turning on, off as they please,
Cloud city's pulse eased.
