Multiple teams (w/ role-based access control)

[noahtalerman]

This project describes the addition of the Teams feature to Fleet and holds the list of issues that contribute to Teams.

Goal

Teams will attempt to achieve two high-level goals in Fleet:

1. Separating hosts into exclusive groups, which map to the separation of responsibility in an organization. This way, users can easily observe and apply specific operations to familiar and consistent groups of hosts.
2. Defining a user's access to information and features in Fleet, which maps to their role within their organization or specific team(s). This way, more individuals in an organization can utilize Fleet with appropriate levels of access.

Estimated release date

2021-06-04 (June 4th) 2021-06-30

[noahtalerman]

Link to roles and features matrix for Teams (Google sheets): https://docs.google.com/spreadsheets/d/1Z2qP90V_P1jqtbApM_9sck62CUn3lVciiKE0-bjY1pc/edit#gid=1625888529

[noahtalerman]

Update on roles and features (3-22-2021)

• There will be no Team admin role in v1 of the Teams feature.
  • This change greatly simplifies the complexity of managing a user's teams and will reduce development time.
  • Therefore, only the Global admin role will have access to the Settings page in Fleet (Update settings, manage users, manage teams).
• Only Global admins and Global maintainers can create/edit/delete labels.
  • All users can filter and target hosts using labels. For team-level users filtering/targeting with labels, the hosts returned will be filtered both by label and by team.

[noahtalerman]

Update on configuration files for teams (4-16-2021)

• Backend and API changes to support the teams UI is prioritized over the fleetctl features needed to support configuration files for teams.
  • Updates to both the Fleet UI and fleetctl to support the Teams feature will be included in the release of Fleet 4.0

[noahtalerman]

New roles and the Fleet UI (5-17-2021)

This comment outlines how the Fleet UI will respond to the 3 roles (admin, maintainer, observer) and the 2 plans (core, basic).

Roles

Fleet 4.0 will introduce the Admin, Maintainer, and Observer roles.

A user, according to their assigned role, will have varying levels of access to features in the Fleet UI.

Query pages

EDIT: The query page permissions have been updated.

• “Observers can run” column if not Global observer or Team observer
• “Create new query” button if not Global observer or Team observer
• “Show query” if Global observer or Team observer and observers can run is false. “Run query” if the same but observers can run is true

Pack pages

• As an Observer, all Pack pages (manage, new, edit) are hidden. The "Packs" tab in the top navigation is hidden.
  • This is because only users with the Admin and Maintainer roles have edit access for Packs.

Settings pages

• As an Observer or Maintainer, all Settings pages are hidden. The "Settings" tab in the top navigation is hidden.

Plans

Fleet 4.0 will introduce the Teams feature.

A user, according to their organization's plan, will have varying levels of access to features in the Fleet UI.

[noahtalerman]

The Teams and RBAC features are included in the release of Fleet 4.0.0: https://github.com/fleetdm/fleet/releases/tag/v4.0.0