Allow team admins to invite new users to their team via email

[iansltx]

• @noahtalerman: User requested this because they noticed that the "Invite user" option was missing when a team admin goes to create a user. This means the team admin has to create a user and then manually notify that user. Instead, if they had the invite option, Fleet would automatically send an email for the.
  • @noahtalerman: In the interim the team admin can create a user without an invite.
  • @noahtalerman: Eventually the "Invite user" option could be available for team admins.
• @allenhouchins: For tech evals we use the same Fleet instance and create a team for each propsect. We give propsects the team admin role. It would be nice to be able to showcase and let the prospect touch all the features.

---

[noahtalerman]

Problem

Currently team admins cannot use the existing email invite system to set users up (global admins can).

Unlike #24660, this is not an API/UI consistency issue; team admins are disallowed from creating invites in the API.

What have you tried?

Currently team admins wishing to add users have to create the users and then either tell the user to reset their password out-of-band or hand them the newly created password out-of-band.

Potential solutions

Allow team admins to create user invites as long as the user is conferred access to only the team the admin admins. We'll likely need invite editing for team admins for this, with similar scope restrictions (and only being able to touch invites for users matching teams they're an admin of).

What is the expected workflow as a result of your proposal?

As a team admin, when clicking "Create user" in the team UI, I should have the option to invite the user (subject to email being configured), same as a global admin. I should also be able to revoke an invite for a user when that invite would confer roles on the team(s) I'm admin'ing.