Restrict enabling / disabling GitOps mode in Fleet UI to Admin role only #26788

Open
nonpunctual opened this issue Mar 3, 2025 · 3 comments
Labels
~apple-mdm-maturity Contributes to maturity in macOS, iOS, or iPadOS MDM product category. ~csa Issue was created by or deemed important by the Customer Solutions Architect. ~dogfood Issue resulted from Fleet's product dogfooding. ~engineering-initiated Engineering-initiated story, such as a bug, refactor, or contributor experience improvement. :help-customers Customer success issue.

Comments

@nonpunctual
Contributor

@noahtalerman See: #26743 (comment)

Problem

Because

  • there is no PR gate for enabling / disabling GitOps mode in the Fleet UI &
  • because enabling / disabling GitOps mode could result in customer data loss

it should only be accessible by users with Fleet UI admin privileges or perhaps even a new superadmin role.

What have you tried?

Feature is new & only on 1st iteration.

Potential solutions

Make GitOps mode enable / disable accessible only by Fleet admin role.

Additionally, consider adding superadmin role for access.

What is the expected workflow as a result of your proposal?

Access to GitOps mode enable / disable will be protected.

@nonpunctual nonpunctual added :product Product Design department (shows up on 🦢 Drafting board) ~apple-mdm-maturity Contributes to maturity in macOS, iOS, or iPadOS MDM product category. ~csa Issue was created by or deemed important by the Customer Solutions Architect. ~dogfood Issue resulted from Fleet's product dogfooding. ~engineering-initiated Engineering-initiated story, such as a bug, refactor, or contributor experience improvement. labels Mar 3, 2025
@rachaelshaw
Member

rachaelshaw commented Mar 3, 2025

@nonpunctual #25478 specifies that only admins have access to enable/disable GitOps mode, but I realize that conflicts with the permissions documented in the Role-based access docs:

Image

Is this what you're after? If so I think we can have it be part of this fix.

@nonpunctual
Contributor Author

@rachaelshaw Yes. Thanks!

@noahtalerman
Member

@nonpunctual can you please update this request to cover what you're thinking for the "super" admin role?

@noahtalerman noahtalerman added :help-customers Customer success issue. and removed :product Product Design department (shows up on 🦢 Drafting board) labels Mar 5, 2025