Clarify GitOps user permissions to modify gitops org settings #26790

Closed
4 changes: 3 additions & 1 deletion articles/role-based-access.md
Expand Up @@ -76,7 +76,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
| Read Single Sign-On settings\** | | | | ✅ | |
| Read SMTP settings\** | | | | ✅ | |
| Read osquery agent options\** | | | | ✅ | |
| Edit organization settings | | | | ✅ | ✅ |
| Edit organization settings\*** | | | | ✅ | ✅ |
| Edit agent options | | | | ✅ | ✅ |
| Edit agent options for hosts assigned to teams\* | | | | ✅ | ✅ |
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |
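
Review bot: The `\***` marker on the "Edit organization settings" row applies to the whole row, but that row carries two ✅ cells while the footnote it points to speaks only about GitOps users, so a reader checking the other role cannot tell whether the exception touches it. Because this table is what people consult when choosing a role for a CI/CD pipeline, consider a dedicated row for the restricted setting, with its own ✅ and blank cells, rather than a footnote on a row that still shows ✅. Also escape every asterisk in the marker (`\*\*\*`) so the trailing `**` is never treated as an emphasis delimiter by a Markdown renderer.
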
Expand Down Expand Up @@ -105,6 +105,8 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines.

\** Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api)

\*** GitOps users do not have access to modify `gitops` settings.
Member

@noahtalerman noahtalerman Mar 4, 2025

Hey @rachaelshaw as someone looking at this for the first time (new user), I'm not sure I understand what "gitops settings" means. This is about editing GitOps mode, right? Maybe we add a new "Edit GitOps mode" row to the table?

That said, I thought we weren't adding any permissions changes as part of the user story. Did that change?

Screenshot 2025-03-04 at 9 30 33 AM

Member Author

@noahtalerman ah I see what you mean, we should still allow the GitOps role to modify GitOps mode org settings (if someone wanted to do that via the API for some reason), but just not allow it to be updated via YAML. I was conflating the GitOps role with the fleetctl gitops command in my mind.

I'll close this.


## Team user permissions

`Applies only to Fleet Premium`
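
Review bot: The added footnote refers to `gitops` settings without defining the term, and nothing in this hunk says which setting that is or through which interface the restriction holds. The footnote just above it states its scope explicitly ("Applies only to Fleet REST API"); this one should do the same by naming the exact setting and saying whether the restriction applies to the REST API only or to every interface. As written, it can be read as the GitOps role lacking a permission that the ✅ in the table still grants.
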