
Turn off teams

Open nonpunctual opened this issue 9 months ago • 7 comments

  • customer-preston:
    • Slack thread: https://fleetdm.slack.com/archives/C061ZA91Y1J/p1740680003270299
    • Gong snippet: https://us-65885.app.gong.io/call?id=2508710359637544725&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A2365%2C%22to%22%3A2410%7D%5D
    • Gong snippet: https://us-65885.app.gong.io/call?id=2585305282234715347&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1759%2C%22to%22%3A1815%7D%5D
  • @noahtalerman: User requested this because they're building a white-label solution on top of Fleet. customer-preston wants their users to be able to add/renew APNs and ABM certificates. Right now, to do this in Fleet, the user needs global admin role. When preston gives their users global admin, they also create teams and upload software to those teams. This software doesn't show up in preston's UI which is a confusing experience.
    • @noahtalerman: In the interim preston could give their users global maintainer role and handle APNs and ABM for them.
    • @noahtalerman: Eventually Fleet could add an environment variable to turn off teams (or something in the API; whatever's easiest). Creating/editing teams in the API will still work. UI could show "Teams have been disabled. Learn how to enable here" with a link to the environment variable reference docs. This message could show up everywhere in the UI that references teams, similar to how we handle disabling query reports.

nonpunctual avatar Feb 27 '25 20:02 nonpunctual

@pintomi1989 we were working on this request and we thought, wait a minute, what if we gave the users the global maintainer role. They can still add software, add labels, add profiles, scripts, etc. Then they can't touch anything, including teams Fleet URL, under settings.

What do you think?

noahtalerman avatar Feb 27 '25 21:02 noahtalerman

@noahtalerman

Brock Walters: Does everything on this page apply to "No Team" as well as a Team that's been created by a Fleet admin? Thanks. https://fleetdm.com/guides/role-based-access#user-permissions

Victor Lyuboslavsky: "No Team" does not have Team users. So only the first global "User permissions" table applies to "No Team"

nonpunctual avatar Feb 27 '25 21:02 nonpunctual

Brock Walters: Does everything on this page apply to "No Team" as well as a Team that's been created by a Fleet admin? Thanks. https://fleetdm.com/guides/role-based-access#user-permissions

Victor Lyuboslavsky: "No Team" does not have Team users. So only the first global "User permissions" table applies to "No Team"

@nonpunctual we're thinking we could give these users "global maintainer" role:

https://fleetdm.com/guides/role-based-access#maintainer

noahtalerman avatar Feb 27 '25 22:02 noahtalerman

Another wrinkle I thought of on this one: there are certain actions that are only valid for "All Teams" (like managing automations on the Software page) and other actions that are only valid for a specific team (like managing automations for policies via calendar events, installing software or running scripts) and even actions that are only valid for a specific team that is not "no team" (like managing automations for policies via "other workflows"). We'll have to think through the repercussions of hiding the teams dropdown for those actions.

sgress454 avatar Feb 28 '25 00:02 sgress454

@sgress454 Agreed. Didn't want to get too specific about that in the ticket as I don't want to prescribe solutions, but, the customer did raise this during the discussion, i.e., that whatever this turns out to be it would be best if it covered the bases of all places where Team configs are touched. Thanks.

nonpunctual avatar Feb 28 '25 01:02 nonpunctual

Hey @noahtalerman,

I presented the idea of using a maintainer role to customer-preston, and they stated that this will not work to fix their problem.

What’s global maintainer missing?

Michael Pinto

Preston customers go into Fleet to add & scope apps, get more host details, stream logs, integrate ABM & VPP and more. They need their users to be able to access ABM, VPP

Noah Talerman

integrate ABM & VPP and more.

Ah, yup. You’re right. Only global admins can do this.

pintomi1989 avatar Feb 28 '25 13:02 pintomi1989

Problem

customer-preston does not use Teams. All management is predicated on using "No Team" as the only Team for their customers.

Because of the way the Fleet UI is presented inside the customer-preston app, they would like a global setting that would allow them to prevent use of the Teams pulldown in the Fleet UI & to prevent new Teams from being created.

What have you tried?

customer-preston said they have considered or tried blocking the Teams pulldown with a UI element. This may not have been an adequate solution for the problem.

Potential solutions

A checkbox in Settings > Advanced Options that would prevent use of the Teams pulldown if selected.

Perhaps it could be restricted to a single Team in the view at Advanced Options, i.e., if a Team was selected (e.g., "Team X", or "No Team") to be the 1 Team intended for use globally, then, the Teams pulldown would no longer appear anywhere else in the Fleet UI under the assumption that only "Team X" or "No Team" would be in use.

What is the expected workflow as a result of your proposal?

Prevent admins from creating new Teams or seeing the Teams pulldown if the advanced option for selecting a single Team was in use.

noahtalerman avatar Mar 04 '25 21:03 noahtalerman

@pintomi1989 https://github.com/fleetdm/fleet/issues/28221 shipped in 4.69.0

rachaelshaw avatar Jul 30 '25 22:07 rachaelshaw