Enable MFA checkbox is always greyed out for team admins #24623

Closed
jmwatts opened this issue Dec 10, 2024 · 10 comments
Labels
bug Something isn't working as documented ~frontend Frontend-related issue. #g-endpoint-ops Endpoint ops product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~unreleased bug This bug was found in an unreleased version of Fleet.

@jmwatts
Member

jmwatts commented Dec 10, 2024

Fleet version: v4.61.0

Web browser and operating system: Chrome 131.0.6778.109 running on macOS


💥  Actual behavior

Screenshot 2024-12-10 at 3 09 55 PM

🧑‍💻  Steps to reproduce

Ensure SMTP is enabled

  1. Create a team admin user and another team user of any role for the same team
  2. Log in as the team admin
  3. Attempt to enable 2FA for the other team user

🕯️ Expected behavior

The team admin should be able to enable 2FA for other users on their team

@jmwatts jmwatts added bug Something isn't working as documented :reproduce Involves documenting reproduction steps in the issue :incoming New issue in triage process. :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~unreleased bug This bug was found in an unreleased version of Fleet. #g-endpoint-ops Endpoint ops product group and removed :reproduce Involves documenting reproduction steps in the issue labels Dec 10, 2024
@xpkoala xpkoala added this to the 4.61.0 milestone Dec 10, 2024
@jacobshandling jacobshandling self-assigned this Dec 10, 2024
@jacobshandling jacobshandling removed the :incoming New issue in triage process. label Dec 10, 2024
@jacobshandling
Contributor

tl;dr – config response is missing smtp_settings for team admins


Seems like this is a backend bug with the config response for team admins. Whether to disable the 2fa option depends on `!!config?.smtp_settings?.configured` – you can see here that the response for a team admin on the Apples team from the config endpoint is missing that field, even though the setting is enabled for the organization and a global admin does see the expected response:

Screenshot 2024-12-10 at 4 00 09 PM

@jacobshandling jacobshandling added the ~backend Backend-related issue. label Dec 11, 2024
@jacobshandling
Contributor

jacobshandling commented Dec 11, 2024

It looks like the above is intentional based on this comment:
// Only the Global Admin should be able to see see SMTP, SSO and osquery agent settings.

@jacobshandling
Contributor

@noahtalerman, to over-communicate, we do want team admins to be able to enable MFA like this, right? If so, do we want to expose the org-level smtp settings to team admins for the purpose of this UI? Another idea, we could just have the UI allow it if it doesn't know the smtp settings and the server error if they aren't set. cc @iansltx @lucasmrod (left the comment above)

@jacobshandling
Contributor

another idea – just expose config.smtp_settings.configured boolean to team admins, excluding the rest of the fields, which is enough for this UI

@iansltx
Member

iansltx commented Dec 11, 2024

Chatted with @noahtalerman and for this iteration we'll stay consistent with the existing UI...which doesn't expose any advanced user management (SSO, MFA, invites) for team admins. This represents a gap between what the API can do and what the UI can do, and I'll get a bug up covering that delta (which will require BE work to expose both SMTP and SSO enablement flags to team admins so we en/disable UI controls properly).

So the fix for this particular ticket is to drop the checkbox entirely for team admins, as a FE-only change.
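
The UI check quoted earlier in the thread, run against the reported config response and against the idea of exposing only the `configured` flag to team admins. This is an added sketch, not Fleet's code and not part of any comment; the role names and every field other than `smtp_settings.configured` are constructed.

```javascript
// Added illustration; not Fleet's code. Role names and all fields except
// smtp_settings.configured are constructed sample values.
const ORG_CONFIG = {
  org_info: { org_name: "Example Org" },
  smtp_settings: {
    configured: true,
    server: "smtp.example.test",
    port: 587,
    user_name: "mailer",
    password: "constructed-secret",
  },
};

// Behaviour reported in the thread: only a global admin receives smtp_settings.
function configAsReported(user) {
  const { smtp_settings, ...rest } = ORG_CONFIG;
  return user.global_role === "admin" ? { ...rest, smtp_settings } : rest;
}

// Idea from the thread: team admins receive the `configured` boolean and nothing else.
function configWithFlagOnly(user) {
  const { smtp_settings, ...rest } = ORG_CONFIG;
  if (user.global_role === "admin") return { ...rest, smtp_settings };
  const isTeamAdmin = (user.teams || []).some((t) => t.role === "admin");
  return isTeamAdmin
    ? { ...rest, smtp_settings: { configured: smtp_settings.configured === true } }
    : rest;
}

// The UI gating expression quoted in the thread.
function canToggleMfa(config) {
  return !!config?.smtp_settings?.configured;
}

const globalAdmin = { global_role: "admin", teams: [] };
const teamAdmin = { global_role: null, teams: [{ name: "Apples", role: "admin" }] };
const teamObserver = { global_role: null, teams: [{ name: "Apples", role: "observer" }] };

for (const [label, user] of Object.entries({ globalAdmin, teamAdmin, teamObserver })) {
  console.log(label, {
    reported: canToggleMfa(configAsReported(user)),
    flagOnly: canToggleMfa(configWithFlagOnly(user)),
    smtpKeysExposed: Object.keys(configWithFlagOnly(user).smtp_settings ?? {}),
  });
}
```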

@iansltx iansltx assigned iansltx and unassigned jacobshandling Dec 11, 2024
@iansltx iansltx changed the title Team admin can not enable 2FA for other admins on their team(s) Enable MFA checkbox is always greyed out for team admins Dec 11, 2024
@iansltx iansltx added ~frontend Frontend-related issue. and removed ~backend Backend-related issue. labels Dec 11, 2024
iansltx added a commit that referenced this issue Dec 11, 2024
Also fixes some capitalization/pluralization issues for user management for team admins

For #24623.
@iansltx
Member

iansltx commented Dec 11, 2024

QA plan /cc @jmwatts:

  • Team admins don't see an MFA checkbox when creating users
  • Team admins don't see an MFA checkbox when editing users
  • Global admins do see the MFA checkbox
  • Team admins creating a user without touching the role <select> get the new user correctly assigned as an Observer (regression check since I fixed janky capitalization on that role as part of this PR)

iansltx added a commit that referenced this issue Dec 11, 2024
Also fixes some capitalization/pluralization issues for user management
for team admins

For #24623.

# Checklist for submitter
- [x] Manual QA for all new/changed functionality
@jmwatts
Member Author

jmwatts commented Dec 11, 2024

@iansltx Just want to confirm that Team admins shouldn't be able to see if another user has 2FA enabled or not.
I confirmed they don't see the checkbox on create but they also can't see if it is enabled right now when editing. I know #24465 is in the backlog, so I'm fine with it as-is... just wanted to confirm before putting my seal of approval on it :)

ALSO -
A team admin can still create a team user with 2FA using the API... I want to say that's addressed in another ticket but please correct me if I'm wrong.

@iansltx
Member

iansltx commented Dec 11, 2024

Re: viewing user info, correct; neither SSO status nor MFA status is expected to be shown for users when viewing/editing with a team admin.

Re: creating with MFA using the API, that's expected. The API is correct here, and #24660 will fix the gap between UI and API (and will get worked on sooner than #24465).

@jmwatts
Member Author

jmwatts commented Dec 11, 2024

QA Note:

Verified team admins no longer see MFA checkbox for create/edit user per comments above.

@fleet-release
Contributor

Greyed out box unsealed,
Team admins with power yield,
Security field.
