# Docker roles and permissions

This document describes the permission level each RBAC role has within the Portainer application, for both Docker Standalone and Docker Swarm environments. The Notes column of each table refers to the numbered notes at the end of this page, which state further requirements or restrictions that apply to the operation.

{% hint style="info" %} Role-Based Access Control is only available in Portainer Business Edition. {% endhint %}

## Legend

| Abbreviation | Role name |
|---|---|
| EA | Environment Administrator |
| OP | Operator |
| HD | Helpdesk |
| ST | Standard user |
| RO | Read-only user |

## Roles and permissions

### Templates

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View app templates | true | true | true | true | true | |
| Deploy app templates | true | false | false | true | false | |
| View custom templates | true | true | true | true | true | 1 |
| Create custom templates | true | false | false | true | false | |
| Deploy custom templates | true | false | false | true | false | 1 |
| Edit custom templates | true | false | false | true | false | 1 |
| Change custom template ownership | true | false | false | true | false | 1 |
| Delete custom template | true | false | false | true | false | 1 |

### Stacks

Access to these operations can be affected by the "Disable the use of Stacks for non-administrators" security setting (Docker, Swarm).

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View stacks | true | true | true | true | true | 1 |
| Create a stack | true | false | false | true | false | 3 |
| Edit a stack | true | false | false | true | false | 1 |
| View stack details | true | true | true | true | true | 1 |
| Change stack ownership | true | true | false | true | false | 1 |
| Stop a stack | true | false | false | true | false | 1 |
| Start a stack | true | false | false | true | false | 1 |
| Duplicate a stack | true | false | false | true | false | 1 |
| Migrate a stack | true | false | false | true | false | 1 |
| Create template from a stack | true | false | false | true | false | 1 |
| Update service in stack | true | false | false | true | false | 1, 2 |
| Remove service from stack | true | false | false | true | false | 1, 2 |
| Delete a stack | true | false | false | true | false | 1 |

### Services

These operations are only relevant for Docker Swarm environments.

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View services | true | true | true | true | true | 1 |
| Create service | true | false | false | true | false | 3.5 |
| View service details | true | true | true | true | true | 1 |
| Edit service | true | false | false | true | false | 1, 3.5 |
| Update service | true | false | false | true | false | 1 |
| Roll back service | true | false | false | true | false | 1 |
| View service logs | true | true | true | true | true | 1 |
| Change service ownership | true | true | false | true | false | 1 |
| Delete service | true | false | false | true | false | 1 |

### Containers

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View containers | true | true | true | true | true | 1 |
| Create container | true | false | false | true | false | 3 |
| Build an image from a container | true | false | false | true | false | 1 |
| View container details | true | true | true | true | true | 1 |
| Start container | true | false | false | true | false | 1 |
| Stop container | true | false | false | true | false | 1 |
| Kill container | true | false | false | true | false | 1 |
| Restart container | true | false | false | true | false | 1 |
| Pause container | true | false | false | true | false | 1 |
| Resume container | true | false | false | true | false | 1 |
| Edit container | true | false | false | true | false | 1, 3 |
| Duplicate container | true | false | false | true | false | 1, 3 |
| Recreate container | true | false | false | true | false | 1, 3 |
| Container console | true | true | false | true | false | 1 |
| Container attach | true | true | false | true | false | 1 |
| Join container to network | true | false | false | true | false | 1 |
| Remove container from network | true | false | false | true | false | 1 |
| View container logs | true | true | true | true | true | 1 |
| Change container ownership | true | true | false | true | false | 1 |
| Delete container | true | false | false | true | false | 1 |

### Images

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View images | true | true | true | true | true | |
| Pull an image | true | false | false | true | false | |
| Push an image | true | false | false | false | false | |
| Build an image | true | false | false | true | false | |
| Import an image | true | false | false | true | false | |
| View image details | true | true | true | true | true | |
| Add tag to image | true | false | false | true | false | |
| Remove tag from image | true | false | false | true | false | |
| Export image | true | false | false | false | false | |
| Delete an image | true | false | false | false | false | |

### Volumes

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View volumes | true | true | true | true | true | 1 |
| Create a volume | true | false | false | true | false | |
| View volume details | true | true | true | true | true | 1 |
| Browse a volume | true | true | true | true | true | 1, 4 |
| Change volume ownership | true | true | false | true | false | 1 |
| Delete a volume | true | false | false | true | false | 1 |

### Networks

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View networks | true | true | true | true | true | 1 |
| Create a network | true | false | false | true | false | |
| View network details | true | true | true | true | true | 1 |
| Change network ownership | true | true | false | true | false | 1 |
| Delete a network | true | false | false | true | false | 1 |

### Events

These operations are only relevant for Docker Standalone environments.

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View events | false | false | false | false | false | |

### Configs

These operations are only relevant for Docker Swarm environments.

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View configs | true | true | true | true | true | 1 |
| Create a config | true | false | false | true | false | |
| View config details | true | true | true | true | true | 1 |
| Clone a config | true | false | false | true | false | 1 |
| Change config ownership | true | true | false | true | false | 1 |
| Delete a config | true | false | false | true | false | 1 |

### Secrets

These operations are only relevant for Docker Swarm environments.

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View secrets | true | true | true | true | true | 1 |
| Create a secret | true | false | false | true | false | |
| View secret details | true | true | true | true | true | 1 |
| Change secret ownership | true | true | false | true | false | 1 |
| Delete a secret | true | false | false | true | false | 1 |

### Host

These operations are only relevant for Docker Standalone environments.

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View host details | true | true | true | true | true | |

### Swarm

These operations are only relevant for Docker Swarm environments.

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| View cluster details | true | true | true | true | true | |

### Registries

| Operation | EA | OP | HD | ST | RO | Notes |
|---|---|---|---|---|---|---|
| Read registry | true | true | true | true | true | 1 |
| Browse registry | true | true | true | true | true | 1 |
| Update repositories | true | true | true | true | false | 5 |
| Delete repositories | true | true | true | true | false | 5 |

## Notes

1. Standard and Read-only users (and Operators, in the case of ownership operations) have permission only if they have been given access to the resource. Access can be inherited; for example, a service inherits the access granted on its stack.
2. This operation is only relevant for Swarm environments.
3. This operation can be affected by the following security settings (Docker, Swarm). A reference such as "3.5" in a Notes column means only the fifth setting in this list applies:
   1. Disable privileged mode for non-administrators
   2. Disable the use of host PID 1 for non-administrators
   3. Disable device mappings for non-administrators
   4. Disable container capabilities for non-administrators
   5. Disable bind mounts for non-administrators
4. This operation can be affected by the "Enable volume management for non-administrators" setting (Docker, Swarm), and requires the Portainer Agent.
5. This operation can only be performed on the allowed registry.
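The way the role table and the note 3 settings compose is easy to get wrong: the settings apply only to non-administrators, they are evaluated against the container spec, and a named volume is not a bind mount. The following preflight check is an added example, not Portainer's own code. It takes a Docker Engine API `HostConfig` (the keys `Privileged`, `PidMode`, `Devices`, `CapAdd`, `Binds` and `Mounts` are the Engine API's field names), models the five settings listed under note 3 as flags, and combines them with the "Create container" row of the Containers table. The setting names and flag defaults are assumptions for illustration, and the sample `HostConfig` is constructed.

```python
"""Preflight check for note 3: which "... for non-administrators" security
settings would a container spec trip, and may a given role still create it?

Added example, not Portainer's own code. HostConfig keys (Privileged, PidMode,
Devices, CapAdd, Binds, Mounts) are the Docker Engine API's field names; the
five restrictions mirror the settings listed under note 3 (names and defaults
are assumptions); the role row is the "Create container" row of the Containers
table. The sample HostConfig is constructed.
"""
from dataclasses import dataclass

# Only the Environment Administrator is exempt from the non-administrator settings.
ADMIN_ROLES = {"EA"}
# "Create container" row from the Containers table.
CREATE_CONTAINER = {"EA": True, "OP": False, "HD": False, "ST": True, "RO": False}


@dataclass
class SecuritySettings:
    """One flag per setting under note 3; True means the restriction is switched on."""
    disable_privileged_mode: bool = True
    disable_host_pid: bool = True
    disable_device_mappings: bool = True
    disable_capabilities: bool = True
    disable_bind_mounts: bool = True


def _is_bind_mount(bind: str) -> bool:
    """A Binds entry is src:dst[:opts]; a host path source is a bind mount,
    a bare name is a named volume, which note 3 does not restrict."""
    src = bind.split(":", 1)[0]
    return src.startswith(("/", ".", "~"))


def tripped_settings(host_config: dict, settings: SecuritySettings) -> list:
    """Return the enabled restrictions this HostConfig would violate, in note 3 order."""
    hits = []
    if settings.disable_privileged_mode and host_config.get("Privileged"):
        hits.append("privileged mode")
    if settings.disable_host_pid and host_config.get("PidMode") == "host":
        hits.append("host PID")
    if settings.disable_device_mappings and host_config.get("Devices"):
        hits.append("device mappings")
    if settings.disable_capabilities and host_config.get("CapAdd"):
        hits.append("container capabilities")
    binds = any(_is_bind_mount(b) for b in host_config.get("Binds") or [])
    mounts = any(m.get("Type") == "bind" for m in host_config.get("Mounts") or [])
    if settings.disable_bind_mounts and (binds or mounts):
        hits.append("bind mounts")
    return hits


def can_create_container(role: str, host_config: dict, settings: SecuritySettings):
    """Combine the role table with the security settings.

    Returns (allowed, reasons): reasons lists the restrictions that block a
    non-administrator, or a single role-denied message.
    """
    if not CREATE_CONTAINER.get(role, False):
        return False, [f"role {role} may not create containers"]
    if role in ADMIN_ROLES:
        return True, []  # note 3 settings apply to non-administrators only
    hits = tripped_settings(host_config, settings)
    return not hits, hits


# Constructed sample: a Docker-socket sidecar that also asks for the host PID namespace.
SAMPLE_HOST_CONFIG = {
    "PidMode": "host",
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"],
    "Devices": [],
    "CapAdd": None,
}


if __name__ == "__main__":
    for role in ("EA", "OP", "HD", "ST", "RO"):
        allowed, why = can_create_container(role, SAMPLE_HOST_CONFIG, SecuritySettings())
        print(f"{role}: {'allowed' if allowed else 'denied'} {why}")
```

With all five restrictions on, the sample spec is accepted for EA and rejected for ST because of the host PID namespace and the socket bind mount; OP, HD and RO are rejected by the role table before the settings are consulted. Relaxing only `disable_bind_mounts` is not enough to let a Standard user run it, which is the kind of interaction the tables alone do not make obvious.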