# Docker roles and permissions
This document describes the permission levels each [RBAC role](../admin/users/roles.md) has within the Portainer application for both Docker Standalone and Docker Swarm environments. Refer to the linked notes for further requirements on each operation.
{% hint style="info" %}
Role-Based Access Control is only available in Portainer Business Edition.
{% endhint %}
## Legend
| Abbreviation | Role name                 |
| ------------ | ------------------------- |
| EA           | Environment Administrator |
| OP           | Operator                  |
| HD           | Helpdesk                  |
| ST           | Standard user             |
| RO           | Read-only user            |
## Roles and permissions
### Templates
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View app templates</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td></td></tr><tr><td>Deploy app templates</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>View custom templates</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Create custom templates</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>Deploy custom templates</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Edit custom templates</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Change custom template ownership</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Delete custom template</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr></tbody></table>
### Stacks
Access to these operations can be affected by the **Disable the use of Stacks for non-administrators** security setting ([Docker](../user/docker/host/setup.md#docker-security-settings), [Swarm](../user/docker/swarm/setup.md#docker-security-settings)).
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View stacks</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Create a stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">3</a></td></tr><tr><td>Edit a stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>View stack details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Change stack ownership</td><td>true</td><td>true</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Stop a stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Start a stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Duplicate a stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Migrate a stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Create template from a stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Update service in stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a>, <a href="docker-roles-and-permissions.md#notes">2</a></td></tr><tr><td>Remove service from stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a>, <a href="docker-roles-and-permissions.md#notes">2</a></td></tr><tr><td>Delete a stack</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr></tbody></table>
### Services
These operations are only relevant for Docker Swarm environments.
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View services</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Create service</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">3.5</a></td></tr><tr><td>View service details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Edit service</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a>, <a href="docker-roles-and-permissions.md#notes">3.5</a></td></tr><tr><td>Update service</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Roll back service</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>View service logs</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Change service ownership</td><td>true</td><td>true</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Delete service</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr></tbody></table>
### Containers
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View containers</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Create container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">3</a></td></tr><tr><td>Build an image from a container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>View container details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Start container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Stop container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Kill container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Restart container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Pause container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Resume container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Edit container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a>, <a href="docker-roles-and-permissions.md#notes">3</a></td></tr><tr><td>Duplicate container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a>, <a href="docker-roles-and-permissions.md#notes">3</a></td></tr><tr><td>Recreate container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a>, <a href="docker-roles-and-permissions.md#notes">3</a></td></tr><tr><td>Container console</td><td>true</td><td>true</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Container attach</td><td>true</td><td>true</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Join container to network</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Remove container from network</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>View container logs</td><td>true</td><td>true</td><td>true</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Change container ownership</td><td>true</td><td>true</td><td>false</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Delete container</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr></tbody></table>
### Images
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View images</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td></td></tr><tr><td>Pull an image</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>Push an image</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td></td></tr><tr><td>Build an image</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>Import an image</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>View image details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td></td></tr><tr><td>Add tag to image</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>Remove tag from image</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>Export image</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td></td></tr><tr><td>Delete an image</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td></td></tr></tbody></table>
### Volumes
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View volumes</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Create a volume</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>View volume details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Browse a volume</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a>, <a href="docker-roles-and-permissions.md#notes">4</a></td></tr><tr><td>Change volume ownership</td><td>true</td><td>true</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Delete a volume</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr></tbody></table>
### Networks
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View networks</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Create a network</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>View network details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Change network ownership</td><td>true</td><td>true</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Delete a network</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr></tbody></table>
### Events
These operations are only relevant for Docker Standalone environments.
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View events</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td><td></td></tr></tbody></table>
### Configs
These operations are only relevant for Docker Swarm environments.
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View configs</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Create a config</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>View config details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Clone a config</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Change config ownership</td><td>true</td><td>true</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Delete a config</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr></tbody></table>
### Secrets
These operations are only relevant for Docker Swarm environments.
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View secrets</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Create a secret</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td></td></tr><tr><td>View secret details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Change secret ownership</td><td>true</td><td>true</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Delete a secret</td><td>true</td><td>false</td><td>false</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr></tbody></table>
### Host
These operations are only relevant for Docker Standalone environments.
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View host details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td></td></tr></tbody></table>
### Swarm
These operations are only relevant for Docker Swarm environments.
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>View cluster details</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td></td></tr></tbody></table>
### Registries
<table><thead><tr><th>Operation</th><th data-type="checkbox">EA</th><th data-type="checkbox">OP</th><th data-type="checkbox">HD</th><th data-type="checkbox">ST</th><th data-type="checkbox">RO</th><th>Notes</th></tr></thead><tbody><tr><td>Read registry</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Browse registry</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td><a href="docker-roles-and-permissions.md#notes">1</a></td></tr><tr><td>Update repositories</td><td>true</td><td>true</td><td>true</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">5</a></td></tr><tr><td>Delete repositories</td><td>true</td><td>true</td><td>true</td><td>true</td><td>false</td><td><a href="docker-roles-and-permissions.md#notes">5</a></td></tr></tbody></table>
## Notes

1. Standard and Read-only users (and Operators, in the case of ownership operations) can perform the operation only on resources they have been given access to. Access can be inherited from a parent resource; for example, a service created by a stack inherits the access granted on that stack.
2. This operation is only relevant for Swarm environments.
3. This operation can be affected by the following security settings ([Docker](../user/docker/host/setup.md#docker-security-settings), [Swarm](../user/docker/swarm/setup.md#docker-security-settings)). A reference such as 3.5 in a table points to the corresponding item in this list:
   1. **Disable privileged mode for non-administrators**
   2. **Disable the use of host PID 1 for non-administrators**
   3. **Disable device mappings for non-administrators**
   4. **Disable container capabilities for non-administrators**
   5. **Disable bind mounts for non-administrators**
4. This operation can be affected by the **Enable volume management for non-administrators** setting ([Docker](../user/docker/host/setup.md#enable-volume-management-for-non-administrators), [Swarm](../user/docker/swarm/setup.md#host-and-filesystem)), and requires the use of the Portainer Agent.
5. This operation can only be performed against a registry the user has been granted access to.
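The following Python is an added example, not Portainer's code or part of the original page. It models the rules above for a few container operations so that an administrator can predict, before testing against a live environment, whether a given user should be able to perform an operation: the role matrix, the resource access and inheritance of note 1, and the five security settings of note 3 applied to a Docker Engine API `HostConfig`. The class and function names, the `parent` inheritance walk, and the mapping of the `Privileged`, `PidMode`, `Devices`, `CapAdd`, `Binds` and `Mounts` fields to the settings are this example's assumptions about how the documented behaviour is enforced, not Portainer's implementation.

```python
# Added example (not Portainer's own code): a model of the access rules on this
# page. Data structures, the parent-inheritance walk and the HostConfig-to-setting
# mapping are assumptions of the example, made to illustrate notes 1 and 3.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Role(str, Enum):
    EA = "Environment Administrator"
    OP = "Operator"
    HD = "Helpdesk"
    ST = "Standard user"
    RO = "Read-only user"


# Subset of the Containers table: operation -> roles that grant it by themselves.
# Notes 1 and 3 are applied on top of this matrix in decide().
CONTAINER_MATRIX = {
    "view":   {Role.EA, Role.OP, Role.HD, Role.ST, Role.RO},
    "create": {Role.EA, Role.ST},
    "logs":   {Role.EA, Role.OP, Role.HD, Role.ST},
    "delete": {Role.EA, Role.ST},
}


@dataclass
class Resource:
    """A managed resource and its access control (assumed shape)."""
    name: str
    users: set[str] = field(default_factory=set)  # users granted access
    public: bool = False                           # accessible to everyone
    parent: Resource | None = None                 # e.g. the stack that created a service

    def accessible_by(self, user: str) -> bool:
        """Note 1: access is granted directly or inherited from a parent resource."""
        res: Resource | None = self
        while res is not None:
            if res.public or user in res.users:
                return True
            res = res.parent
        return False


@dataclass
class SecuritySettings:
    """The five 'for non-administrators' settings of note 3 (True = restriction on)."""
    privileged: bool = True
    host_pid: bool = True
    device_mappings: bool = True
    capabilities: bool = True
    bind_mounts: bool = True


def settings_blocking(host_config: dict, settings: SecuritySettings) -> list[str]:
    """Docker Engine API HostConfig fields that each note-3 setting would reject.
    Which fields Portainer itself inspects is an assumption of this example."""
    blocked = []
    if settings.privileged and host_config.get("Privileged"):
        blocked.append("privileged mode")
    if settings.host_pid and host_config.get("PidMode") == "host":
        blocked.append("host PID 1")
    if settings.device_mappings and host_config.get("Devices"):
        blocked.append("device mappings")
    if settings.capabilities and host_config.get("CapAdd"):
        blocked.append("container capabilities")
    # A bind mount is a "Binds" entry whose source is a host path, or a "Mounts"
    # entry of Type "bind"; named volumes ("data:/data") are not bind mounts.
    binds = [b for b in host_config.get("Binds", []) if b.startswith("/")]
    mounts = [m for m in host_config.get("Mounts", []) if m.get("Type") == "bind"]
    if settings.bind_mounts and (binds or mounts):
        blocked.append("bind mounts")
    return blocked


def decide(user: str, role: Role, operation: str, resource: Resource | None = None,
           host_config: dict | None = None,
           settings: SecuritySettings | None = None) -> tuple[bool, str]:
    """Return (allowed, reason) for a container operation under this page's rules."""
    settings = settings or SecuritySettings()
    if role not in CONTAINER_MATRIX[operation]:
        return False, f"{role.value} role does not grant '{operation}'"
    # Note 1: Standard and Read-only users need access to the resource itself;
    # Environment Administrators, Operators and Helpdesk are not subject to it here.
    if role in (Role.ST, Role.RO) and resource is not None \
            and not resource.accessible_by(user):
        return False, f"{user} has no access to resource '{resource.name}'"
    # Note 3: the security settings constrain non-administrators only.
    if operation == "create" and host_config and role is not Role.EA:
        blocked = settings_blocking(host_config, settings)
        if blocked:
            return False, "blocked by setting(s): " + ", ".join(blocked)
    return True, "allowed"


def demo() -> list[tuple[bool, str]]:
    """Constructed scenarios: a stack owned by alice and a service created by it."""
    stack = Resource("web", users={"alice"})
    svc = Resource("web_api", parent=stack)  # inherits alice's access from the stack
    hc = {"Privileged": True, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}
    return [
        decide("alice", Role.ST, "view", svc),               # allowed through inheritance
        decide("bob", Role.ST, "view", svc),                 # denied: no access granted
        decide("bob", Role.HD, "view", svc),                 # allowed: Helpdesk views all
        decide("alice", Role.RO, "delete", svc),             # denied: RO never deletes
        decide("alice", Role.ST, "create", host_config=hc),  # denied by two settings
        decide("root", Role.EA, "create", host_config=hc),   # admins bypass the settings
    ]
```

Running `demo()` shows the two checks that most often surprise users: a Standard user sees a service only because the stack that created it grants them access, and a container create that is permitted by the role still fails for that user when it asks for `Privileged` or a host-path bind (the Docker socket, in the constructed example) while the corresponding settings are on. Relaxing those settings (`SecuritySettings(privileged=False, bind_mounts=False)`) makes the same request pass, which is exactly the exposure those settings exist to prevent for non-administrators.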