Docker roles and permissions
This document describes the permission levels each RBAC role has within the Portainer application for both Docker Standalone and Docker Swarm environments. Refer to the linked notes for further requirements on each operation.
Role-Based Access Control is only available in Portainer Business Edition.
Legend
EA
Environment Administrator
OP
Operator
HD
Helpdesk
ST
Standard user
RO
Read-only user
Roles and permissions
Templates
Stacks
Access to these operations can be affected by the Disable the use of Stacks for non-administrators security setting (Docker, Swarm).
Services
These operations are only relevant for Docker Swarm environments.
Containers
View containers
Create container
Build an image from a container
View container details
Start container
Stop container
Kill container
Restart container
Pause container
Resume container
Container console
Container attach
Join container to network
Remove container from network
View container logs
Change container ownership
Delete container
Images
View images
Pull an image
Push an image
Build an image
Import an image
View image details
Add tag to image
Remove tag from image
Export image
Delete an image
Volumes
Networks
Events
These operations are only relevant for Docker Standalone environments.
View events
Configs
These operations are only relevant for Docker Swarm environments.
Secrets
These operations are only relevant for Docker Swarm environments.
Host
These operations are only relevant for Docker Standalone environments.
View host details
Swarm
These operations are only relevant for Docker Swarm environments.
View cluster details
Registries
Notes
Standard / Read only users (and Operators in the case of ownership operations) have permission only if they are given access to the resource. This can be inherited, for example inheriting a service from a stack.
This operation is only relevant for Swarm environments.
This operation can be affected by the following security settings (Docker, Swarm):
Disable privileged mode for non-administrators
Disable the use of host PID 1 for non-administrators
Disable device mappings for non-administrators
Disable container capabilities for non-administrators
Disable bind mounts for non-administrators
This operation can only be performed under the allowed registry.
Last updated