Docker roles and permissions

This document describes the permission levels each RBAC role has within the Portainer application for both Docker Standalone and Docker Swarm environments. Refer to the linked notes for further requirements on each operation.

Role-Based Access Control is only available in Portainer Business Edition.

Legend

Roles and permissions

Templates

Stacks

Access to these operations can be affected by the Disable the use of Stacks for non-administrators security setting (Docker, Swarm).

Services

These operations are only relevant for Docker Swarm environments.

Containers

Images

Volumes

Networks

Events

These operations are only relevant for Docker Standalone environments.

Configs

These operations are only relevant for Docker Swarm environments.

Secrets

These operations are only relevant for Docker Swarm environments.

Host

These operations are only relevant for Docker Standalone environments.

Swarm

These operations are only relevant for Docker Swarm environments.

Registries

Notes

  1. Standard / Read only users (and Operators in the case of ownership operations) have permission only if they are given access to the resource. This can be inherited, for example inheriting a service from a stack.

  2. This operation is only relevant for Swarm environments.

  3. This operation can be affected by the following security settings (Docker, Swarm):

    1. Disable privileged mode for non-administrators

    2. Disable the use of host PID 1 for non-administrators

    3. Disable device mappings for non-administrators

    4. Disable container capabilities for non-administrators

    5. Disable bind mounts for non-administrators

  4. This operation can be affected by the Enable volume management for non-administrators setting (Docker, Swarm), and requires the use of the Portainer Agent.

  5. This operation can only be performed under the allowed registry.

Last updated