Docker roles and permissions
This document describes the permission levels each RBAC role has within the Portainer application for both Docker Standalone and Docker Swarm environments. Refer to the linked notes for further requirements on each operation.
Role-Based Access Control is only available in Portainer Business Edition.
Legend
EA: Environment Administrator
OP: Operator
HD: Helpdesk
ST: Standard user
RO: Read-only user
Roles and permissions
Templates
View app templates
Deploy app templates
View custom templates
Create custom templates
Deploy custom templates
Edit custom templates
Change custom template ownership
Delete custom template
Stacks
Access to these operations can be affected by the "Disable the use of Stacks for non-administrators" security setting (Docker, Swarm).
View stacks
Create a stack
Edit a stack
View stack details
Change stack ownership
Stop a stack
Start a stack
Duplicate a stack
Migrate a stack
Create template from a stack
Update service in stack
Remove service from stack
Delete a stack
Services
These operations are only relevant for Docker Swarm environments.
View services
Create service
View service details
Edit service
Update service
Roll back service
View service logs
Change service ownership
Delete service
Containers
View containers
Create container
Build an image from a container
View container details
Start container
Stop container
Kill container
Restart container
Pause container
Resume container
Edit container
Duplicate container
Recreate container
Container console
Container attach
Join container to network
Remove container from network
View container logs
Change container ownership
Delete container
Images
View images
Pull an image
Push an image
Build an image
Import an image
View image details
Add tag to image
Remove tag from image
Export image
Delete an image
Volumes
View volumes
Create a volume
View volume details
Browse a volume
Change volume ownership
Delete a volume
Networks
View networks
Create a network
View network details
Change network ownership
Delete a network
Events
These operations are only relevant for Docker Standalone environments.
View events
Configs
These operations are only relevant for Docker Swarm environments.
View configs
Create a config
View config details
Clone a config
Change config ownership
Delete a config
Secrets
These operations are only relevant for Docker Swarm environments.
View secrets
Create a secret
View secret details
Change secret ownership
Delete a secret
Host
These operations are only relevant for Docker Standalone environments.
View host details
Swarm
These operations are only relevant for Docker Swarm environments.
View cluster details
Registries
Read registry
Browse registry
Update repositories
Delete repositories
Notes
Standard and Read-only users (and Operators, in the case of ownership operations) have permission only if they have been given access to the resource. This access can be inherited, for example by a service from its stack.
This operation is only relevant for Swarm environments.
This operation can be affected by the following security settings (Docker, Swarm):
  - Disable privileged mode for non-administrators
  - Disable the use of host PID 1 for non-administrators
  - Disable device mappings for non-administrators
  - Disable container capabilities for non-administrators
  - Disable bind mounts for non-administrators
This operation can only be performed under the allowed registry.