Docker roles and permissions
This document describes the permission levels each RBAC role has within the Portainer application for both Docker Standalone and Docker Swarm environments. Refer to the linked notes for further requirements on each operation.
Role-Based Access Control is only available in Portainer Business Edition.
Legend
Abbreviation | Role name |
---|---|
EA | Environment Administrator |
OP | Operator |
HD | Helpdesk |
ST | Standard user |
RO | Read-only user |
Roles and permissions
Templates
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View app templates | ||||||
Deploy app templates | ||||||
View custom templates | ||||||
Create custom templates | ||||||
Deploy custom templates | ||||||
Edit custom templates | ||||||
Change custom template ownership | ||||||
Delete custom template |
Stacks
Access to these operations can be affected by the "Disable the use of Stacks for non-administrators" security setting (Docker, Swarm).
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View stacks | ||||||
Create a stack | ||||||
Edit a stack | ||||||
View stack details | ||||||
Change stack ownership | ||||||
Stop a stack | ||||||
Start a stack | ||||||
Duplicate a stack | ||||||
Migrate a stack | ||||||
Create template from a stack | ||||||
Update service in stack | ||||||
Remove service from stack | ||||||
Delete a stack |
Services
These operations are only relevant for Docker Swarm environments.
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View services | ||||||
Create service | ||||||
View service details | ||||||
Edit service | ||||||
Update service | ||||||
Roll back service | ||||||
View service logs | ||||||
Change service ownership | ||||||
Delete service |
Containers
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View containers | ||||||
Create container | ||||||
Build an image from a container | ||||||
View container details | ||||||
Start container | ||||||
Stop container | ||||||
Kill container | ||||||
Restart container | ||||||
Pause container | ||||||
Resume container | ||||||
Edit container | ||||||
Duplicate container | ||||||
Recreate container | ||||||
Container console | ||||||
Container attach | ||||||
Join container to network | ||||||
Remove container from network | ||||||
View container logs | ||||||
Change container ownership | ||||||
Delete container |
Images
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View images | ||||||
Pull an image | ||||||
Push an image | ||||||
Build an image | ||||||
Import an image | ||||||
View image details | ||||||
Add tag to image | ||||||
Remove tag from image | ||||||
Export image | ||||||
Delete an image |
Volumes
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View volumes | ||||||
Create a volume | ||||||
View volume details | ||||||
Browse a volume | ||||||
Change volume ownership | ||||||
Delete a volume |
Networks
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View networks | ||||||
Create a network | ||||||
View network details | ||||||
Change network ownership | ||||||
Delete a network |
Events
These operations are only relevant for Docker Standalone environments.
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View events |
Configs
These operations are only relevant for Docker Swarm environments.
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View configs | ||||||
Create a config | ||||||
View config details | ||||||
Clone a config | ||||||
Change config ownership | ||||||
Delete a config |
Secrets
These operations are only relevant for Docker Swarm environments.
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View secrets | ||||||
Create a secret | ||||||
View secret details | ||||||
Change secret ownership | ||||||
Delete a secret |
Host
These operations are only relevant for Docker Standalone environments.
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View host details |
Swarm
These operations are only relevant for Docker Swarm environments.
Operation | EA | OP | HD | ST | RO | Notes |
---|---|---|---|---|---|---|
View cluster details |
Registries
Notes
Standard / Read-only users (and Operators in the case of ownership operations) have permission only if they are given access to the resource. This access can be inherited, for example a service inheriting access from its stack.
This operation is only relevant for Swarm environments.
This operation can be affected by the following security settings (Docker, Swarm):
- Disable privileged mode for non-administrators
- Disable the use of host PID 1 for non-administrators
- Disable device mappings for non-administrators
- Disable container capabilities for non-administrators
- Disable bind mounts for non-administrators
This operation can only be performed under the allowed registry.