Official WebsiteKnowledge BasePricingGet 3 Nodes of BE Free

Docker roles and permissions

This document describes the permission levels each RBAC role has within the Portainer application for both Docker Standalone and Docker Swarm environments. Refer to the linked notes for further requirements on each operation.

Role-Based Access Control is only available in Portainer Business Edition.

Legend

Abbreviation
Role name

EA

Environment Administrator

OP

Operator

HD

Helpdesk

ST

Standard user

RO

Read-only user

Roles and permissions

Templates

Operation
EA
OP
HD
ST
RO
Notes

View app templates

Deploy app templates

View custom templates

1

Create custom templates

Deploy custom templates

1

Edit custom templates

1

Change custom template ownership

1

Delete custom template

1

Stacks

Access to these operations can be affected by the Disable the use of Stacks for non-administrators security setting (Docker, Swarm).

Operation
EA
OP
HD
ST
RO
Notes

View stacks

1

Create a stack

3

Edit a stack

1

View stack details

1

Change stack ownership

1

Stop a stack

1

Start a stack

1

Duplicate a stack

1

Migrate a stack

1

Create template from a stack

1

Update service in stack

1, 2

Remove service from stack

1, 2

Delete a stack

1

Services

These operations are only relevant for Docker Swarm environments.

Operation
EA
OP
HD
ST
RO
Notes

View services

1

Create service

3.5

View service details

1

Edit service

1, 3.5

Update service

1

Roll back service

1

View service logs

1

Change service ownership

1

Delete service

1

Containers

Operation
EA
OP
HD
ST
RO
Notes

View containers

1

Create container

3

Build an image from a container

1

View container details

1

Start container

1

Stop container

1

Kill container

1

Restart container

1

Pause container

1

Resume container

1

Edit container

1, 3

Duplicate container

1, 3

Recreate container

1, 3

Container console

1

Container attach

1

Join container to network

1

Remove container from network

1

View container logs

1

Change container ownership

1

Delete container

1

Images

Operation
EA
OP
HD
ST
RO
Notes

View images

Pull an image

Push an image

Build an image

Import an image

View image details

Add tag to image

Remove tag from image

Export image

Delete an image

Volumes

Operation
EA
OP
HD
ST
RO
Notes

View volumes

1

Create a volume

View volume details

1

Browse a volume

1, 4

Change volume ownership

1

Delete a volume

1

Networks

Operation
EA
OP
HD
ST
RO
Notes

View networks

1

Create a network

View network details

1

Change network ownership

1

Delete a network

1

Events

These operations are only relevant for Docker Standalone environments.

Operation
EA
OP
HD
ST
RO
Notes

View events

Configs

These operations are only relevant for Docker Swarm environments.

Operation
EA
OP
HD
ST
RO
Notes

View configs

1

Create a config

View config details

1

Clone a config

1

Change config ownership

1

Delete a config

1

Secrets

These operations are only relevant for Docker Swarm environments.

Operation
EA
OP
HD
ST
RO
Notes

View secrets

1

Create a secret

View secret details

1

Change secret ownership

1

Delete a secret

1

Host

These operations are only relevant for Docker Standalone environments.

Operation
EA
OP
HD
ST
RO
Notes

View host details

Swarm

These operations are only relevant for Docker Swarm environments.

Operation
EA
OP
HD
ST
RO
Notes

View cluster details

Registries

Operation
EA
OP
HD
ST
RO
Notes

Read registry

1

Browse registry

1

Update repositories

5

Delete repositories

5

Notes

  1. Standard / Read only users (and Operators in the case of ownership operations) have permission only if they are given access to the resource. This can be inherited, for example inheriting a service from a stack.

  2. This operation is only relevant for Swarm environments.

  3. This operation can be affected by the following security settings (Docker, Swarm):

    1. Disable privileged mode for non-administrators

    2. Disable the use of host PID 1 for non-administrators

    3. Disable device mappings for non-administrators

    4. Disable container capabilities for non-administrators

    5. Disable bind mounts for non-administrators

  4. This operation can be affected by the Enable volume management for non-administrators setting (Docker, Swarm), and requires the use of the Portainer Agent.

  5. This operation can only be performed under the allowed registry.

PreviousHelm chart configuration optionsNextKubernetes roles and bindings