# Docker roles and permissions This document describes the permission levels each [RBAC role](https://docs.portainer.io/admin/user/roles) has within the Portainer application for both Docker Standalone and Docker Swarm environments. Refer to the linked notes for further requirements on each operation. {% hint style="info" %} Role-Based Access Control is only available in Portainer Business Edition. {% endhint %} ## Legend

Abbreviation	Role name
EA	Environment Administrator
OP	Operator
HD	Helpdesk
ST	Standard user
RO	Read-only user

## Roles and permissions ### Templates

Operation	EA	OP	HD	ST	RO	Notes
View app templates	true	true	true	true	true
Deploy app templates	true	false	false	true	false
View custom templates	true	true	true	true	true	1
Create custom templates	true	false	false	true	false
Deploy custom templates	true	false	false	true	false	1
Edit custom templates	true	false	false	true	false	1
Change custom template ownership	true	false	false	true	false	1
Delete custom template	true	false	false	true	false	1

### Stacks Access to these operations can be affected by the **Disable the use of Stacks for non-administrators** security setting ([Docker](https://docs.portainer.io/user/docker/host/setup#docker-security-settings), [Swarm](https://docs.portainer.io/user/docker/swarm/setup#docker-security-settings)).

Operation	EA	OP	HD	ST	RO	Notes
View stacks	true	true	true	true	true	1
Create a stack	true	false	false	true	false	3
Edit a stack	true	false	false	true	false	1
View stack details	true	true	true	true	true	1
Change stack ownership	true	true	false	true	false	1
Stop a stack	true	false	false	true	false	1
Start a stack	true	false	false	true	false	1
Duplicate a stack	true	false	false	true	false	1
Migrate a stack	true	false	false	true	false	1
Create template from a stack	true	false	false	true	false	1
Update service in stack	true	false	false	true	false	1, 2
Remove service from stack	true	false	false	true	false	1, 2
Delete a stack	true	false	false	true	false	1

### Services These operations are only relevant for Docker Swarm environments.

Operation	EA	OP	HD	ST	RO	Notes
View services	true	true	true	true	true	1
Create service	true	false	false	true	false	3.5
View service details	true	true	true	true	true	1
Edit service	true	false	false	true	false	1, 3.5
Update service	true	false	false	true	false	1
Roll back service	true	false	false	true	false	1
View service logs	true	true	true	true	true	1
Change service ownership	true	true	false	true	false	1
Delete service	true	false	false	true	false	1

### Containers

Operation	EA	OP	HD	ST	RO	Notes
View containers	true	true	true	true	true	1
Create container	true	false	false	true	false	3
Build an image from a container	true	false	false	true	false	1
View container details	true	true	true	true	true	1
Start container	true	false	false	true	false	1
Stop container	true	false	false	true	false	1
Kill container	true	false	false	true	false	1
Restart container	true	false	false	true	false	1
Pause container	true	false	false	true	false	1
Resume container	true	false	false	true	false	1
Edit container	true	false	false	true	false	1, 3
Duplicate container	true	false	false	true	false	1, 3
Recreate container	true	false	false	true	false	1, 3
Container console	true	true	false	true	false	1
Container attach	true	true	false	true	false	1
Join container to network	true	false	false	true	false	1
Remove container from network	true	false	false	true	false	1
View container logs	true	true	true	true	true	1
Change container ownership	true	true	false	true	false	1
Delete container	true	false	false	true	false	1

### Images

Operation	EA	OP	HD	ST	RO
View images	true	true	true	true	true
Pull an image	true	false	false	true	false
Push an image	true	false	false	false	false
Build an image	true	false	false	true	false
Import an image	true	false	false	true	false
View image details	true	true	true	true	true
Add tag to image	true	false	false	true	false
Remove tag from image	true	false	false	true	false
Export image	true	false	false	false	false
Delete an image	true	false	false	false	false

### Volumes

Operation	EA	OP	HD	ST	RO	Notes
View volumes	true	true	true	true	true	1
Create a volume	true	false	false	true	false
View volume details	true	true	true	true	true	1
Browse a volume	true	true	true	true	true	1, 4
Change volume ownership	true	true	false	true	false	1
Delete a volume	true	false	false	true	false	1

### Networks

Operation	EA	OP	HD	ST	RO	Notes
View networks	true	true	true	true	true	1
Create a network	true	false	false	true	false
View network details	true	true	true	true	true	1
Change network ownership	true	true	false	true	false	1
Delete a network	true	false	false	true	false	1

### Events These operations are only relevant for Docker Standalone environments.

Operation	EA	OP	HD	ST	RO	Notes
View events	false	false	false	false	false

### Configs These operations are only relevant for Docker Swarm environments.

Operation	EA	OP	HD	ST	RO	Notes
View configs	true	true	true	true	true	1
Create a config	true	false	false	true	false
View config details	true	true	true	true	true	1
Clone a config	true	false	false	true	false	1
Change config ownership	true	true	false	true	false	1
Delete a config	true	false	false	true	false	1

### Secrets These operations are only relevant for Docker Swarm environments.

Operation	EA	OP	HD	ST	RO	Notes
View secrets	true	true	true	true	true	1
Create a secret	true	false	false	true	false
View secret details	true	true	true	true	true	1
Change secret ownership	true	true	false	true	false	1
Delete a secret	true	false	false	true	false	1

### Host These operations are only relevant for Docker Standalone environments.

Operation	EA	OP	HD	ST	RO	Notes
View host details	true	true	true	true	true

### Swarm These operations are only relevant for Docker Swarm environments.

Operation	EA	OP	HD	ST	RO	Notes
View cluster details	true	true	true	true	true

### Registries

Operation	EA	OP	HD	ST	RO	Notes
Read registry	true	true	true	true	true	1
Browse registry	true	true	true	true	true	1
Update repositories	true	true	true	true	false	5
Delete repositories	true	true	true	true	false	5

## Notes 1. Standard / Read only users (and Operators in the case of ownership operations) have permission only if they are given access to the resource. This can be inherited, for example inheriting a service from a stack. 2. This operation is only relevant for Swarm environments. 3. This operation can be affected by the following security settings ([Docker](https://docs.portainer.io/user/docker/host/setup#docker-security-settings), [Swarm](https://docs.portainer.io/user/docker/swarm/setup#docker-security-settings)): 1. **Disable privileged mode for non-administrators** 2. **Disable the use of host PID 1 for non-administrators** 3. **Disable device mappings for non-administrators** 4. **Disable container capabilities for non-administrators** 5. **Disable bind mounts for non-administrators** 4. This operation can be affected by the **Enable volume management for non-administrators** setting ([Docker](https://docs.portainer.io/user/docker/host/setup#enable-volume-management-for-non-administrators), [Swarm](https://docs.portainer.io/user/docker/swarm/setup#host-and-filesystem)), and requires the use of the Portainer Agent. 5. This operation can only be performed under the allowed registry.