Docker roles and permissions

This document describes the permission levels each RBAC role has within the Portainer application for both Docker Standalone and Docker Swarm environments. Refer to the linked notes for further requirements on each operation.

Role-Based Access Control is only available in Portainer Business Edition.

Legend

Abbreviation | Role name
EA | Environment Administrator
OP | Operator
HD | Helpdesk
ST | Standard user
RO | Read-only user

Roles and permissions

Templates

Operation | EA | OP | HD | ST | RO | Notes

View app templates

Deploy app templates

View custom templates

Create custom templates

Deploy custom templates

Edit custom templates

Change custom template ownership

Delete custom template

Stacks

Access to these operations can be affected by the Disable the use of Stacks for non-administrators security setting (Docker, Swarm).

Operation | EA | OP | HD | ST | RO | Notes

View stacks

Create a stack

Edit a stack

View stack details

Change stack ownership

Stop a stack

Start a stack

Duplicate a stack

Migrate a stack

Create template from a stack

Update service in stack (notes 1, 2)

Remove service from stack (notes 1, 2)

Delete a stack

Services

These operations are only relevant for Docker Swarm environments.

Operation | EA | OP | HD | ST | RO | Notes

View services

Create service

View service details

Edit service

Update service

Roll back service

View service logs

Change service ownership

Delete service

Containers

Operation | EA | OP | HD | ST | RO | Notes

View containers

Create container

Build an image from a container

View container details

Start container

Stop container

Kill container

Restart container

Pause container

Resume container

Edit container (notes 1, 3)

Duplicate container (notes 1, 3)

Recreate container (notes 1, 3)

Container console

Container attach

Join container to network

Remove container from network

View container logs

Change container ownership

Delete container

Images

Operation | EA | OP | HD | ST | RO | Notes

View images

Pull an image

Push an image

Build an image

Import an image

View image details

Add tag to image

Remove tag from image

Export image

Delete an image

Volumes

Operation | EA | OP | HD | ST | RO | Notes

View volumes

Create a volume

View volume details

Browse a volume (notes 1, 4)

Change volume ownership

Delete a volume

Networks

Operation | EA | OP | HD | ST | RO | Notes

View networks

Create a network

View network details

Change network ownership

Delete a network

Events

These operations are only relevant for Docker Standalone environments.

Operation | EA | OP | HD | ST | RO | Notes

View events

Configs

These operations are only relevant for Docker Swarm environments.

Operation | EA | OP | HD | ST | RO | Notes

View configs

Create a config

View config details

Clone a config

Change config ownership

Delete a config

Secrets

These operations are only relevant for Docker Swarm environments.

Operation | EA | OP | HD | ST | RO | Notes

View secrets

Create a secret

View secret details

Change secret ownership

Delete a secret

Host

These operations are only relevant for Docker Standalone environments.

Operation | EA | OP | HD | ST | RO | Notes

View host details

Swarm

These operations are only relevant for Docker Swarm environments.

Operation | EA | OP | HD | ST | RO | Notes

View cluster details

Registries

Operation | EA | OP | HD | ST | RO | Notes

Read registry

Browse registry

Update repositories

Delete repositories

Notes

  1. Standard / Read-only users (and Operators in the case of ownership operations) have permission only if they are given access to the resource. This access can be inherited, for example a service inheriting access from its stack.

  2. This operation is only relevant for Swarm environments.

  3. This operation can be affected by the following security settings (Docker, Swarm):

    1. Disable privileged mode for non-administrators

    2. Disable the use of host PID 1 for non-administrators

    3. Disable device mappings for non-administrators

    4. Disable container capabilities for non-administrators

    5. Disable bind mounts for non-administrators

  4. This operation can be affected by the Enable volume management for non-administrators setting (Docker, Swarm), and requires the use of the Portainer Agent.

  5. This operation can only be performed under the allowed registry.
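The five settings listed in note 3 each block one Docker container-create option for non-administrator roles. The following added example (not Portainer's own code, and not how Portainer implements these checks) models that policy as a check over a Docker Engine API container-create payload, so an operator can see which options each setting guards. Assumptions: the `HostConfig` field names (`Privileged`, `PidMode`, `Devices`, `CapAdd`, `Binds`, `Mounts`) are the Docker Engine API names; the setting keys, the sample payloads and the choice of which roles count as administrators (here only the Environment Administrator, `EA`) are constructed for this example.

```python
"""Model of the note-3 "for non-administrators" container restrictions.

Added example, not Portainer code. It evaluates a Docker Engine API
container-create body against five toggles that mirror the settings
named in note 3 and reports which restrictions the body would trip.
"""

# Constructed toggles mirroring the five note-3 settings (True = enabled).
DEFAULT_SETTINGS = {
    "disable_privileged_mode": True,
    "disable_host_pid": True,
    "disable_device_mappings": True,
    "disable_capabilities": True,
    "disable_bind_mounts": True,
}

# Assumption for this example: only EA is exempt from the restrictions.
ADMIN_ROLES = {"EA"}


def violations(create_body: dict, settings: dict = DEFAULT_SETTINGS) -> list[str]:
    """Return the names of the enabled restrictions that create_body violates.

    Field names follow the Docker Engine API HostConfig object.
    """
    hc = create_body.get("HostConfig") or {}
    found = []
    if settings["disable_privileged_mode"] and hc.get("Privileged"):
        found.append("privileged mode")
    # "Host PID 1" in note 3 is read here as sharing the host PID namespace.
    if settings["disable_host_pid"] and hc.get("PidMode") == "host":
        found.append("host PID namespace")
    if settings["disable_device_mappings"] and hc.get("Devices"):
        found.append("device mappings")
    if settings["disable_capabilities"] and hc.get("CapAdd"):
        found.append("added capabilities")
    if settings["disable_bind_mounts"]:
        # Bind mounts can arrive via the legacy Binds list or typed Mounts.
        binds = list(hc.get("Binds") or [])
        bind_mounts = [m for m in (hc.get("Mounts") or []) if m.get("Type") == "bind"]
        if binds or bind_mounts:
            found.append("bind mounts")
    return found


def is_allowed(role: str, create_body: dict, settings: dict = DEFAULT_SETTINGS) -> bool:
    """True if the role may submit create_body under the given settings."""
    if role in ADMIN_ROLES:
        return True
    return not violations(create_body, settings)


# Constructed sample payloads (not captured from a real environment).
SAMPLE_HARDENED = {
    "Image": "nginx:1.25",
    "HostConfig": {"Binds": [], "CapDrop": ["ALL"]},
}
SAMPLE_RISKY = {
    "Image": "busybox",
    "HostConfig": {
        "Privileged": True,
        "PidMode": "host",
        "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda",
                     "CgroupPermissions": "rwm"}],
        "CapAdd": ["SYS_ADMIN"],
        "Mounts": [{"Type": "bind", "Source": "/", "Target": "/host"}],
    },
}

if __name__ == "__main__":
    for name, body in (("hardened", SAMPLE_HARDENED), ("risky", SAMPLE_RISKY)):
        print(f"{name}: violations={violations(body)}")
        for role in ("EA", "OP", "HD", "ST", "RO"):
            print(f"  {role}: {'allowed' if is_allowed(role, body) else 'denied'}")
```

Running the script shows that the hardened payload passes for every role while the risky one is denied for every non-administrator role and accepted only for `EA`; flipping a toggle in `DEFAULT_SETTINGS` to `False` lets the corresponding option through, which is the behaviour the note describes for each setting when it is turned off.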