Portainer Documentation
Official WebsiteGet 5 Nodes of BE Free
Search…
CE 2.11
Welcome
Release Notes
Getting Started
Introduction
Portainer architecture
Requirements and prerequisites
Install Portainer CE
Upgrading Portainer
Using Portainer
Home
Docker/Swarm
Kubernetes
Azure ACI
Edge Compute
Account settings
Administering Portainer
Users
Environments
Registries
Authentication logs
Settings
Frequently Asked Questions
Portainer Concepts
Installing
Upgrading
Troubleshooting
Contributing
Advanced Topics
CLI configuration options
App templates
The Portainer Edge Agent
Access control
Reset the admin user's password
Security and compliance
Using your own SSL certificate with Portainer
Using Portainer with reverse proxies
Helm chart configuration options
Deprecated and removed features
API
Accessing the Portainer API
API documentation
API usage examples
Get More Help
YouTube
Slack
Discord
Contribute to Portainer
Contribute
Build instructions
Powered By GitBook
Access control
All Docker and Docker Swarm resources (except images) deployed through Portainer have access control settings. You can set these when resources are deployed or at a later time. Resources deployed through a stack or a service will inherit the same access as the parent.

Resources deployed through Portainer

Access to administrators only

This is an example access control section, showing access control enabled. With these settings, only Portainer administrators will have access to the resource and any other resources created by it (for example, a stack that creates containers, services, volumes, networks and secrets).

Access to all users

This is an example access control section showing access control disabled. All Portainer users will have access to the resource and any resources created by it.

Access restricted to specific groups or users

This is an example access control section showing access control enabled in Restricted mode. After you select the Restricted option, you can select more teams and users and give them access to the resource.

Resources deployed outside of Portainer

Any resources deployed to Docker or Docker Swarm outside of Portainer will be marked as external and you will have limited control over these resources. By default, these resources will have administrator-only access, but you can enable access control using these labels (examples used, swap out for your own parameters):
Label
Access Granted
io.portainer.accesscontrol.public
All Portainer users have access to the resource. Takes precedence over team/user assignments.
io.portainer.accesscontrol.teams=dev,prod
Access restricted to teams dev and prod only. Can be used in conjunction with io.portainer.accesscontrol.users
io.portainer.accesscontrol.users=bob,adam
Access is restricted to users bob and adam only. Can be used in conjunction with io.portainer.accesscontrol.teams

Example 1

Deploy a stack using Docker Compose and restrict access to teams dev and prod:
1
version: '3.2'
2
services:
3
ltest:
4
image: busybox:latest
5
command: "ping localhost"
6
labels:
7
io.portainer.accesscontrol.teams: dev,prod
Copied!

Example 2

Deploy a stack using the Docker CLI and restrict access to team testers and users bob and adam:
1
version: '3.2'
2
services:
3
ltest:
4
image: busybox:latest
5
command: "ping localhost"
6
labels:
7
io.portainer.accesscontrol.teams: testers
8
io.portainer.accesscontrol.users: bob,adam
Copied!

Example 3

Deploy a container using the Docker CLI and make it accessible to all Portainer users:
1
docker run -d --label io.portainer.accesscontrol.public nginx:latest
Copied!

Example 4

Deploy a container using the Docker CLI and restrict access to teams dev and prod and users bob:
1
docker run -d --label io.portainer.accesscontrol.teams=dev,prod --label io.portainer.accesscontrol.users=bob nginx:latest
Copied!
Advanced Topics - Previous
The Portainer Edge Agent
Next - Advanced Topics
Reset the admin user's password
Last modified 6mo ago
Copy link
Edit on GitHub
Contents
Resources deployed through Portainer
Access to administrators only
Access to all users
Access restricted to specific groups or users
Resources deployed outside of Portainer
Example 1
Example 2
Example 3
Example 4