ROLE BASED ACCESS CONTROL (RBAC)

Advanced access control for Portainer users and administrators

Portainer’s RBAC extension enables organisations of any size to manage access to Portainer for both internal and external resources. You control the level of access each user needs for the tasks and roles they need to perform – all managed remotely, in real-time, by a global administrator.

RBAC enables organisations to delegate roles within Portainer to appropriate users or teams based on:

  • The skills they have
  • the environment they are related to
  • or the endpoints they are responsible for.

RBAC roles in Portainer

RBAC also enables the comprehensive “nesting” of roles, so even the most complex organisational structure can be securely managed within Portainer.

There are four pre-defined roles covering almost every use case. They range from full control, to access to resources assigned to a user or their team, down to ‘read-only’ access across an environment. You can learn more about the defined roles on the RBAC product page.

How to get the RBAC Extension

If you have Portainer CE version 1.21.0 or above you can access the RBAC extension from the sidebar in the Portainer app or from the RBAC product page.

The product page also includes a more detailed description of RBAC and its licensing terms. For an even more technical overview, download the user guides for the RBAC extension.

RBAC At Work

An example of the sophisticated access control with Portainer RBAC:

Assume you have two endpoints defined in your inventory, Production and Development. You assign:

  • The Developers team the Endpoint Administrator role against Development,
  • The Helpdesk role against Production.

You then assign the IT Ops team:

  • The Endpoint Administrator role against Production
  • The Helpdesk role against Development.

As it’s an Agile team, a developer may need rights to make changes in Production. In that instance, the roles assigned to teams are overridden with a role assigned to a specific user. In this case Bob has an Endpoint Administrator role assigned to him for Production (but not the rest of his team).

Managing these roles is the “Administrator” (effectively a “Global Admin”) with complete control over the settings and resources on every endpoint under Portainer control.

rbac-example

Portainer Business Support

Take advantage of our cost effective support options to keep your Portainer environments running smoothly

Learn more

Portainer Extension Software

Add a range of advanced capability through Portainer Extensions

Learn more

Technical Documentation

Access the detailed function reference here

Learn more