Fine-grained access control against Portainer and deployed resources

With the introduction of the Role-Based Access Control (RBAC) extension, it is now possible to further refine the access privileges available natively within Portainer through the addition of four new roles.

With a GUI-based tool like Portainer, you can leave the complex CLI commands behind and focus on delivering outstanding software. Portainer CE lets you skip the learning curve and get your Docker environments up and running quickly. Once you are up and running, Portainer CE gives you the tools (and the built-in knowledge of our experts) to keep your environments up.

Once licensed and enabled, the extension allows you to create fine-grained access for users across all resources and all endpoints defined within Portainer.

A role is a predefined set of privileges. Privileges define rights to perform actions. Users are assigned roles and each role has specific privileges. To assign privileges, you pair a user or team with a role and associate that pairing with an endpoint or endpoint group.

A single user or team can have different roles for different endpoints in the Portainer inventory.

The access control available with this extension is sophisticated and can become complex. Here is an example:

Assume that you have two endpoints defined in your inventory, Production and Development. You assign the Developers team the Endpoint Administrator role against Development, and the Helpdesk role against Production.

You then assign the IT Ops team the Endpoint Administrator role against Production, and the Helpdesk role against Development.

In an Agile team, there may be a developer who also needs rights to make changes in Production. In that instance, you can override the roles assigned to teams with a role assigned to a specific user. In this example, the user Bob, who is a member of the Developers team, could have the Endpoint Administrator role assigned to him (but not to the rest of his team) for Production.

Outside of these four roles, there is the built-in role of “Administrator” which is effectively a “Global Admin”. A user assigned this role has complete control over Portainer settings, and all resources on every endpoint under Portainer control.
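The example above can be modelled as a small access review. This is an added illustration, not Portainer code: the data structures, the function names, the accounts `admin`, Alice, Carol and Dave, and the choice to report a user who receives different roles from two teams as ambiguous are all assumptions, since the page does not say how that case is resolved.

```python
# Added illustration: data model and resolution order are assumptions,
# not Portainer's own storage format or code.
GLOBAL_ADMINS = {"admin"}                      # constructed account name
TEAMS = {                                      # Alice, Carol, Dave are constructed
    "Developers": {"Alice", "Bob", "Dave"},
    "IT Ops": {"Carol", "Dave"},
}
TEAM_ROLES = {                                 # (team, endpoint) -> role, from the example
    ("Developers", "Development"): "Endpoint Administrator",
    ("Developers", "Production"): "Helpdesk",
    ("IT Ops", "Production"): "Endpoint Administrator",
    ("IT Ops", "Development"): "Helpdesk",
}
USER_ROLES = {("Bob", "Production"): "Endpoint Administrator"}  # per-user override


def team_role(user, endpoint):
    """Role granted through team membership alone, as (role, source)."""
    roles = {TEAM_ROLES[(team, endpoint)]
             for team, members in TEAMS.items()
             if user in members and (team, endpoint) in TEAM_ROLES}
    if len(roles) > 1:
        # The page does not say which team wins; surface it for review instead.
        return "/".join(sorted(roles)), "ambiguous"
    return (roles.pop(), "team") if roles else (None, "none")


def effective_role(user, endpoint):
    """Global Administrator first, then a user assignment, then team roles."""
    if user in GLOBAL_ADMINS:
        return "Administrator", "global"
    if (user, endpoint) in USER_ROLES:
        return USER_ROLES[(user, endpoint)], "user"
    return team_role(user, endpoint)


def overrides(endpoint):
    """User assignments that differ from what the user's teams would grant."""
    return [(user, team_role(user, ep)[0], role)
            for (user, ep), role in sorted(USER_ROLES.items())
            if ep == endpoint and team_role(user, ep)[0] != role]


if __name__ == "__main__":
    for name in ("Alice", "Bob", "Carol", "Dave", "admin"):
        print(name, effective_role(name, "Production"))
    print("overrides:", overrides("Production"))
```

Listing the per-user overrides for each endpoint is a quick way to see which individuals hold more privilege than their team assignment would give them.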

Note: The Portainer RBAC Extension requires Portainer CE version 1.21.0 or later.

Take a closer look at what the new RBAC extension offers here

Extension subscriptions are available from the Extensions menu in the sidebar of the Portainer app. Alternatively, purchase a license for the RBAC extension here. The RBAC extension is licensed per Portainer instance per year. Upon completion of the purchase process, the appropriate license will be emailed automatically.

Portainer is unable to offer a trial license on this product. However, a 90-day money-back guarantee applies to all purchases.

To download the user guides for the RBAC extension, please click here

Available Roles

  • Endpoint Administrator: The Endpoint Administrator has complete control over the resources deployed within a given endpoint, but is not able to make any changes to the infrastructure that underpins an endpoint (i.e. no host management), nor able to make any changes to Portainer internal settings.
  • Helpdesk: The Helpdesk role has read-only access over the resources deployed within a given endpoint, but is not able to make any changes to any resource, open a console to a container, or make changes to a container’s volumes.
  • Standard User: The Standard User role has complete control over the resources that user deploys, or, if the user is a member of a team, complete control over resources that users of that team deploy.
  • Read-Only User: A Read-Only User has read-only access over the resources they are entitled to see (resources created by members of their team, and public resources).

