ROLE BASED ACCESS CONTROL (RBAC)

Fine-grained access control against Portainer and deployed resources

With the introduction of the Portainer.io Role-Based Access Control (RBAC) extension, it is now possible to further refine the access privileges available natively within Portainer through the addition of four new roles.

With a GUI-based tool like Portainer, you can leave the complex CLI commands behind and focus on delivering outstanding software. Portainer CE shortens the learning curve and gets your Docker environments up and running quickly. Once you are up and running, Portainer CE gives you the tools (and the built-in knowledge of our experts) to keep your environments up.

Once licensed and enabled, the extension allows you to create fine-grained access for users across all resources and all endpoints defined within Portainer.

A role is a predefined set of privileges. Privileges define rights to perform actions. Users are assigned roles and each role has specific privileges. To assign privileges, you pair a user or team with a role and associate that pairing with an endpoint or endpoint group.

A single user or team can have different roles for different endpoints in the Portainer inventory.

The access control available with this extension is sophisticated and can become complex. Here is an example:

Assume that you have two endpoints defined in your inventory, Production and Development. You assign the Developers team the Endpoint Administrator role against Development, and the Helpdesk role against Production.

You then assign the IT Ops team the Endpoint Administrator role against Production, and the Helpdesk role against Development.

In an Agile team, there may be a developer who also needs rights to make changes in Production. In that instance, you can override roles assigned to teams with a role assigned to a specific user. In this example, the user Bob, who is a member of the Developers team, could have the Endpoint Administrator role assigned to him (but not the rest of his team) for Production.

Outside of these four roles, there is the built-in role of “Administrator” which is effectively a “Global Admin”. A user assigned this role has complete control over Portainer settings, and all resources on every endpoint under Portainer control.
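
The Production/Development scenario above can be modelled in a few lines to check who ends up with which role and to list per-user overrides for review. This is an added Python illustration, not Portainer code or its API: the class and method names and the users alice and carol are made up for the example, and where a user belongs to several teams it returns every inherited role, because the page does not say how those combine.

```python
# Added illustration: models the assignment rules described on this page.
# It is not Portainer code and does not call any Portainer API.
ROLES = {"Endpoint Administrator", "Helpdesk", "Standard User", "Read-Only User"}


class Assignments:
    def __init__(self, teams, global_admins=()):
        self.teams = {t: set(m) for t, m in teams.items()}  # team -> members
        self.global_admins = set(global_admins)  # built-in "Administrator" role
        self.user_roles = {}                     # (user, endpoint) -> role
        self.team_roles = {}                     # (team, endpoint) -> role

    def assign(self, kind, name, endpoint, role):
        if kind not in ("user", "team"):
            raise ValueError(f"unknown assignee kind: {kind}")
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        table = self.user_roles if kind == "user" else self.team_roles
        table[(name, endpoint)] = role

    def team_derived(self, user, endpoint):
        """Roles the user inherits on this endpoint through team membership."""
        return {role for (team, ep), role in self.team_roles.items()
                if ep == endpoint and user in self.teams.get(team, ())}

    def effective(self, user, endpoint):
        """Return (source, roles); a user-level role overrides team roles."""
        if user in self.global_admins:
            return ("global", {"Administrator"})
        if (user, endpoint) in self.user_roles:
            return ("user", {self.user_roles[(user, endpoint)]})
        roles = self.team_derived(user, endpoint)
        return ("team", roles) if roles else ("none", set())

    def overrides(self):
        """User-level assignments that differ from what the team would give."""
        return sorted((u, ep, role, sorted(self.team_derived(u, ep)))
                      for (u, ep), role in self.user_roles.items()
                      if {role} != self.team_derived(u, ep))


# Constructed sample data mirroring the Production/Development example above.
# "alice" and "carol" are made-up users; only Bob is named on the page.
policy = Assignments({"Developers": ["bob", "alice"], "IT Ops": ["carol"]})
policy.assign("team", "Developers", "Development", "Endpoint Administrator")
policy.assign("team", "Developers", "Production", "Helpdesk")
policy.assign("team", "IT Ops", "Production", "Endpoint Administrator")
policy.assign("team", "IT Ops", "Development", "Helpdesk")
policy.assign("user", "bob", "Production", "Endpoint Administrator")
```

Calling `policy.overrides()` lists each per-user exception next to the role the team would otherwise have given, which is the set worth reviewing periodically.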

The Portainer Role Based Access Control extension is available for only US$9.95 per year. The subscription is available from the Extensions menu in the sidebar of the Portainer app. Upon completion of the purchase process the appropriate license will be emailed automatically.

Note: The Portainer RBAC Extension requires Portainer CE version 1.21.0 or later.

Take a closer look at what the new RBAC extension offers here

Purchase a license for the RBAC extension here

To download the user guides for the RBAC extension, please click here

Available Roles

  • Endpoint Administrator: The Endpoint Administrator has complete control over the resources deployed within a given endpoint, but is not able to make any changes to the infrastructure that underpins an endpoint (i.e., no host management), nor able to make any changes to Portainer internal settings.
  • Helpdesk: The Helpdesk role has read-only access over the resources deployed within a given endpoint, but is not able to make any changes to any resource, open a console to a container, or make changes to a container’s volumes.
  • Standard User: The Standard User role has complete control over the resources that user deploys, or, if the user is a member of a team, complete control over resources that users of that team deploy.
  • Read-Only User: A Read-Only User has read-only access over the resources they are entitled to see (resources created by members of their team, and public resources).
