Portainer Business includes a range of enhanced security, access control and identity management features, including Resource Quota Enforcement and Role-Based Access Control. Built on the highly secure open source platform, Portainer Business recognizes the increased security organizations need in operational and often critical environments.
Portainer users can either be created manually by a Portainer Administrator or auto-created if Portainer is configured with an external authentication source. When resources such as applications and volumes are created, the user is set as the owner and is prompted to define whether access is private, team or public. Users can be grouped into teams, with all members of a team able to collaborate with a shared view of the deployed resources.
External authentication sources, such as LDAP or OAuth, are a standard Portainer CE feature. For Portainer Business users, however, external authentication is extended and can be configured via a "click to configure" function, which supports MS AD, Azure AD, GitHub and Google Authentication.
External authentication can be set so that only users meeting pre-defined attributes are allowed to log in. It can also be configured to retrieve group membership information, which you can then use to auto-populate Portainer Teams based on the corresponding group membership.
Exclusive to Portainer Business, Resource Quota Enforcement functionality lets administrators define quotas against resource pools that users can then be assigned to. Quotas can include things like CPU, memory, storage and load balancers. When a user has deployed applications that consume their quota allocation, no additional applications can be deployed until an Administrator has increased the quota.
RBAC is another feature unique to Portainer Business. It provides users with the ability to associate a role with either a 'user' or a group of users (team). The associated role determines the rights and actions a user has against an endpoint. The roles are: endpoint admin, helpdesk, user, or read-only user. Roles can be inherited or overridden based on team membership.