Business Edition - Custom RBAC roles

Open huib-portainer opened this issue 4 years ago • 6 comments

Is your feature request related to a problem? Please describe.
Currently the RBAC roles are limited to the built-in roles: https://docs.portainer.io/v/be-2.10/admin/users/roles#built-in-roles

This works as follows: [image]

Describe the solution you'd like
Allow administrators to define custom roles.

Adding or editing a custom role: [image]

To add a new role for Docker: [image]

The “All resources in an endpoint” vs “Resources assigned to an individual/team“ determines if the role is for all resources in an environment, or only the ones that are explicitly assigned to a Portainer user.

There is a different tab for Docker, Kubernetes, ACI etc.

The different levels portrayed by the radio buttons are accumulative. So Operate implies both the Read and Operate permissions. And Create includes Read, Operate and Update permissions.

The default selection for the radio buttons is Read.

The quick select “Set all below“ sets all radio buttons below it to what the user selected in the button group. If a certain group of radio buttons doesn’t have the same level, we pick the one with less access. E.g. if the user sets all to Operator, we’ll select Read for the docker secret.

Kubernetes example: [image]

ACI example: [image]

huib-portainer avatar Dec 30 '21 04:12 huib-portainer
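The post above describes two rules that are easy to get wrong in an RBAC implementation: levels are cumulative (Operate implies Read, Create implies Read, Operate and Update), and the "Set all below" quick select must fall back to the nearest lower level when a resource's radio group does not offer the chosen one. The following is an added example written for this thread, not Portainer's code: it models those rules together with the "all resources" vs "resources assigned to an individual/team" scope, and shows how a role limited to start/stop/restart on a user's own containers (the case later comments ask for) would be evaluated. The resource types, the set of levels each one offers, and the action-to-level table are constructed for illustration; only the level names and the secret example come from the post.

```python
from enum import IntEnum


class Level(IntEnum):
    """Cumulative levels from the post: each level implies all lower ones."""
    READ = 1
    OPERATE = 2
    UPDATE = 3
    CREATE = 4


DEFAULT_LEVEL = Level.READ  # the post says the default radio selection is Read

# Which levels the radio group for each Docker resource type offers.
# Constructed for illustration; the post only states that some groups lack a
# level (its example: a docker secret has no Operate level).
AVAILABLE_LEVELS = {
    "container": [Level.READ, Level.OPERATE, Level.UPDATE, Level.CREATE],
    "image":     [Level.READ, Level.CREATE],
    "secret":    [Level.READ, Level.CREATE],
}

# Minimum level each (resource, action) pair requires. Constructed mapping,
# not Portainer's; destructive actions are gated at the top level here.
ACTION_MIN_LEVEL = {
    ("container", "inspect"): Level.READ,
    ("container", "start"):   Level.OPERATE,
    ("container", "stop"):    Level.OPERATE,
    ("container", "restart"): Level.OPERATE,
    ("container", "remove"):  Level.CREATE,
    ("image", "pull"):        Level.CREATE,
    ("image", "remove"):      Level.CREATE,
    ("secret", "inspect"):    Level.READ,
}


class CustomRole:
    def __init__(self, name, scope="assigned"):
        # scope "all": every resource in the environment
        # scope "assigned": only resources assigned to the user or their team
        self.name = name
        self.scope = scope
        self.levels = {}  # resource type -> Level

    def level_for(self, resource):
        return self.levels.get(resource, DEFAULT_LEVEL)

    def set_level(self, resource, level):
        """Single radio button: reject levels the group does not offer."""
        if level not in AVAILABLE_LEVELS[resource]:
            raise ValueError(f"{level.name} is not offered for {resource}")
        self.levels[resource] = level

    def set_all_below(self, chosen):
        """'Set all below' quick select: give every resource the chosen level,
        or the nearest lower level the group offers (Operate -> Read for a
        secret, as in the post)."""
        for resource, offered in AVAILABLE_LEVELS.items():
            candidates = [lvl for lvl in offered if lvl <= chosen]
            self.levels[resource] = max(candidates) if candidates else min(offered)


def is_allowed(role, user, resource, action, owner):
    """Authorization decision for one request. `owner` is the user the
    resource is assigned to; unknown actions are denied by default."""
    if role.scope == "assigned" and owner != user:
        return False
    needed = ACTION_MIN_LEVEL.get((resource, action))
    if needed is None:
        return False
    return role.level_for(resource) >= needed


if __name__ == "__main__":
    role = CustomRole("own-container-ops")  # scope defaults to "assigned"
    role.set_all_below(Level.OPERATE)
    for resource in AVAILABLE_LEVELS:
        print(resource, role.level_for(resource).name)
    print("alice restarts own container:",
          is_allowed(role, "alice", "container", "restart", owner="alice"))
    print("alice removes own container:",
          is_allowed(role, "alice", "container", "remove", owner="alice"))
    print("alice restarts bob's container:",
          is_allowed(role, "alice", "container", "restart", owner="bob"))
```

Because the levels are an ordered enum, `allows` reduces to a single comparison, so there is no hand-written list of implied permissions to drift out of sync with the UI. The fallback in `set_all_below` always chooses the lower of the two neighbouring levels, never the higher one, which matches the post's "pick the one with less access" rule.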

How about https://github.com/portainer/portainer/issues/5402 for Kubernetes Custom role? Would provide much more fine grained control especially for Kube Proxy side of things.

samdulam avatar Jan 11 '22 03:01 samdulam

I upvote this.

Yesterday I had my first contact with the roles in portainer and it did not take many minutes before I was looking for a way to add my own custom roles, because the factory ones did not satisfy. Because I did not find a way to do that, I started googling and found this smart request.

I would add that on the main roles page it should be possible to add, delete, edit and clone a role. I don't know if the following would make sense, but instead of radio buttons, use checkboxes to set up the permissions.

BTW, in my test drive with roles yesterday I was able to force delete another user's image of a stopped container as a standard user. I think that should not have been possible. Actually I would have expected to not even see other users' images.

geigervibe avatar Mar 05 '22 14:03 geigervibe

I was able to force delete another user's image of a stopped container as a standard user

That will actually be fixed in the 2.12.0 release. The release notes for that are:

Standard users will no longer be able to remove or export images. Also, Operators, Help Desk, and read-only users will no longer be able to export images.

huib-portainer avatar Mar 06 '22 19:03 huib-portainer

+1 from me here. I need to give users the ability to start/stop/restart their own container and nothing more.

BenHippynet avatar Mar 28 '22 02:03 BenHippynet

Another upvote from me. I just noticed that a standard user can remove a container but not recreate it; at least the button is missing in the user's dashboard. From my point of view, that makes no sense at all. It should be the other way around: if there is to be a meaningful restriction, then the user may recreate a new container and pull the latest image, but not remove the container.

geigervibe avatar Apr 01 '22 14:04 geigervibe

count with plus 1 vote, please

wil-m avatar Jul 12 '22 08:07 wil-m

Are there any updates on this?

bduff-walleye avatar Oct 05 '22 16:10 bduff-walleye

+1

glauberferreira avatar Oct 14 '22 10:10 glauberferreira

+1 from me here. I need to give users the ability to start/stop/restart their own container and nothing more.

+1. Even a new built-in role that covers exactly this case would be sufficient.

CM2Walki avatar Apr 05 '23 17:04 CM2Walki

+1

mcc-mcannizzaro avatar Jul 05 '23 00:07 mcc-mcannizzaro