Overhauls the permission docs

Cleans up existing permission docs to make it easier to find information.
Explodes existing article into:
* Authentication and authorization
* Create and manage users
* Create and manage teams
* Permission levels

This closes #1331
Joao Fernandes 2016-06-16 16:39:05 -07:00
parent c1569ae65a
commit 2acf50e834
22 changed files with 502 additions and 199 deletions


@ -19,7 +19,7 @@ For this reason, when running docker commands on a UCP node, you need to
authenticate your request using client certificates. When trying to run docker authenticate your request using client certificates. When trying to run docker
commands without a valid certificate, you get an authentication error: commands without a valid certificate, you get an authentication error:
```bash ```markdown
$ docker ps $ docker ps
An error occurred trying to connect: Get https://ucp:443/v1.22/containers/json: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" when trying to verify candidate authority certificate "UCP Client Root CA") An error occurred trying to connect: Get https://ucp:443/v1.22/containers/json: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" when trying to verify candidate authority certificate "UCP Client Root CA")
@ -64,7 +64,7 @@ certificates as part of the request to the Docker Engine. You can now use the
`docker info` command to see if the certificates are being sent to the Docker `docker info` command to see if the certificates are being sent to the Docker
Engine. Engine.
```bash ```markdown
$ docker info $ docker info
Containers: 11 Containers: 11
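Review bot: the fence tags on the `docker ps` block and the `docker info` block change from `bash` to `markdown`, but both blocks are a terminal session (a `$`-prefixed command followed by its output), not Markdown; if the intent is to stop the highlighter mangling the command and the long x509 error line, a plain-text tag such as `none` or `text` says what the block actually is, whereas `markdown` misleads readers and any tooling that extracts code blocks by language.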


BIN
images/create-users-1.png Normal file


BIN
images/create-users-2.png Normal file


@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="690px" height="213px" viewBox="0 0 690 213" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 3.8.3 (29802) - http://www.bohemiancoding.com/sketch -->
<title>secure-your-infrastructure-1</title>
<desc>Created with Sketch.</desc>
<defs>
<rect id="path-1" x="0" y="7.10542736e-15" width="263" height="87" rx="2"></rect>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="263" height="87" fill="white">
<use xlink:href="#path-1"></use>
</mask>
<rect id="path-3" x="0" y="7.10542736e-15" width="263" height="87" rx="2"></rect>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="263" height="87" fill="white">
<use xlink:href="#path-3"></use>
</mask>
</defs>
<g id="Apps" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="secure-your-infrastructure-1">
<g id="apps" transform="translate(214.000000, 11.000000)">
<g id="billing" transform="translate(0.000000, 105.000000)">
<g id="label">
<use id="Rectangle-153" stroke="#C0C9CE" mask="url(#mask-2)" stroke-width="4" stroke-dasharray="5,5,5,5" fill="#FFFFFF" xlink:href="#path-1"></use>
<text id="com.docker.ucp.acces" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="6" y="16">com.docker.ucp.access.label = billing</tspan>
</text>
</g>
<g id="containers" transform="translate(27.000000, 32.000000)">
<path d="M40.25,0 L5.75,0 C2.5875,0 0,2.5875 0,5.75 L0,40.25 C0,43.4125 2.5875,46 5.75,46 L40.25,46 C43.4125,46 46,43.4125 46,40.25 L46,5.75 C46,2.5875 43.4125,0 40.25,0 L40.25,0 Z M40.25,40.25 L5.75,40.25 L5.75,5.75 L40.25,5.75 L40.25,40.25 L40.25,40.25 Z M31.625,14.375 L14.375,14.375 L14.375,31.625 L31.625,31.625 L31.625,14.375 L31.625,14.375 Z" id="container" fill="#00CBCA"></path>
<path d="M94.25,0 L59.75,0 C56.5875,0 54,2.5875 54,5.75 L54,40.25 C54,43.4125 56.5875,46 59.75,46 L94.25,46 C97.4125,46 100,43.4125 100,40.25 L100,5.75 C100,2.5875 97.4125,0 94.25,0 L94.25,0 Z M94.25,40.25 L59.75,40.25 L59.75,5.75 L94.25,5.75 L94.25,40.25 L94.25,40.25 Z M85.625,14.375 L68.375,14.375 L68.375,31.625 L85.625,31.625 L85.625,14.375 L85.625,14.375 Z" id="container-copy" fill="#00CBCA"></path>
<path d="M148.25,0 L113.75,0 C110.5875,0 108,2.5875 108,5.75 L108,40.25 C108,43.4125 110.5875,46 113.75,46 L148.25,46 C151.4125,46 154,43.4125 154,40.25 L154,5.75 C154,2.5875 151.4125,0 148.25,0 L148.25,0 Z M148.25,40.25 L113.75,40.25 L113.75,5.75 L148.25,5.75 L148.25,40.25 L148.25,40.25 Z M139.625,14.375 L122.375,14.375 L122.375,31.625 L139.625,31.625 L139.625,14.375 L139.625,14.375 Z" id="container-copy-2" fill="#00CBCA"></path>
<path d="M202.25,0 L167.75,0 C164.5875,0 162,2.5875 162,5.75 L162,40.25 C162,43.4125 164.5875,46 167.75,46 L202.25,46 C205.4125,46 208,43.4125 208,40.25 L208,5.75 C208,2.5875 205.4125,0 202.25,0 L202.25,0 Z M202.25,40.25 L167.75,40.25 L167.75,5.75 L202.25,5.75 L202.25,40.25 L202.25,40.25 Z M193.625,14.375 L176.375,14.375 L176.375,31.625 L193.625,31.625 L193.625,14.375 L193.625,14.375 Z" id="container-copy-3" fill="#00CBCA"></path>
<g id="container-copy-8">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-9" transform="translate(54.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-10" transform="translate(108.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-11" transform="translate(162.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
</g>
</g>
<g id="crm">
<g id="label">
<use id="Rectangle-153" stroke="#C0C9CE" mask="url(#mask-4)" stroke-width="4" stroke-dasharray="5,5,5,5" fill="#FFFFFF" xlink:href="#path-3"></use>
<text id="com.docker.ucp.acces" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="6" y="16">com.docker.ucp.access.label = crm</tspan>
</text>
</g>
<g id="containers" transform="translate(27.000000, 32.000000)">
<g id="container">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-4" transform="translate(54.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-5" transform="translate(108.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-6" transform="translate(162.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
</g>
</g>
</g>
</g>
</g>
</svg>
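Review bot: the label text in this figure reads `com.docker.ucp.access.label = billing` and `com.docker.ucp.access.label = crm` with spaces around `=`, while the page that embeds it writes the label as `com.docker.ucp.access.label=crm`; readers copy labels straight from the docs, so the figure should use the same spaceless form. Minor: the Sketch generator comment and `<desc>Created with Sketch.</desc>` are tool residue and can be dropped from the committed asset.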


@ -0,0 +1,147 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="690px" height="317px" viewBox="0 0 690 317" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 3.8.3 (29802) - http://www.bohemiancoding.com/sketch -->
<title>secure-your-infrastructure-2</title>
<desc>Created with Sketch.</desc>
<defs>
<rect id="path-1" x="0" y="7.10542736e-15" width="263" height="87" rx="2"></rect>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="263" height="87" fill="white">
<use xlink:href="#path-1"></use>
</mask>
<rect id="path-3" x="0" y="7.10542736e-15" width="263" height="87" rx="2"></rect>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="263" height="87" fill="white">
<use xlink:href="#path-3"></use>
</mask>
<rect id="path-5" x="0" y="0" width="690" height="317"></rect>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="690" height="317" fill="white">
<use xlink:href="#path-5"></use>
</mask>
</defs>
<g id="Apps" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="secure-your-infrastructure-2">
<g id="Group" transform="translate(68.000000, 26.000000)">
<g id="teams" transform="translate(312.000000, 0.000000)">
<g id="ops-team" transform="translate(189.000000, 0.000000)">
<path d="M26.5,26.5 C33.820625,26.5 39.75,20.5540625 39.75,13.25 C39.75,5.929375 33.820625,0 26.5,0 C19.179375,0 13.25,5.929375 13.25,13.25 C13.25,20.5540625 19.179375,26.5 26.5,26.5 L26.5,26.5 Z M26.5,33.125 C17.6721875,33.125 0,37.5471875 0,46.375 L0,53 L53,53 L53,46.375 C53,37.5471875 35.3278125,33.125 26.5,33.125 L26.5,33.125 Z" id="Shape-Copy" fill="#9967FF"></path>
<text font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="0" y="68">ops team</tspan>
</text>
</g>
<g id="billing-team" transform="translate(88.000000, 0.000000)">
<text font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="0" y="68">billing team</tspan>
</text>
<path d="M34.5,26.5 C41.820625,26.5 47.75,20.5540625 47.75,13.25 C47.75,5.929375 41.820625,0 34.5,0 C27.179375,0 21.25,5.929375 21.25,13.25 C21.25,20.5540625 27.179375,26.5 34.5,26.5 L34.5,26.5 Z M34.5,33.125 C25.6721875,33.125 8,37.5471875 8,46.375 L8,53 L61,53 L61,46.375 C61,37.5471875 43.3278125,33.125 34.5,33.125 L34.5,33.125 Z" id="Shape-Copy-2" fill="#00CBCA"></path>
</g>
<g id="crm-team">
<text font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="0" y="68">crm team</tspan>
</text>
<path d="M28.5,26.5 C35.820625,26.5 41.75,20.5540625 41.75,13.25 C41.75,5.929375 35.820625,0 28.5,0 C21.179375,0 15.25,5.929375 15.25,13.25 C15.25,20.5540625 21.179375,26.5 28.5,26.5 L28.5,26.5 Z M28.5,33.125 C19.6721875,33.125 2,37.5471875 2,46.375 L2,53 L55,53 L55,46.375 C55,37.5471875 37.3278125,33.125 28.5,33.125 L28.5,33.125 Z" id="Shape" fill="#1AAAF8"></path>
</g>
</g>
<g id="apps" transform="translate(0.000000, 72.000000)">
<g id="billing" transform="translate(0.000000, 105.000000)">
<g id="label">
<use id="Rectangle-153" stroke="#C0C9CE" mask="url(#mask-2)" stroke-width="4" stroke-dasharray="5,5,5,5" fill="#FFFFFF" xlink:href="#path-1"></use>
<text id="com.docker.ucp.acces" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="6" y="16">com.docker.ucp.access.label = billing</tspan>
</text>
</g>
<g id="containers" transform="translate(27.000000, 32.000000)">
<path d="M40.25,0 L5.75,0 C2.5875,0 0,2.5875 0,5.75 L0,40.25 C0,43.4125 2.5875,46 5.75,46 L40.25,46 C43.4125,46 46,43.4125 46,40.25 L46,5.75 C46,2.5875 43.4125,0 40.25,0 L40.25,0 Z M40.25,40.25 L5.75,40.25 L5.75,5.75 L40.25,5.75 L40.25,40.25 L40.25,40.25 Z M31.625,14.375 L14.375,14.375 L14.375,31.625 L31.625,31.625 L31.625,14.375 L31.625,14.375 Z" id="container" fill="#00CBCA"></path>
<path d="M94.25,0 L59.75,0 C56.5875,0 54,2.5875 54,5.75 L54,40.25 C54,43.4125 56.5875,46 59.75,46 L94.25,46 C97.4125,46 100,43.4125 100,40.25 L100,5.75 C100,2.5875 97.4125,0 94.25,0 L94.25,0 Z M94.25,40.25 L59.75,40.25 L59.75,5.75 L94.25,5.75 L94.25,40.25 L94.25,40.25 Z M85.625,14.375 L68.375,14.375 L68.375,31.625 L85.625,31.625 L85.625,14.375 L85.625,14.375 Z" id="container-copy" fill="#00CBCA"></path>
<path d="M148.25,0 L113.75,0 C110.5875,0 108,2.5875 108,5.75 L108,40.25 C108,43.4125 110.5875,46 113.75,46 L148.25,46 C151.4125,46 154,43.4125 154,40.25 L154,5.75 C154,2.5875 151.4125,0 148.25,0 L148.25,0 Z M148.25,40.25 L113.75,40.25 L113.75,5.75 L148.25,5.75 L148.25,40.25 L148.25,40.25 Z M139.625,14.375 L122.375,14.375 L122.375,31.625 L139.625,31.625 L139.625,14.375 L139.625,14.375 Z" id="container-copy-2" fill="#00CBCA"></path>
<path d="M202.25,0 L167.75,0 C164.5875,0 162,2.5875 162,5.75 L162,40.25 C162,43.4125 164.5875,46 167.75,46 L202.25,46 C205.4125,46 208,43.4125 208,40.25 L208,5.75 C208,2.5875 205.4125,0 202.25,0 L202.25,0 Z M202.25,40.25 L167.75,40.25 L167.75,5.75 L202.25,5.75 L202.25,40.25 L202.25,40.25 Z M193.625,14.375 L176.375,14.375 L176.375,31.625 L193.625,31.625 L193.625,14.375 L193.625,14.375 Z" id="container-copy-3" fill="#00CBCA"></path>
<g id="container-copy-8">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-9" transform="translate(54.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-10" transform="translate(108.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-11" transform="translate(162.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
</g>
</g>
<g id="crm">
<g id="label">
<use id="Rectangle-153" stroke="#C0C9CE" mask="url(#mask-4)" stroke-width="4" stroke-dasharray="5,5,5,5" fill="#FFFFFF" xlink:href="#path-3"></use>
<text id="com.docker.ucp.acces" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="6" y="16">com.docker.ucp.access.label = crm</tspan>
</text>
</g>
<g id="containers" transform="translate(27.000000, 32.000000)">
<g id="container">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-4" transform="translate(54.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-5" transform="translate(108.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-6" transform="translate(162.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
</g>
</g>
</g>
</g>
<g id="permissions" transform="translate(388.000000, 143.000000)">
<g id="permissions-copy-5" transform="translate(185.000000, 88.000000)" fill="#445D6E">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="permissions-copy-4" transform="translate(91.000000, 88.000000)" fill="#445D6E">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="permissions-copy-3" transform="translate(0.000000, 88.000000)" fill="#C0C9CE">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="permissions-copy-2" transform="translate(185.000000, 0.000000)" fill="#445D6E">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="permissions-copy" transform="translate(91.000000, 0.000000)" fill="#C0C9CE">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="Shape" fill="#445D6E">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z"></path>
</g>
</g>
<use id="border" stroke="#C0C9CE" mask="url(#mask-6)" stroke-width="2" xlink:href="#path-5"></use>
</g>
</g>
</svg>
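Review bot: the `permissions` group is a 3 by 2 grid of eye/pencil icons (three team columns, two label rows) that carry no text and differ only by fill, `#445D6E` versus `#C0C9CE`, so which team has which permission on which label is not legible without colour and the prose has to carry the whole meaning; a `<title>` or text label per icon, or a one-line caption in the page, would make the matrix readable. Same spacing issue as the first figure: `com.docker.ucp.access.label = crm` with spaces, against `com.docker.ucp.access.label=crm` in the text.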


@ -25,6 +25,6 @@ The UCP documentation includes the following topics:
* [Configuration](configuration/multi-host-networking.md) * [Configuration](configuration/multi-host-networking.md)
* [Monitor and troubleshoot](monitor/monitor-ucp.md) * [Monitor and troubleshoot](monitor/monitor-ucp.md)
* [High availability](high-availability/set-up-high-availability.md) * [High availability](high-availability/set-up-high-availability.md)
* [User management](user-management/manage-users.md) * [User management](user-management/authentication-and-authorization.md)
* [Applications](applications/deploy-app-ui.md) * [Applications](applications/deploy-app-ui.md)
* [Release notes](release_notes.md) * [Release notes](release_notes.md)


@ -0,0 +1,69 @@
<!--[metadata]>
+++
aliases = [ "/ucp/manage/monitor-manage-users/",
"/ucp/user-management/manage-users/"]
title = "Authentication and authorization"
description = "Learn how to manage permissions in Docker Universal Control Plane."
keywords = ["authorization, authentication, users, teams, UCP"]
[menu.main]
parent="mn_ucp_user_management"
identifier="ucp_manage_users"
weight=0
+++
<![end-metadata]-->
# Authentication and authorization
With Docker Universal Control Plane you get to control who can create and edit
resources like images, networks, volumes, and containers in your cluster.
By default no one can make changes to your cluster. You can then grant and
manage permissions to enforce fine-grained access control. For that:
* Start by creating a user and assigning them with a default permission.
Default permissions specify the permission a user has to create and edit
resources. You can choose from four permission levels that range from
no access to full control over the resources.
When a user only has a default permission assigned, only them and admin
users can see the containers they deploy in the cluster.
* Extend the user permissions by adding users to a team.
You can extend the user's default permissions by granting them fine-grain
permissions over containers. You do this by adding the user to a team.
A team defines the permissions users have for containers that have the label
`com.docker.ucp.access.label` applied to them.
## Users and teams
When users create a container with no label, that container is only visible to
them and administrator users.
For a team of users to be able to see and edit the same container, that
container needs to have the `com.docker.ucp.access.label` label applied.
![](../images/secure-your-infrastructure-1.svg)
In the example above, we have two sets of containers. One set has all containers
labeled with `com.docker.ucp.access.label=crm`, the other has all containers
labeled with `com.docker.ucp.access.label=billing`.
You can now create different teams, and tune the permission level each
team has for those containers.
![](../images/secure-your-infrastructure-2.svg)
As an example you can create three different teams:
* The team that's developing the CRM app has access to create and edit
containers with the label `com.docker.ucp.access.label=crm`.
* The team that's developing the Billing app, has access to create and edit
containers with the label `com.docker.ucp.access.label=billing`.
* And of course, the operations team has access to create and edit containers
with any of the two labels.
## Where to go next
* [Create and manage users](create-and-manage-users.md)
* [Create and manage teams](create-and-manage-teams.md)
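Review bot: the "Where to go next" list links only the users and teams pages, while the commit message also adds a "Permission levels" article and the teams page links `permission-levels.md`; this overview says there are "four permission levels" without naming or linking them, so the link belongs here too. The authorization boundary is also left underspecified: the page states that an unlabelled container is visible only to its creator and admins, and that a team's permissions apply to containers carrying `com.docker.ucp.access.label`, but not what happens when a user applies a label that none of their teams cover, or whether a user needs team permission on a label before they can set it on a container; since the label is what decides who can see and edit a container, that rule should be stated in this overview rather than left to the reader. Wording: "assigning them with a default permission" should be "assigning them a default permission"; "only them and admin users can see" should be "only they and admin users can see"; "fine-grain permissions" should be "fine-grained permissions"; "any of the two labels" should be "either of the two labels".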


@ -0,0 +1,73 @@
<!--[metadata]>
+++
title = "Create and manage teams"
description = "Learn how to create and manage user permissions, using teams in your Docker Universal Control Plane cluster."
keywords = ["authorize, authentication, users, teams, UCP, Docker"]
[menu.main]
parent="mn_ucp_user_management"
identifier="ucp_create_manage_teams"
weight=20
+++
<![end-metadata]-->
# Create and manage teams
You can extend the user's default permissions by granting them fine-grain
permissions over containers. You do this by adding the user to a team.
A team defines the permissions users have for containers that have the label
`com.docker.ucp.access.label` applied to them.
To create a new team, go to the **UCP web UI**, and navigate to the
**Users & Teams** page.
![](../images/create-and-manage-teams-1.png)
Click the **Create** button to create a new team.
![](../images/create-and-manage-teams-2.png)
Give a name to the team, and choose if the team is managed by UCP, or
discovered from an LDAP service:
* Managed: You'll manage the team and manually define the users that are part
of the team.
* Discovered: When integrating with an LDAP service, you can map a team to
an LDAP group. When a user is added to the LDAP group, it is automatically added
to the UCP team.
## Add users to a team
If you've created a managed team, you can now add and remove users from the
team.
Navigate to the **Members** tab, and click the **Add User to Team** button.
Then choose the list of users that you want to add to the team.
![](../images/create-and-manage-teams-3.png)
If you've created a discovered team, users are automatically added and removed
from the team the next time UCP synchronizes with the LDAP server.
## Manage team permissions
To manage the permissions of the team, click the **Permissions** tab.
Here you can specify a list of labels and the permission level users will have
for containers with those labels.
![](../images/create-and-manage-teams-4.png)
In the example above, members of the 'Operations' team have permissions to
create and edit containers that have the labels
`com.docker.ucp.access.label=crm` or `com.docker.ucp.access.label=billing`.
There are four permission levels available:
| Team permission level | Description |
|:----------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view containers with this label. |
| `View Only` | The user can view but can't create containers with this label. |
| `Restricted Control` | The user can view and create containers with this label. The user can't run `docker exec`, or containers that require privileged access to the host. |
| `Full Control` | The user can view and create containers with this label, without any restriction. |
## Where to go next
* [UCP permission levels](permission-levels.md)
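Review bot: The "Manage team permissions" section does not state how a team permission combines with the user's default permission level when the two differ, for example a user whose default level is `View Only` in a team granted `Full Control` over `com.docker.ucp.access.label=billing`, or a team set to `No Access` for a label the user could otherwise see; anyone configuring least-privilege access needs that precedence rule stated beside the table. The "Discovered" bullet also drops the fields the removed page documented for LDAP-backed teams (the group DN and the member attribute), so a reader cannot complete that dialog from this page alone. Wording: "fine-grain permissions" should be "fine-grained permissions".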


@ -0,0 +1,48 @@
<!--[metadata]>
+++
title = "Create and manage users"
description = "Learn how to create and manage users in your Docker Universal Control Plane cluster."
keywords = ["authorize, authentication, users, teams, UCP, Docker"]
[menu.main]
parent="mn_ucp_user_management"
identifier="ucp_create_manage_users"
weight=10
+++
<![end-metadata]-->
# Create and manage users
When using the UCP built-in authentication, you need to create users and
assign them with a default permission level so that they can access the
cluster.
To create a new user, go to the **UCP web UI**, and navigate to the
**Users & Teams** page.
![](../images/create-users-1.png)
Click the **Create User** button, and fill-in the user information.
![](../images/create-users-2.png)
Check the 'Is a UCP admin' option, if you want to grant permissions for the
user to change cluster configurations. Also, assign the user with a default
permission level.
Default permissions specify the permission a user has to create and edit
resources in the cluster. There are four permission levels:
| Default permission level | Description |
|:-------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view any resource, like volumes, networks, images, or containers. |
| `View Only` | The user can view volumes, networks and images, but can't create any containers. |
| `Restricted Control` | The user can view and edit volumes, networks, and images. They can create containers, but can't see other users containers, run `docker exec`, or run containers that require privileged access to the host. |
| `Full Control` | The user can view and edit volumes, networks, and images, They can create containers without any restriction, but can't see other users containers. |
[Learn more about the UCP permission levels](permission-levels.md). Finally,
click the **Create User** button, to create the user.
## Where to go next
* [Create and manage teams](create-and-manage-teams.md)
* [UCP permission levels](permission-levels.md)
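Review bot: The "Is a UCP admin" paragraph describes administrators only as users who can "change cluster configurations", but the removed page stated that administrators get full access to every Docker object in the cluster, through both the web UI and the client bundle; that is the consequence a reader ticking the box needs to see, especially since the table below says regular users cannot even see other users' containers. The four-row table is a verbatim copy of the one added to permission-levels.md in this same commit; keeping a single copy and linking to it avoids the two drifting apart. Typos: "fill-in" should be "fill in", "assign them with a default permission level" should be "assign them a default permission level", the `Full Control` row has "images, They" for "images. They", and both lower rows should read "other users' containers".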


@ -14,4 +14,7 @@ weight=70
This section includes the following topics: This section includes the following topics:
* [Manage users](manage-users.md) * [Authentication and authorization](authentication-and-authorization.md)
* [Create and manage users](create-and-manage-users.md)
* [Create and manage teams](create-and-manage-teams.md)
* [Permission levels](permission-levels.md)


@ -1,195 +0,0 @@
<!--[metadata]>
+++
aliases = [ "/ucp/manage/monitor-manage-users/"]
title = "Manage and authorize users"
description = "Manage and authorize users"
keywords = ["authorize, authentication, users, teams, UCP, Docker, objects"]
[menu.main]
parent="mn_ucp_user_management"
identifier="ucp_manage_users"
+++
<![end-metadata]-->
# Manage and authorize UCP users
This page explains how to manage users and authorize users within the UCP.
Managing users requires that you understand how to create users and combine them
into teams. Authorizing users requires that you understand how to apply roles
and create permissions within UCP. On this page, you learn to do both. You also
learn about the features and systems of UCP that support user management and
authorization.
## Understand user authorization
Users in UCP have two levels of authorization. They may have authorization to
manage UCP and they have authorization to access the Docker objects and
resources that UCP manages. You can authorize user to UCP manage UCP by enabling
the **IS A UCP ADMIN** in a user's **Account Details**.
![Account Details](../images/account_details.png)
Users that are UCP administrators have authorization to fully access all Docker
objects in your production system. This authorization is the granted both
whether access is through the GUI or the command line.
Users within UCP have *permissions* assigned to them by default. This authorizes
what a user can do to Docker resource such as volumes, networks, images, and
containers. UCP allows you define default permissions for a user when you create
that user. In this release of UCP, more granular access to just one object, the
container object, is possible through the use of teams.
The possible permissions are:
| Type | Description |
|:-------------------|:----------------------------------------------------------------------------------------------------------|
| No Access | Cannot access any resources. |
| View Only | Can view resources. This role grants the ability to view a container but not restart, kill, or remove it. |
| Restricted Control | Can edit resources. This role grants the ability to create, restart, kill, and remove containers. |
| Full Control | Can do anything possible to resources. This role grants full rights to all actions on containers. |
For containers only, you can extend the default access permissions with more
granular, role-based permissions. Docker Engine allows container creators to
apply arbitrary, descriptive strings called *labels* to a container. If you
define labels for use by container creators, you can leverage these
labels with UCP teams to configure role-based access to containers.
The general process for configuring role-based access to containers is:
* Identify one or more labels to apply to containers.
* Create one or more teams.
* Define a permission by combining a pre-identified label with a role value.
* Add users to the team.
* Ensure container creators use the pre-defined labels.
Once you configure it, users have this access through UCP and through their
interactions on the command line via the client bundle.
>**Note**: Users can by-pass all UCP authorization controls by logging into a UCP node via
standard SSH and addressing the Swarm cluster directly. For this reason, You
must be sure to secure network access to a cluster's nodes.
## Understand restricted control
Containers run as services on your network. Without proper knowledge, users can
launch a container with an insecure configuration. To reduce the risk of this
happening, the **Restricted Control** limits the options users can use when
launching containers.
A user with **Restricted Control** can create, restart, kill, or remove a
container. These users are can not `docker exec` into a container. Additionally,
**Restricted Control** prevents users from running a container with these
options:
| Prevented Option | Description |
|:---------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `--privileged` | A “privileged” container is given access to all devices. |
| `--cap-add` | The ability to expand the kernel-level capabilities a user or process has in a container. |
| host mounted volumes | Mount a volume from the host where the container is running. |
| `--ipc` | The ability to set a container's IPC (POSIX/SysV IPC) namespace mode. This provides separation of named shared memory segments, semaphores and message queues. mode |
| `--pid` | PID namespace provides separation of processes. The PID Namespace removes the view of the system processes, and allows process ids to be reused including pid 1. |
Users that attempt to create containers with these options receive an error message.
## Creating users on UCP
UCP offers two ways to create user accounts. You can manually create accounts
one-at-a-time or you can import users as a group into a team via UCP's LDAP
integration. To create an individual user, do the following:
1. Click **Users & Teams** from the UCP dashboard.
2. Click **Create User**.
![Create users](../images/create_user.png)
3. Complete the fields for the user.
The **DEFAULT PERMISSIONS** define the default access role a user has to all
the Docker objects and resources in the system. You can refine and extend access
on containers by adding a user to a **Team** later.
4. Click **Save** to create the user.
## Creating a team
UCP offers two ways to create teams. You can manually create teams one-at-a-time
or you can populate a team by importing multiple users via an LDAP or Active
Directory connection. The teams you populate one-at-a-time are **Managed** teams
meaning they contain only users managed by UCP.
Teams you create via an LDAP or Active Directory connection are known as
**Discovered** teams. To use LDAP or Active Directory, you must have already
configured the AUTH settings in UCP. When you create a **Discovered** team, the
system imports the members and applies the default authorization set in UCP's
**AUTH** settings. The value appears in the **DEFAULT PERMISSIONS FOR NEW
DISCOVERED ACCOUNTS** field.
![LDAP config](../images/ldap_access.png)
To create **Discovered** team with LDAP or Active Directory, do the following:
1. Login into UCP as a user with UCP ADMIN authorization.
2. Click **Users & Teams** from the UCP dashboard.
3. Click **Create a Team**.
The system displays the **Create Team** page. At this point, you decide what
**TYPE** of team you want to create. You can't change or convert the team
**TYPE** later.
4. Choose **Discovered** from the **TYPE** dropdown.
The system displays options for the **Discovered** team. Completing this
dialog requires that you have a basic understanding of LDAP or access to
someone who does.
5. Enter a **Name** for the team.
5. Enter an **LDAP DN** value.
This value is a distinguished name (DN) identify the group you want to
import. A distinguished name describes a position in an LDAP
directory information tree (DIT).
6. Enter a **LDAP MEMBER ATTRIBUTE** value.
This identifies the attribute you should use to retrieve the values.
![Create users](../images/save_team.png)
7. Save the team.
After a moment, the system creates a team with the users matching
your team specification.
![Match users](../images/match_list.png)
## Add permissions to a team
You can use a team to simply organize **Managed** users or to import/organize
**Discovered** users. Optionally, you can also add permissions to a the team.
Permissions are a combination of labels and roles you can apply to a team.
Permissions authorize users to act on containers with the matching labels
according to roles you define.
>**Note**: For correct application, you must ensure the labels exist on
containers deployed ins UCP.
To add **Permissions** to a team, do the following:
1. Select the team.
2. Choose **PERMISSIONS**.
3. Click **Add Label**.
![Add permission](../images/add_permission.png)
4. Click **Save**.
## Related information
To learn how to apply labels, see the how to [Apply custom
metadata](/engine/userguide/labels-custom-metadata.md)
Engine documentation.
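Review bot: Several points from this removed page do not reappear in any of the new files in this commit and should be carried over. (1) The `aliases = [ "/ucp/manage/monitor-manage-users/"]` front matter: none of the added pages declare an alias for that path or for manage-users.md itself, so existing links to both break. (2) The note that users can bypass all UCP authorization controls by logging into a node over SSH and addressing the Swarm cluster directly, together with the advice to secure network access to the cluster's nodes; it is the most important security caveat on the page and belongs in the new authentication-and-authorization.md or permission-levels.md. (3) The "Prevented Option" table (`--privileged`, `--cap-add`, host mounted volumes, `--ipc`, `--pid`) and the sentence that such requests are refused with an error message, which is the concrete definition of "containers that require privileged access to the host" used in the new `Restricted Control` rows. (4) The "Related information" link to the Engine labels documentation, which explains how to apply `com.docker.ucp.access.label` in the first place. The statement in "Creating a team" that a team's TYPE cannot be changed or converted after creation is also lost.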


@ -0,0 +1,64 @@
<!--[metadata]>
+++
title = "Permission levels"
description = "Learn about the permission levels available in Docker Universal Control Plane."
keywords = ["authorization, authentication, users, teams, UCP"]
[menu.main]
parent="mn_ucp_user_management"
identifier="ucp_permission_levels"
weight=30
+++
<![end-metadata]-->
# Permission levels
Docker Universal Control Plane has two types of users: administrators and
regular users. Administrators can make changes to the UCP cluster, while
regular users have permissions that range from no access to full control over
volumes, networks, images, and containers.
## Administrator users
In Docker UCP, only users with administrator privileges can make changes to
cluster settings. This includes:
* Managing user and team permissions,
* Managing cluster configurations like adding and removing nodes to the cluster.
## Default permission levels
Regular users can't change cluster settings, and they are assigned with a
default permission level.
The default permission level specify the permission a user has to access or
edit resources. You can choose from four permission levels that range from no
access to full control over the resources.
| Default permission level | Description |
|:-------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view any resource, like volumes, networks, images, or containers. |
| `View Only` | The user can view volumes, networks and images, but can't create any containers. |
| `Restricted Control` | The user can view and edit volumes, networks, and images. They can create containers, but can't see other users containers, run `docker exec`, or run containers that require privileged access to the host. |
| `Full Control` | The user can view and edit volumes, networks, and images, They can create containers without any restriction, but can't see other users containers. |
When a user only has a default permission assigned, only them and admin
users can see the containers they deploy in the cluster.
## Team permission levels
Teams allow you to define fine-grain permissions to containers that have the
label `com.docker.ucp.access.label` applied to them.
There are four permission levels:
| Team permission level | Description |
|:----------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view containers with this label. |
| `View Only` | The user can view but can't create containers with this label. |
| `Restricted Control` | The user can view and create containers with this label. The user can't run `docker exec`, or containers that require privileged access to the host. |
| `Full Control` | The user can view and create containers with this label, without any restriction. |
## Where to go next
* [Create and manage users](create-and-manage-users.md)
* [Create and manage teams](create-and-manage-teams.md)
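Review bot: The `Restricted Control` rows in both tables say the user cannot run "containers that require privileged access to the host" without defining what that covers; the removed manage-users.md listed the exact options that are refused (`--privileged`, `--cap-add`, host mounted volumes, `--ipc`, `--pid`) and that the attempt fails with an error message, and this page is the natural home for that list. The "Administrator users" section likewise omits that administrators can see and act on every user's containers, which the later sentence "only them and admin users can see the containers they deploy" already assumes. Grammar: "The default permission level specify" should be "specifies", "assigned with a default permission level" should be "assigned a default permission level", "only them and admin users" should be "only they and admin users", "fine-grain" should be "fine-grained", "other users containers" should be "other users' containers", and the trailing comma in "Managing user and team permissions," should go.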