diff --git a/_data/toc.yaml b/_data/toc.yaml index 55e17e977a..66e00a6473 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml 
@@ -1902,6 +1902,64 @@ manuals: - path: /scout/advisory-db-sources/ title: Advisory Database +- sectiontitle: Docker Admin (Early Access) + section: + - path: /admin/ + title: Overview + - sectiontitle: Company administration + section: + - path: /admin/company/ + title: Overview + - path: /admin/company/organizations/ + title: Manage organizations + - path: /admin/company/users/ + title: Manage users + - path: /admin/company/owners/ + title: Manage company owners + - sectiontitle: Settings + section: + - path: /admin/company/settings/sso/ + title: Single Sign-On overview + - path: /admin/company/settings/sso-configuration/ + title: Configure Single Sign-On + - path: /admin/company/settings/sso-management/ + title: Manage Single Sign-On + - path: /admin/company/settings/scim/ + title: SCIM + - path: /admin/company/settings/group-mapping/ + title: Group mapping + - path: /admin/company/settings/sso-faq/ + title: Single Sign-On FAQs + - sectiontitle: Organization administration + section: + - path: /admin/organization/ + title: Overview + - path: /admin/organization/members/ + title: Manage members + - path: /admin/organization/activity-logs/ + title: Activity logs + - path: /admin/organization/image-access/ + title: Image Access Management + - path: /admin/organization/registry-access/ + title: Registry Access Management + - path: /admin/organization/general-settings/ + title: General settings + - sectiontitle: Security settings + section: + - path: /admin/organization/security-settings/sso/ + title: Single Sign-On overview + - path: /admin/organization/security-settings/sso-configuration/ + title: Configure Single Sign-On + - path: /admin/organization/security-settings/sso-management/ + title: Manage Single Sign-On + - path: /admin/organization/security-settings/scim/ + title: SCIM + - path: /admin/organization/security-settings/group-mapping/ + title: Group mapping + - path: /admin/organization/security-settings/sso-faq/ + title: Single Sign-On FAQs + + - 
sectiontitle: Administration and security section: - path: /docker-hub/admin-overview/ diff --git a/_includes/admin-company-overview.md b/_includes/admin-company-overview.md new file mode 100644 index 0000000000..15923850c4 --- /dev/null +++ b/_includes/admin-company-overview.md @@ -0,0 +1,15 @@ +A company provides a single point of visibility across multiple organizations. This view simplifies the management of Docker organizations and settings. It's available to Docker Business subscribers. + +The following diagram depicts the setup of a company and how it relates to associated organizations. + +{: width="700px" } + +## Key features + +With a company, administrators can: + +- View and manage all nested organizations and configure settings centrally. +- Carefully control access to the company and company settings. +- Have up to ten unique users assigned the company owner role without occupying a purchased seat. +- Configure SSO and SCIM for all nested organizations. +- Enforce SSO for all users in the company. \ No newline at end of file diff --git a/_includes/admin-early-access.md b/_includes/admin-early-access.md new file mode 100644 index 0000000000..bd8f536572 --- /dev/null +++ b/_includes/admin-early-access.md @@ -0,0 +1,5 @@ +> **Early Access** +> +> Docker Admin is an [early access](/release-lifecycle#early-access-ea) product. +> +> Docker is releasing it using an incremental roll-out strategy. It's currently available to some company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see [Administration and security](/docker-hub/admin-overview/). \ No newline at end of file diff --git a/_includes/admin-group-mapping.md b/_includes/admin-group-mapping.md new file mode 100644 index 0000000000..f58c8b0b3e --- /dev/null +++ b/_includes/admin-group-mapping.md 
@@ -0,0 +1,41 @@ +With directory group-to-team provisioning from your IdP, user updates will automatically sync with your Docker organizations and teams. + +To correctly assign your users to Docker teams, you must create groups in your IDP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers” in Docker, and your organization name is “moby,” you must create a group in your IdP with the name “moby:developers”. + +Once you enable group mappings in your connection, users assigned to that group in your IdP will automatically be added to the team “developers” in Docker. + +>**Tip** +> +>Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, a group is created if it doesn’t already exist. +{: .tip} + +## How group mapping works + +IdPs share with Docker the main attributes of every authorized user through SSO, such as email address, name, surname, and groups. These attributes are used by Just-In-Time (JIT) Provisioning to create or update the user’s Docker profile and their associations with organizations and teams on Docker Hub. + +Docker uses the email address of the user to identify them on the platform. Every Docker account must have a unique email address at all times. + +After every successful SSO sign-in authentication, the JIT provisioner performs the following actions: + +1. Checks if there's an existing Docker account with the email address of the user that just authenticated. + + a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). The JIT provisioner generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform. 
+ + b) If an account exists for this email address, it uses this account and updates the full name of the user’s profile if needed. +2. Checks if the IdP shared group mappings while authenticating the user. + + a) If the IdP provided group mappings for the user, the user gets added to the organizations and teams indicated by the group mappings. + + b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user is not a member, it adds the user to the default team and organization configured in the SSO connection. + + + +## Use group mapping + +To take advantage of group mapping, follow the instructions provided by your IdP: + +- [Okta](https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm){: target="_blank" rel="noopener" class="_" } +- [Azure AD](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes){: target="_blank" rel="noopener" class="_" } +- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" } + +Once complete, a user who signs in to Docker through SSO is automatically added to the organizations and teams mapped in the IdP. \ No newline at end of file diff --git a/_includes/admin-org-audit-log-events.md b/_includes/admin-org-audit-log-events.md new file mode 100644 index 0000000000..5fb3c5e957 --- /dev/null +++ b/_includes/admin-org-audit-log-events.md 
@@ -0,0 +1,48 @@ +## Event definitions + +Refer to the following section for a list of events and their descriptions: + +### Organization events + +| Event | Description | +|:------------------------------------------------------------------|:------------------------------------------------| +| Team Created | Activities related to the creation of a team | +| Team Updated | Activities related to the modification of a team | +| Team Deleted | Activities related to the deletion of a team | +| Team Member Added | Details of the member added to your team | +| Team Member Removed | Details of the member removed from your team | +| Team Member Invited | Details of the member invited to your team | +| Organization Member Added | Details of the member added to your organization | +| Organization Member Removed | Details about the member removed from your organization | +| Organization Created | Activities related to the creation of a new organization | +| Organization Settings Updated | Details related to the organization setting that was updated | +| Registry Access Management enabled | Activities related to enabling Registry Access Management | +| Registry Access Management disabled | Activities related to disabling Registry Access Management | +| Registry Access Management registry added | Activities related to the addition of a registry | +| Registry Access Management registry removed | Activities related to the removal of a registry | +| Registry Access Management registry updated | Details related to the registry that was updated | +| Single Sign-On domain added | Details of the single sign-on domain added to your organization | +| Single Sign-On domain removed | Details of the single sign-on domain removed from your organization | +| Single Sign-On domain verified | Details of the single sign-on domain verified for your organization | + +### Repository events + +| Event | Description | 
+|:------------------------------------------------------------------|:------------------------------------------------| +| Repository Created | Activities related to the creation of a new repository | +| Repository Deleted | Activities related to the deletion of a repository | +| Privacy Changed | Details related to the privacy policies that were updated | +| Tag Pushed | Activities related to the tags pushed | +| Tag Deleted | Activities related to the tags deleted | + +### Billing events + +| Event | Description | +|:------------------------------------------------------------------|:------------------------------------------------| +| Plan Upgraded | Occurs when your organization’s billing plan is upgraded to a higher tier plan.| +| Plan Downgraded | Occurs when your organization’s billing plan is downgraded to a lower tier plan. | +| Seat Added | Occurs when a seat is added to your organization’s billing plan. | +| Seat Removed | Occurs when a seat is removed from your organization’s billing plan. | +| Billing Cycle Changed | Occurs when there is a change in the recurring interval that your organization is charged.| +| Plan Downgrade Canceled | Occurs when a scheduled plan downgrade for your organization is canceled.| +| Seat Removal Canceled | Occurs when a scheduled seat removal for an organization’s billing plan is canceled. | \ No newline at end of file diff --git a/_includes/admin-org-overview.md b/_includes/admin-org-overview.md new file mode 100644 index 0000000000..13f7ad2d34 --- /dev/null +++ b/_includes/admin-org-overview.md 
@@ -0,0 +1,16 @@ +An organization in Docker is a collection of teams and repositories +that can be managed together. A team is a group of Docker members that belong to an organization. +An organization can have multiple teams. + +Docker users become members of an organization +when they are assigned to at least one team in the organization. When you first +create an organization, you have one team, the "owners" team, that has a single member. An organization owner is someone that is part of the +owners team. They can create new teams and add +members to an existing team using their Docker ID or email address and by +selecting a team the user should be part of. An organization owner can also add +additional owners to help them manage users, teams, and repositories in the +organization. + +The following diagram depicts the setup of an organization and how it relates to teams. + +{: width="700px" } \ No newline at end of file diff --git a/_includes/admin-scim.md b/_includes/admin-scim.md new file mode 100644 index 0000000000..28531431f8 --- /dev/null +++ b/_includes/admin-scim.md 
@@ -0,0 +1,21 @@ +This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers. + +SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker Hub and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker Hub and added to the organization or company. + +Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker Hub. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the user’s first name and last name. + +The following provisioning features are supported: + - Creating new users + - Push user profile updates + - Remove users + - Deactivate users + - Re-activate users + - Group mapping + +The table below lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members. + +| Attribute | Description +|:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------| +| username | Unique identifier of the user (email) | +| givenName | User’s first name | +| familyName |User’s surname | \ No newline at end of file diff --git a/_includes/admin-sso-faq.md b/_includes/admin-sso-faq.md new file mode 100644 index 0000000000..35733a80f7 --- /dev/null +++ b/_includes/admin-sso-faq.md @@ -0,0 +1,308 @@ +
+Learn how to manage organizations and seats within your company.
+Explore how to manage users in all organizations.
+Find out more about company owners and how to manage them.
+Discover how to configure SSO for your entire company.
+Set up SCIM to automatically provision and deprovision users in your company.
+Explore how to manage a company in Docker Admin.
+Learn about organization administration in Docker Admin.
+Explore how to manage members.
+Learn how to audit the activities of your members.
+Control which types of images your developers can pull.
+Define which registries your developers can access.
+Configure general information that Docker Hub displays on your organization's landing page.
+Set up Single Sign-On and SCIM for your organization.
+
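Review bot: In `_includes/admin-company-overview.md` and `_includes/admin-org-overview.md`, the `{: width="700px" }` attribute list has no image line visible before it in the hunk; confirm the `![alt](path)` reference it is meant to style is present, otherwise kramdown renders the attribute list as literal text. In the company overview, the bullet "Have up to ten unique users assigned the company owner role without occupying a purchased seat" is worth one sentence on what that role grants, since the preceding bullets make company owners the people who control access to the company and configure SSO and SCIM for every nested organization.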
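Review bot: In `_includes/admin-group-mapping.md`, the JIT provisioning steps only describe adding users to organizations and teams (steps 2a and 2b), while the opening sentence promises that "user updates will automatically sync"; state explicitly whether removing a user from an IdP group also removes them from the mapped Docker team, because an administrator relying on group mapping for access revocation needs to know that. Also "create groups in your IDP" should read "IdP" to match the rest of the page, and the example `"developers”` mixes a straight and a curly quote; use one style throughout, e.g. `"moby:developers"`.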
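Review bot: In `_includes/admin-org-audit-log-events.md`, the organization events table records Single Sign-On domain added/removed/verified and Registry Access Management changes, but lists no event for enabling or disabling SSO enforcement, SCIM, or Image Access Management, which are the settings changes an auditor most needs to see; if those are logged (for example under "Organization Settings Updated"), say so in that row's description, and if they are not, note the gap. Minor: "Details about the member removed from your organization" should read "Details of the member…" for consistency with the other rows.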
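Review bot: In `_includes/admin-scim.md`, "your attribute mappings must match for SSO to prevent duplicating your members" is too vague to act on: say what must match, i.e. that the SCIM `username` attribute must carry the same email address the user signs in with through SSO, given that the table defines `username` as the unique identifier of the user (email). The feature list also mixes verb forms ("Creating new users" beside "Push user profile updates"); use one form. The table header `| Attribute | Description` is missing its closing `|`.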