security: update OATs UI flow (#22197)

## Description
- small update for new OATs scopes, impacts existing UI flow

## Related issues or tickets
- [ENGDOCS-2476](https://docker.atlassian.net/browse/ENGDOCS-2476)

## Reviews
- [ ] Editorial review

[ENGDOCS-2476]:
https://docker.atlassian.net/browse/ENGDOCS-2476?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

---------

Co-authored-by: Craig Osterhout <103533812+craig-osterhout@users.noreply.github.com>
Sarah Sanders 2025-03-11 13:33:24 -04:00 committed by GitHub
parent 7bfeddc570
commit 8aa7128a74
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed file with 35 additions and 27 deletions


@ -15,14 +15,11 @@ params:
> [!WARNING]
>
> Organization access tokens (OATs) are not intended to be used with Docker
> Desktop, and are incompatible.
> Organization access tokens (OATs) are not intended to be used with Docker
> Desktop or Docker Scout, and are incompatible.
>
> OATs are also currently incompatible with the following services:
>
> - Docker Scout
>
> If you use Docker Desktop or one of these services, you must use personal access tokens instead.
> If you use Docker Desktop or Docker Scout, you must use personal
> access tokens instead.
An organization access token (OAT) is like a [personal access token
(PAT)](/security/for-developers/access-tokens/), but an OAT is associated with
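Review bot: collapsing the "OATs are also currently incompatible with the following services" list into the single sentence "Organization access tokens (OATs) are not intended to be used with Docker Desktop or Docker Scout, and are incompatible." loses the extension point the old list provided; if further services are expected to be added later, keeping a bulleted list under the warning will age better than growing the sentence. Either way, the warning tells readers they "must use personal access tokens instead" without a link, while the paragraph right after it links the PAT page; readers who act on the warning alone would benefit from the same link there.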
@ -37,12 +34,14 @@ OATs provide the following advantages:
if you find any suspicious activity.
- You can limit what each OAT has access to, which limits the impact if an OAT
is compromised.
- All company or organization owners can manage OATs. If one owner leaves the
- All company or organization owners can manage OATs. If one owner leaves the
organization, the remaining owners can still manage the OATs.
- OATs have their own Docker Hub usage limits that don't count towards your
personal account's limits.
If you have existing [service accounts](/docker-hub/service-accounts/), Docker recommends that you replace the service accounts with OATs. OATs offer the following advantages over service accounts:
If you have existing [service accounts](/docker-hub/service-accounts/),
Docker recommends that you replace the service accounts with OATs. OATs offer
the following advantages over service accounts:
- Access permissions are easier to manage with OATs. You can assign access
permissions to OATs, while service accounts require using teams for access
@ -60,13 +59,14 @@ If you have existing [service accounts](/docker-hub/service-accounts/), Docker r
> [!IMPORTANT]
>
> Treat access tokens like a password and keep them secret. Store your tokens
> Treat access tokens like a password and keep them secret. Store your tokens
> securely in a credential manager for example.
Company or organization owners can create up to 10 organization access tokens
(OATs) for organizations with a Team subscription and up to 100 OATs for
organizations with a Business subscription. Expired tokens count towards the
total amount of tokens.
Company or organization owners can create up to:
- 10 OATs for organizations with a Team subscription
- 100 OATs for organizations with a Business subscription
Expired tokens count towards the total amount of tokens.
To create an OAT:
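Review bot: the bulleted limits read well, but "Expired tokens count towards the total amount of tokens." is now a bare sentence after the list with no action attached. Since this is the point where a reader hits the Team or Business cap, and the page's management section later offers **Deactivate**, **Edit**, and **Delete**, add the consequence here, for example "Delete expired tokens to free up slots." so the limit note is actionable.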
@ -78,23 +78,31 @@ To create an OAT:
4. Select **Generate access token**.
5. Add a label and optional description for your token. Use something that indicates the use case or purpose of the token.
5. Add a label and optional description for your token. Use something that
indicates the use case or purpose of the token.
6. Select the expiration date for the token.
7. Select the repository access for the token.
7. Expand the **Repository** drop-down to set access permission
scopes for your token. To set Repository access scopes:
1. Optional. Select **Read public repositories**.
2. Select **Add repository** and choose a repository from the drop-down.
3. Set the scopes for your repository &mdash; **Image Push** or
**Image Pull**.
4. Add more repositories as needed. You can add up to 50 repositories.
The access permissions are scopes that set restrictions in your repositories.
For example, for Read & Write permissions, an automation pipeline can build
an image and then push it to a repository. However, it can't delete the
repository. You can select one of the following options:
8. Optional. Expand the **Organization** drop-down and select the
**Allow management access to this organization's resources** checkbox. This
setting enables organization management scopes for your token. The following
organization management scopes are available:
- **Member Edit**: Edit members of the organization
- **Member Read**: Read members of the organization
- **Invite Edit**: Invite members to the organization
- **Invite Read**: Read invites to the organization
- **Group Edit**: Edit groups of the organization
- **Group Read**: Read groups of the organization
- **Public repositories (read only)**
- **All repositories**: You can select read access, or read and write access.
- **Select repositories**: You can select up to 50 repositories, and then
select read access, or read and write access for each repository.
8. Select **Generate token** and then copy the token that appears on the screen
9. Select **Generate token**. Copy the token that appears on the screen
and save it. You won't be able to retrieve the token once you exit the
screen.
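Review bot: the rewritten step 7 drops the only sentence that explained what a write-scoped token cannot do ("However, it can't delete the repository.") and gives no equivalent description for the new **Image Push** and **Image Pull** scopes, so the page no longer says whether **Image Push** implies pull or what is excluded; carry a one-line description of each scope into sub-step 3. The new step 8 lists six organization management scopes (**Member Edit**, **Member Read**, **Invite Edit**, **Invite Read**, **Group Edit**, **Group Read**) with no guidance: state whether each **Edit** scope includes the matching **Read** scope, and, because a token with **Member Edit** or **Invite Edit** can change who is in the organization, add a sentence advising readers to leave **Allow management access to this organization's resources** unchecked for tokens that only push or pull images. Also confirm that removing the **All repositories** option is intentional, since after this change the only broad grant left in the flow is **Read public repositories** and readers migrating from service accounts will look for the old option.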
@ -123,7 +131,7 @@ deactivate, or delete a token as needed.
3. Under **Security and access**, select **Access tokens**.
4. Select the actions menu on the far right of a token row, then select
4. Select the actions menu in the token row, then select
**Deactivate**, **Edit**, or **Delete** to modify the token. For **Inactive**
tokens, you can only select **Delete**.