diff --git a/content/manuals/security/for-admins/access-tokens.md b/content/manuals/security/for-admins/access-tokens.md index 04fcecfc69..2e2d0c93af 100644 --- a/content/manuals/security/for-admins/access-tokens.md +++ b/content/manuals/security/for-admins/access-tokens.md @@ -15,14 +15,11 @@ params: > [!WARNING] > -> Organization access tokens (OATs) are not intended to be used with Docker -> Desktop, and are incompatible. +> Organization access tokens (OATs) are not intended to be used with Docker +> Desktop or Docker Scout, and are incompatible. > -> OATs are also currently incompatible with the following services: -> -> - Docker Scout -> -> If you use Docker Desktop or one of these services, you must use personal access tokens instead. +> If you use Docker Desktop or Docker Scout, you must use personal +> access tokens instead. An organization access token (OAT) is like a [personal access token (PAT)](/security/for-developers/access-tokens/), but an OAT is associated with 
@@ -37,12 +34,14 @@ OATs provide the following advantages: if you find any suspicious activity. - You can limit what each OAT has access to, which limits the impact if an OAT is compromised. -- All company or organization owners can manage OATs. If one owner leaves the +- All company or organization owners can manage OATs. If one owner leaves the organization, the remaining owners can still manage the OATs. - OATs have their own Docker Hub usage limits that don't count towards your personal account's limits. -If you have existing [service accounts](/docker-hub/service-accounts/), Docker recommends that you replace the service accounts with OATs. OATs offer the following advantages over service accounts: +If you have existing [service accounts](/docker-hub/service-accounts/), +Docker recommends that you replace the service accounts with OATs. OATs offer +the following advantages over service accounts: - Access permissions are easier to manage with OATs. You can assign access permissions to OATs, while service accounts require using teams for access @@ -60,13 +59,14 @@ If you have existing [service accounts](/docker-hub/service-accounts/), Docker r > [!IMPORTANT] > -> Treat access tokens like a password and keep them secret. Store your tokens +> Treat access tokens like a password and keep them secret. Store your tokens > securely in a credential manager for example. -Company or organization owners can create up to 10 organization access tokens -(OATs) for organizations with a Team subscription and up to 100 OATs for -organizations with a Business subscription. Expired tokens count towards the -total amount of tokens. +Company or organization owners can create up to: +- 10 OATs for organizations with a Team subscription +- 100 OATs for organizations with a Business subscription + +Expired tokens count towards the total amount of tokens. To create an OAT: 
@@ -78,23 +78,31 @@ To create an OAT: 4. Select **Generate access token**. -5. Add a label and optional description for your token. Use something that indicates the use case or purpose of the token. +5. Add a label and optional description for your token. Use something that +indicates the use case or purpose of the token. 6. Select the expiration date for the token. -7. Select the repository access for the token. +7. Expand the **Repository** drop-down to set access permission +scopes for your token. To set Repository access scopes: + 1. Optional. Select **Read public repositories**. + 2. Select **Add repository** and choose a repository from the drop-down. + 3. Set the scopes for your repository — **Image Push** or + **Image Pull**. + 4. Add more repositories as needed. You can add up to 50 repositories. - The access permissions are scopes that set restrictions in your repositories. - For example, for Read & Write permissions, an automation pipeline can build - an image and then push it to a repository. However, it can't delete the - repository. You can select one of the following options: +8. Optional. Expand the **Organization** drop-down and select the +**Allow management access to this organization's resources** checkbox. This +setting enables organization management scopes for your token. The following +organization management scopes are available: + - **Member Edit**: Edit members of the organization + - **Member Read**: Read members of the organization + - **Invite Edit**: Invite members to the organization + - **Invite Read**: Read invites to the organization + - **Group Edit**: Edit groups of the organization + - **Group Read**: Read groups of the organization - - **Public repositories (read only)** - - **All repositories**: You can select read access, or read and write access. - - **Select repositories**: You can select up to 50 repositories, and then - select read access, or read and write access for each repository. - -8. 
Select **Generate token** and then copy the token that appears on the screen +9. Select **Generate token**. Copy the token that appears on the screen and save it. You won't be able to retrieve the token once you exit the screen. @@ -123,7 +131,7 @@ deactivate, or delete a token as needed. 3. Under **Security and access**, select **Access tokens**. -4. Select the actions menu on the far right of a token row, then select +4. Select the actions menu in the token row, then select **Deactivate**, **Edit**, or **Delete** to modify the token. For **Inactive** tokens, you can only select **Delete**.
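Review bot: in the first hunk (the `[!WARNING]` block), the new sentence "are not intended to be used with Docker Desktop or Docker Scout, and are incompatible" states the same thing twice, and the following sentence already tells Desktop and Scout users to use personal access tokens; one statement is enough, e.g. `> Organization access tokens (OATs) cannot be used with Docker Desktop or Docker Scout.` Folding Docker Scout into the sentence and dropping the one-item bullet list is the right call.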
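Review bot: in the second hunk, the `-`/`+` pair for "All company or organization owners can manage OATs. If one owner leaves the" shows no visible text change, so it is presumably a trailing-whitespace fix (the same applies to the "Treat access tokens like a password" line in the third hunk); that is fine, but say so in the commit message so reviewers do not hunt for a wording change. The rewrap of the service-accounts paragraph to the file's line width is content-neutral.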
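Review bot: in the third hunk, the bullet list under "Company or organization owners can create up to:" follows its intro line with no blank line; CommonMark lets a bullet list interrupt a paragraph so it renders, but the rest of this file separates lists from their intro paragraph with a blank line, so add one for consistency. Also, "Expired tokens count towards the total amount of tokens" should read "total number of tokens", and since this is the sentence that explains why owners may hit the limit, it would help to say what frees a slot (deleting the expired token, if that is how the quota works) so that owners are not nudged toward reusing or extending a long-lived token instead of rotating it.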
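Review bot: in the fourth hunk (steps 7 and 8), the rewritten step 7 drops the only sentence that explained what a write scope does not grant ("it can't delete the repository"), and step 8 introduces organization management scopes without saying how much they grant; add one sentence to each so readers can apply least privilege. For step 7, e.g. `Give a token only the scopes its pipeline needs: **Image Pull** for deploy-only jobs, **Image Push** for build jobs.` (and restore the note that push does not allow deleting the repository, if that is still true). For step 8, a note that **Member Edit**, **Invite Edit** and **Group Edit** let the token change who belongs to the organization, so the checkbox should stay clear for tokens that only push or pull images. Two smaller points: the old text offered an **All repositories** option that the new text no longer mentions, so confirm it was removed from the UI rather than lost in the rewrite; and the step 7 intro repeats "scopes" ("set access permission scopes for your token. To set Repository access scopes:"), which reads better as `Expand the **Repository** drop-down to set repository scopes for your token:`. The em-dash in sub-step 3 ("Set the scopes for your repository — **Image Push** or **Image Pull**") could be a colon to match the list style used in step 8.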