mirror of https://github.com/docker/docs.git
75 lines
2.7 KiB
Markdown
---
title: Grant role-access to cluster resources
description: Learn how to grant users and teams access to cluster resources with role-based access control.
keywords: rbac, ucp, grant, role, permission, authentication, authorization, namespace, Kubernetes
redirect_from:
- /datacenter/ucp/3.0/guides/authorization/grant-permissions/
---

Docker Enterprise administrators can create _grants_ to control how users and
organizations access [resource sets](group-resources.md).

A grant defines _who_ has _how much_ access to _what_ resources. Each grant is a
1:1:1 mapping of _subject_, _role_, and _resource set_. For example, you can
grant the "Prod Team" "Restricted Control" over services in the "/Production"
collection.

A common workflow for creating grants has four steps:

- Add and configure **subjects** (users, teams, and service accounts).
- Define custom **roles** (or use defaults) by adding permitted API operations
  per type of resource.
- Group cluster **resources** into Swarm collections or Kubernetes namespaces.
- Create **grants** by combining subject + role + resource set.

## Kubernetes grants

With Kubernetes orchestration, a grant is made up of *subject*, *role*, and
*namespace*.

> This section assumes that you have created objects for the grant: subject, role,
> namespace.
{: .important}

To create a Kubernetes grant (role binding) in UCP:

1. Click **Grants** under **Access Control**.
2. Click **Create Role Binding**.
3. Click **Namespaces** under **Kubernetes**.
4. Find the desired namespace and click **Select Namespace**.
5. On the **Roles** tab, select a role.
6. On the **Subjects** tab, select a user, team, organization, or service
   account to authorize.
7. Click **Create**.

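The UI steps above produce a Kubernetes role binding. The following is an added example, not taken from this page or from Docker's own code, of the three Kubernetes RBAC objects that such a grant corresponds to: the namespace (the resource set), a `Role` listing the permitted API operations per resource type, and the `RoleBinding` that ties one subject to that role inside that namespace. The names `production`, `restricted-control` and the group name `team:prod-team` are assumptions for illustration; how UCP names the group that represents a team is not stated on this page, so check the subject name against what UCP actually creates.

```yaml
# Added example (not from the Docker docs page): Kubernetes RBAC objects
# equivalent to a UCP Kubernetes grant of subject + role + namespace.
# All names below are assumed for illustration.
apiVersion: v1
kind: Namespace
metadata:
  name: production
---
# The role: permitted API operations, per resource type, scoped to the namespace.
# It is a namespaced Role (not a ClusterRole), so it cannot reach other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: restricted-control
  namespace: production
rules:
  # Core-group resources the team may manage; "delete" is deliberately absent,
  # and "secrets" is not listed at all (least privilege for a restricted role).
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  # Workload resources live in the "apps" API group.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# The grant itself: one subject, one role, one namespace (a 1:1:1 mapping).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prod-team-restricted-control
  namespace: production
subjects:
  - kind: Group
    name: "team:prod-team"        # assumed group name representing the team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: restricted-control
  apiGroup: rbac.authorization.k8s.io
```

After applying the grant, verify the effective permissions rather than trusting the binding by inspection: `kubectl auth can-i list pods -n production --as=someone --as-group=team:prod-team` should answer `yes`, while `kubectl auth can-i delete pods -n production --as=someone --as-group=team:prod-team` and `kubectl auth can-i get secrets -n production --as=someone --as-group=team:prod-team` should answer `no`. Because the `Role` and `RoleBinding` are both namespaced, the same subject has no access in any other namespace unless a separate grant is created there.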

## Swarm grants

With Swarm orchestration, a grant is made up of *subject*, *role*, and
*collection*.

> This section assumes that you have created objects for the grant: teams/users,
> roles (built-in or custom), and a collection.

To create a grant in UCP:

1. Click **Grants** under **Access Control**.
2. Click **Swarm**.
3. Click **Create Grant**.
4. In the **Select Subject Type** section, select **Users** or **Organizations**.
5. Click **View Children** until you get to the desired collection and click **Select**.
6. On the **Roles** tab, select a role.
7. On the **Subjects** tab, select a user, team, or organization to authorize.
8. Click **Create**.

> By default, all new users are placed in the `docker-datacenter` organization.
> To apply permissions to all Docker EE users, create a grant with the
> `docker-datacenter` org as a subject.
{: .important}

## Where to go next

- [Deploy a simple stateless app with RBAC](deploy-stateless-app.md)