docs/datacenter/ucp/2.0/guides/user-management/create-and-manage-teams.md

---
description: Learn how to create and manage user permissions, using teams in your
  Docker Universal Control Plane cluster.
keywords: authorize, authentication, users, teams, UCP, Docker
title: Create and manage teams
---

You can extend the user's default permissions by granting them fine-grain
permissions over resources. You do this by adding the user to a team.
A team defines the permissions users have for resources that have the label
`com.docker.ucp.access.label` applied to them.

To create a new team, go to the **UCP web UI**, and navigate to the
**Users & Teams** page.

![](../images/create-and-manage-teams-1.png){: .with-border}

Click the **Create** button to create a new team, and assign it a name.

![](../images/create-and-manage-teams-2.png){: .with-border}

## Add users to a team

You can now add and remove users from the team.
Navigate to the **Members** tab, and click the **Add User to Team** button.
Then choose the list of users that you want to add to the team.

![](../images/create-and-manage-teams-3.png){: .with-border}


## Manage team permissions

To manage the permissions of the team, click the **Permissions** tab.
Here you can specify a list of labels and the permission level users will have
for resources with those labels.

![](../images/create-and-manage-teams-4.png){: .with-border}

In the example above, members of the 'Operations' team have permissions to
create and edit resources that have the labels
`com.docker.ucp.access.label=operations` applied, but can only view resources
that have the `com.docker.ucp.access.label=blog` label.

There are four permission levels available:

| Team permission level | Description                                                                                                                                       |
|:----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access`           | The user can't view resources with this label.                                                                                                    |
| `View Only`           | The user can view but can't create resources with this label.                                                                                     |
| `Restricted Control`  | The user can view and create resources with this label. The user can't run `docker exec`, or services that require privileged access to the host. |
| `Full Control`        | The user can view and create resources with this label, without any restriction.                                                                  |

## Where to go next

* [UCP permission levels](permission-levels.md)