Grant permissions to users based on roles
If you’re a UCP administrator, you can create grants to control how users and organizations access swarm resources.
A grant is made up of a subject, a role, and a resource collection. A grant defines who (subject) has how much access (role) to a set of resources (collection). Each grant is a 1:1:1 mapping of subject, role, collection. For example, you can grant the “Prod Team” “Restricted Control” permissions for the “/Production” collection.
The usual workflow for creating grants has four steps.
- Set up your users and teams. For example, you might want three teams, Dev, QA, and Prod.
- Organize swarm resources into separate collections that each team uses.
- Optionally, create custom roles for specific permissions to the Docker API.
- Grant role-based access to collections for your teams.
Create a grant
When you have your users, collections, and roles set up, you can create grants. Administrators create grants on the Manage Grants page.
- Click Create Grant. All of the collections in the system are listed.
- Click Select on the collection you want to grant access to.
- In the left pane, click Roles and select a role from the dropdown list.
- In the left pane, click Subjects. Click All Users to create a grant for a specific user, or click Organizations to create a grant for an organization or a team.
- Select a user, team, or organization and click Create.
By default, all new users are placed in the docker-datacenter organization. If you want to apply a grant to all UCP users, create a grant with the docker-datacenter org as a subject.
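To review the grants you have created, the following added example (not part of the original page and not UCP code) treats each grant as a (subject, role, collection) triple, resolves teams and organizations to their members, and lists which users reach a collection and which grants apply to everyone through the docker-datacenter org. The user names, team membership, the "View Only" role and the "/Shared" collection are constructed sample data, and collections are matched by exact path only, which is an assumption of this sketch.

```python
from collections import defaultdict

ALL_USERS_ORG = "docker-datacenter"  # default organization named on this page

# Constructed sample data, not taken from a real UCP instance.
MEMBERSHIP = {  # team or organization -> member users
    "docker-datacenter": {"alice", "bob", "carol"},
    "Prod Team": {"alice"},
    "QA": {"bob"},
}
GRANTS = [  # one (subject, role, collection) triple per grant
    ("Prod Team", "Restricted Control", "/Production"),
    ("QA", "View Only", "/Production"),
    ("carol", "Restricted Control", "/Production"),
    ("docker-datacenter", "Restricted Control", "/Shared"),
]

def expand(subject, membership):
    """Users a subject covers: members of a team/org, else the user itself."""
    return set(membership.get(subject, {subject}))

def effective_access(grants, membership):
    """Map each user to the (role, collection, via_subject) entries reaching them."""
    access = defaultdict(set)
    for subject, role, collection in grants:
        for user in expand(subject, membership):
            access[user].add((role, collection, subject))
    return dict(access)

def users_reaching(collection, grants, membership):
    """Users holding any role on a collection (exact path match only: assumption)."""
    return {u for u, entries in effective_access(grants, membership).items()
            if any(c == collection for _, c, _ in entries)}

def org_wide_grants(grants, org=ALL_USERS_ORG):
    """Grants whose subject is the default org, i.e. that apply to every user."""
    return [g for g in grants if g[0] == org]

if __name__ == "__main__":
    for user, entries in sorted(effective_access(GRANTS, MEMBERSHIP).items()):
        for role, collection, via in sorted(entries):
            print(f"{user}: {role} on {collection} (via {via})")
    print("applies to all users:", org_wide_grants(GRANTS))
```

Grants returned by org_wide_grants deserve the closest review, since every new user inherits them by default.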