Business Edition - Custom RBAC roles #9789
Replies: 14 comments
-
How about #5402 for Kubernetes Custom role?
-
I upvote this. Yesterday I had my first contact with the roles in Portainer, and it did not take many minutes before I was looking for a way to add my own custom roles, because the factory ones did not satisfy. Because I did not find a way to do that, I started googling and found this smart request. I would add that on the main roles page it should be possible to add, delete, edit and clone a role. I don't know if the following would make sense, but use checkboxes instead of radio buttons to set up the permissions. BTW: in yesterday's test drive with roles I was able to force delete another user's image of a stopped container as a standard user. I think that should not have been possible. Actually, I would have expected to not even see other users' images.
-
That will actually be fixed in the 2.12.0 release.
-
+1 from me here. I need to give users the ability to start/stop/restart their own container and nothing more.
-
Another upvote from me. I just noticed that a standard user can remove a container but not recreate it; at least the button is missing in the user's dashboard. From my point of view, that makes no sense at all. It should be the other way around: if there should be a meaningful restriction, then the user may recreate a new container and pull the latest image but not remove the container.
-
Count with plus 1 vote, please.
-
Are there any updates on this?
-
+1. Even a new built-in role that covers exactly this case would be sufficient.
-
This approach is ideal for organizations building a platform team using Portainer, as it allows developers to perform self-service deployments without granting full access to Docker resources. +1
-
My two cents (and a bit more: I am looking to license Portainer, but the below is giving me pause). The standard "operator" role is good, except for the fact that it allows the user console access into the container. They can read secrets - this is problematic for production deployments. A new built-in role that is similar to the operator role but without console access to containers would secure Portainer deployments.
-
Is your feature request related to a problem? Please describe.
Currently the RBAC roles are limited to the built-in roles: https://docs.portainer.io/admin/users/roles#built-in-roles
This works as follows:
Describe the solution you'd like
Allow administrators to define custom roles.
Adding or editing a custom role:
To add a new role for Docker:
The “All resources in an endpoint” vs “Resources assigned to an individual/team” determines if the role is for all resources in an environment, or only the ones that are explicitly assigned to a Portainer user.
There is a different tab for Docker, Kubernetes, ACI etc.
The different levels portrayed by the radio buttons are accumulative. So Operate implies both the Read and Operate permissions. And Create includes Read, Operate and Update permissions.
The default selection for the radio buttons is Read.
The quick select “Set all below” sets all radio buttons below it to what the user selected in the button group.
If a certain group of radio buttons doesn’t have the same level, we pick the one with less access. E.g. if the user sets all to Operator, we’ll select Read for the Docker secret.
Kubernetes example:
ACI example:
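The level model described in the feature request above (cumulative levels, Read as the default, and “Set all below” falling back to the level with less access), sketched in Go as an added example that is not Portainer's code. The ordering Read < Operate < Update < Create, the resource names and the levels each resource offers are assumptions made for illustration.

```go
package main

import "fmt"

// Level is one radio-button setting. The order Read < Operate < Update < Create
// is an assumption based on the request's description of cumulative levels.
type Level int

const (
	Read Level = iota
	Operate
	Update
	Create
)

// Allows reports whether a grant covers an action: levels are cumulative.
func Allows(granted, needed Level) bool { return granted >= needed }

// offered lists the levels each resource exposes (constructed sample data;
// the secret has no Operate or Update button here).
var offered = map[string][]Level{
	"container": {Read, Operate, Update, Create},
	"secret":    {Read, Create},
}

// Clamp returns the highest offered level not above requested, so a bulk
// selection never rounds up. Read is the fallback, as it is the default.
func Clamp(levels []Level, requested Level) Level {
	best := Read
	for _, l := range levels {
		if l <= requested && l > best {
			best = l
		}
	}
	return best
}

// SetAllBelow models the "Set all below" quick select for every resource.
func SetAllBelow(requested Level) map[string]Level {
	role := make(map[string]Level, len(offered))
	for res, levels := range offered {
		role[res] = Clamp(levels, requested)
	}
	return role
}

func main() {
	fmt.Println(SetAllBelow(Operate)) // levels printed as their numeric values
}
```

Rounding down in `Clamp` is the fail-closed choice: a bulk selection can leave a resource with less access than requested, never more.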