Grant role-access to cluster resources¶

Docker EE administrators can create grants to control how users and organizations access resource sets.

A grant defines who has how much access to what resources. Each grant is a 1:1:1 mapping of subject, role, and resource set. For example, you can grant the “Prod Team” “Restricted Control” over services in the “/Production” collection.

A common workflow for creating grants has four steps:

• Add and configure subjects (users, teams, and service accounts).
• Define custom roles (or use defaults) by adding permitted API operations per type of resource.
• Group cluster resources into Swarm collections or Kubernetes namespaces.
• Create grants by combining subject + role + resource set.

Swarm grants¶

With Swarm orchestration, a grant is made up of subject, role, and collection.

Note

This section assumes that you have created objects to grant: teams/users, roles (built-in or custom), and a collection.

To create a grant in UCP:

1. Click Grants under Access Control.
2. Click Swarm
3. Click Create Grant.
4. In the Select Subject Type section, select Users or Organizations.
5. Click View Children until you get to the desired collection and Select.
6. On the Roles tab, select a role.
7. On the Subjects tab, select a user, team, or organization to authorize.
8. Click Create.

Important

By default, all new users are placed in the docker-datacenter organization. To apply permissions to all Docker EE users, create a grant with the docker-datacenter organization as a subject.