Organizations and Teams in Docker Cloud

Estimated reading time: 12 minutes

You can create Organizations in Docker Cloud to share repositories, and infrastructure and applications with coworkers and collaborators.

Members of an organization can see only the teams to which they belong, and their membership. Members of the Owners team can see and edit all of the teams and all of the team membership lists. Docker Cloud users outside an organization cannot see the Organizations or teams another user belongs to.

Create an Organization

An Organization in Docker Cloud contains Teams, and each Team contains users. You cannot add users directly to an Organization. Organizations can also have repositories, applications (services and containers), and infrastructure (nodes and node clusters) associated with them. Paid features such as private repositories and extra nodes are paid for using the billing information associated with the Organization.

To create an organization:

  1. Log in to Docker Cloud.
  2. Select Create Organization from the user icon menu at the top right.
  3. In the dialog that appears, enter a name for your organization.
  4. Enter billing information for the organization.

    This will be used for paid features used by the Organization account, including private repositories and additional nodes.

  5. Click Save.

    The Docker Cloud interface switches you to the new organization view. You can return to your individual user account from the menu at the top right corner.

When you create an Organization, your user account is automatically added to the Organization’s Owners team, which allows you to manage the Organization. This team must always have at least one member, and you can add other members to it at any time.

Convert a user to an Organization

Individual user accounts can be converted to organizations if needed. You will no longer be able to log in to the account; email addresses, linked source repositories and collaborators will be removed. Automated builds will be migrated. Account conversion cannot be undone.

You will need another valid Docker ID (not the account you are converting) for the user who will become the first member of the Owners team. All existing automated builds are migrated to this user, and they will be able to configure the newly converted organization’s settings to grant access to other users.

  1. Log in to Docker Cloud using the user account that you want to convert.
  2. Click Settings in the user account menu in the top right corner.
  3. Scroll down and click Convert to organization.
  4. Read through the list of warnings and actions.
  5. Enter the Docker ID of the user who will be the first member of the Owners team.
  6. Click Save and Continue.

The UI refreshes. Log in from the Docker ID you specified as the first Owner, and then continue on to configure the organization as described below.

What’s next?

Once you’ve created an organization:

Configure the Owners team

Each organization has an Owners team which contains the users who manage the organization’s settings. If you created the organization, you are automatically added to the Owners team. You can add new users to the Owners team and then leave the team if you want to transfer ownership. There must always be at least one member of the Owners team.

Owners team members can:

  • create, change, and delete teams
  • set and change team access permissions
  • manage the organization’s billing information
  • configure the organization’s settings (including linked services such as AWS and Github)
  • view, change, create and delete repositories, services, and node clusters associated with the organization

Note: You cannot change the Owners team permission settings. Only add users to the Owners team who you are comfortable granting this level of access.

  1. While logged in to Docker Cloud, use the menu in the top right corner to switch to the organization you want to work on.
  2. Click Teams in the lower left corner.
  3. Click owners.
  4. Click Add user.
  5. Enter the Docker ID of a user to add.
  6. Click Create.
  7. Repeat for each user who you want to add.

To transfer ownership of an organization, add the new owner to the Owners team, then go to your Teams list and click Leave on the Owners team line.

Note: At this time, only members of the Owners team receive email notifications for events (such as builds and container redeploys) in the organization’s resources. The email “notification level” setting for the organization affects only the Owners team.

Create teams

You can create Teams within an Organization to add users and manage access to infrastructure, applications, and repositories.

Every organization contains an Owners team for users who manage the team settings. You should create at least one team separate from the owners team so that you can add members to your organization without giving them this level of access.

  1. While logged in to Docker Cloud, switch to the organization you want to work on from the menu in the upper right corner.
  2. Click Teams in the lower left corner of the navigation bar.
  3. Click Create to create a new team.
  4. Give the new team a name and description, and click Create.
  5. On the screen that appears, click Add User.
  6. Enter the Docker ID of the user and click Create.
  7. Repeat this process for each user you want to add.

Set team permissions

You can give Teams within an organization different levels of access to resources that the organization owns. You can then assign individual users to a Team to grant them that level of access. Team permissions are set by members of the Owners team.

Note: If a user is a member of multiple teams, their access settings are conjunctive (sometimes called inclusive or additive). For example, if a user is a member of Team A that grants them No access to repositories, and they’re also a member of Team B that grants them Read and Write access to repositories, the user has Read and Write access.

To set or edit Team permissions:

  1. From the Team detail view, click Permissions.
  2. Select an access level for Runtime resources. Runtime resources include both infrastructure and applications.
  3. Optionally, grant the team access to one or more repositories in the Repositories section.
    1. Enter the name of the repository.
    2. Select an access level.
    3. Click the plus sign (+) icon. The change is saved immediately.
    4. Repeat this for each repository that the team needs access to.

    Note: An organization can have public repositories which are visible to all users (including those outside the organization). Team members can view public repositories even if you have not given them View permission. You can use team permissions to grant write and admin access to public repositories.

Change team permissions for an individual repository

You can also grant teams access to a repository from the repository’s Permissions page rather than from each team’s permissions settings. You might do this if you create repositories after you have already configured your teams, and want to grant access to several teams at the same time.

If the organization’s repository is private, you must explicitly grant any access that your team members require. If the repository is public, all users are granted read-only access by default.

Members of the organization’s Owners team, and members of any team with admin access to the repository can change the repository’s access permissions.

To grant a team access to an organization’s repository:

  1. Navigate to the organization’s repository.
  2. Click the Permissions tab.
  3. Select the name of the team you want to add from the drop down menu.
  4. Choose the access level the team should have.
  5. Click the plus sign to add the selected team and permission setting.

    Your choice is saved immediately.

  6. Repeat this process for each team to which you want to grant access.

To edit a team’s permission level, select a new setting in the Permission drop down menu.

To remove a team’s access to the repository, click the trashcan icon next to the team’s access permission line.

Note: If the organization’s repository is public, team members without explicit access permissions will still have read-only access to the repository. If the repository is private, removing a team’s access completely prevents the team members from seeing the repository.

Docker Cloud team permission reference

General access levels:

  • No access: no access at all. The resource is not visible to members of this team.
  • Read only: users can view the resource and its configuration, but cannot perform actions on the resource.
  • Read and Write: users can view and change the resource and its configuration.
  • Admin: users can view, and edit the resource and its configuration, and can create or delete new instances of the resource.

Note: Only users who are members of the Owners team can create new repositories.

Permission level Access
Swarms (Beta)  
Admin View swarms, manage swarms, add users
Repositories  
Read Pull
Read/Write Pull, push
Admin All of the above, plus update description, create and delete
Build  
Read View basic build settings and Timeline
Read/write All of the above plus start, retry, or cancel build
Admin All of the above, plus view and change build configuration, change build source, create and delete
Nodes  
Read View
Read/write View, scale, check node health
Admin All of the above plus terminate, upgrade daemon, get certificate, create BYON token, update, deploy, and create
Applications  
Read View, get logs, export stackfile
Read/write All of the above, plus start, stop, redeploy, and scale
Admin All of the above plus, open a terminal window, terminate, update, and create

Machine user accounts in organizations

Your organization might find it useful to have a dedicated account that is used for programmatic or scripted access to your organization’s resources using the Docker Cloud APIs.

Note: While these accounts are sometimes called “robot” accounts or “bots”, these users may not be created using scripts.

To create a “robot” or machine account for your organization:

  1. Create a new Docker ID for the machine user. Verify the email address associated with the user.
  2. If necessary, create a new Team for the machine user, and grant that team access to the required resources.

    This method is recommended because it makes it easier for administrators to understand the machine user’s access, and modify it without affecting other users’ access.

  3. Add the machine user to the new Team.

Modify a team

To modify an existing team, log in to Docker Cloud and switch to your organization, click Teams in the left navigation menu, then click the team you want to modify.

You can manage team membership from the first page that appears when you select the team.

To change the team name or description, click Settings.

To manage team permissions for runtime resources (nodes and applications) and repositories click Permissions.

Manage resources for an Organization

An organization can have its own resources including repositories, nodes and node clusters, containers, services, and service stacks, just as if it was a normal user account.

If you’re a member of the Owners team, you can create these resources when logged in as the Organization, and manage which Teams can view, edit, and create and delete each resource.

  1. Log in to Docker Cloud as a member of the Owners team.

  2. Switch to the Organization account by selecting it from the user icon menu at the top right.

  3. Click Cloud Settings in the left navigation.

    From the Organization’s Cloud settings page, you can link to the organization’s source code repositories, link to infrastructure hosts such as a cloud service providers.

    The steps are the same as when you perform these actions as an individual user.

Create repositories

When a member of the Owners team creates a repository for an organization, they can configure which teams within the organization can access the repository. No access controls are configured by default on repository creation. If the repository is private, this leaves it accessible only to members of the Owners team until other teams are granted access.

Tip: Members of the Owners team can configure this default from the Default privacy section of the organization’s Cloud Settings page.

  1. Log in to Docker Cloud as a member of the Owners team.

  2. Switch to the Organization account by selecting it from the user icon menu at the top right.

  3. Create the repository as usual.

  4. Once the repository has been created, navigate to it and click Permissions.

  5. Grant access to any teams that will require access to the repository.

Manage organization settings

From the Organization’s Cloud Settings page you can also manage the Organization’s Plan and billing account information, notifications, and API keys.

Create organization resources

To create resources for an Organization such as services and node clusters, log in to Docker Cloud and switch to the Organization account. Create the repositories, services, stacks, or node clusters as you would for any other account.

chat icon Feedback? Suggestions? Can't find something in the docs?
Edit this page Request docs changes Get support