Define roles with authorized API operations
A role defines a set of API operations permitted against a resource set. You apply roles to users and teams by creating grants.
You can define custom roles or use the following built-in roles:
| Built-in role | Description |
| --- | --- |
| | Users have no access to Swarm or Kubernetes resources. Maps to |
| | Users can view resources but can’t create them. |
| | Users can view and edit resources but can’t run a service or container in a way that affects the node where it’s running. Users cannot mount a node directory, |
| | Users can view nodes (worker and manager) and schedule (not view) workloads on these nodes. By default, all users are granted the |
| | Users can view and edit all granted resources. They can create containers without any restriction, but can’t see the containers of other users. |
Create a custom role
The Roles page lists all default and custom roles applicable in the organization.
You can give a role a global name, such as “Remove Images”, which might enable the Remove and Force Remove operations for images. You can apply a role with the same name to different resource sets.
- Click Roles under User Management.
- Click Create Role.
- Input the role name on the Details page.
- Click Operations. All available API operations are displayed.
- Select the permitted operations per resource type.
- Click Create.
Some important rules regarding roles:
- Roles are always enabled.
- Roles can’t be edited. To edit a role, you must delete and recreate it.
- Roles used within a grant can be deleted only after first deleting the grant.
- Only administrators can create and delete roles.
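The role and grant model described above (a role is a set of permitted API operations per resource type, applied to a user or team against a resource set through a grant, and deletable only once no grant references it) as an added, illustrative Python model; this is not UCP's own code, and the subject names and resource-set paths are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)  # frozen: a role cannot be edited, only deleted and recreated
class Role:
    """Permitted API operations per resource type, e.g. {"Image": {"Remove", "Force Remove"}}."""
    name: str
    operations: dict

    def permits(self, resource_type, operation):
        return operation in self.operations.get(resource_type, ())

@dataclass(frozen=True)
class Grant:
    """Applies one role to a subject (user or team) for one resource set."""
    subject: str
    role_name: str
    resource_set: str

class RoleInUseError(Exception): pass  # a grant still references the role being deleted

class RoleStore:
    def __init__(self):
        self.roles, self.grants = {}, []

    def create_role(self, role):
        self.roles[role.name] = role

    def delete_role(self, name):
        # A role used within a grant is deletable only after the grant is deleted.
        if any(g.role_name == name for g in self.grants):
            raise RoleInUseError(f"role {name!r} is referenced by a grant")
        del self.roles[name]

    def add_grant(self, grant):
        self.grants.append(grant)

    def remove_grant(self, grant):
        self.grants.remove(grant)

    def is_authorized(self, subject, operation, resource_type, resource_set):
        # Assumption: resource sets match exactly; nesting of collections is not modelled.
        return any(self.roles[g.role_name].permits(resource_type, operation) for g in self.grants
                   if g.subject == subject and g.resource_set == resource_set)

def build_example():
    # The "Remove Images" role from the text, applied to two resource sets (constructed names).
    store = RoleStore()
    store.create_role(Role("Remove Images", {"Image": {"Remove", "Force Remove"}}))
    store.add_grant(Grant("alice", "Remove Images", "/Shared/dev"))
    store.add_grant(Grant("team-qa", "Remove Images", "/Shared/test"))
    return store
```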
Where to go next
- Create and configure users and teams
- Group and isolate cluster resources
- Grant role-access to cluster resources