With Docker Universal Control Plane you get to control who can create and edit resources like services, images, networks, and volumes in your cluster.
By default no one can make changes to your cluster. You can then grant and manage permissions to enforce fine-grained access control. For that:
Start by creating a user and assigning them with a default permission.
Default permissions specify the permission a user has to create and edit resources. You can choose from four permission levels that range from no access to full control over the resources.
Extend the user permissions by adding users to a team.
You can extend the user’s default permissions by adding the user to a team. A team defines the permissions users have for a collection of labels, and thus the resources that have those labels applied to them.
When users create services or networks with no label, those resources are only
visible to them and administrator users.
For a team of users to be able to see and edit the same resources, the
resources needs to have the
com.docker.ucp.access.label label applied.
In the example above, we have two sets of containers. One set has all containers
com.docker.ucp.access.label=crm, the other has all containers
You can now create different teams, and tune the permission level each team has for those containers.
As an example you can create three different teams: