Skip to content

admin: custom roles #23599

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Nov 4, 2025
+338 −66
Merged

admin: custom roles #23599

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
520d41c
add custom roles docs
sarahsanders-docker Sep 16, 2025
008f71f
update Teams
sarahsanders-docker Oct 14, 2025
d8c8d10
fix build issues
sarahsanders-docker Oct 23, 2025
286458f
add WIP note
sarahsanders-docker Nov 3, 2025
e4b1767
feedback
sarahsanders-docker Nov 3, 2025
15239c2
lint
sarahsanders-docker Nov 3, 2025
6cd76ee
lint 2
sarahsanders-docker Nov 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions content/manuals/docker-hub/release-notes.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,13 +47,13 @@ known issues for each Docker Hub release.

## 2023-08-28

- Organizations with SSO enabled can assign members to roles, organizations, and teams with [SCIM role mapping](scim.md#set-up-role-mapping).
- Organizations with SSO enabled can assign members to roles, organizations, and teams with [SCIM role mapping](scim.md#set-up-role-mapping).

## 2023-07-26

### New

- Organizations can assign the [editor role](roles-and-permissions.md) to members to grant additional permissions without full administrative access.
- Organizations can assign the [editor role](/manuals/enterprise/security/roles-and-permissions/_index.md) to members to grant additional permissions without full administrative access.

## 2023-05-09

Expand Down
74 changes: 74 additions & 0 deletions content/manuals/enterprise/security/roles-and-permissions/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
---
title: Roles and permissions
linkTitle: Roles and permissions
description: Control access to content, registry, and organization management with Docker's role system
keywords: roles, permissions, custom roles, core roles, access control, organization management, docker hub, admin console, security
tags: [admin]
aliases:
- /admin/organization/roles/
- /security/for-admins/roles-and-permissions/
grid:
- title: "Core roles"
description: Learn about Docker's built-in Member, Editor, and Owner roles with predefined permissions.
icon: "admin_panel_settings"
link: /enterprise/security/roles-and-permissions/core-roles/
- title: "Custom roles"
description: Create tailored permission sets that match your organization's specific needs.
icon: "tune"
link: /enterprise/security/roles-and-permissions/custom-roles/
weight: 40
---

{{< summary-bar feature_name="General admin" >}}

Roles control what users can do in your Docker organization. When you invite users or create teams, you assign them roles that determine their permissions for repositories, teams, and organization settings.

Docker provides two types of roles to meet different organizational needs:

- [Core roles](/manuals/enterprise/security/roles-and-permissions/core-roles.md) with predefined permissions
- [Custom roles](/manuals/enterprise/security/roles-and-permissions/custom-roles.md) that you can tailor to your specific requirements

## Docker roles

### Core roles

Core roles are Docker's built-in roles with predefined permission sets:

- **Member**: Non-administrative role with basic access. Members can view other organization members and pull images from repositories they have access to.
- **Editor**: Partial administrative access. Editors can create, edit, and delete repositories, and manage team permissions for repositories.
- **Owner**: Full administrative access. Owners can manage all organization settings, including repositories, teams, members, billing, and security features.

### Custom roles

Custom roles allow you to create tailored permission sets by selecting specific permissions from categories like user management, team management, billing, and Hub permissions. Use custom roles when Docker's core roles don't fit your needs.

## When to use each role

Use core roles when:

- Docker's predefined permission sets match your organizational structure
- You want simple, straightforward role assignments
- You're getting started with Docker organization management
- Your access control needs are standard and don't require fine-grained permissions

Use custom roles when:

- You need specific permission combinations not available in core roles
- You want to create specialized roles like billing administrators, security auditors, or repository managers
- You need department-specific access control
- You want to implement the principle of least privilege with precise permission grants

## How roles work together

Users and teams can be assigned either a core role or a custom role, but not both. However, roles work in combination with team permissions:

1. **Role permissions**: Applied organization-wide (core or custom role). Custom roles can grant permissions to both organization-wide settings and repository access.
2. **Team permissions**: Additional repository-specific permissions when users are added to teams. This is a separate permission system from role-based permissions.

This layered approach gives you flexibility to provide broad organizational access through roles and specific repository access through team memberships.

## Next steps

Choose the role type that best fits your organization's needs:

{{< grid >}}
125 changes: 61 additions & 64 deletions ...erprise/security/roles-and-permissions.md → ...urity/roles-and-permissions/core-roles.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,54 +1,51 @@
---
title: Roles and permissions
title: Core roles
description: Control access to content, registry, and organization management with roles in your organization.
keywords: members, teams, organization, company, roles, access, docker hub, admin console, security, permissions
aliases:
- /docker-hub/roles-and-permissions/
- /security/for-admins/roles-and-permissions/
weight: 40
- /docker-hub/roles-and-permissions/
- /security/for-admins/roles-and-permissions/
- /enterprise/security/roles-and-permissions/
---

{{< summary-bar feature_name="General admin" >}}

Roles control what users can do in your organization. When you invite users, you assign them a role that determines their permissions for repositories, teams, and organization settings.
Core roles are Docker's built-in roles with predefined permission sets.
This page provides an overview of Docker's core roles and permissions for each role.

This page provides an overview of Docker roles and permissions for each role.
## What are core roles?

## Organization roles
Docker organizations have three core roles:

Docker organizations have three main roles:

- Member: Non-administrative role with basic access. Members can view other organization members and pull images from repositories they have access to.
- Editor: Partial administrative access. Editors can create, edit, and delete repositories. They can also manage team permissions for repositories.
- Owner: Full administrative access. Owners can manage all organization settings, including repositories, teams, members, billing, and security features.

## Permissions by role
- **Member**: Non-administrative role with basic access. Members can view other organization members and pull images from repositories they have access to.
- **Editor**: Partial administrative access. Editors can create, edit, and delete repositories. They can also manage team permissions for repositories.
- **Owner**: Full administrative access. Owners can manage all organization settings, including repositories, teams, members, billing, and security features.

> [!NOTE]
>
> An owner role assigned at the company level has the same access as an owner role assigned at the organization level. For more information, see [Company overview](/admin/company/).
> A company owner has the same organization management permissions as an organization owner, but there are some content and registry permissions that company owners don't have (for example, repository pull/push). For more information, see [Company overview](/admin/company/).

### Content and registry permissions

These permissions apply organization-wide, including all repositories in your organization's namespace.

| Permission | Member | Editor | Owner |
| :---------------------------------------------------- | :----- | :----- | :----------------- |
| Explore images and extensions | ✅ | ✅ | ✅ |
| Star, favorite, vote, and comment on content | ✅ | ✅ | ✅ |
| Pull images | ✅ | ✅ | ✅ |
| Create and publish an extension | ✅ | ✅ | ✅ |
| Become a Verified, Official, or Open Source publisher | ❌ | ❌ | ✅ |
| Edit and delete publisher repository logos | ❌ | ✅ | ✅ |
| Observe content engagement as a publisher | ❌ | ❌ | ✅ |
| Create public and private repositories | ❌ | ✅ | ✅ |
| Edit and delete repositories | ❌ | ✅ | ✅ |
| Manage tags | ❌ | ✅ | ✅ |
| View repository activity | ❌ | ❌ | ✅ |
| Set up Automated builds | ❌ | ❌ | ✅ |
| Edit build settings | ❌ | ❌ | ✅ |
| View teams | ✅ | ✅ | ✅ |
| Assign team permissions to repositories | ❌ | ✅ | ✅ |
| :---------------------------------------------------- | :----- | :----- | :---- |
| Explore images and extensions | ✅ | ✅ | ✅ |
| Star, favorite, vote, and comment on content | ✅ | ✅ | ✅ |
| Pull images | ✅ | ✅ | ✅ |
| Create and publish an extension | ✅ | ✅ | ✅ |
| Become a Verified, Official, or Open Source publisher | ❌ | ❌ | ✅ |
| Edit and delete publisher repository logos | ❌ | ✅ | ✅ |
| Observe content engagement as a publisher | ❌ | ❌ | ✅ |
| Create public and private repositories | ❌ | ✅ | ✅ |
| Edit and delete repositories | ❌ | ✅ | ✅ |
| Manage tags | ❌ | ✅ | ✅ |
| View repository activity | ❌ | ❌ | ✅ |
| Set up Automated builds | ❌ | ❌ | ✅ |
| Edit build settings | ❌ | ❌ | ✅ |
| View teams | ✅ | ✅ | ✅ |
| Assign team permissions to repositories | ❌ | ✅ | ✅ |

When you add members to teams, you can grant additional repository permissions
beyond their organization role:
Expand All @@ -59,45 +56,45 @@ beyond their organization role:
### Organization management permissions

| Permission | Member | Editor | Owner |
| :---------------------------------------------------------------- | :----- | :----- | :----------------- |
| Create teams | ❌ | ❌ | ✅ |
| Manage teams (including delete) | ❌ | ❌ | ✅ |
| Configure the organization's settings (including linked services) | ❌ | ❌ | ✅ |
| Add organizations to a company | ❌ | ❌ | ✅ |
| Invite members | ❌ | ❌ | ✅ |
| Manage members | ❌ | ❌ | ✅ |
| Manage member roles and permissions | ❌ | ❌ | ✅ |
| View member activity | ❌ | ❌ | ✅ |
| Export and reporting | ❌ | ❌ | ✅ |
| Image Access Management | ❌ | ❌ | ✅ |
| Registry Access Management | ❌ | ❌ | ✅ |
| Set up Single Sign-On (SSO) and SCIM | ❌ | ❌ | ✅ \* |
| Require Docker Desktop sign-in | ❌ | ❌ | ✅ \* |
| Manage billing information (for example, billing address) | ❌ | ❌ | ✅ |
| Manage payment methods (for example, credit card or invoice) | ❌ | ❌ | ✅ |
| View billing history | ❌ | ❌ | ✅ |
| Manage subscriptions | ❌ | ❌ | ✅ |
| Manage seats | ❌ | ❌ | ✅ |
| Upgrade and downgrade plans | ❌ | ❌ | ✅ |
| :---------------------------------------------------------------- | :----- | :----- | :---- |
| Create teams | ❌ | ❌ | ✅ |
| Manage teams (including delete) | ❌ | ❌ | ✅ |
| Configure the organization's settings (including linked services) | ❌ | ❌ | ✅ |
| Add organizations to a company | ❌ | ❌ | ✅ |
| Invite members | ❌ | ❌ | ✅ |
| Manage members | ❌ | ❌ | ✅ |
| Manage member roles and permissions | ❌ | ❌ | ✅ |
| View member activity | ❌ | ❌ | ✅ |
| Export and reporting | ❌ | ❌ | ✅ |
| Image Access Management | ❌ | ❌ | ✅ |
| Registry Access Management | ❌ | ❌ | ✅ |
| Set up Single Sign-On (SSO) and SCIM | ❌ | ❌ | ✅ \* |
| Require Docker Desktop sign-in | ❌ | ❌ | ✅ \* |
| Manage billing information (for example, billing address) | ❌ | ❌ | ✅ |
| Manage payment methods (for example, credit card or invoice) | ❌ | ❌ | ✅ |
| View billing history | ❌ | ❌ | ✅ |
| Manage subscriptions | ❌ | ❌ | ✅ |
| Manage seats | ❌ | ❌ | ✅ |
| Upgrade and downgrade plans | ❌ | ❌ | ✅ |

_\* If not part of a company_

### Docker Scout permissions

| Permission | Member | Editor | Owner |
| :---------------------------------------------------- | :----- | :----- | :----------------- |
| View and compare analysis results | ✅ | ✅ | ✅ |
| Upload analysis records | ✅ | ✅ | ✅ |
| Activate and deactivate Docker Scout for a repository | ❌ | ✅ | ✅ |
| Create environments | ❌ | ❌ | ✅ |
| Manage registry integrations | ❌ | ❌ | ✅ |
| :---------------------------------------------------- | :----- | :----- | :---- |
| View and compare analysis results | ✅ | ✅ | ✅ |
| Upload analysis records | ✅ | ✅ | ✅ |
| Activate and deactivate Docker Scout for a repository | ❌ | ✅ | ✅ |
| Create environments | ❌ | ❌ | ✅ |
| Manage registry integrations | ❌ | ❌ | ✅ |

### Docker Build Cloud permissions

| Permission | Member | Editor | Owner |
| ---------------------------- | :----- | :----- | :----------------- |
| Use a cloud builder | ✅ | ✅ | ✅ |
| Create and remove builders | ✅ | ✅ | ✅ |
| Configure builder settings | ✅ | ✅ | ✅ |
| Buy minutes | ❌ | ❌ | ✅ |
| Manage subscription | ❌ | ❌ | ✅ |
| Permission | Member | Editor | Owner |
| -------------------------- | :----- | :----- | :---- |
| Use a cloud builder | ✅ | ✅ | ✅ |
| Create and remove builders | ✅ | ✅ | ✅ |
| Configure builder settings | ✅ | ✅ | ✅ |
| Buy minutes | ❌ | ❌ | ✅ |
| Manage subscription | ❌ | ❌ | ✅ |
Loading