harbor/docs/permissions.md

# Permissions

Users have different abilities depending on the role they in a project.

On public projects all users will be able to see the list of repositories, images, image vulnerabilities, helm charts and helm chart versions, pull images, retag images (need push permission for destination image), download helm charts, download helm chart versions.

System admin have all permissions for the project.

## Project members permissions

The following table depicts the various user permission levels in a project.

| Action                                  | Limited Guest | Guest | Developer | Master | Project Admin |
| --------------------------------------- | ------------- | ----- | --------- | ------ | ------------- |
| See the project configurations          | ✓             | ✓     | ✓         | ✓      | ✓             |
| Edit the project configurations         |               |       |           |        | ✓             |
| See a list of project members           |               | ✓     | ✓         | ✓      | ✓             |
| Create/edit/delete project members      |               |       |           |        | ✓             |
| See a list of project logs              |               | ✓     | ✓         | ✓      | ✓             |
| See a list of project replications      |               |       |           | ✓      | ✓             |
| See a list of project replication jobs  |               |       |           |        | ✓             |
| See a list of project labels            |               |       |           | ✓      | ✓             |
| Create/edit/delete project labels       |               |       |           | ✓      | ✓             |
| See a list of repositories              | ✓             | ✓     | ✓         | ✓      | ✓             |
| Create repositories                     |               |       | ✓         | ✓      | ✓             |
| Edit/delete repositories                |               |       |           | ✓      | ✓             |
| See a list of images                    | ✓             | ✓     | ✓         | ✓      | ✓             |
| Retag image                             |               | ✓     | ✓         | ✓      | ✓             |
| Pull image                              | ✓             | ✓     | ✓         | ✓      | ✓             |
| Push image                              |               |       | ✓         | ✓      | ✓             |
| Scan/delete image                       |               |       |           | ✓      | ✓             |
| Add scanners to Harbor                  |               |       |           |       |               |
| Edit scanners in projects               |               |       |           |         | ✓             |
| See a list of image vulnerabilities     | ✓             | ✓     | ✓         | ✓      | ✓             |
| See image build history                 | ✓             | ✓     | ✓         | ✓      | ✓             |
| Add/Remove labels of image              |               |       | ✓         | ✓      | ✓             |
| See a list of helm charts               | ✓             | ✓     | ✓         | ✓      | ✓             |
| Download helm charts                    | ✓             | ✓     | ✓         | ✓      | ✓             |
| Upload helm charts                      |               |       | ✓         | ✓      | ✓             |
| Delete helm charts                      |               |       |           | ✓      | ✓             |
| See a list of helm chart versions       | ✓             | ✓     | ✓         | ✓      | ✓             |
| Download helm chart versions            | ✓             | ✓     | ✓         | ✓      | ✓             |
| Upload helm chart versions              |               |       | ✓         | ✓      | ✓             |
| Delete helm chart versions              |               |       |           | ✓      | ✓             |
| Add/Remove labels of helm chart version |               |       | ✓         | ✓      | ✓             |
| See a list of project robots            |               |       |           | ✓      | ✓             |
| Create/edit/delete project robots       |               |       |           |        | ✓             |
| See configured CVE whitelist            | ✓             | ✓     | ✓         | ✓      | ✓             |
| Create/edit/remove CVE whitelist        |               |       |           |        | ✓             |
| Enable/disable webhooks                 |               |       | ✓         | ✓      | ✓             |
| Create/delete tag retention rules       |               |       | ✓         | ✓      | ✓             |
| Enable/disable tag retention rules      |               |       | ✓         | ✓      | ✓             |
| Create/delete tag immutability rules       |               |       |          |       | ✓             |
| Enable/disable tag immutability rules      |               |       |          |       | ✓             |
| See project quotas                      | ✓             | ✓     | ✓         | ✓      | ✓             |
| Edit project quotas  *                   |               |       |           |        |               |

&ast; Only the Harbor system administrator can edit project quotas and add new scanners.
Add doc for permissions Signed-off-by: He Weiwei <hweiwei@vmware.com> 2019-02-14 03:23:37 +01:00			`# Permissions`

			`Users have different abilities depending on the role they in a project.`

			`On public projects all users will be able to see the list of repositories, images, image vulnerabilities, helm charts and helm chart versions, pull images, retag images (need push permission for destination image), download helm charts, download helm chart versions.`

			`System admin have all permissions for the project.`

			`## Project members permissions`

			`The following table depicts the various user permission levels in a project.`

feat(role): introduce a limited guest role (#9403) Signed-off-by: He Weiwei <hweiwei@vmware.com> 2019-10-20 08:21:28 +02:00			`\| Action \| Limited Guest \| Guest \| Developer \| Master \| Project Admin \|`
			`\| --------------------------------------- \| ------------- \| ----- \| --------- \| ------ \| ------------- \|`
Update permissions.md 2019-10-30 00:23:12 +01:00			`\| See the project configurations \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
feat(role): introduce a limited guest role (#9403) Signed-off-by: He Weiwei <hweiwei@vmware.com> 2019-10-20 08:21:28 +02:00			`\| Edit the project configurations \| \| \| \| \| ✓ \|`
			`\| See a list of project members \| \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Create/edit/delete project members \| \| \| \| \| ✓ \|`
			`\| See a list of project logs \| \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| See a list of project replications \| \| \| \| ✓ \| ✓ \|`
			`\| See a list of project replication jobs \| \| \| \| \| ✓ \|`
			`\| See a list of project labels \| \| \| \| ✓ \| ✓ \|`
Update permissions.md 2019-10-30 00:23:12 +01:00			`\| Create/edit/delete project labels \| \| \| \| ✓ \| ✓ \|`
feat(role): introduce a limited guest role (#9403) Signed-off-by: He Weiwei <hweiwei@vmware.com> 2019-10-20 08:21:28 +02:00			`\| See a list of repositories \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Create repositories \| \| \| ✓ \| ✓ \| ✓ \|`
			`\| Edit/delete repositories \| \| \| \| ✓ \| ✓ \|`
			`\| See a list of images \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Retag image \| \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Pull image \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Push image \| \| \| ✓ \| ✓ \| ✓ \|`
			`\| Scan/delete image \| \| \| \| ✓ \| ✓ \|`
Doc updates for 1.10 (#10029) * Updated doc to include Limited Guest * Added example for limited guest. * Updated vulnerability scanning docs for 1.10. * Updated GC docs to reflect new position in UI * Updated project quota doc to reflect new position in UI * Added some doc about tag immutability * Fixed index * Formatting * Added new replication endpoints * Added project quota webhook * Review comments from Alex * Clarified Clair requirement for additional scanners * Some formatting and edits in vulnerability section * Updated tag retention doc to reflect new UI * Updated tag immutability to reflect new UI * New screencaps * Updated robot accounts doc for new UI and rewrote * Formatting * Updated webhooks doc for new UI * Formatting * Updated Logs doc for new UI * Formatting * New screencaps * Added tag immutability to permissions document * Corrected immutability permissions * Added explanation for project quotas * Fixed typo * Linked to new compatibility list document * Comments from Alex * Comments from Steven and Wang * Removed mention of the ellipsis in project menu * Reverting some screencaps to remove ellipsis * Reverted log screencaps to remove ellipsis * Minor rewording * Fixed caps * More cap fixing * Added info about self-registration, rewrote db auth doc * Attempting to document .asc key Added that negligible vulnerabilities are ignored, rewrote * Formatting * Added scanner permissions to table * Clarified labelling and replication * Rewrote replication docs * Formatting * Typo * Rearranged content * Updated ASC key docs * formatting * Minor rewording * Rewrote LDAP section * minor edits * Added OIDC groups, rewrote OIDC docs * formatting * Mentioned memberof for OIDC. * Comments from steven * Added info about insecure registries * Added tag immutability example * Removed UAA from install guide * Cleaned up headers * More clean up of headers * Recommended not to use UAA * Added user-generated CLI secret * Adding stray screencap 2019-12-12 18:35:30 +01:00			`\| Add scanners to Harbor \| \| \| \| \| \|`
			`\| Edit scanners in projects \| \| \| \| \| ✓ \|`
feat(role): introduce a limited guest role (#9403) Signed-off-by: He Weiwei <hweiwei@vmware.com> 2019-10-20 08:21:28 +02:00			`\| See a list of image vulnerabilities \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| See image build history \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Add/Remove labels of image \| \| \| ✓ \| ✓ \| ✓ \|`
			`\| See a list of helm charts \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Download helm charts \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Upload helm charts \| \| \| ✓ \| ✓ \| ✓ \|`
			`\| Delete helm charts \| \| \| \| ✓ \| ✓ \|`
			`\| See a list of helm chart versions \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Download helm chart versions \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Upload helm chart versions \| \| \| ✓ \| ✓ \| ✓ \|`
			`\| Delete helm chart versions \| \| \| \| ✓ \| ✓ \|`
			`\| Add/Remove labels of helm chart version \| \| \| ✓ \| ✓ \| ✓ \|`
			`\| See a list of project robots \| \| \| \| ✓ \| ✓ \|`
			`\| Create/edit/delete project robots \| \| \| \| \| ✓ \|`
			`\| See configured CVE whitelist \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
			`\| Create/edit/remove CVE whitelist \| \| \| \| \| ✓ \|`
			`\| Enable/disable webhooks \| \| \| ✓ \| ✓ \| ✓ \|`
			`\| Create/delete tag retention rules \| \| \| ✓ \| ✓ \| ✓ \|`
			`\| Enable/disable tag retention rules \| \| \| ✓ \| ✓ \| ✓ \|`
Doc updates for 1.10 (#10029) * Updated doc to include Limited Guest * Added example for limited guest. * Updated vulnerability scanning docs for 1.10. * Updated GC docs to reflect new position in UI * Updated project quota doc to reflect new position in UI * Added some doc about tag immutability * Fixed index * Formatting * Added new replication endpoints * Added project quota webhook * Review comments from Alex * Clarified Clair requirement for additional scanners * Some formatting and edits in vulnerability section * Updated tag retention doc to reflect new UI * Updated tag immutability to reflect new UI * New screencaps * Updated robot accounts doc for new UI and rewrote * Formatting * Updated webhooks doc for new UI * Formatting * Updated Logs doc for new UI * Formatting * New screencaps * Added tag immutability to permissions document * Corrected immutability permissions * Added explanation for project quotas * Fixed typo * Linked to new compatibility list document * Comments from Alex * Comments from Steven and Wang * Removed mention of the ellipsis in project menu * Reverting some screencaps to remove ellipsis * Reverted log screencaps to remove ellipsis * Minor rewording * Fixed caps * More cap fixing * Added info about self-registration, rewrote db auth doc * Attempting to document .asc key Added that negligible vulnerabilities are ignored, rewrote * Formatting * Added scanner permissions to table * Clarified labelling and replication * Rewrote replication docs * Formatting * Typo * Rearranged content * Updated ASC key docs * formatting * Minor rewording * Rewrote LDAP section * minor edits * Added OIDC groups, rewrote OIDC docs * formatting * Mentioned memberof for OIDC. * Comments from steven * Added info about insecure registries * Added tag immutability example * Removed UAA from install guide * Cleaned up headers * More clean up of headers * Recommended not to use UAA * Added user-generated CLI secret * Adding stray screencap 2019-12-12 18:35:30 +01:00			`\| Create/delete tag immutability rules \| \| \| \| \| ✓ \|`
			`\| Enable/disable tag immutability rules \| \| \| \| \| ✓ \|`
feat(role): introduce a limited guest role (#9403) Signed-off-by: He Weiwei <hweiwei@vmware.com> 2019-10-20 08:21:28 +02:00			`\| See project quotas \| ✓ \| ✓ \| ✓ \| ✓ \| ✓ \|`
Doc updates for 1.10 (#10029) * Updated doc to include Limited Guest * Added example for limited guest. * Updated vulnerability scanning docs for 1.10. * Updated GC docs to reflect new position in UI * Updated project quota doc to reflect new position in UI * Added some doc about tag immutability * Fixed index * Formatting * Added new replication endpoints * Added project quota webhook * Review comments from Alex * Clarified Clair requirement for additional scanners * Some formatting and edits in vulnerability section * Updated tag retention doc to reflect new UI * Updated tag immutability to reflect new UI * New screencaps * Updated robot accounts doc for new UI and rewrote * Formatting * Updated webhooks doc for new UI * Formatting * Updated Logs doc for new UI * Formatting * New screencaps * Added tag immutability to permissions document * Corrected immutability permissions * Added explanation for project quotas * Fixed typo * Linked to new compatibility list document * Comments from Alex * Comments from Steven and Wang * Removed mention of the ellipsis in project menu * Reverting some screencaps to remove ellipsis * Reverted log screencaps to remove ellipsis * Minor rewording * Fixed caps * More cap fixing * Added info about self-registration, rewrote db auth doc * Attempting to document .asc key Added that negligible vulnerabilities are ignored, rewrote * Formatting * Added scanner permissions to table * Clarified labelling and replication * Rewrote replication docs * Formatting * Typo * Rearranged content * Updated ASC key docs * formatting * Minor rewording * Rewrote LDAP section * minor edits * Added OIDC groups, rewrote OIDC docs * formatting * Mentioned memberof for OIDC. * Comments from steven * Added info about insecure registries * Added tag immutability example * Removed UAA from install guide * Cleaned up headers * More clean up of headers * Recommended not to use UAA * Added user-generated CLI secret * Adding stray screencap 2019-12-12 18:35:30 +01:00			`\| Edit project quotas * \| \| \| \| \| \|`
added permissions for 1.9 features Signed-off-by: xaleeks <xalex@vmware.com> 2019-09-17 16:55:24 +02:00
Doc updates for 1.10 (#10029) * Updated doc to include Limited Guest * Added example for limited guest. * Updated vulnerability scanning docs for 1.10. * Updated GC docs to reflect new position in UI * Updated project quota doc to reflect new position in UI * Added some doc about tag immutability * Fixed index * Formatting * Added new replication endpoints * Added project quota webhook * Review comments from Alex * Clarified Clair requirement for additional scanners * Some formatting and edits in vulnerability section * Updated tag retention doc to reflect new UI * Updated tag immutability to reflect new UI * New screencaps * Updated robot accounts doc for new UI and rewrote * Formatting * Updated webhooks doc for new UI * Formatting * Updated Logs doc for new UI * Formatting * New screencaps * Added tag immutability to permissions document * Corrected immutability permissions * Added explanation for project quotas * Fixed typo * Linked to new compatibility list document * Comments from Alex * Comments from Steven and Wang * Removed mention of the ellipsis in project menu * Reverting some screencaps to remove ellipsis * Reverted log screencaps to remove ellipsis * Minor rewording * Fixed caps * More cap fixing * Added info about self-registration, rewrote db auth doc * Attempting to document .asc key Added that negligible vulnerabilities are ignored, rewrote * Formatting * Added scanner permissions to table * Clarified labelling and replication * Rewrote replication docs * Formatting * Typo * Rearranged content * Updated ASC key docs * formatting * Minor rewording * Rewrote LDAP section * minor edits * Added OIDC groups, rewrote OIDC docs * formatting * Mentioned memberof for OIDC. * Comments from steven * Added info about insecure registries * Added tag immutability example * Removed UAA from install guide * Cleaned up headers * More clean up of headers * Recommended not to use UAA * Added user-generated CLI secret * Adding stray screencap 2019-12-12 18:35:30 +01:00			`&ast; Only the Harbor system administrator can edit project quotas and add new scanners.`