Organizations and Teams in Docker Cloud
Estimated reading time: 12 minutesYou can create Organizations in Docker Cloud to share repositories, and infrastructure and applications with coworkers and collaborators.
Members of an organization can see only the teams to which they belong, and
their membership. Members of the Owners
team can see and edit
all of the teams and all of the team membership lists. Docker Cloud users
outside an organization cannot see the Organizations or teams another user
belongs to.
Create an Organization
An Organization in Docker Cloud contains Teams, and each Team contains users. You cannot add users directly to an Organization. Organizations can also have repositories, applications (services and containers), and infrastructure (nodes and node clusters) associated with them. Paid features such as private repositories and extra nodes are paid for using the billing information associated with the Organization.
To create an organization:
- Log in to Docker Cloud.
- Select Create Organization from the user icon menu at the top right.
- In the dialog that appears, enter a name for your organization.
-
Enter billing information for the organization.
This will be used for paid features used by the Organization account, including private repositories and additional nodes.
-
Click Save.
The Docker Cloud interface switches you to the new organization view. You can return to your individual user account from the menu at the top right corner.
When you create an Organization, your user account is automatically added to the
Organization’s Owners
team, which allows you to manage the Organization. This
team must always have at least one member, and you can add other members to it
at any time.
Convert a user to an Organization
Individual user accounts can be converted to organizations if needed. You will no longer be able to log in to the account; email addresses, linked source repositories and collaborators will be removed. Automated builds will be migrated. Account conversion cannot be undone.
You will need another valid Docker ID (not the account you are converting) for
the user who will become the first member of the Owners
team. All existing
automated builds are migrated to this user, and they will be able to configure
the newly converted organization’s settings to grant access to other users.
- Log in to Docker Cloud using the user account that you want to convert.
- Click Settings in the user account menu in the top right corner.
- Scroll down and click
Convert to organization
. - Read through the list of warnings and actions.
- Enter the Docker ID of the user who will be the first member of the Owners team.
- Click Save and Continue.
The UI refreshes. Log in from the Docker ID you specified as the first Owner, and then continue on to configure the organization as described below.
What’s next?
Once you’ve created an organization:
- Add users to the Owners team to help you manage the organization
- Create teams
- Set team permissions
- Set up linked providers, and manage resources for the organization
Configure the Owners team
Each organization has an Owners
team which contains the users who manage the
organization’s settings. If you created the organization, you are automatically
added to the Owners
team. You can add new users to the Owners
team and then
leave the team if you want to transfer ownership. There must always be at least
one member of the Owners
team.
Owners team members can:
- create, change, and delete teams
- set and change team access permissions
- manage the organization’s billing information
- configure the organization’s settings (including linked services such as AWS and Github)
- view, change, create and delete repositories, services, and node clusters associated with the organization
Note: You cannot change the Owners team permission settings. Only add users to the Owners team who you are comfortable granting this level of access.
- While logged in to Docker Cloud, use the menu in the top right corner to switch to the organization you want to work on.
- Click Teams in the lower left corner.
- Click owners.
- Click Add user.
- Enter the Docker ID of a user to add.
- Click Create.
- Repeat for each user who you want to add.
To transfer ownership of an organization, add the new owner to the Owners
team, then go to your Teams list and click Leave on the Owners
team line.
Note: At this time, only members of the
Owners
team receive email notifications for events (such as builds and container redeploys) in the organization’s resources. The email “notification level” setting for the organization affects only theOwners
team.
Create teams
You can create Teams within an Organization to add users and manage access to infrastructure, applications, and repositories.
Every organization contains an Owners
team for users who manage the team
settings. You should create at least one team separate from the owners team so
that you can add members to your organization without giving them this level of
access.
- While logged in to Docker Cloud, switch to the organization you want to work on from the menu in the upper right corner.
- Click Teams in the lower left corner of the navigation bar.
- Click Create to create a new team.
- Give the new team a name and description, and click Create.
- On the screen that appears, click Add User.
- Enter the Docker ID of the user and click Create.
- Repeat this process for each user you want to add.
Set team permissions
You can give Teams within an organization different levels of access to
resources that the organization owns. You can then assign individual users to a
Team to grant them that level of access. Team permissions are set by members of
the Owners
team.
Note: If a user is a member of multiple teams, their access settings are conjunctive (sometimes called inclusive or additive). For example, if a user is a member of Team A that grants them
No access
to repositories, and they’re also a member of Team B that grants themRead and Write
access to repositories, the user hasRead and Write
access.
To set or edit Team permissions:
- From the Team detail view, click Permissions.
- Select an access level for
Runtime
resources. Runtime resources include both infrastructure and applications. - Optionally, grant the team access to one or more repositories in the Repositories section.
- Enter the name of the repository.
- Select an access level.
- Click the plus sign (
+
) icon. The change is saved immediately. - Repeat this for each repository that the team needs access to.
Note: An organization can have public repositories which are visible to all users (including those outside the organization). Team members can view public repositories even if you have not given them
View
permission. You can use team permissions to grant write and admin access to public repositories.
Change team permissions for an individual repository
You can also grant teams access to a repository from the repository’s Permissions page rather than from each team’s permissions settings. You might do this if you create repositories after you have already configured your teams, and want to grant access to several teams at the same time.
If the organization’s repository is private, you must explicitly grant any access that your team members require. If the repository is public, all users are granted read-only access by default.
Members of the organization’s Owners
team, and members of any team with admin
access to the repository can change the repository’s access permissions.
To grant a team access to an organization’s repository:
- Navigate to the organization’s repository.
- Click the Permissions tab.
- Select the name of the team you want to add from the drop down menu.
- Choose the access level the team should have.
-
Click the plus sign to add the selected team and permission setting.
Your choice is saved immediately.
- Repeat this process for each team to which you want to grant access.
To edit a team’s permission level, select a new setting in the Permission drop down menu.
To remove a team’s access to the repository, click the trashcan icon next to the team’s access permission line.
Note: If the organization’s repository is public, team members without explicit access permissions will still have read-only access to the repository. If the repository is private, removing a team’s access completely prevents the team members from seeing the repository.
Docker Cloud team permission reference
General access levels:
- No access: no access at all. The resource is not visible to members of this team.
- Read only: users can view the resource and its configuration, but cannot perform actions on the resource.
- Read and Write: users can view and change the resource and its configuration.
- Admin: users can view, and edit the resource and its configuration, and can create or delete new instances of the resource.
Note: Only users who are members of the
Owners
team can create new repositories.
Permission level | Access |
---|---|
Swarms (Beta) | |
Admin | View swarms, manage swarms, add users |
Repositories | |
Read | Pull |
Read/Write | Pull, push |
Admin | All of the above, plus update description, create and delete |
Build | |
Read | View basic build settings and Timeline |
Read/write | All of the above plus start, retry, or cancel build |
Admin | All of the above, plus view and change build configuration, change build source, create and delete |
Nodes | |
Read | View |
Read/write | View, scale, check node health |
Admin | All of the above plus terminate, upgrade daemon, get certificate, create BYON token, update, deploy, and create |
Applications | |
Read | View, get logs, export stackfile |
Read/write | All of the above, plus start, stop, redeploy, and scale |
Admin | All of the above plus, open a terminal window, terminate, update, and create |
Machine user accounts in organizations
Your organization might find it useful to have a dedicated account that is used for programmatic or scripted access to your organization’s resources using the Docker Cloud APIs.
Note: While these accounts are sometimes called “robot” accounts or “bots”, these users may not be created using scripts.
To create a “robot” or machine account for your organization:
- Create a new Docker ID for the machine user. Verify the email address associated with the user.
-
If necessary, create a new Team for the machine user, and grant that team access to the required resources.
This method is recommended because it makes it easier for administrators to understand the machine user’s access, and modify it without affecting other users’ access.
- Add the machine user to the new Team.
Modify a team
To modify an existing team, log in to Docker Cloud and switch to your organization, click Teams in the left navigation menu, then click the team you want to modify.
You can manage team membership from the first page that appears when you select the team.
To change the team name or description, click Settings.
To manage team permissions for runtime resources (nodes and applications) and repositories click Permissions.
Manage resources for an Organization
An organization can have its own resources including repositories, nodes and node clusters, containers, services, and service stacks, just as if it was a normal user account.
If you’re a member of the Owners
team, you can create these resources when
logged in as the Organization, and manage which Teams can view, edit, and create
and delete each resource.
Link a service provider to an Organization
-
Log in to Docker Cloud as a member of the
Owners
team. -
Switch to the Organization account by selecting it from the user icon menu at the top right.
-
Click Cloud Settings in the left navigation.
From the Organization’s Cloud settings page, you can link to the organization’s source code repositories, link to infrastructure hosts such as a cloud service providers.
The steps are the same as when you perform these actions as an individual user.
Create repositories
When a member of the Owners
team creates a repository for an organization,
they can configure which teams within the organization can access the
repository. No access controls are configured by default on repository creation.
If the repository is private, this leaves it accessible only to members of the
Owners
team until other teams are granted access.
Tip: Members of the
Owners
team can configure this default from the Default privacy section of the organization’s Cloud Settings page.
-
Log in to Docker Cloud as a member of the
Owners
team. -
Switch to the Organization account by selecting it from the user icon menu at the top right.
-
Create the repository as usual.
-
Once the repository has been created, navigate to it and click Permissions.
-
Grant access to any teams that will require access to the repository.
Manage organization settings
From the Organization’s Cloud Settings page you can also manage the Organization’s Plan and billing account information, notifications, and API keys.
Create organization resources
To create resources for an Organization such as services and node clusters, log in to Docker Cloud and switch to the Organization account. Create the repositories, services, stacks, or node clusters as you would for any other account.
organizations, teams, Docker Cloud, resources, permissions