Managing permissions

ENTERPRISE

PREVIEW

About permissions

The permissions of DC/OS Enterprise allow you to control access by resource and sometimes by operation (create, read, update, delete). The number of permissions enforced increases as you move from disabled to permissive and from permissive to strict security modes. Permissive security mode provides finer-grained controls, and strict security mode provides the finest-grained controls. See the following table for details.

| Permission category    | Enforcer                      | Enforced in                          |
|------------------------|-------------------------------|--------------------------------------|
| Superuser              | All                           | All security modes                   |
| Admin Router           | Admin Router                  | All security modes                   |
| Secret Store service   | Secret Store service          | All security modes                   |
| User service           | Native Marathon and Metronome | permissive and strict security modes |
| Mesos master and agent | Mesos master and agent        | strict security mode                 |

Permissions can be applied to users and groups using either the DC/OS web interface or the IAM API.

In addition to complete reference information about all of the possible permissions, this section contains step-by-step instructions for common use cases.

Quickstart

Learn how to grant users and groups permission to access one or more tabs in the DC/OS web interface using either the DC/OS web interface or the IAM API.

Controlling user access to services

Learn how to achieve fine-grained control over a user's access to services using either the DC/OS web interface or the API.

Controlling user access to jobs

Learn how to achieve fine-grained control over a user's access to jobs using either the DC/OS web interface or the API.

Superuser permission

This topic discusses the superuser permission, which is available in all security modes and gives a user full rights across the entire DC/OS cluster.

Admin Router permissions

This topic details the permissions that the Admin Router enforces. Admin Router enforces these permissions in all security modes.

Secret Store service permissions

This topic details the permissions enforced by the Secret Store service, which control the ability of users to create, read, update, and delete secrets using either the Secrets API or the DC/OS Enterprise CLI. The Secret Store enforces these permissions in all security modes.

User service permissions

This topic details the permissions enforced by the Marathon and Metronome services, which control access to user services and jobs. These permissions are only enforced in permissive and strict security modes.

Mesos master and agent permissions

This topic details the permissions enforced by the Mesos master and Mesos agent. They enforce these permissions only in strict security mode.

Assigning permissions

This topic describes how to assign a permission using either the DC/OS web interface or the IAM API.