
About permissions

The permissions of Enterprise DC/OS allow you to control access by resource and sometimes by operation (create, read, update, delete). The number of permissions enforced increases as you move from disabled to permissive and from permissive to strict security modes. Permissive security mode provides finer-grained controls, and strict security mode provides the finest-grained controls. See the following table for details.

| Permission category | Enforcer | Enforced in |
|---|---|---|
| Superuser | All | All security modes |
| Admin Router | Admin Router | All security modes |
| Secret Store service | Secret Store service | All security modes |
| User service | Native Marathon and Metronome | permissive and strict security modes |
| Mesos master and agent | Mesos master and agent | strict security mode |

Permissions can be applied to users and groups using either the DC/OS web interface or the IAM API.

In addition to complete reference information about all of the possible permissions, this section contains step-by-step instructions for common use cases.

Quickstart

Learn how to grant users and groups permission to access one or more tabs in the DC/OS web interface using either the DC/OS web interface or the IAM API.

Superuser permission

This topic discusses the superuser permission, which is available in all security modes and gives a user full rights across the DC/OS cluster.

Admin Router permissions

This topic details the permissions that the Admin Router enforces. Admin Router enforces these permissions in all security modes.

Secret Store service permissions

This topic details the permissions enforced by the Secret Store service, which control the ability of users to create, read, update, and delete secrets using either the Secrets API...

User service permissions

This topic details the permissions enforced by the Marathon and Metronome services, which control access to user services and jobs. These permissions are only enforced in permissiv...

Assigning permissions

This topic describes how to assign a permission using either the DC/OS web interface or the IAM API.