The user that created a project and the super admin of the instance can add users to projects to enable them to perform different actions.
It is possible to pull images from a public repository without being a project member. But a membership grants users other rights depending on the role they are assigned.
Below is the overview of all project permissions by five types of roles:
| Action | Limited Guest | Guest | Developer | Master | Project Admin | System Administrator |
|---|---|---|---|---|---|---|
| See the project configurations | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Edit the project configurations | ✓ | ✓ | ||||
| See a list of project members | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Create/edit/delete project members | ✓ | ✓ | ||||
| See a list of project logs | ✓ | ✓ | ✓ | ✓ | ✓ | |
| See a list of project replications | ✓ | ✓ | ✓ | |||
| See a list of project replication jobs | ✓ | ✓ | ||||
| See a list of project labels | ✓ | ✓ | ✓ | |||
| Create/edit/delete project labels | ✓ | ✓ | ✓ | |||
| See a list of repositories | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create repositories | ✓ | ✓ | ✓ | ✓ | ||
| Edit/delete repositories | ✓ | ✓ | ✓ | |||
| See a list of images | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Retag image | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Pull image | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Push image | ✓ | ✓ | ✓ | ✓ | ||
| Scan/delete image | ✓ | ✓ | ✓ | |||
| Add scanners to Harbor | ✓ | |||||
| Edit scanners in projects | ✓ | ✓ | ||||
| See a list of image vulnerabilities | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| See image build history | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Add/Remove labels of image | ✓ | ✓ | ✓ | ✓ | ||
| See a list of helm charts | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Download helm charts | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Upload helm charts | ✓ | ✓ | ✓ | ✓ | ||
| Delete helm charts | ✓ | ✓ | ✓ | |||
| See a list of helm chart versions | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Download helm chart versions | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Upload helm chart versions | ✓ | ✓ | ✓ | ✓ | ||
| Delete helm chart versions | ✓ | ✓ | ✓ | |||
| Add/Remove labels of helm chart version | ✓ | ✓ | ✓ | ✓ | ||
| See a list of project robots | ✓ | ✓ | ✓ | |||
| Create/edit/delete project robots | ✓ | ✓ | ||||
| See configured CVE whitelist | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/edit/remove CVE whitelist | ✓ | ✓ | ||||
| Enable/disable webhooks | ✓ | ✓ | ✓ | ✓ | ||
| Create/delete tag retention rules | ✓ | ✓ | ✓ | ✓ | ||
| Enable/disable tag retention rules | ✓ | ✓ | ✓ | ✓ | ||
| Create/delete tag immutability rules | ✓ | ✓ | ✓ | |||
| Enable/disable tag immutability rules | ✓ | ✓ | ✓ | |||
| See project quotas | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Edit project quotas | ✓ |
The matrix applies to the users that are registered in the instance.
Unregistered anonymous users can access public projects in the read-only mode and pull any images from such projects and for both types of projects.
By default, any new project has no users except the project admin that created it. Super admins can access projects that they are not members of.
To enable your collaborators to work on the project, you need to add them. There are two methods for doing this. An important prerequisite is that they must be users of the same instance. If they are not, refer to this article to add users to the instance.
Regardless of the method you want to use for adding project members:
If you want to add single users, use + User button. Start typing in the name and a dropdown with a few suggestions will appear.
By default, every new user is granted the project admin role, thus, acquiring the same rights as the project creator has. Remember to change this, if you want to restrict the permissions level.
This method is available for instances using LDAP/AD authentication. Read about configuring this method of authentication here.
Another important Prerequisite is that you must enable the memberof feature on the LDAP/AD server. It is explained in the same guide mentioned above, as well as in this external technical note.
Eventually, you need to create user groups on your LADP/AD server since, with this authentication method, the super admins cannot manage users inside the Container Registry interface.
The corresponding permissions will be granted to all users in this group.
The corresponding permissions will be granted to all users in this group.
To delete one or a few users, click on the tickbox next to the user entry, then go to Actions and select Remove.
To change the project role for one or a few users, check the tickboxes next to their names, click Actions, and select a new role.
