RBAC & Roles
dockmesh ships with full role-based access control — not as a paid add-on, but as part of the single binary. Define custom roles, assign them to users or SSO groups, and scope permissions by host, stack, or environment.
Built-in roles
Three roles exist out of the box and cannot be deleted:
| Role | Purpose |
|---|---|
| Admin | Full access. Can manage users, roles, hosts, and settings. |
| Operator | Deploy and manage stacks; no user/role admin. |
| Viewer | Read-only. Sees stacks, containers, metrics, logs. No actions. |
Everyone gets a role on first login (default: Viewer). Admins can change this per user.
Custom roles
Settings → Roles → New role opens a permission matrix. Every action in dockmesh maps to a permission name like `stacks.deploy` or `hosts.add`. Toggle what the role can do:
| Category | Example permissions |
|---|---|
| Stacks | view, create, deploy, scale, migrate, delete, edit_compose |
| Containers | view, logs, exec, restart, kill |
| Hosts | view, add, drain, remove |
| Backups | view, create_job, restore, delete |
| Users | view, invite, update, delete, assign_role |
| Settings | view, update |
Scopes
Every role can be scoped to a subset of the fleet:
- All hosts — applies everywhere
- Hosts with tag — e.g. the role only applies to hosts tagged `staging`
- Specific hosts — explicit list
A user can hold multiple roles, each with its own scope. A user who is Operator on staging hosts and Viewer on prod hosts can deploy to staging but can only read prod.
Team isolation
Pair custom roles with host tags to give each team their own sandbox:
- Tag staging hosts with `team-frontend`, `team-backend`, etc.
- Create a role `Team-Frontend-Operator` with `stacks.*` scoped to `tag=team-frontend`
- Assign the role to the SSO group `frontend-engineers`
Engineers in that group now see and manage only their team’s stacks.
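The two situations above (a user who is Operator on `staging` and Viewer on `prod`, and a team role with `stacks.*` scoped to `tag=team-frontend`) come down to one evaluation rule: an action is allowed only if some role assignment both grants the permission and has a scope covering the target host. The following is an added example, not dockmesh code; the data layout (roles as permission sets, scopes as `all`/`tag`/`hosts` dicts, hosts as tag sets) and the sample users and hosts are assumptions made for illustration.

```python
"""Toy evaluator for scoped role assignments (added example, not dockmesh code)."""
from fnmatch import fnmatchcase

# Constructed sample roles. Names and permission strings follow the page;
# the exact permission sets are assumptions of this example.
ROLES = {
    "Operator": {"stacks.view", "stacks.create", "stacks.deploy", "stacks.scale",
                 "containers.view", "containers.logs", "containers.restart"},
    "Viewer": {"stacks.view", "containers.view", "containers.logs", "hosts.view"},
    "Team-Frontend-Operator": {"stacks.*"},   # wildcard: every stacks.* permission
}

# Constructed fleet: host name -> set of tags.
HOSTS = {
    "stg-01": {"staging", "team-frontend"},
    "stg-02": {"staging", "team-backend"},
    "prod-01": {"prod", "team-frontend"},
}


def scope_matches(scope, host, host_tags):
    """Does this assignment's scope cover `host`?"""
    kind = scope["type"]
    if kind == "all":
        return True
    if kind == "tag":
        return scope["tag"] in host_tags
    if kind == "hosts":
        return host in scope["hosts"]
    raise ValueError(f"unknown scope type {kind!r}")


def permission_matches(granted, wanted):
    """Exact match, or a 'category.*' wildcard covering the wanted permission."""
    return fnmatchcase(wanted, granted)


def is_allowed(assignments, permission, host, hosts=HOSTS, roles=ROLES):
    """Allow if any (role, scope) assignment grants `permission` on `host`.

    Default is deny: an unknown host, an uncovered scope or a missing
    permission all fall through to False.
    """
    tags = hosts.get(host)
    if tags is None:
        return False  # unknown host: fail closed
    for role_name, scope in assignments:
        if not scope_matches(scope, host, tags):
            continue
        if any(permission_matches(g, permission) for g in roles[role_name]):
            return True
    return False


# The user from the Scopes section: Operator on staging, Viewer on prod.
ALICE = [
    ("Operator", {"type": "tag", "tag": "staging"}),
    ("Viewer", {"type": "tag", "tag": "prod"}),
]

# The team-isolation pattern: stacks.* only where the host carries the team tag.
FRONTEND_ENGINEER = [
    ("Team-Frontend-Operator", {"type": "tag", "tag": "team-frontend"}),
]

if __name__ == "__main__":
    print(is_allowed(ALICE, "stacks.deploy", "stg-01"))              # True
    print(is_allowed(ALICE, "stacks.deploy", "prod-01"))             # False
    print(is_allowed(ALICE, "stacks.view", "prod-01"))               # True
    print(is_allowed(FRONTEND_ENGINEER, "stacks.delete", "stg-02"))  # False
```

Note what the tag scope does and does not do: `prod-01` in the sample fleet is tagged `team-frontend`, so the team role reaches it even though it is a production host. A scope keyed on a team tag isolates teams from each other, not environments from each other; if both are wanted, the hosts need both tags and the role needs the narrower scope.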
Audit log
Every action in dockmesh is written to a tamper-evident audit log. Entries chain together with SHA-256 hashes: altering any row breaks the chain and the UI flags the corruption.
Entries include: timestamp, actor (user + IP + session), action, target (stack/host/user), result (success/failure), and a JSON payload of the before/after state for mutating actions.
Export CSV for compliance or pipe to your SIEM via webhook.
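To make the chaining concrete, here is an added example (not dockmesh code) of a hash-chained log with a verifier: each row stores the previous row's hash and its own SHA-256 over that previous hash plus a canonical JSON form of the entry. The field layout follows the list above (timestamp, actor, action, target, result, payload); the canonicalisation, the genesis value and the sample entries are assumptions made for this example. It also shows the one case a chain by itself cannot catch, which is why keeping an exported copy (CSV or SIEM) matters.

```python
"""Hash-chained audit log with verification (added example, not dockmesh code)."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel for the first row's previous hash


def canonical(entry):
    """Deterministic bytes for an entry so the same content always hashes the same."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def row_hash(prev_hash, entry):
    """SHA-256 over the previous row's hash followed by the canonical entry."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(entry))
    return h.hexdigest()


def append(log, entry):
    """Append an entry, linking it to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    row = {"entry": entry, "prev_hash": prev, "hash": row_hash(prev, entry)}
    log.append(row)
    return row


def head_hash(log):
    """Hash of the last row; anchor this outside the log (e.g. in the SIEM export)."""
    return log[-1]["hash"] if log else GENESIS


def verify(log):
    """Walk the chain; return (True, None) or (False, index_of_first_bad_row)."""
    prev = GENESIS
    for i, row in enumerate(log):
        if row["prev_hash"] != prev or row["hash"] != row_hash(prev, row["entry"]):
            return False, i
        prev = row["hash"]
    return True, None


def build_sample_log():
    """Constructed entries using the fields the page lists."""
    log = []
    append(log, {"ts": "2024-05-01T09:00:00Z",
                 "actor": {"user": "alice", "ip": "10.0.0.5", "session": "sess-1"},
                 "action": "stacks.scale", "target": "stack/web", "result": "success",
                 "payload": {"before": {"replicas": 2}, "after": {"replicas": 3}}})
    append(log, {"ts": "2024-05-01T09:05:00Z",
                 "actor": {"user": "bob", "ip": "10.0.0.9", "session": "sess-2"},
                 "action": "users.assign_role", "target": "user/carol", "result": "failure",
                 "payload": None})
    append(log, {"ts": "2024-05-01T09:07:00Z",
                 "actor": {"user": "alice", "ip": "10.0.0.5", "session": "sess-1"},
                 "action": "hosts.drain", "target": "host/stg-01", "result": "success",
                 "payload": {"before": {"state": "active"}, "after": {"state": "draining"}}})
    return log


def tamper(log, index, rehash=False):
    """Return a copy with row `index`'s result flipped; optionally recompute its hash."""
    bad = copy.deepcopy(log)
    row = bad[index]
    row["entry"]["result"] = "failure" if row["entry"]["result"] == "success" else "success"
    if rehash:
        row["hash"] = row_hash(row["prev_hash"], row["entry"])
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print(verify(log))                           # (True, None)
    print(verify(tamper(log, 1)))                # (False, 1): row hash no longer matches
    print(verify(tamper(log, 1, rehash=True)))   # (False, 2): next row's prev_hash is stale
    print(verify(tamper(log, 2, rehash=True)))   # (True, None): tail rewrite is invisible
    print(head_hash(tamper(log, 2, rehash=True)) == head_hash(log))  # False
```

The last two lines are the caveat worth knowing: editing a middle row is caught either by its own hash or by the next row's `prev_hash`, but rewriting the final row and recomputing its hash leaves a chain that still verifies. Detecting that requires a head hash (or the rows themselves) recorded somewhere the log writer cannot rewrite, which is what a CSV export or SIEM webhook copy gives you.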
See also
- SSO / OIDC — map SSO groups to dockmesh roles
- Two-Factor Auth — require TOTP for admin users