Users
By default (in database-managed user mode) users need to be created by the administrator. To allow someone to create an account on their own, you need to enable Allow Self-Registration, which is unchecked by default.


The library project is the default project and belongs to the administrator.
To use authentication via SSO such as Okta, Keycloak, and others, no users can exist in the database. In this case, you don't create user accounts in Harbor. Self-registration (as shown above), user deletion, and password reset will also not be possible.
If any user has been created, delete it so the options below appear.

Consult the documentation for more information.
Managing Users
- Every image must belong to a project.
- Quotas and rules, such as maximum image size and maximum number of tags, are applied at the project level.
- Users exist independently of projects, like any other registered account.
- A user can be invited to participate in a project created by another user, or can create their own project to manage their images.
- The project owner or a maintainer can define roles for the other project members.
- Permissions cannot be assigned individually. They are determined by role.
- A project can be public or private.
A project member can have the following roles: Limited Guest, Guest, Developer, Maintainer, and Project Admin.
| Action | Limited Guest | Guest | Developer | Maintainer | Project Admin |
|---|---|---|---|---|---|
| View project settings | ✓ | ✓ | ✓ | ✓ | ✓ |
| Edit project settings | | | | | ✓ |
| View project members list | | ✓ | ✓ | ✓ | ✓ |
| Create/edit/delete project members | | | | | ✓ |
| View project logs list | | ✓ | ✓ | ✓ | ✓ |
| View project replications list | | | | ✓ | ✓ |
| View project replication jobs list | | | | | ✓ |
| View project tags list | | | | ✓ | ✓ |
| Create/edit/delete project labels | | | | ✓ | ✓ |
| View repositories list | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create repositories | | | ✓ | ✓ | ✓ |
| Edit/delete repositories | | | | ✓ | ✓ |
| View images list | ✓ | ✓ | ✓ | ✓ | ✓ |
| Retag image | | ✓ | ✓ | ✓ | ✓ |
| Pull image | ✓ | ✓ | ✓ | ✓ | ✓ |
| Push image | | | ✓ | ✓ | ✓ |
| Scan/delete image | | | | ✓ | ✓ |
| Edit scanners in projects | | | | | ✓ |
| View image vulnerabilities list | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create project vulnerabilities list | | | ✓ | ✓ | ✓ |
| Read project vulnerabilities list | | | ✓ | ✓ | ✓ |
| Export project vulnerabilities list | | | ✓ | ✓ | ✓ |
| View image build history | ✓ | ✓ | ✓ | ✓ | ✓ |
| Add/remove image tags | | | ✓ | ✓ | ✓ |
| View helm charts list | ✓ | ✓ | ✓ | ✓ | ✓ |
| Download helm charts | ✓ | ✓ | ✓ | ✓ | ✓ |
| Upload helm charts | | | ✓ | ✓ | ✓ |
| Delete helm charts | | | | ✓ | ✓ |
| View helm chart versions list | ✓ | ✓ | ✓ | ✓ | ✓ |
| Download helm chart versions | ✓ | ✓ | ✓ | ✓ | ✓ |
| Upload helm chart versions | | | ✓ | ✓ | ✓ |
| Delete helm chart versions | | | | ✓ | ✓ |
| Add/remove helm chart version tags | | | ✓ | ✓ | ✓ |
| View project robots list | | | | ✓ | ✓ |
| Create/edit/delete project robots | | | | | ✓ |
| View configured CVE allowlist | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/edit/remove CVE allowlist | | | | | ✓ |
| View webhook events | | | | ✓ | ✓ |
| Add new webhook events | | | | | ✓ |
| Enable/disable webhooks | | | | | ✓ |
| Create/delete tag retention rules | | | ✓ | ✓ | ✓ |
| Enable/disable tag retention rules | | | ✓ | ✓ | ✓ |
| Create/delete tag immutability rules | | | | ✓ | ✓ |
| Enable/disable tag immutability rules | | | | ✓ | ✓ |
| View project quotas | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete the project | | | | | ✓ |
The project administrator can use scanners already configured in Harbor for the project, but cannot add them to Harbor.
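Because permissions follow roles and cannot be granted individually, a membership review comes down to two questions: what is the lowest role that covers what a member actually does, and what else does that role bring with it. The sketch below is an added example, not Harbor code. It assumes the roles are cumulative in the order of the table columns, copies only a subset of the table rows, and uses constructed member names.

```python
# Added example (not Harbor code): least-privilege audit over project roles.
# Assumption: roles are cumulative, ordered from least to most privileged.
ROLES = ["Limited Guest", "Guest", "Developer", "Maintainer", "Project Admin"]
# Lowest role that grants each action (a subset of the rows in the table).
MIN_ROLE = {
    "Pull image": "Limited Guest",
    "View image vulnerabilities list": "Limited Guest",
    "View project members list": "Guest",
    "Retag image": "Guest",
    "Push image": "Developer",
    "Create repositories": "Developer",
    "Create/delete tag retention rules": "Developer",
    "Scan/delete image": "Maintainer",
    "Create/edit/delete project members": "Project Admin",
    "Create/edit/remove CVE allowlist": "Project Admin",
}

def rank(role):
    return ROLES.index(role)

def least_role(needed):
    """Lowest role covering every needed action (Limited Guest if none)."""
    return max((MIN_ROLE[a] for a in needed), key=rank, default=ROLES[0])

def excess(role, needed):
    """Actions the role grants beyond the ones the member needs."""
    return sorted(a for a, r in MIN_ROLE.items()
                  if rank(r) <= rank(role) and a not in needed)

def audit(members):
    """Return (name, current role, sufficient role) for over-privileged members."""
    findings = []
    for m in members:
        target = least_role(m["needs"])
        if rank(m["role"]) > rank(target):
            findings.append((m["name"], m["role"], target))
    return findings

# Constructed sample membership for one project (hypothetical accounts).
MEMBERS = [
    {"name": "ci-pusher", "role": "Project Admin", "needs": {"Push image", "Pull image"}},
    {"name": "deployer", "role": "Guest", "needs": {"Pull image"}},
    {"name": "sec-team", "role": "Maintainer", "needs": {"Scan/delete image"}},
]

if __name__ == "__main__":
    for name, have, want in audit(MEMBERS):
        print(f"{name}: has {have}, {want} is sufficient")
    print("Developer also grants:", excess("Developer", {"Push image", "Pull image"}))
```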
Harbor administrator responsibilities include:
- Adding scanners.
- Defining quotas for projects.
- Granting administrator permission to another user. Members are for projects, users are system-wide. A user can be a member of a project.
- Defining vulnerability scan policies for all projects.
- Creating, modifying, and deleting users and projects.
An anonymous user is a user who is not logged into the system and can only have read-only access to public projects.
An automation account provides a system user for use by another system.