feat(UAC): change default ownership to admininstrators (#2137)

* #960 feat(UAC): change ownership to admins for externally created ressources * feat(UAC): change ownership to admins for externally created resources Deprecated AdministratorsOnly js and go backend * #960 feat(UAC): remove AdministratorsOnly property and minor GUI fixes Update swagger definition changing AdministratorsOnly to Public * #960 feat(UAC): fix create resource with access control data * #960 feat(UAC): authorization of non-admin users for restricted operations On stacks, containers networks, services , tasks and volumes. * #960 feat(UAC): database migration to version 14 The administrator resources are deleted and Public resources are now managed by admins * #960 feat(UAC): small fixes from PR #2137 * #960 feat(UAC): improve the readability of the source code * feat(UAC) fix displayed ownership for Swarm related resources (#960)
2018-08-19 00:57:28 -05:00 · 2018-08-19 00:57:28 -05:00 · e1e263d8c8
parent 31c2a6d9e7
commit e1e263d8c8
30 changed files with 206 additions and 179 deletions
--- a/api/bolt/migrator/migrate_dbversion13.go
+++ b/api/bolt/migrator/migrate_dbversion13.go
@ -0,0 +1,19 @@
 package migrator
 func (m *Migrator) updateResourceControlsToDBVersion14() error {
 	resourceControls, err := m.resourceControlService.ResourceControls()
 	if err != nil {
 		return err
 	}
 	for _, resourceControl := range resourceControls {
 		if resourceControl.AdministratorsOnly == true {
 			err = m.resourceControlService.DeleteResourceControl(resourceControl.ID)
 			if err != nil {
 				return err
 			}
 		}
 	}
 	return nil
 }
--- a/api/bolt/migrator/migrator.go
+++ b/api/bolt/migrator/migrator.go
@ -178,5 +178,13 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 	// 1.19.2-dev
 	if m.currentDBVersion < 14 {
 		err := m.updateResourceControlsToDBVersion14()
 		if err != nil {
 			return err
 		}
 	}
 	return m.versionService.StoreDBVersion(portainer.DBVersion)
 }
--- a/api/http/handler/resourcecontrols/resourcecontrol_create.go
+++ b/api/http/handler/resourcecontrols/resourcecontrol_create.go
@ -14,7 +14,7 @@ import (
 type resourceControlCreatePayload struct {
 	ResourceID     string
 	Type           string
-	AdministratorsOnly bool
+	Public         bool
 	Users          []int
 	Teams          []int
 	SubResourceIDs []string
@ -29,8 +29,8 @@ func (payload *resourceControlCreatePayload) Validate(r *http.Request) error {
 		return portainer.Error("Invalid type")
 	}
-	if len(payload.Users) == 0 && len(payload.Teams) == 0 && !payload.AdministratorsOnly {
+	if len(payload.Users) == 0 && len(payload.Teams) == 0 && !payload.Public {
-		return portainer.Error("Invalid resource control declaration. Must specify Users, Teams or AdministratorOnly")
+		return portainer.Error("Invalid resource control declaration. Must specify Users, Teams or Public")
 	}
 	return nil
 }
@ -93,7 +93,7 @@ func (handler *Handler) resourceControlCreate(w http.ResponseWriter, r *http.Req
 		ResourceID:     payload.ResourceID,
 		SubResourceIDs: payload.SubResourceIDs,
 		Type:           resourceControlType,
-		AdministratorsOnly: payload.AdministratorsOnly,
+		Public:         payload.Public,
 		UserAccesses:   userAccesses,
 		TeamAccesses:   teamAccesses,
 	}
--- a/api/http/handler/resourcecontrols/resourcecontrol_update.go
+++ b/api/http/handler/resourcecontrols/resourcecontrol_update.go
@ -11,14 +11,14 @@ import (
 )
 type resourceControlUpdatePayload struct {
-	AdministratorsOnly bool
+	Public bool
 	Users  []int
 	Teams  []int
 }
 func (payload *resourceControlUpdatePayload) Validate(r *http.Request) error {
-	if len(payload.Users) == 0 && len(payload.Teams) == 0 && !payload.AdministratorsOnly {
+	if len(payload.Users) == 0 && len(payload.Teams) == 0 && !payload.Public {
-		return portainer.Error("Invalid resource control declaration. Must specify Users, Teams or AdministratorOnly")
+		return portainer.Error("Invalid resource control declaration. Must specify Users, Teams or Public")
 	}
 	return nil
 }
@ -52,7 +52,7 @@ func (handler *Handler) resourceControlUpdate(w http.ResponseWriter, r *http.Req
 		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update the resource control", portainer.ErrResourceAccessDenied}
 	}
-	resourceControl.AdministratorsOnly = payload.AdministratorsOnly
+	resourceControl.Public = payload.Public
 	var userAccesses = make([]portainer.UserResourceAccess, 0)
 	for _, v := range payload.Users {
--- a/api/http/handler/stacks/stack_delete.go
+++ b/api/http/handler/stacks/stack_delete.go
@ -48,8 +48,8 @@ func (handler *Handler) stackDelete(w http.ResponseWriter, r *http.Request) *htt
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
 	}
-	if resourceControl != nil {
+	if !securityContext.IsAdmin {
-		if !securityContext.IsAdmin && !proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
+		if !proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
 			return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", portainer.ErrResourceAccessDenied}
 		}
 	}
--- a/api/http/handler/stacks/stack_file.go
+++ b/api/http/handler/stacks/stack_file.go
@ -41,6 +41,10 @@ func (handler *Handler) stackFile(w http.ResponseWriter, r *http.Request) *httpe
 	}
 	extendedStack := proxy.ExtendedStack{*stack, portainer.ResourceControl{}}
 	if !securityContext.IsAdmin && resourceControl == nil {
 		return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", portainer.ErrResourceAccessDenied}
 	}
 	if resourceControl != nil {
 		if securityContext.IsAdmin || proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
 			extendedStack.ResourceControl = *resourceControl
--- a/api/http/handler/stacks/stack_inspect.go
+++ b/api/http/handler/stacks/stack_inspect.go
@ -36,6 +36,10 @@ func (handler *Handler) stackInspect(w http.ResponseWriter, r *http.Request) *ht
 	}
 	extendedStack := proxy.ExtendedStack{*stack, portainer.ResourceControl{}}
 	if !securityContext.IsAdmin && resourceControl == nil {
 		return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", portainer.ErrResourceAccessDenied}
 	}
 	if resourceControl != nil {
 		if securityContext.IsAdmin || proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
 			extendedStack.ResourceControl = *resourceControl
--- a/api/http/handler/stacks/stack_migrate.go
+++ b/api/http/handler/stacks/stack_migrate.go
@ -53,8 +53,8 @@ func (handler *Handler) stackMigrate(w http.ResponseWriter, r *http.Request) *ht
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
 	}
-	if resourceControl != nil {
+	if !securityContext.IsAdmin {
-		if !securityContext.IsAdmin && !proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
+		if !proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
 			return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", portainer.ErrResourceAccessDenied}
 		}
 	}
--- a/api/http/handler/stacks/stack_update.go
+++ b/api/http/handler/stacks/stack_update.go
@ -62,8 +62,8 @@ func (handler *Handler) stackUpdate(w http.ResponseWriter, r *http.Request) *htt
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
 	}
-	if resourceControl != nil {
+	if !securityContext.IsAdmin {
-		if !securityContext.IsAdmin && !proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
+		if !proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
 			return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", portainer.ErrResourceAccessDenied}
 		}
 	}
--- a/api/http/proxy/access_control.go
+++ b/api/http/proxy/access_control.go
@ -1,6 +1,8 @@
 package proxy
-import "github.com/portainer/portainer"
+import (
 	"github.com/portainer/portainer"
 )
 type (
 	// ExtendedStack represents a stack combined with its associated access control
@ -15,7 +17,7 @@ type (
 // It will retrieve an identifier from the labels object. If an identifier exists, it will check for
 // an existing resource control associated to it.
 // Returns a decorated object and authorized access (true) when a resource control is found and the user can access the resource.
-// Returns the original object and authorized access (true) when no resource control is found.
+// Returns the original object and denied access (false) when no resource control is found.
 // Returns the original object and denied access (false) when a resource control is found and the user cannot access the resource.
 func applyResourceAccessControlFromLabel(labelsObject, resourceObject map[string]interface{}, labelIdentifier string,
 	context *restrictedOperationContext) (map[string]interface{}, bool) {
@ -24,32 +26,31 @@ func applyResourceAccessControlFromLabel(labelsObject, resourceObject map[string
 		resourceIdentifier := labelsObject[labelIdentifier].(string)
 		return applyResourceAccessControl(resourceObject, resourceIdentifier, context)
 	}
-	return resourceObject, true
+	return resourceObject, false
 }
 // applyResourceAccessControl returns an optionally decorated object as the first return value and the
 // access level for the user (granted or denied) as the second return value.
 // Returns a decorated object and authorized access (true) when a resource control is found to the specified resource
 // identifier and the user can access the resource.
-// Returns the original object and authorized access (true) when no resource control is found for the specified
+// Returns the original object and authorized access (false) when no resource control is found for the specified
 // resource identifier.
 // Returns the original object and denied access (false) when a resource control is associated to the resource
 // and the user cannot access the resource.
 func applyResourceAccessControl(resourceObject map[string]interface{}, resourceIdentifier string,
 	context *restrictedOperationContext) (map[string]interface{}, bool) {
 	authorizedAccess := true
 	resourceControl := getResourceControlByResourceID(resourceIdentifier, context.resourceControls)
-	if resourceControl != nil {
+	if resourceControl == nil {
-		if context.isAdmin || canUserAccessResource(context.userID, context.userTeamIDs, resourceControl) {
+		return resourceObject, context.isAdmin
 			resourceObject = decorateObject(resourceObject, resourceControl)
 		} else {
 			authorizedAccess = false
 		}
 	}
-	return resourceObject, authorizedAccess
+	if context.isAdmin || resourceControl.Public || canUserAccessResource(context.userID, context.userTeamIDs, resourceControl) {
 		resourceObject = decorateObject(resourceObject, resourceControl)
 		return resourceObject, true
 	}
 	return resourceObject, false
 }
 // decorateResourceWithAccessControlFromLabel will retrieve an identifier from the labels object. If an identifier exists,
@ -94,7 +95,7 @@ func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.Team
 		}
 	}
-	return false
+	return resourceControl.Public
 }
 func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
@ -123,6 +124,10 @@ func getResourceControlByResourceID(resourceID string, resourceControls []portai
 // CanAccessStack checks if a user can access a stack
 func CanAccessStack(stack *portainer.Stack, resourceControl *portainer.ResourceControl, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
 	if resourceControl == nil {
 		return false
 	}
 	userTeamIDs := make([]portainer.TeamID, 0)
 	for _, membership := range memberships {
 		userTeamIDs = append(userTeamIDs, membership.TeamID)
@ -132,7 +137,7 @@ func CanAccessStack(stack *portainer.Stack, resourceControl *portainer.ResourceC
 		return true
 	}
-	return false
+	return resourceControl.Public
 }
 // FilterStacks filters stacks based on user role and resource controls.
@ -149,9 +154,9 @@ func FilterStacks(stacks []portainer.Stack, resourceControls []portainer.Resourc
 	for _, stack := range stacks {
 		extendedStack := ExtendedStack{stack, portainer.ResourceControl{}}
 		resourceControl := getResourceControlByResourceID(stack.Name, resourceControls)
-		if resourceControl == nil {
+		if resourceControl == nil && isAdmin {
 			filteredStacks = append(filteredStacks, extendedStack)
-		} else if resourceControl != nil && (isAdmin || canUserAccessResource(userID, userTeamIDs, resourceControl)) {
+		} else if resourceControl != nil && (isAdmin || resourceControl.Public || canUserAccessResource(userID, userTeamIDs, resourceControl)) {
 			extendedStack.ResourceControl = *resourceControl
 			filteredStacks = append(filteredStacks, extendedStack)
 		}
--- a/api/http/proxy/containers.go
+++ b/api/http/proxy/containers.go
@ -62,27 +62,27 @@ func containerInspectOperation(response *http.Response, executor *operationExecu
 	containerID := responseObject[containerIdentifier].(string)
 	responseObject, access := applyResourceAccessControl(responseObject, containerID, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
 	containerLabels := extractContainerLabelsFromContainerInspectObject(responseObject)
 	responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForServiceIdentifier, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
 	responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForSwarmStackIdentifier, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
 	responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForComposeStackIdentifier, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
-	return rewriteResponse(response, responseObject, http.StatusOK)
+	return rewriteAccessDeniedResponse(response)
 }
 // extractContainerLabelsFromContainerInspectObject retrieve the Labels of the container if present.
@ -148,20 +148,21 @@ func filterContainerList(containerData []interface{}, context *restrictedOperati
 		containerID := containerObject[containerIdentifier].(string)
 		containerObject, access := applyResourceAccessControl(containerObject, containerID, context)
-		if access {
+		if !access {
 			containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
 			containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForComposeStackIdentifier, context)
-			if access {
+			if !access {
 				containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForServiceIdentifier, context)
-				if access {
+				if !access {
 					containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForSwarmStackIdentifier, context)
 				}
 			}
 		}
 		if access {
 			filteredContainerData = append(filteredContainerData, containerObject)
 		}
 	}
 			}
 		}
 	}
 	return filteredContainerData, nil
 }
--- a/api/http/proxy/networks.go
+++ b/api/http/proxy/networks.go
@ -53,17 +53,17 @@ func networkInspectOperation(response *http.Response, executor *operationExecuto
 	networkID := responseObject[networkIdentifier].(string)
 	responseObject, access := applyResourceAccessControl(responseObject, networkID, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
 	networkLabels := extractNetworkLabelsFromNetworkInspectObject(responseObject)
 	responseObject, access = applyResourceAccessControlFromLabel(networkLabels, responseObject, networkLabelForStackIdentifier, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
-	return rewriteResponse(response, responseObject, http.StatusOK)
+	return rewriteAccessDeniedResponse(response)
 }
 // extractNetworkLabelsFromNetworkInspectObject retrieve the Labels of the network if present.
@ -121,14 +121,15 @@ func filterNetworkList(networkData []interface{}, context *restrictedOperationCo
 		networkID := networkObject[networkIdentifier].(string)
 		networkObject, access := applyResourceAccessControl(networkObject, networkID, context)
-		if access {
+		if !access {
 			networkLabels := extractNetworkLabelsFromNetworkListObject(networkObject)
 			networkObject, access = applyResourceAccessControlFromLabel(networkLabels, networkObject, networkLabelForStackIdentifier, context)
 		}
 		if access {
 			filteredNetworkData = append(filteredNetworkData, networkObject)
 		}
 	}
 	}
 	return filteredNetworkData, nil
 }
--- a/api/http/proxy/services.go
+++ b/api/http/proxy/services.go
@ -53,17 +53,17 @@ func serviceInspectOperation(response *http.Response, executor *operationExecuto
 	serviceID := responseObject[serviceIdentifier].(string)
 	responseObject, access := applyResourceAccessControl(responseObject, serviceID, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
 	serviceLabels := extractServiceLabelsFromServiceInspectObject(responseObject)
 	responseObject, access = applyResourceAccessControlFromLabel(serviceLabels, responseObject, serviceLabelForStackIdentifier, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
-	return rewriteResponse(response, responseObject, http.StatusOK)
+	return rewriteAccessDeniedResponse(response)
 }
 // extractServiceLabelsFromServiceInspectObject retrieve the Labels of the service if present.
@ -129,14 +129,15 @@ func filterServiceList(serviceData []interface{}, context *restrictedOperationCo
 		serviceID := serviceObject[serviceIdentifier].(string)
 		serviceObject, access := applyResourceAccessControl(serviceObject, serviceID, context)
-		if access {
+		if !access {
 			serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)
 			serviceObject, access = applyResourceAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, context)
 		}
 		if access {
 			filteredServiceData = append(filteredServiceData, serviceObject)
 		}
 	}
 	}
 	return filteredServiceData, nil
 }
--- a/api/http/proxy/tasks.go
+++ b/api/http/proxy/tasks.go
@ -65,14 +65,15 @@ func filterTaskList(taskData []interface{}, context *restrictedOperationContext)
 		serviceID := taskObject[taskServiceIdentifier].(string)
 		taskObject, access := applyResourceAccessControl(taskObject, serviceID, context)
-		if access {
+		if !access {
 			taskLabels := extractTaskLabelsFromTaskListObject(taskObject)
 			taskObject, access = applyResourceAccessControlFromLabel(taskLabels, taskObject, taskLabelForStackIdentifier, context)
 		}
 		if access {
 			filteredTaskData = append(filteredTaskData, taskObject)
 		}
 	}
 	}
 	return filteredTaskData, nil
 }
--- a/api/http/proxy/volumes.go
+++ b/api/http/proxy/volumes.go
@ -62,17 +62,17 @@ func volumeInspectOperation(response *http.Response, executor *operationExecutor
 	volumeID := responseObject[volumeIdentifier].(string)
 	responseObject, access := applyResourceAccessControl(responseObject, volumeID, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
 	volumeLabels := extractVolumeLabelsFromVolumeInspectObject(responseObject)
 	responseObject, access = applyResourceAccessControlFromLabel(volumeLabels, responseObject, volumeLabelForStackIdentifier, executor.operationContext)
-	if !access {
+	if access {
-		return rewriteAccessDeniedResponse(response)
+		return rewriteResponse(response, responseObject, http.StatusOK)
 	}
-	return rewriteResponse(response, responseObject, http.StatusOK)
+	return rewriteAccessDeniedResponse(response)
 }
 // extractVolumeLabelsFromVolumeInspectObject retrieve the Labels of the volume if present.
@ -130,14 +130,15 @@ func filterVolumeList(volumeData []interface{}, context *restrictedOperationCont
 		volumeID := volumeObject[volumeIdentifier].(string)
 		volumeObject, access := applyResourceAccessControl(volumeObject, volumeID, context)
-		if access {
+		if !access {
 			volumeLabels := extractVolumeLabelsFromVolumeListObject(volumeObject)
 			volumeObject, access = applyResourceAccessControlFromLabel(volumeLabels, volumeObject, volumeLabelForStackIdentifier, context)
 		}
 		if access {
 			filteredVolumeData = append(filteredVolumeData, volumeObject)
 		}
 	}
 	}
 	return filteredVolumeData, nil
 }
--- a/api/http/security/authorization.go
+++ b/api/http/security/authorization.go
@ -1,21 +1,19 @@
 package security
-import "github.com/portainer/portainer"
+import (
 	"github.com/portainer/portainer"
 )
 // AuthorizedResourceControlDeletion ensure that the user can delete a resource control object.
 // A non-administrator user cannot delete a resource control where:
-// * the AdministratorsOnly flag is set
+// * the Public flag is false
 // * he is not one of the users in the user accesses
 // * he is not a member of any team within the team accesses
 func AuthorizedResourceControlDeletion(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool {
-	if context.IsAdmin {
+	if context.IsAdmin || resourceControl.Public {
 		return true
 	}
 	if resourceControl.AdministratorsOnly {
 		return false
 	}
 	userAccessesCount := len(resourceControl.UserAccesses)
 	teamAccessesCount := len(resourceControl.TeamAccesses)
@ -42,39 +40,25 @@ func AuthorizedResourceControlDeletion(resourceControl *portainer.ResourceContro
 // AuthorizedResourceControlAccess checks whether the user can alter an existing resource control.
 func AuthorizedResourceControlAccess(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool {
-	if context.IsAdmin {
+	if context.IsAdmin || resourceControl.Public {
 		return true
 	}
 	if resourceControl.AdministratorsOnly {
 		return false
 	}
 	authorizedTeamAccess := false
 	for _, access := range resourceControl.TeamAccesses {
 		for _, membership := range context.UserMemberships {
 			if membership.TeamID == access.TeamID {
-				authorizedTeamAccess = true
+				return true
 				break
 			}
 		}
 	}
 	if !authorizedTeamAccess {
 		return false
 	}
 	authorizedUserAccess := false
 	for _, access := range resourceControl.UserAccesses {
 		if context.UserID == access.UserID {
-			authorizedUserAccess = true
+			return true
 			break
 		}
 	}
 	if !authorizedUserAccess {
 		return false
 	}
-	return true
+	return false
 }
 // AuthorizedResourceControlUpdate ensure that the user can update a resource control object.
@ -92,20 +76,16 @@ func AuthorizedResourceControlUpdate(resourceControl *portainer.ResourceControl,
 // AuthorizedResourceControlCreation ensure that the user can create a resource control object.
 // A non-administrator user cannot create a resource control where:
-// * the AdministratorsOnly flag is set
+// * the Public flag is set false
 // * he wants to create a resource control without any user/team accesses
 // * he wants to add more than one user in the user accesses
 // * he wants tp add a user in the user accesses that is not corresponding to its id
 // * he wants to add a team he is not a member of
 func AuthorizedResourceControlCreation(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool {
-	if context.IsAdmin {
+	if context.IsAdmin || resourceControl.Public {
 		return true
 	}
 	if resourceControl.AdministratorsOnly {
 		return false
 	}
 	userAccessesCount := len(resourceControl.UserAccesses)
 	teamAccessesCount := len(resourceControl.TeamAccesses)
@ -126,19 +106,15 @@ func AuthorizedResourceControlCreation(resourceControl *portainer.ResourceContro
 	if teamAccessesCount > 0 {
 		for _, access := range resourceControl.TeamAccesses {
 			isMember := false
 			for _, membership := range context.UserMemberships {
 				if membership.TeamID == access.TeamID {
-					isMember = true
+					return true
 				}
 			}
 			if !isMember {
 				return false
 			}
 		}
 	}
-	return true
+	return false
 }
 // AuthorizedTeamManagement ensure that access to the management of the specified team is granted.
--- a/api/portainer.go
+++ b/api/portainer.go
@ -278,14 +278,17 @@ type (
 		ResourceID     string               `json:"ResourceId"`
 		SubResourceIDs []string             `json:"SubResourceIds"`
 		Type           ResourceControlType  `json:"Type"`
 		AdministratorsOnly bool                 `json:"AdministratorsOnly"`
 		UserAccesses   []UserResourceAccess `json:"UserAccesses"`
 		TeamAccesses   []TeamResourceAccess `json:"TeamAccesses"`
 		Public         bool                 `json:"Public"`
 		// Deprecated fields
 		// Deprecated in DBVersion == 2
 		OwnerID     UserID              `json:"OwnerId,omitempty"`
 		AccessLevel ResourceAccessLevel `json:"AccessLevel,omitempty"`
 		// Deprecated in DBVersion == 14
 		AdministratorsOnly bool `json:"AdministratorsOnly,omitempty"`
 	}
 	// ResourceControlType represents the type of resource associated to the resource control (volume, container, service...).
@ -613,7 +616,7 @@ const (
 	// APIVersion is the version number of the Portainer API.
 	APIVersion = "1.19.2-dev"
 	// DBVersion is the version number of the Portainer database.
-	DBVersion = 13
+	DBVersion = 14
 	// PortainerAgentHeader represents the name of the header available in any agent response
 	PortainerAgentHeader = "Portainer-Agent"
 	// PortainerAgentTargetHeader represent the name of the header containing the target node name.
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@ -3268,11 +3268,10 @@ definitions:
        example: "container"
        description: "Type of Docker resource. Valid values are: container, volume\
          \ service, secret, config or stack"
-      AdministratorsOnly:
+      Public:
        type: "boolean"
        example: true
-        description: "Restrict access to the associated resource to administrators\
+        description: "Permit access to the associated resource to any user"
          \ only"
      Users:
        type: "array"
        description: "List of user identifiers with access to the associated resource"
@ -3491,11 +3490,10 @@ definitions:
        example: "container"
        description: "Type of Docker resource. Valid values are: container, volume\
          \ service, secret, config or stack"
-      AdministratorsOnly:
+      Public:
        type: "boolean"
        example: true
-        description: "Restrict access to the associated resource to administrators\
+        description: "Permit access to the associated resource to any user"
          \ only"
      Users:
        type: "array"
        description: "List of user identifiers with access to the associated resource"
@ -3520,11 +3518,10 @@ definitions:
  ResourceControlUpdateRequest:
    type: "object"
    properties:
-      AdministratorsOnly:
+      Public:
        type: "boolean"
        example: false
-        description: "Restrict access to the associated resource to administrators\
+        description: "Permit access to the associated resource to any user"
          \ only"
      Users:
        type: "array"
        description: "List of user identifiers with access to the associated resource"
--- a/app/docker/components/datatables/configs-datatable/configsDatatable.html
+++ b/app/docker/components/datatables/configs-datatable/configsDatatable.html
@ -63,7 +63,7 @@
              <td ng-if="$ctrl.showOwnershipColumn">
                <span>
                  <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                </span>
              </td>
            </tr>
--- a/app/docker/components/datatables/containers-datatable/containersDatatable.html
+++ b/app/docker/components/datatables/containers-datatable/containersDatatable.html
@ -244,7 +244,7 @@
              <td ng-if="$ctrl.showOwnershipColumn" ng-show="$ctrl.columnVisibility.columns.ownership.display">
                <span>
                  <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                </span>
              </td>
            </tr>
--- a/app/docker/components/datatables/networks-datatable/networksDatatable.html
+++ b/app/docker/components/datatables/networks-datatable/networksDatatable.html
@ -111,7 +111,7 @@
              <td ng-if="$ctrl.showOwnershipColumn">
                <span>
                  <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                </span>
              </td>
            </tr>
--- a/app/docker/components/datatables/secrets-datatable/secretsDatatable.html
+++ b/app/docker/components/datatables/secrets-datatable/secretsDatatable.html
@ -63,7 +63,7 @@
              <td ng-if="$ctrl.showOwnershipColumn">
                <span>
                  <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                </span>
              </td>
            </tr>
--- a/app/docker/components/datatables/services-datatable/servicesDatatable.html
+++ b/app/docker/components/datatables/services-datatable/servicesDatatable.html
@ -118,7 +118,7 @@
              <td ng-if="$ctrl.showOwnershipColumn">
                <span>
                  <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                </span>
              </td>
            </tr>
--- a/app/docker/components/datatables/volumes-datatable/volumesDatatable.html
+++ b/app/docker/components/datatables/volumes-datatable/volumesDatatable.html
@ -115,7 +115,7 @@
              <td ng-if="$ctrl.showOwnershipColumn">
                <span>
                  <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                </span>
              </td>
            </tr>
--- a/app/docker/views/containers/edit/containerController.js
+++ b/app/docker/views/containers/edit/containerController.js
@ -285,7 +285,7 @@ function ($q, $scope, $state, $transition$, $filter, Commit, ContainerHelper, Co
      var teams = resourceControl.TeamAccesses.map(function(t) {
        return t.TeamId;
      });
-      return ResourceControlService.createResourceControl(resourceControl.AdministratorsOnly, users, teams, containerIdentifier, 'container', []);
+      return ResourceControlService.createResourceControl(resourceControl.Public, users, teams, containerIdentifier, 'container', []);
    }
    function notifyAndChangeView() {
--- a/app/portainer/components/accessControlPanel/porAccessControlPanel.html
+++ b/app/portainer/components/accessControlPanel/porAccessControlPanel.html
@ -11,12 +11,12 @@
              <td>
                <i ng-class="$ctrl.resourceControl.Ownership | ownershipicon" aria-hidden="true" style="margin-right: 2px;"></i>
                <span ng-if="!$ctrl.resourceControl">
-                  public
+                  administrators
-                  <portainer-tooltip message="This resource can be managed by any user with access to this endpoint." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
+                  <portainer-tooltip message="This resource can only be managed by administrators." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
                </span>
                <span ng-if="$ctrl.resourceControl">
                  {{ $ctrl.resourceControl.Ownership }}
-                  <portainer-tooltip ng-if="$ctrl.resourceControl.Ownership === 'administrators'" message="This resource can only be managed by administrators." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
+                  <portainer-tooltip ng-if="$ctrl.resourceControl.Ownership === 'public'" message="This resource can be managed by any user with access to this endpoint." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
                  <portainer-tooltip ng-if="$ctrl.resourceControl.Ownership === 'private'" message="Management of this resource is restricted to a single user." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
                  <portainer-tooltip ng-if="$ctrl.resourceControl.Ownership === 'restricted'" message="This resource can be managed by a restricted set of users and/or teams." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
                </span>
--- a/app/portainer/components/accessControlPanel/porAccessControlPanelController.js
+++ b/app/portainer/components/accessControlPanel/porAccessControlPanelController.js
@ -12,7 +12,7 @@ function ($q, $state, UserService, TeamService, ResourceControlService, Notifica
  };
  ctrl.formValues = {
-    Ownership: 'public',
+    Ownership: 'administrators',
    Ownership_Users: [],
    Ownership_Teams: []
  };
@ -60,13 +60,14 @@ function ($q, $state, UserService, TeamService, ResourceControlService, Notifica
    angular.forEach(ctrl.formValues.Ownership_Teams, function(team) {
      teamIds.push(team.Id);
    });
-    var administratorsOnly = ctrl.formValues.Ownership === 'administrators' ? true : false;
+
    var publicOnly = ctrl.formValues.Ownership === 'public' ? true : false;
    return {
      ownership: ctrl.formValues.Ownership,
-      authorizedUserIds: administratorsOnly ? [] : userIds,
+      authorizedUserIds: publicOnly ? [] : userIds,
-      authorizedTeamIds: administratorsOnly ? [] : teamIds,
+      authorizedTeamIds: publicOnly ? [] : teamIds,
-      administratorsOnly: administratorsOnly
+      publicOnly: publicOnly
    };
  }
@ -96,12 +97,13 @@ function ($q, $state, UserService, TeamService, ResourceControlService, Notifica
      if (resourceControl) {
        ctrl.formValues.Ownership = resourceControl.Ownership === 'private' ? 'restricted' : resourceControl.Ownership;
      } else {
-        ctrl.formValues.Ownership = 'public';
+        ctrl.formValues.Ownership = 'administrators';
      }
    } else {
-      ctrl.formValues.Ownership = 'public';
+      ctrl.formValues.Ownership = 'administrators';
    }
    ResourceControlService.retrieveOwnershipDetails(resourceControl)
    .then(function success(data) {
      ctrl.authorizedUsers = data.authorizedUsers;
--- a/app/portainer/components/datatables/stacks-datatable/stacksDatatable.html
+++ b/app/portainer/components/datatables/stacks-datatable/stacksDatatable.html
@ -70,7 +70,7 @@
              <td ng-if="$ctrl.showOwnershipColumn">
                <span>
                  <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                </span>
              </td>
            </tr>
--- a/app/portainer/models/resourceControl.js
+++ b/app/portainer/models/resourceControl.js
@ -4,16 +4,18 @@ function ResourceControlViewModel(data) {
  this.ResourceId = data.ResourceId;
  this.UserAccesses = data.UserAccesses;
  this.TeamAccesses = data.TeamAccesses;
-  this.AdministratorsOnly = data.AdministratorsOnly;
+  this.Public = data.Public;
  this.Ownership = determineOwnership(this);
 }
 function determineOwnership(resourceControl) {
-  if (resourceControl.AdministratorsOnly) {
+  if (resourceControl.Public) {
-    return 'administrators';
+    return 'public';
  } else if (resourceControl.UserAccesses.length === 1 && resourceControl.TeamAccesses.length === 0) {
    return 'private';
  } else if (resourceControl.UserAccesses.length > 1 || resourceControl.TeamAccesses.length > 0) {
    return 'restricted';
  } else {
    return 'administrators';
  }
 }
--- a/app/portainer/services/api/resourceControlService.js
+++ b/app/portainer/services/api/resourceControlService.js
@ -3,10 +3,10 @@ angular.module('portainer.app')
  'use strict';
  var service = {};
-  service.createResourceControl = function(administratorsOnly, userIDs, teamIDs, resourceID, type, subResourceIDs) {
+  service.createResourceControl = function(publicOnly, userIDs, teamIDs, resourceID, type, subResourceIDs) {
    var payload = {
      Type: type,
-      AdministratorsOnly: administratorsOnly,
+      Public: publicOnly,
      ResourceID: resourceID,
      Users: userIDs,
      Teams: teamIDs,
@ -19,9 +19,9 @@ angular.module('portainer.app')
    return ResourceControl.remove({id: rcID}).$promise;
  };
-  service.updateResourceControl = function(admin, userIDs, teamIDs, resourceControlId) {
+  service.updateResourceControl = function(publicOnly, userIDs, teamIDs, resourceControlId) {
    var payload = {
-      AdministratorsOnly: admin,
+      Public: publicOnly,
      Users: userIDs,
      Teams: teamIDs
    };
@ -30,15 +30,15 @@ angular.module('portainer.app')
  service.applyResourceControl = function(resourceControlType, resourceIdentifier, userId, accessControlData, subResources) {
    if (!accessControlData.AccessControlEnabled) {
-      return;
+      accessControlData.Ownership = 'public';
    }
    var authorizedUserIds = [];
    var authorizedTeamIds = [];
-    var administratorsOnly = false;
+    var publicOnly = false;
    switch (accessControlData.Ownership) {
-      case 'administrators':
+      case 'public':
-        administratorsOnly = true;
+        publicOnly = true;
        break;
      case 'private':
        authorizedUserIds.push(userId);
@ -51,21 +51,23 @@ angular.module('portainer.app')
          authorizedTeamIds.push(team.Id);
        });
        break;
      default:
        return;  
      }
-    return service.createResourceControl(administratorsOnly, authorizedUserIds,
+    return service.createResourceControl(publicOnly, authorizedUserIds,
      authorizedTeamIds, resourceIdentifier, resourceControlType, subResources);
  };
  service.applyResourceControlChange = function(resourceControlType, resourceId, resourceControl, ownershipParameters) {    
    if (resourceControl) {
-      if (ownershipParameters.ownership === 'public') {
+      if (ownershipParameters.ownership === 'administrators') {
        return service.deleteResourceControl(resourceControl.Id);
      } else {
-        return service.updateResourceControl(ownershipParameters.administratorsOnly, ownershipParameters.authorizedUserIds,
+        return service.updateResourceControl(ownershipParameters.publicOnly, ownershipParameters.authorizedUserIds,
          ownershipParameters.authorizedTeamIds, resourceControl.Id);
      }
    } else {
-        return service.createResourceControl(ownershipParameters.administratorsOnly, ownershipParameters.authorizedUserIds,
+        return service.createResourceControl(ownershipParameters.publicOnly, ownershipParameters.authorizedUserIds,
          ownershipParameters.authorizedTeamIds, resourceId, resourceControlType);
    }
  };