In “vanilla Docker” there’s no such thing. Don’t let users who you don’t trust with root access use Docker. Protect Docker access like you protect root access because it IS root access. You can require sudo to use docker commands, you don’t have to put a user in the docker group.

However, there is authz plugins for granular permissions which you might want to take a look at.