Build an image from a Dockerfile with following content, tag it with whatever fits your DTR and push it.
FROM busybox@sha256:97473e34e311e6c1b3f61f2a721d038d1e5eef17d98d1353a513007cf46ca6bd LABEL com.docker.ucp.access.label=admins-only
Log in as an admin, go to Images and pull the image. Verify that it shows in the list. Log out.
Log in as a non-admin user which is not member of any team granting any access to the ‘admins-only’ label, but with at least “restricted” access to another label, e.g. ‘ucp-viewers’.
Verify that the user cannot see the image in the Images list.
Go to Containers, click Deploy Container, paste in the image name, type ‘ucp-viewers’ in the access labels field and you’re able to deploy a container based on the image which you could not see in the list.