Privileges

Privileges define the actions a user may perform within the Nexus Repository. They grant access to resources, ensuring that users have the appropriate permissions based on their roles.

Understanding Privileges

Nexus Repository includes privileges for three primary purposes:

  1. Access to the content inside repositories

    This includes tasks such as searching or browsing repositories, downloading artifacts from a repository, and adding or deleting artifacts.

  2. Management of repositories

    This includes tasks such as creating and removing repositories.

  3. Access to functionality in the repository manager

    This includes tasks such as viewing elements in the user interface, managing access controls, running tasks, and general administration.

Review Privilege Types to learn more.

Restricting Downloads Before Release 3.76.0

Nexus Repository release 3.57.0 introduced a change that requires the nx-repository-view read privilege when searching for content in repositories. This privilege includes access to download components, which is not desirable in some use cases. As of release 3.76.0, the earlier behavior has been restored and read permission is no longer required when searching.

Use the nx-search-read and nx-repository-view-*-*-browse privileges for the use case of viewing content via search or browse, while not providing access to download it.

Assigning Privileges

In Nexus Repository, privileges are grouped together as a role. Roles are designed to accomplish a specific use case when accessing the repository. Typically, a user or a group of users may be assigned one or more roles depending on their requirements. Service accounts may also have their own roles with limited access to minimize risk.

See Roles to learn more.

Combining Privileges

Privileges grant access but do not restrict access. Privileges provided by one role cannot be limited by another.

For example, a user with the "read" privilege can view and download artifacts from any repository, but they cannot modify or delete artifacts.

nexus:repository-view:maven2:maven-central:read

When also granted full access using the wildcard '*', they gain additional privileges and are not limited by the privilege that provides only read access, as demonstrated below.

nexus:repository-view:maven2:maven-central:read
nexus:repository-view:maven2:maven-central:*

Privileges on Group Repositories

Group Repositories associate a mix of proxy and hosted repositories under a single endpoint. Privileges to a group repository provide access to the content of the repositories within the group as if they were a single repository. Privileges on a group repository do not provide permissions to access the members of the group directly.

For example, consider a user who has read and browse privileges on a group repository but does not have the same permissions on a hosted repository within the group. The user may access content from the hosted repository when querying the group repository endpoint; however, they may not access the content of the hosted repository directly.

Custom Privileges

Nexus Repository provides default privileges to manage functionality in the repository manager. Some privileges, such as access to specific repositories and repository formats, are not available until those repositories are created.

Custom privileges are made using content selectors to target specific namespaces within a repository and provide more granular access controls to that content.

See Content Selectors for details.

Privilege Administration Menu

Privileges are located under the Security tab of the Administration menu. Users need the nx-privilege privilege to access this view. Use the Filter input box to find a specific privilege. As you type in the filter, the list of privileges is updated to match your criteria.

  • Name

    The unique identifier for the privilege.

    Custom privilege names may consist of letters, digits, underscores (_), hyphens (-), and periods (.), though a privilege name cannot start with an underscore or period. Use a short prefix to namespace your custom privileges so that they group together when searching and sorting.

  • Description

    The human-readable details that explain the scope of the privilege. The default privileges are self-documenting.

  • Type

    The method used to group similar privileges with shared properties. See the Privilege Types section below for the complete list.

  • Permission

    Privilege permissions are represented by a colon-separated list with no spaces; the segments denote the level of specificity of the privilege from more general to more specific going from left to right.

    The segmenting-algorithm uses Apache Shiro wildcard permissions.
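The matching rules behind the additive behaviour in Combining Privileges and the colon-separated Permission field above, as an added example that is not part of the original documentation: it applies Apache Shiro's wildcard-permission matching to permission strings copied from this page. The helper names are hypothetical, and content selectors and group-repository resolution are not modelled.

```python
# Added example: Shiro-style wildcard matching; helper names are hypothetical.

REPO_ACTIONS = ("browse", "read", "edit", "add", "delete")

def _parts(perm):
    """Split 'a:b,c:*' into [{'a'}, {'b','c'}, {'*'}] (Shiro compares case-insensitively)."""
    return [{t.strip().lower() for t in seg.split(",")} for seg in perm.split(":")]

def implies(granted, requested):
    """True if one granted permission string covers the requested one."""
    g, r = _parts(granted), _parts(requested)
    for i, want in enumerate(r):
        if i >= len(g):            # granted is shorter: the remainder is implied
            return True
        if "*" not in g[i] and not want <= g[i]:
            return False
    # granted is longer: its extra segments must all be wildcards
    return all("*" in seg for seg in g[len(r):])

def effective_actions(grants, fmt, repo):
    """Union of repository-view actions across every grant; nothing subtracts."""
    return {a for a in REPO_ACTIONS
            if any(implies(g, f"nexus:repository-view:{fmt}:{repo}:{a}") for g in grants)}

def broader_than_read(rows):
    """Names that read as read-only whose permission string also implies 'update'."""
    return [name for name, perm in rows
            if (name.endswith("-read") or name.startswith("nx-ro-"))
            and implies(perm, f"nexus:{perm.split(':')[1]}:update")]

# Rows copied from the default application privilege table on this page.
TABLE_ROWS = [
    ("nx-blobstores-read", "nexus:blobstores:read"),
    ("nx-crowd-read", "nexus:crowd:*"),
    ("nx-ro-admin", "nexus:*:read,update"),
    ("nx-ro-admin-all", "nexus:*:read"),
    ("nx-ro-sys-info", "nexus:atlas:*"),
]
# Grant sets built from the permission strings shown on this page.
SEARCH_ONLY = ["nexus:search:read", "nexus:repository-view:*:*:browse"]
READ_PLUS_ALL = [f"nexus:repository-view:maven2:maven-central:{a}" for a in ("read", "*")]

if __name__ == "__main__":
    print(effective_actions(SEARCH_ONLY, "maven2", "maven-central"))
    print(effective_actions(READ_PLUS_ALL, "maven2", "maven-central"))
    print(broader_than_read(TABLE_ROWS))
```

When reviewing a role, evaluate the union of all its permission strings this way rather than reading privilege names, since a single wildcard grant overrides every narrower one beside it.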

Creating a Privilege

User access may be completely managed using the default privileges. Cu

Select the Create Privilege button to view a list of privilege types. After selecting a type, fill in the required fields and save the privilege. When creating privileges based on content selectors, the selector must be created first.

Manage Selector Permissions

As part of your security setup, you can create user permissions to manage the filters you built in the Create Selector form. You do this by creating a privilege that controls operations for components matching that selector. The privilege may span multiple repositories.

  1. To create a new content selector privilege, select Privileges in the Security section of the Administration panel.

  2. Select the Create Privilege button.

  3. Locate and select Repository Content Selector from the list of options in Select Privilege Type.

  4. You will see a form that displays the following:

    1. Name: Create a name for the content selector privilege.

    2. Description: Add a brief description for the privilege.

    3. Content Selector: Use this dropdown to select from a list of selectors you created.

    4. Repository: Use this dropdown to select from either a range of all repository contents, all repository contents of an individual format, or repositories created by you.

    5. Actions: Grant browse, read, edit, delete, create, update, or * (applies all other actions to the privilege) for user access control.

  5. Save the new privilege by selecting Create privilege.

Privilege Actions

Privilege actions are the basic operations that can be performed on content in a repository. These include access to see the content, search through metadata, or modify the content. Actions may be assigned one at a time or in groups. You must assign at least one action when creating a privilege.

The privilege types have different actions available to them. The following actions are the most commonly used with a repository:

  • * (asterisk)

    This action is a wildcard grouping the available actions.

  • add

    Action to add content to a repository.

  • browse

    Action to view the contents of repositories in the user interface or a search. You may not download or open the content with the browse action.

  • create

    Action to make a new 'item' in the repository manager configuration. Typically associated with the application privilege type. Note that this action does not provide the permissions to see the created items after creating them.

  • delete

    Action to remove repository manager configurations, repository contents, and scripts.

  • edit

    Action to modify repository content and change repository settings.

  • read

    Action to download content from a repository. Note that this does not allow the user to browse the repository content.

    This action is used to view application elements from the user interface and access content from the APIs.

  • update

    Action to update repository manager configurations through the user interface and APIs.

Privilege Types

  • Application

    Built-in privileges that control access to features in the user interface. See the user interface for a complete list of features.

    Actions: create, read, update, delete

    nexus:{feature-name}:{actions}
  • Repository Admin

    Control the administration of configuration for specific repositories or repository formats.

    Actions: browse, read, edit, add, delete

    nexus:repository-admin:{format}:{repository}:{actions}
  • Repository Content Selector

    Repository Content Selector privileges provide fine-grained control over access to content within a repository by way of a content selector.

    Actions: browse, read, edit, add, delete

    nexus:repository-content-selector:{selector}:{format}:{repository}:{actions}
  • Repository View

    Repository View privileges control general access to all content contained within specific repositories or repository formats.

    Actions: browse, read, edit, add, delete

    nexus:repository-view:{format}:{repository}:{actions}
  • Script

    Script privileges control access to using the Groovy Script-related REST APIs as documented in REST and Integration API. These privileges do not control general REST API access.

    Actions: browse, read, edit, add, delete, run

    nexus:script:{script-name}:{actions}
  • Wildcard

    Wildcard privileges allow one to build a privilege string using a free-form series of segments. All other privilege types are more specific segment forms of a wildcard privilege. There is only one wildcard privilege included by default named nx-all that provides access to all functionality.

    nexus:*

Below is the list of default application privileges as of Nexus Repository release 3.76.

Name | Description | Permission
nx-analytics-all | All permissions for Analytics | nexus:analytics:*
nx-apikey-all | All permissions for APIKey | nexus:apikey:*
nx-atlas-all | All permissions for Support Tools | nexus:atlas:*
nx-blobstores-all | All permissions for Blobstores | nexus:blobstores:*
nx-blobstores-create | Create permission for Blobstores | nexus:blobstores:create,read
nx-blobstores-delete | Delete permission for Blobstores | nexus:blobstores:delete,read
nx-blobstores-read | Read permission for Blobstores | nexus:blobstores:read
nx-blobstores-update | Update permission for Blobstores | nexus:blobstores:update,read
nx-bundles-all | All permissions for Bundles | nexus:bundles:*
nx-bundles-read | Read permission for Bundles | nexus:bundles:read
nx-capabilities-all | All permissions for Capabilities | nexus:capabilities:*
nx-capabilities-create | Create permission for Capabilities | nexus:capabilities:create,read
nx-capabilities-delete | Delete permission for Capabilities | nexus:capabilities:delete,read
nx-capabilities-read | Read permission for Capabilities | nexus:capabilities:read
nx-capabilities-update | Update permission for Capabilities | nexus:capabilities:update,read
nx-component-upload | Upload component permission | nexus:component:create
nx-crowd-all | All permissions for Crowd | nexus:crowd:*
nx-crowd-read | Read permission for Crowd | nexus:crowd:*
nx-crowd-update | Update permission for Crowd | nexus:crowd:*
nx-datastores-all | All permissions for Datastores | nexus:datastores:*
nx-datastores-create | Create permission for Datastores | nexus:datastores:create,read
nx-datastores-delete | Delete permission for Datastores | nexus:datastores:delete,read
nx-datastores-read | Read permission for Datastores | nexus:datastores:read
nx-datastores-update | Update permission for Datastores | nexus:datastores:update,read
nx-healthcheck-alerts-read | Read permission for Healthcheck alerts | nexus:healthcheckalerts:read
nx-healthcheck-alerts-update | Update permission for Healthcheck alerts | nexus:healthcheckalerts:update
nx-healthcheck-detail-read | Read permission for Healthcheck detail | nexus:healthcheckdetail:read
nx-healthcheck-read | Read permission for Healthcheck | nexus:healthcheck:read
nx-healthcheck-summary-read | Read permission for Healthcheck Summary | nexus:healthchecksummary:read
nx-healthcheck-update | Update permission for Healthcheck | nexus:healthcheck:update
nx-iq-violation-summary-read | Read permission for Audit and Quarantine summary | nexus:iq-violation-summary:read
nx-ldap-all | All permissions for Ldap | nexus:ldap:*
nx-ldap-create | Create permission for Ldap | nexus:ldap:create,read
nx-ldap-delete | Delete permission for Ldap | nexus:ldap:delete,read
nx-ldap-read | Read permission for Ldap | nexus:ldap:read
nx-ldap-update | Update permission for Ldap | nexus:ldap:update,read
nx-licensing-all | All permissions for Licensing | nexus:licensing:*
nx-licensing-create | Create permission for Licensing | nexus:licensing:create,read
nx-licensing-read | Read permission for Licensing | nexus:licensing:read
nx-licensing-uninstall | Uninstall permission for Licensing | nexus:licensing:delete
nx-logging-all | All permissions for Logging | nexus:logging:*
nx-logging-mark | Mark permission for Logging | nexus:logging:create
nx-logging-read | Read permission for Logging | nexus:logging:read
nx-logging-update | Update permission for Logging | nexus:logging:update,read
nx-metrics-all | All permissions for Metrics | nexus:metrics:*
nx-metrics-read | Read permissions for Metrics | nexus:metrics:read
nx-privileges-all | All permissions for Privileges | nexus:privileges:*
nx-privileges-create | Create permission for Privileges | nexus:privileges:create,read
nx-privileges-delete | Delete permission for Privileges | nexus:privileges:delete,read
nx-privileges-read | Read permission for Privileges | nexus:privileges:read
nx-privileges-update | Update permission for Privileges | nexus:privileges:update,read
nx-ro-admin | Read Only for Nexus Admin | nexus:*:read,update
nx-ro-admin-all | read only of all admin info | nexus:*:read
nx-ro-sys-info | Read Only System Information | nexus:atlas:*
nx-roles-all | All permissions for Roles | nexus:roles:*
nx-roles-create | Create permission for Roles | nexus:roles:create,read
nx-roles-delete | Delete permission for Roles | nexus:roles:delete,read
nx-roles-read | Read permission for Roles | nexus:roles:read
nx-roles-update | Update permission for Roles | nexus:roles:update,read
nx-search-read | Read permission for Search | nexus:search:read
nx-selectors-all | All permissions for Selectors | nexus:selectors:*
nx-selectors-create | Create permission for Selectors | nexus:selectors:create,read
nx-selectors-delete | Delete permission for Selectors | nexus:selectors:delete,read
nx-selectors-read | Read permission for Selectors | nexus:selectors:read
nx-selectors-update | Update permission for Selectors | nexus:selectors:update,read
nx-settings-all | All permissions for Settings | nexus:settings:*
nx-settings-read | Read permission for Settings | nexus:settings:read
nx-settings-update | Update permission for Settings | nexus:settings:update,read
nx-ssl-truststore-all | All permissions for Ssl-truststore | nexus:ssl-truststore:*
nx-ssl-truststore-create | Create permission for Ssl-truststore | nexus:ssl-truststore:create,read
nx-ssl-truststore-delete | Delete permission for Ssl-truststore | nexus:ssl-truststore:delete,read
nx-ssl-truststore-read | Read permission for Ssl-truststore | nexus:ssl-truststore:read
nx-ssl-truststore-update | Update permission for Ssl-truststore | nexus:ssl-truststore:update,read
nx-tags-all | All permissions for Tags | nexus:tags:*
nx-tags-associate | Associate permission for Tags | nexus:tags:associate,read
nx-tags-create | Create permission for Tags | nexus:tags:create,read
nx-tags-delete | Delete permission for Tags | nexus:tags:delete,read
nx-tags-disassociate | Disassociate permission for Tags | nexus:tags:disassociate,read
nx-tags-read | Read permission for Tags | nexus:tags:read
nx-tags-update | Update permission for Tags | nexus:tags:update,read
nx-tasks-all | All permissions for Tasks | nexus:tasks:*
nx-tasks-create | Create permission for Tasks | nexus:tasks:create,read
nx-tasks-delete | Delete permission for Tasks | nexus:tasks:delete,read
nx-tasks-read | Read permission for Tasks | nexus:tasks:read
nx-tasks-run | Run permission for Scheduled Tasks | nexus:tasks:start,stop
nx-tasks-update | Update permission for Tasks | nexus:tasks:update,read
nx-users-all | All permissions for Users | nexus:users:*
nx-users-create | Create permission for Users | nexus:users:create,read
nx-users-delete | Delete permission for Users | nexus:users:delete,read
nx-users-read | Read permission for Users | nexus:users:read
nx-users-update | Update permission for Users | nexus:users:update,read
nx-userschangepw | Change password permission | nexus:userschangepw:create,read
nx-usertoken-current | All permissions for Current User Token | nexus:usertoken-current:create,read,delete
nx-usertoken-settings | Update permission for User Token settings | nexus:usertoken-settings:update,read
nx-usertoken-user | Reset permission for User Token | nexus:usertoken-user:delete,read
nx-usertoken-users | Reset permission for all User Tokens | nexus:usertoken-users:delete
nx-wonderland-all | All permissions for Wonderland | nexus:wonderland:*