
Users

Nexus Repository determines users who may access the server through various security realms and identity providers. These realms contain the collection of users, who may or may not be assigned to a group.

Users may be configured to the local realm of Nexus Repository; however, the best practice is to manage and associate users through an externally managed security realm to reduce repository management workloads. Using realms simplifies the onboarding and offboarding of users to authorized external systems.

Default Users

Nexus Repository includes two users in the local realm by default. These are the admin and anonymous users.

Admin User

The admin user in Sonatype Nexus Repository is a default user that has full administrative privileges. This user is typically used for the following scenarios:

  1. Initial Setup and Configuration: After the initial startup of Nexus Repository, the admin user is used to configure the system, including setting up repositories, defining roles and privileges, and configuring integrations.

    The initial password for the admin user is found in an admin.password file in the data directory after the server has been first started.

    See Reset the Admin Password when access to the administrator account has been lost.

  2. Managing Access Control: The admin user can manage role-based access control (RBAC) to give fine-grained control over user rights, such as access to the Nexus Repository user interface, read access to components and repositories, access to configuration, and the ability to publish or upload files to a repository.

  3. Recovery and Troubleshooting: In case of issues or errors, the admin user can be used to access system logs, generate support zips, and perform other troubleshooting tasks.

Use the admin account sparingly and only for tasks that require full administrative privileges. For regular tasks, we recommend using an account with fewer privileges to minimize security risks.

We recommend keeping access to the admin user secure so that it can serve as a fallback account when encountering errors with external authorization systems.

Anonymous User

The anonymous user is not an actual user with login credentials or contact information. It gives access and privileges to anyone who is not authenticated with the server. The anonymous user grants read-only privileges for most repositories, so we recommend disabling anonymous access when it is not required.

Even when required, the best practice is to modify the default anonymous role (nx-anonymous) to limit access to only the content necessary.

See the documentation on Anonymous Access and the anonymous role for details.

Manage Users

The Users view is accessed through the Security section of the Administration menu. The nx-users or nx-all privileges are required to access this view.

The security source of Local is selected by default to show users configured in the local realm. Switch this value to other realms to browse the available users. Some realms, such as SAML, are not searchable from this page; however, users who have authenticated at least once are cached in this view.

The table display lists users with the following fields:

User ID, First Name, Last Name, Email, and Status

Creating Local Users and User Settings

Users may be added to the local realm by selecting the Create user button. Similarly, user settings may be modified by selecting the user's name from the table in the Users view.

For external users, such as LDAP or SAML, you can edit their permissions here once your external realm is set up. Select the realm from the Source dropdown and search for the username in the filter.

To create, edit, and delete users, the privilege nx-roles-read is also needed to view the users' roles. Fields defined by the remote system are not editable.

The following properties are available and required for a user:

  • ID

    The unique identifier is used as the username for authentication.

  • Password

    When creating a new account the initial password is set; however, administrators will not be able to access the password once the account has been created. They may change the password using the Change password button.

    This option is not available for external realms.

  • First name, Last name

    Name of the person.

  • Email

    Contact details used for notifications when an email server is configured.

  • Status

    Sets the user as Active or Disabled. Disabled users cannot authenticate.

  • Roles

    Permissions to use the server are assigned to a user as roles. The available roles are listed alongside the granted roles, which are the ones assigned to the user. A user may have more than one role but will require at least one to create the account.

    See the Default Role to automatically assign permissions to authenticated users.
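
A check an administrator might run over an export of user records to apply the recommendations on this page (an added example, not Sonatype's code). The record field names, the "default" source value for the local realm, and the nx-admin and nx-deploy role names are assumptions; the sample records are constructed.

```python
# Audit user records against this page's guidance: prefer external realms,
# keep full admin rights rare, and keep the anonymous user limited to nx-anonymous.
# Assumed record shape: userId, source, status, roles. "default" is assumed to
# mark the local realm; nx-admin is assumed to be the full-administrator role.

BUILT_IN = {"admin", "anonymous"}   # default local users named on this page
ADMIN_ROLE = "nx-admin"             # assumption
ANON_ROLE = "nx-anonymous"          # default anonymous role named on this page


def audit_users(users):
    """Return a sorted list of (user_id, finding) tuples for review."""
    findings = []
    for u in users:
        uid = u["userId"]
        roles = set(u.get("roles", []))
        if u.get("status", "").lower() != "active":
            continue  # disabled users cannot authenticate
        if uid == "anonymous":
            extra = sorted(roles - {ANON_ROLE})
            if extra:
                findings.append((uid, "roles beyond nx-anonymous: " + ", ".join(extra)))
            continue
        if u.get("source", "").lower() == "default" and uid not in BUILT_IN:
            findings.append((uid, "active local account; prefer an external realm"))
        if ADMIN_ROLE in roles and uid != "admin":
            findings.append((uid, "holds the full administrative role; review need"))
    return sorted(findings)


SAMPLE_USERS = [  # constructed records; nx-deploy is a hypothetical custom role
    {"userId": "admin", "source": "default", "status": "active", "roles": ["nx-admin"]},
    {"userId": "anonymous", "source": "default", "status": "active",
     "roles": ["nx-anonymous", "nx-deploy"]},
    {"userId": "jdoe", "source": "LDAP", "status": "active", "roles": ["nx-admin"]},
    {"userId": "build", "source": "default", "status": "active", "roles": ["nx-deploy"]},
    {"userId": "old", "source": "default", "status": "disabled", "roles": ["nx-admin"]},
]

if __name__ == "__main__":
    for uid, finding in audit_users(SAMPLE_USERS):
        print(f"{uid}: {finding}")
```

The built-in admin account and disabled accounts produce no findings; everything reported is a prompt for review rather than proof of misconfiguration.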
