
Access Control

Nexus Repository uses a role-based access control (RBAC) model to decide which functionality each authenticated user (and, optionally, the anonymous user) may use.

Role-Based Access Control

Role-Based Access Control (RBAC) is a method of restricting system access to authorized users. It's a core component of many security strategies, especially when it comes to managing access in organizations with numerous users and varying levels of responsibility.

In Nexus Repository, RBAC is implemented using the following object model:

  • Privileges

    Nexus Repository ships with a default set of permissions, or privileges, covering every feature and function; these are sufficient for most installations. Custom privileges can be created to combine several privileges or to limit access to a specific location within a repository.

    Privileges are assigned to Roles.

  • Content Selectors

    Content Selectors identify a path or namespace within a repository. They serve as the target of custom privileges that grant write (edit) access to that location, and are most often used to restrict which teams may upload binaries into their own project's namespace.

    Content Selectors are used for custom Privileges.

  • Roles

    Roles group related privileges so they can be assigned as a unit. Think of a role as a job title or a set of responsibilities within a system or organization. A role may be assigned to an individual user, but it most often represents a group of users. A user may hold any number of roles.

    Roles are assigned to Users or User Groups.

  • Users

    Users are either individuals or systems that interact with the Nexus Repository application through the web user interface or the REST API. Most users connect to Nexus Repository through their package management system during development.

    Users or User Groups are assigned one or many Roles.

  • Default Role

    The default role provides a collection of privileges for every user who can authenticate through one of the configured security Realms. At a minimum, these privileges should include those granted to the anonymous user, so that signing in never leaves a user with less access than an unauthenticated client.

    The Default Role is assigned to any Authenticated User.

  • Anonymous Role

    The anonymous role is a unique set of privileges assigned to unauthenticated or anonymous users. By default, this role provides open access to read, search, and browse all repositories. As one of the system roles, it cannot be edited.

    We recommend disabling anonymous access unless it is required. If anonymous access must be allowed, create a custom role with restricted access and assign that role to the anonymous user instead.
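The object model above, expressed as the concrete objects an administrator would create for one team, as an added example (this is not Sonatype's own code). It builds the chain content selector, custom privilege, role, user, anonymous setting and applies it through the Nexus Repository 3 security REST API. The endpoint paths and JSON shapes are as the author of this example recalls them; confirm them against your instance's API browser before use. The team name, namespace, repository, user and base URL are hypothetical.

```python
"""Least-privilege RBAC chain for one team in Nexus Repository 3.

Added example, not Sonatype's code. Endpoint paths and JSON shapes are the
Nexus Repository 3 security API as recalled by the example's author; verify
against your instance's API browser. All names below are hypothetical.
"""
import base64
import json
import urllib.request

BASE_URL = "http://localhost:8081"       # hypothetical instance
TEAM = "payments"                        # hypothetical team
NAMESPACE = "/com/example/payments/"     # hypothetical Maven group path
REPO = "maven-releases"                  # hypothetical hosted repository
API = "/service/rest/v1/security"


def content_selector(team=TEAM, namespace=NAMESPACE):
    """Content selector: the repository path (namespace) this team owns.
    CSEL '=^' means 'starts with'."""
    return {
        "name": f"{team}-namespace",
        "description": f"Maven artifacts under {namespace}",
        "expression": f'format == "maven2" and path =^ "{namespace}"',
    }


def write_privilege(team=TEAM, repo=REPO):
    """Custom privilege: upload rights only where the selector matches.
    DELETE is deliberately absent."""
    return {
        "name": f"{team}-write",
        "description": f"Publish to {repo} inside the {team} namespace",
        "actions": ["BROWSE", "READ", "EDIT", "ADD"],
        "format": "maven2",
        "repository": repo,
        "contentSelector": f"{team}-namespace",
    }


def developer_role(team=TEAM):
    """Role = built-in read/browse-everything privileges + the scoped write."""
    return {
        "id": f"{team}-developers",
        "name": f"{team} developers",
        "description": "Read all repositories, publish only to own namespace",
        "privileges": [
            "nx-repository-view-*-*-browse",
            "nx-repository-view-*-*-read",
            f"{team}-write",
        ],
        "roles": [],
    }


def local_user(team=TEAM, user_id="alice", password="change-me"):
    """A local user carrying the role. With an external realm you would map
    the identity-provider group to the role instead of creating users here."""
    return {
        "userId": user_id,
        "firstName": "Alice",
        "lastName": "Example",
        "emailAddress": f"{user_id}@example.com",
        "password": password,
        "status": "active",
        "roles": [f"{team}-developers"],
    }


def anonymous_disabled():
    """Turn anonymous access off; enable it only with a restricted role."""
    return {"enabled": False, "userId": "anonymous",
            "realmName": "NexusAuthorizingRealm"}


def plan(team=TEAM):
    """Ordered API calls: each object must exist before the one that names it."""
    return [
        ("POST", f"{API}/content-selectors", content_selector(team)),
        ("POST", f"{API}/privileges/repository-content-selector",
         write_privilege(team)),
        ("POST", f"{API}/roles", developer_role(team)),
        ("POST", f"{API}/users", local_user(team)),
        ("PUT", f"{API}/anonymous", anonymous_disabled()),
    ]


def apply(admin_password, base_url=BASE_URL, team=TEAM):
    """Execute the plan as admin over HTTP Basic auth; returns status codes."""
    token = base64.b64encode(f"admin:{admin_password}".encode()).decode()
    statuses = []
    for method, path, body in plan(team):
        req = urllib.request.Request(
            base_url + path, method=method, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    for method, path, body in plan():      # dry run: show what would be sent
        print(method, path, json.dumps(body))
```

Run it without arguments to print the requests as a dry run; call `apply("<admin password>")` against a test instance to create the objects. Note that the role grants read and browse on every repository through the built-in wildcard privileges, while write access exists only inside the content selector, which is the shape most teams' roles should take.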

Principle of Least Privilege

When designing your RBAC model we recommend using the Principle of Least Privilege.

The Principle of Least Privilege (PoLP) is a core security concept: users, processes, and programs are granted only the minimum access rights they need to perform their designated tasks, and nothing beyond the permissions essential to that job function. Avoid assigning excessive or unnecessary privileges.

By restricting access, you limit the potential damage that can occur from errors, malware, or malicious actors. If a compromised account has limited access, the impact of a breach is significantly reduced.

How to implement a least privilege model:

  1. Identify User Roles

    Define the different roles within your organization and the specific Nexus Repository tasks associated with each role involved with your software development lifecycle.

    We recommend aligning these with the roles or groups that already exist in your identity provider, so that administrators manage as little user data inside Nexus Repository as possible.

  2. Assign Minimal Permissions

    Grant only the permissions required for each role to perform its tasks. This includes who should have access to read and write to specific namespaces in your repositories.

    Privileges are additive: access to repositories is only ever granted, never revoked. Access allowed by one privilege cannot be taken away by another, so a broad privilege reachable through any of a user's roles applies regardless of how narrowly the others are scoped.

  3. Regularly Audit Access

    Review permissions on a schedule and update them as roles and responsibilities change, removing roles from users who no longer need them.
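The three steps above and the additive rule in step 2 can be checked offline with a small model of the authorization decision. This is an added example and not Nexus Repository's own authorization code: it reduces a content selector to a path prefix and treats a request as allowed if any privilege reachable through the user's roles grants the action, which is the "granted, never revoked" behaviour described above. Team names, paths, roles and users are hypothetical.

```python
"""Toy model of additive, role-based privilege evaluation.

Added example, not Nexus Repository's implementation. A content selector
is simplified to a path prefix; nested roles are supported as in Nexus.
All roles, users and paths below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Privilege:
    name: str
    actions: frozenset           # e.g. {"read", "browse", "add", "edit"}
    repository: str = "*"        # "*" means any repository
    path_prefix: str = "/"       # content-selector-like scope

    def grants(self, repo, path, action):
        return (action in self.actions
                and self.repository in ("*", repo)
                and path.startswith(self.path_prefix))


@dataclass
class Role:
    name: str
    privileges: list = field(default_factory=list)
    roles: list = field(default_factory=list)   # nested roles

    def all_privileges(self):
        found = list(self.privileges)
        for nested in self.roles:
            found.extend(nested.all_privileges())
        return found


READ = frozenset({"browse", "read"})
WRITE = READ | {"add", "edit"}

# Step 1/2: roles and the minimal privileges each one carries.
read_all = Privilege("read-all", READ)
payments_write = Privilege("payments-write", WRITE, "maven-releases",
                           "/com/example/payments/")
billing_write = Privilege("billing-write", WRITE, "maven-releases",
                          "/com/example/billing/")
delete_all = Privilege("delete-all", frozenset({"delete"}))

anonymous = Role("nx-anonymous", [read_all])
developers = Role("developers", [], [anonymous])   # default role >= anonymous
payments_devs = Role("payments-developers", [payments_write], [developers])
billing_devs = Role("billing-developers", [billing_write], [developers])
release_managers = Role("release-managers", [delete_all])

USERS = {
    "anonymous": [anonymous],
    "alice": [payments_devs],
    "bob": [billing_devs],
    "carol": [payments_devs, billing_devs],
    "dave": [payments_devs, release_managers],
}


def effective_privileges(user):
    """Union of every privilege reachable through the user's roles."""
    privs = {}
    for role in USERS[user]:
        for p in role.all_privileges():
            privs[p.name] = p
    return privs


def is_allowed(user, repo, path, action):
    """Additive decision: any matching grant wins; nothing can deny."""
    return any(p.grants(repo, path, action)
               for p in effective_privileges(user).values())


def audit():
    """Step 3: per-user list of privileges that allow more than reading."""
    return {u: sorted(p.name for p in effective_privileges(u).values()
                      if p.actions - READ)
            for u in USERS}


if __name__ == "__main__":
    for user, privs in audit().items():
        print(f"{user:10} write-capable privileges: {privs}")
```

The audit function is the part to keep: run it whenever roles change and question every user whose list is longer than their job requires. Note also that `dave` gains `delete-all` from a second role without losing anything from the first; no combination of roles ever narrows access, which is why role membership, not privilege design, is where over-grants usually creep in.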

Default Roles

The default configuration ships with the administrator role and optional anonymous access to browse and read all repositories.

  • Administrator Role

    The default administrator role grants every privilege in the Nexus Repository system and is held by the user named admin. The initial password is written to an admin.password file in the $data-dir directory after first startup; change it at first sign-in, and treat any copy of that file as a credential.

  • Anonymous User Role

    Do not rely on the default anonymous role if you need protected repositories: it allows reading, browsing and searching all repositories. Either disable anonymous access or assign a restricted custom role to the anonymous user instead.