Privileges

Privileges define the actions a user may perform within the Nexus Repository. They grant access to resources, ensuring that users have the appropriate permissions based on their roles.

Understanding Privileges

Nexus Repository includes privileges for three primary purposes:

Access to the content inside repositories
This includes tasks such as searching or browsing repositories, downloading artifacts from a repository, and adding or deleting artifacts.
Management of repositories
This includes tasks such as creating and removing repositories
Access to functionality in the repository manager
This includes tasks such as viewing elements in the user interface, managing access controls, running tasks, and general administration.

Review Privilege Types to learn more.

Restricting Downloads Before Release 3.76.0

Nexus Repository release 3.57.0 introduced a change that requires the nx-repository-view read privilege when searching for content in repositories. This privilege includes access to download components which in some use cases is not desirable. As of release 3.76.0, this functionality has been restored to no longer require read permission when searching.

Use the nx-search-read and nx-repository-view-*-*-browse privileges for the use case of viewing content via search or browse, while not providing access to download it.

Assigning Privileges

In Nexus Repository, privileges are group together as a role. Roles are designed to accomplish a specific use case when accessing the repository. Typically, a user or a group of users may be assigned one or more role depending on their requirements. Service accounts may also have their own roles with limited access and minimize risk.

See Roles to learn more.

Combining Privileges

Privileges grant access but do not restrict access. Privileges provided by one role cannot be limited by another.

For example, a user with the "read" privilege can view and download artifacts from any repository, but they cannot modify or delete artifacts.

nexus:repository-view:maven2:maven-central:read

When also granted full access using the wild card '*', they gain additional privileges and are not limited by the privilege only providing read access as demonstrated below.

nexus:repository-view:maven2:maven-central:read
nexus:repository-view:maven2:maven-central:*

Privileges on Group Repositories

Group Repositories associate a mix of proxy and hosted repositories under a single endpoint. Privileges to a group repository provide access to the content of the repositories within the group as if they were a single repository. Privileges on a group repository do not provide permissions to access the members of the group directly.

For example, in the scenario where a user has read and browse privileges on a group repository but does not have the same permissions on a hosted repository within the group. The user may access content from the hosted repository when querying the group repository endpoint, however, they may not access the content of the hosted repository directly.

Custom Privileges

Nexus Repository provides default privileges to manage functionality in the repository manager. Some privileges such as access to specific repositories and repository formats are only available until those repositories are created.

Custom privileges are made using content selectors to target specific namespaces within a repository and provide more granular access controls to that content.

See Content Selectors for details.

Privileges View

Privileges are located under the Security tab in the Settings menu. Users need the nx-privilege privilege to access this view. Use the Filter input box to find a specific privilege. As you type in the filter the list of privileges is updated to match your criteria.

Name
The unique identifiers for the privilege.
Custom privileges may consist of letters, digits, underscores(_), hyphens(-), and period(.) though a privilege name cannot start with an underscore or period. Use a short prefix to namespace your custom privileges to group them when searching and sorting.
Description
The human readable details to explain the scope of the privilege. The default privileges are self documented.
Type
The method used to group similar privileges with shared properties. See the Privilege Types section below for the complete list.
Permission
Privilege permissions are represented by a colon-separated list with no spaces; the segments denote the level of specificity of the privilege from more general to more specific going from left to right.
The segmenting-algorithm uses Apache Shiro wildcard permissions.

Creating a Privilege

User access may be completely managed using the default privileges. Cu

Select the Create Privilege button to view a list of privilege types. After selecting a type, fill in the required fields and save the privilege. When creating privileges based on content selectors, the selector must be created first.

Manage Selector Permissions

As part of your security setup, you can create user permissions to manage the filters you built in the Create Selector form. You do this by creating a privilege that controls operations for components matching that selector. The privilege may span multiple repositories.

To create a new content selector privilege, select Privileges in the Security section of the Settings menu.
Select the Create Privilege button.
Locate and select Repository Content Selector from the list of options in Select Privilege Type.
You will see a form that displays the following:
1. Name: Create a name for the content selector privilege.
2. Description: Add a brief description for the privilege.
3. Content Selector: Use this dropdown to select from a list of selectors you created.
4. Repository: Use this dropdown to select from either a range of all repository contents, all repository contents of an individual format, or repositories created by you.
5. Actions: Grant browse, read, edit, delete, create, update, or * (applies all other actions to the privilege)for user access control.
Save the new privilege by selecting Create privilege.

Privilege Actions

Privilege actions are the basic operations that can be performed on content in a repository. These include access to see the content, search through metadata, or modify the content. Actions may be assigned one at a time or in groups. You must assign at least one action when creating a privilege.

The privilege types have different actions ability to them. The following actions are the most commonly used with a repository:

* (asterisk)
This action is a wildcard grouping the available actions.
add
Action to add content to a repository.
browse
Action to view the contents of repositories in the user interface or a search. You may not download or open the content with the browse action.
create
Action to make a new 'item' in the repository manager configuration. Typically associated with the application privilege type. Note that this action does not provide the permissions to see the created items after creating them.
delete
Action to remove repository manager configurations, repository contents, and scripts.
edit
Action to modify repository content and change repository settings.
read
Action to download content from a repository. Note that this does not allow the user to browse the repository content.
This action is used to view application elements from the user interface and access content from the APIs.
update
Action to update repository manager configurations through the user interface and APIs.

Privilege Types

Application
Built-in privileges that control access to features in the user interface. See the user interface for a complete list of features.
Actions: create, read, update, delete
```
nexus:{feature-name}:{actions}
```
Repository Admin
Control the administration of configuration for specific repositories or repository formats.
Actions: browse, read, edit, add, delete
```
nexus:repository-admin:{format}:{repository}:{actions}
```
Repository Content Selector
Repository Content Selector privileges provide fine-grained control over access to content within a repository by way of a content selector.
Actions: browse, read, edit, add, delete
```
nexus:repository-content-selector:{selector}:{format}:{repository}:{actions}
```
Repository View
Repository View privileges control general access to all content contained within specific repositories or repository formats.
Actions: browse, read, edit, add, delete
```
nexus:repository-view:{format}:{repository}:{actions}
```
Script
Script privileges control access to using the Groovy Script-related REST APIs. These privileges do not control general REST API access.
Actions: browse, read, edit, add, delete, run
```
nexus:script:{script-name}:{actions}
```
Wildcard
Wildcard privileges allow one to build a privilege string using a free-form series of segments. All other privilege types are more specific segment forms of a wildcard privilege. There is only one wildcard privilege included by default named nx-all that provides access to all functionality.
```
nexus:*
```

Default Application Privileges

Below are the list of default application privileges as of Nexus Repository release 3.76

Name	Description	Permission
nx-analytics-all	All permissions for Analytics	nexus:analytics:*
nx-apikey-all	All permissions for APIKey	nexus:apikey:*
nx-atlas-all	All permissions for Support Tools	nexus:atlas:*
nx-blobstores-all	All permissions for Blobstores	nexus:blobstores:*
nx-blobstores-create	Create permission for Blobstores	nexus:blobstores:create,read
nx-blobstores-delete	Delete permission for Blobstores	nexus:blobstores:delete,read
nx-blobstores-read	Read permission for Blobstores	nexus:blobstores:read
nx-blobstores-update	Update permission for Blobstores	nexus:blobstores:update,read
nx-bundles-all	All permissions for Bundles	nexus:bundles:*
nx-bundles-read	Read permission for Bundles	nexus:bundles:read
nx-capabilities-all	All permissions for Capabilities	nexus:capabilities:*
nx-capabilities-create	Create permission for Capabilities	nexus:capabilities:create,read
nx-capabilities-delete	Delete permission for Capabilities	nexus:capabilities:delete,read
nx-capabilities-read	Read permission for Capabilities	nexus:capabilities:read
nx-capabilities-update	Update permission for Capabilities	nexus:capabilities:update,read
nx-component-upload	Upload component permission	nexus:component:create
nx-crowd-all	All permissions for Crowd	nexus:crowd:*
nx-crowd-read	Read permission for Crowd	nexus:crowd:*
nx-crowd-update	Update permission for Crowd	nexus:crowd:*
nx-datastores-all	All permissions for Datastores	nexus:datastores:*
nx-datastores-create	Create permission for Datastores	nexus:datastores:create,read
nx-datastores-delete	Delete permission for Datastores	nexus:datastores:delete,read
nx-datastores-read	Read permission for Datastores	nexus:datastores:read
nx-datastores-update	Update permission for Datastores	nexus:datastores:update,read
nx-healthcheck-alerts-read	Read permission for Healthcheck alerts	nexus:healthcheckalerts:read
nx-healthcheck-alerts-update	Update permission for Healthcheck alerts	nexus:healthcheckalerts:update
nx-healthcheck-detail-read	Read permission for Healthcheck detail	nexus:healthcheckdetail:read
nx-healthcheck-read	Read permission for Healthcheck	nexus:healthcheck:read
nx-healthcheck-summary-read	Read permission for Healthcheck Summary	nexus:healthchecksummary:read
nx-healthcheck-update	Update permission for Healthcheck	nexus:healthcheck:update
nx-iq-violation-summary-read	Read permission for Audit and Quarantine summary	nexus:iq-violation-summary:read
nx-ldap-all	All permissions for Ldap	nexus:ldap:*
nx-ldap-create	Create permission for Ldap	nexus:ldap:create,read
nx-ldap-delete	Delete permission for Ldap	nexus:ldap:delete,read
nx-ldap-read	Read permission for Ldap	nexus:ldap:read
nx-ldap-update	Update permission for Ldap	nexus:ldap:update,read
nx-licensing-all	All permissions for Licensing	nexus:licensing:*
nx-licensing-create	Create permission for Licensing	nexus:licensing:create,read
nx-licensing-read	Read permission for Licensing	nexus:licensing:read
nx-licensing-uninstall	Uninstall permission for Licensing	nexus:licensing:delete
nx-logging-all	All permissions for Logging	nexus:logging:*
nx-logging-mark	Mark permission for Logging	nexus:logging:create
nx-logging-read	Read permission for Logging	nexus:logging:read
nx-logging-update	Update permission for Logging	nexus:logging:update,read
nx-metrics-all	All permissions for Metrics	nexus:metrics:*
nx-metrics-read	Read permssions for Metrics	nexus:metrics:read
nx-privileges-all	All permissions for Privileges	nexus:privileges:*
nx-privileges-create	Create permission for Privileges	nexus:privileges:create,read
nx-privileges-delete	Delete permission for Privileges	nexus:privileges:delete,read
nx-privileges-read	Read permission for Privileges	nexus:privileges:read
nx-privileges-update	Update permission for Privileges	nexus:privileges:update,read
nx-ro-sys-info	Read Only System Information	nexus:atlas:*
nx-roles-all	All permissions for Roles	nexus:roles:*
nx-roles-create	Create permission for Roles	nexus:roles:create,read
nx-roles-delete	Delete permission for Roles	nexus:roles:delete,read
nx-roles-read	Read permission for Roles	nexus:roles:read
nx-roles-update	Update permission for Roles	nexus:roles:update,read
nx-search-read	Read permission for Search	nexus:search:read
nx-selectors-all	All permissions for Selectors	nexus:selectors:*
nx-selectors-create	Create permission for Selectors	nexus:selectors:create,read
nx-selectors-delete	Delete permission for Selectors	nexus:selectors:delete,read
nx-selectors-read	Read permission for Selectors	nexus:selectors:read
nx-selectors-update	Update permission for Selectors	nexus:selectors:update,read
nx-settings-all	All permissions for Settings	nexus:settings:*
nx-settings-read	Read permission for Settings	nexus:settings:read
nx-settings-update	Update permission for Settings	nexus:settings:update,read
nx-ssl-truststore-all	All permissions for Ssl-truststore	nexus:ssl-truststore:*
nx-ssl-truststore-create	Create permission for Ssl-truststore	nexus:ssl-truststore:create,read
nx-ssl-truststore-delete	Delete permission for Ssl-truststore	nexus:ssl-truststore:delete,read
nx-ssl-truststore-read	Read permission for Ssl-truststore	nexus:ssl-truststore:read
nx-ssl-truststore-update	Update permission for Ssl-truststore	nexus:ssl-truststore:update,read
nx-tags-all	All permissions for Tags	nexus:tags:*
nx-tags-associate	Associate permission for Tags	nexus:tags:associate,read
nx-tags-create	Create permission for Tags	nexus:tags:create,read
nx-tags-delete	Delete permission for Tags	nexus:tags:delete,read
nx-tags-disassociate	Disassociate permission for Tags	nexus:tags:disassociate,read
nx-tags-read	Read permission for Tags	nexus:tags:read
nx-tags-update	Update permission for Tags	nexus:tags:update,read
nx-tasks-all	All permissions for Tasks	nexus:tasks:*
nx-tasks-create	Create permission for Tasks	nexus:tasks:create,read
nx-tasks-delete	Delete permission for Tasks	nexus:tasks:delete,read
nx-tasks-read	Read permission for Tasks	nexus:tasks:read
nx-tasks-run	Run permission for Scheduled Tasks	nexus:tasks:start,stop
nx-tasks-update	Update permission for Tasks	nexus:tasks:update,read
nx-users-all	All permissions for Users	nexus:users:*
nx-users-create	Create permission for Users	nexus:users:create,read
nx-users-delete	Delete permission for Users	nexus:users:delete,read
nx-users-read	Read permission for Users	nexus:users:read
nx-users-update	Update permission for Users	nexus:users:update,read
nx-userschangepw	Change password permission	nexus:userschangepw:create,read
nx-usertoken-current	All permissions for Current User Token	nexus:usertoken-current:create,read,delete
nx-usertoken-settings	Update permission for User Token settings	nexus:usertoken-settings:update,read
nx-usertoken-user	Reset permission for User Token	nexus:usertoken-user:delete,read
nx-usertoken-users	Reset permission for all User Tokens	nexus:usertoken-users:delete
nx-wonderland-all	All permissions for Wonderland	nexus:wonderland:*