Roles
Available in Nexus Repository OSS and Nexus Repository Pro
Roles aggregate privileges into a related context and can, in turn, be grouped to create more complex roles.
The repository manager ships with a predefined admin as well as an anonymous role. These can be inspected in the Roles feature view accessible via the Roles item in the Security section of the Administration main menu. A simple example is shown in Figure: “Viewing the List of Defined Roles”. The list displays the Name and Description of the role as well as the Source, which displays whether the role is internal (Nexus) or a mapping to an external source like LDAP. In order to access these functions, a user must have nx-roles or nx-all privileges.
To create a new role, click on the Create role button, select Nexus Role and fill out the Role creation feature view.
About security
To create, edit, or delete roles, a user without the nx-all privilege also needs nx-privilege-read, because the roles page lists privileges.
When creating a new role, you need to supply a Role ID and a Name, and optionally a Description. Roles are composed of other roles and individual privileges. To assign a privilege to a role, drag and drop the desired privileges from the Available list to the Given list under the Privileges header. You can use the Filter input to narrow down the list of displayed privileges and the arrow buttons to add or remove privileges.
The same functionality is available under the Roles header to select among the Available roles and add them to the list of Contained roles.
Finally, press the Create Role button to create the role.
An existing role can be inspected and edited by clicking on its row in the list. This role-specific view allows you to delete the role with the Delete role button. The built-in roles are managed by the repository manager and cannot be edited or deleted. The Settings section displays the same section as the creation view.
Mapping External Groups to Nexus Roles
In addition to creating an internal role, the Create role button allows you to create an External role mapping to an external authorization system configured in the repository manager, such as LDAP. This is something you would do if you want to grant every member of an externally managed group (such as an LDAP group) a number of privileges and roles in the repository manager.
For example, assume that you have a group in LDAP named scm and you want to make sure that everyone in the scm group has administrative privileges.
Select External Role Mapping and LDAP to see a list of roles managed by that external realm in a dialog. Pick the desired scm group and confirm by pressing Create mapping.
For faster access, or if you cannot see your group name, you can also type part or all of the group name, and the dropdown will be limited to entries matching the typed text.
Once the external role has been selected, the repository manager creates a linked role. You can then assign other roles and privileges to this new externally mapped role as you would for any other role.
Any user who is part of the scm group in LDAP receives all the privileges defined in the created role. This allows you to adapt your generic role in LDAP to the repository manager-specific use cases you want these users to be allowed to perform.
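Because roles can contain other roles and an external mapping hands a role to every member of an LDAP group, a role's real reach is the union of everything it contains. The following added example (not part of the Nexus documentation or product code) flattens nested roles and flags externally mapped groups that end up with nx-all; the role records, their field names, and the custom role IDs are constructed for illustration.

```python
# Added example: constructed role definitions, not exported from a real server.
# Field names (id, source, privileges, roles) are assumptions for illustration.
ROLES = [
    {"id": "nx-admin", "source": "Nexus", "privileges": ["nx-all"], "roles": []},
    {"id": "role-managers", "source": "Nexus",
     "privileges": ["nx-roles"], "roles": ["priv-readers"]},
    {"id": "priv-readers", "source": "Nexus",  # contains its parent: a cycle
     "privileges": ["nx-privilege-read"], "roles": ["role-managers"]},
    {"id": "release-team", "source": "Nexus", "privileges": ["nx-roles"], "roles": []},
    # External role mapping: every member of the LDAP group "scm" gets this role.
    {"id": "scm", "source": "LDAP", "privileges": [], "roles": ["nx-admin"]},
]

def effective_privileges(role_id, roles_by_id, _seen=None):
    """Flatten a role: its own privileges plus those of every contained role."""
    seen = set() if _seen is None else _seen
    if role_id in seen or role_id not in roles_by_id:
        return set()  # already expanded (cycle) or dangling reference
    seen.add(role_id)
    role = roles_by_id[role_id]
    privs = set(role["privileges"])
    for child in role["roles"]:
        privs |= effective_privileges(child, roles_by_id, seen)
    return privs

def can_manage_roles(privs):
    # Per the page: nx-all, or nx-roles together with nx-privilege-read.
    # Wildcard privilege matching is not modelled here.
    return "nx-all" in privs or {"nx-roles", "nx-privilege-read"} <= privs

def audit(roles):
    """Return, per role, its source and what its flattened privileges allow."""
    by_id = {r["id"]: r for r in roles}
    report = {}
    for r in roles:
        privs = effective_privileges(r["id"], by_id)
        report[r["id"]] = {"source": r["source"],
                           "admin": "nx-all" in privs,
                           "manages_roles": can_manage_roles(privs)}
    return report

def external_admin_mappings(roles):
    """IDs of externally sourced roles whose members effectively hold nx-all."""
    return sorted(rid for rid, row in audit(roles).items()
                  if row["source"] != "Nexus" and row["admin"])

if __name__ == "__main__":
    for rid, row in audit(ROLES).items():
        print(rid, row)
    print("external groups with nx-all:", external_admin_mappings(ROLES))
```

Running this kind of check after each role change shows when membership in an external group has become equivalent to repository administration.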