Overview

The JFrog Platform provides a flexible permissions model that gives administrators fine-grained control over how users and groups access the different resources: repositories, builds, Release Bundles, Edge node destinations, and Pipeline Sources. Permissions are managed from a central location, where you can control how users or groups can view and perform activities.

By defining Permission Targets, you can set the physical resources (for example, repositories) and select users or groups with a corresponding set of permissions defining how they can access the specified repositories. A classic example would be if you have two engineering teams using either Go or Docker repositories. You can create a Permission Target for each group (i.e. for each engineering team), in which you grant access to the relevant resources with the appropriate permissions.

The JFrog Platform supports these main permission categories:

  • CRUD Permissions: A set of predefined CRUD permissions that can be applied to each of the resources, including: Read, Deploy/Cache, Delete/Overwrite, Annotate, and Manage.
  • Product-based Permissions: A set of product-specific permissions that are available if the product is installed on your system.
    For example, if you have installed:

    • JFrog Xray: The Manage Xray Metadata permission is supported.
    • JFrog Distribution: The Distribute permission is supported.
    • JFrog Pipelines: The Trigger Pipeline permission is supported.

  • Role-based Permissions: A role-based permission is a global permission and is set on the User or Group level. Manage Policies and Manage Watches are the only role-based permissions in the Platform and are available when installing JFrog Xray.

For a detailed list of permissions, see Permission Types by Resources.

WebUI Changes implemented in Artifactory 7.38.x and above

Identity and Access is now called User Management. All the relevant text and images on this page have been updated to reflect this change.

Creating and Managing Permissions

Permissions are additive and must be explicitly granted. If a checkbox is not set for a user, then that user does not have the corresponding permission.

Permissions are centrally managed in the Administration module under User Management | Permissions.

The workflow for creating permission targets is:

  1. Select resources

  2. Assign users or groups

  3. Assign permissions

From the Administration module, navigate to User Management | Permissions and click New Permission.

Step 1 Selecting Resources

Type a unique, meaningful name for the permission target that will help you manage and find the required permission. For example: RnD_India, Project X, DevOps_US.

Click the + (plus sign) to assign resources to the permission target.

Repositories

The Repository permission targets define what a user has access to view in the repository resource.

Click + Add Repositories and select the repositories to which this Permission Target will apply.

The following methods are supported for repositories in your Permission Target.

  • Selecting Repositories from a list of existing repositories.
  • Filter by Repository Type: You can select Any Local Repository, Any Remote Repository, or Any Distribution Repository. Selecting any of these options adds all existing and future repositories of the selected type to this permission target. For example, selecting Any Local Repository adds all existing local repositories, as well as future local repositories, to the Permission Target.

  • Include and Exclude Patterns: Include and exclude patterns are based on "Ant-like" expressions, allowing you to restrict (i.e. whitelist / blacklist) the access for users or groups only to specific paths in the selected repositories. The include and exclude patterns are limited to 1024 characters.
    For example, you can create a permission target that allows user "Builder" and group "Deployers" to read from and deploy artifacts to the libs-releases repository. You can then add "org/apache/**" as an include pattern to that permission target, so that users in this permission target only have access to paths under "org/apache/**" in the libs-releases repository.
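
The libs-releases include-pattern example above, combined with the additive rule stated under Creating and Managing Permissions, as an added audit sketch that is not JFrog code. The simplified Ant-style matcher (`**` crosses directories, `*` and `?` stay inside one path segment), the rule that an exclude match wins, the `release-readers` target and the `Readers` group are assumptions made for illustration.

```python
import re

MAX_PATTERN_LEN = 1024  # pattern length limit stated on this page

def ant_to_regex(pattern):
    """Compile a simplified Ant-style pattern (assumed semantics, see lead-in)."""
    if len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern longer than 1024 characters")
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?"); i += 3   # zero or more whole directories
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2         # anything, across '/'
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1      # anything within one segment
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1       # one character, not '/'
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def path_allowed(path, includes, excludes):
    """A path is in scope if no exclude matches and some include matches.
    Assumption: an empty include list means every path ('**')."""
    if any(ant_to_regex(p).match(path) for p in excludes):
        return False
    return any(ant_to_regex(p).match(path) for p in (includes or ["**"]))

def effective_permissions(targets, user, groups, repo, path):
    """Union of the permissions every in-scope target grants (additive model)."""
    granted = set()
    for t in targets:
        if repo not in t["repositories"]:
            continue
        if not path_allowed(path, t["includes"], t["excludes"]):
            continue
        granted |= set(t["users"].get(user, ()))
        for g in groups:
            granted |= set(t["groups"].get(g, ()))
    return granted

# Constructed sample data: the first target is the page's libs-releases example,
# the second target and its group are hypothetical.
TARGETS = [
    {"name": "apache-deployers", "repositories": ["libs-releases"],
     "includes": ["org/apache/**"], "excludes": [],
     "users": {"Builder": ["Read", "Deploy/Cache"]},
     "groups": {"Deployers": ["Read", "Deploy/Cache"]}},
    {"name": "release-readers", "repositories": ["libs-releases"],
     "includes": [], "excludes": ["**/*.key"],
     "users": {}, "groups": {"Readers": ["Read"]}},
]

if __name__ == "__main__":
    for p in ("org/apache/commons/io.jar", "com/acme/app.jar"):
        print(p, sorted(effective_permissions(
            TARGETS, "Builder", ["Readers"], "libs-releases", p)))
```

Because nothing in either target grants Delete/Overwrite, no combination of user and group membership yields it, which is the "must be explicitly granted" rule in practice.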

Builds

The build permission targets define what a user has access to view in the Builds resource.

Click + Add Builds and select the builds to which this Permission Target will apply.

The following methods are supported for including builds in your Permission Target.

  • Any Build: You can select Any Build to add all existing and future builds to this permission target.

  • By Name: You can select existing builds from the Available Builds list. Selecting a build means that future build runs for this build will be included in the permission target.

  • Include and Exclude Patterns (By Patterns): Based on "Ant-like" expressions, allowing you to specify any number of Include or Exclude Patterns in the corresponding entry field. Patterns are limited to 1024 characters. When providing the Read permission to the selected builds (i.e. patterns), the user will see those builds in the Builds page and also have access to the relevant build in the artifactory-build repository. To add all builds that start with 'apache' (regardless of whether they already exist in Artifactory), use the following include pattern: "apache**/**". Granting the 'Read and Deploy' permission for this build pattern provides users with access to all builds that start with 'apache', and allows them to upload build-info files that start with the term 'apache' in the build name.

The artifactory-build-info repository is not included in the repository permissions since it is automatically part of the build permissions; i.e. after assigning a permission in the Builds section, the user gets the corresponding permission to the relevant builds under the repository. Adding a build gives the specified users/groups in this permission target access to the corresponding path in the artifactory-build-info repository.

Release Bundles

Requires an Enterprise+ license.

You can assign permissions to manage the Release Bundles resource. Release Bundles are part of the Distribution process and are the entities that group together the contents that are part of your release, providing the bill of materials for your software releases. For example, you can group together the different build artifacts, such as Docker images, that make up your software release that can then be pushed to your point of sale devices. The Release Bundle is secure and immutable, ensuring that no manipulation can be made by unauthorized users. For more information, see Release Bundles.

Click + Add Release Bundles and select the Release Bundles to which this Permission Target will apply.

The following methods are supported for including Release Bundles in your Permission Target.

  • Any Release Bundle: You can select Any Release Bundle to add all existing and future Release Bundles to this permission target.

  • By Name: You can select existing Release Bundles from the Available Release Bundles list. Selecting a Release Bundle means that all versions of the Release Bundle will be included in the permission target.

  • Include and Exclude Patterns (By Pattern): Based on "Ant-like" expressions, allowing you to specify any number of Include or Exclude Patterns in the corresponding entry field. Patterns are limited to 1024 characters. When providing the Read permission to the selected Release Bundles (i.e. patterns), the user will see those Release Bundles in the Distribution page in the UI. For example, to add all Release Bundles that start with 'apache' (whether or not they exist in Artifactory), add the following include pattern: 'apache**/**'. Granting the Read and Deploy permission for this Release Bundle pattern, for example, will provide users access to all Release Bundles that start with 'apache' and allow them to create Release Bundles containing 'apache'.

  • Change the Default Release Bundle Source Repository: Scroll down to the Advanced section in the Add Release Bundles page, remove the release-bundles check box and select another Release Bundles Source repository.

Destinations

Requires an Enterprise+ license.

What is a JFrog Artifactory Edge node?

JFrog Artifactory Edge (an "Edge node") is an edition of JFrog Artifactory whose available features have been customized to serve the primary purpose of distributing software to a runtime such as a datacenter, a point-of-sale or even a mobile device. All packages hosted in an Edge node are part of a Release Bundle, which is a secure and immutable collection of software packages that make up a release to be provisioned.

A destination is a target Artifactory Edge to which you can distribute release bundles. Administrators can assign users and groups permissions to specific destinations and actions such as create, delete and distribute Release Bundles. Available only if at least one Release Bundle was created.

Click + Add Destinations and select the Destinations to which this Permission Target will apply.

The following methods are supported for including Destinations (Edge Nodes) in your Permission Target.

  • Any Destination: You can select Any Destination to add all existing and future Destination Edge Nodes to this permission target.

  • By Name: You can select existing Edge nodes (i.e. Destinations) from the Available Destinations list.

  • By Pattern:

    • JPD Name Pattern: A JPD is the JFrog Deployment Unit. Based on "Ant-like" expressions, allowing you to specify any number of patterns in the corresponding entry field, with each pattern limited to 1024 characters. For example, providing a user with the Distribute permission to the selected Destinations (i.e. according to JPD Name Patterns) allows the user to distribute to Edge nodes that correspond with the pattern. To distribute to all destinations (i.e. Edge nodes) that start with 'DevCenter1', use the following pattern: "DevCenter**".
    • Country Codes: Select one or more countries from the available list. All existing and future Destinations that are located in the selected countries in JPD will be part of the Permission Target.
    • City Name Pattern: Based on "Ant-like" expressions, you can specify any number of patterns in the corresponding entry field (limited to 1024 characters). When providing the Distribute permission to the selected Destinations (i.e. according to City Name Patterns), the user will be able to distribute to Edge nodes that meet the pattern. For example, to distribute to all destinations (i.e. Edge nodes) that are located in London, add the following pattern: "London**".

Pipeline Sources

Requires an Enterprise+ license.

A pipeline source is a Git repository containing pipeline definition files. Administrators can assign users and groups permissions to specific pipeline sources. For more information, see Managing Pipeline Sources.

Click + Add Pipeline Sources and select the Pipeline Sources to which this Permission Target will apply.

The following methods are supported for including Pipeline Sources in your Permission Target.

  • Any Pipeline Source: You can select Any Pipeline Source to add all existing and future Pipeline Sources to this permission target.

  • By Name:You can select existing Pipeline Sources from the available Pipeline Sources list.

  • Include and Exclude Patterns (By Patterns):Based on "Ant-like" expressions, allowing you to specify any number of Include or Exclude Patterns in the corresponding entry field. Patterns are limited to 1024 characters. To include (or exclude) all pipeline sources that start with 'paulg', use the following include pattern: "paulg**/**".

You can now proceed to assign users or groups to the resources you have included in the Permission Target.

Step 2 Selecting Users or Groups and Assigning Permissions

Each resource has a set of dedicated permissions. Using the corresponding tabs, you can set the permissions granted to a user or a group based on each of the resource types. Double-click the user or group you want to modify, and then check the permissions you wish to grant. Only permissions associated with an installed service are displayed in the list. At least one user or group has to be selected to create a permission. Since an admin is privileged and has all permissions, you cannot add a user or group with admin privileges to a Permission Target.

The following example shows how to apply permissions to users. The identical workflow applies when assigning permissions to groups.

In the Create Permission page, click the Users tab.

Click the Selected Users + icon in the left panel to add users.

Select the users in the Select Users dialog and click OK.

Assign the permissions to the users according to the resource type.

You can assign the following permissions by resource type:

Global Permissions

To grant the following permissions, go to the Administration module, under User Management | Users / Groups, select a user or a group, and select the relevant permissions.

Permission: Description

  • Manage Resources: Manage resources, including create, edit, and delete permissions on any resource type, including Pipeline resources (Integration, Source, and Node Pools).
    Manage Resources is a Role: Manage Resources is a role and is set on the User or Group level.

  • Manage Policies: Manage, delete and modify Xray policies.
    Manage Watch is a Role: Manage Policies is a role and is set on the User or Group level.
    Xray scanning requires Artifactory Pro X, Enterprise with Xray, or an Enterprise+ license.

  • Manage Watches: Add, edit and delete Watches on repositories.
    Manage Watch is a Role: Manage Watches is a role and is set on the User or Group level.
    Xray scanning requires Artifactory Pro X, Enterprise with Xray, or an Enterprise+ license.

  • Manage Reports: Create and generate Xray reports.
    Manage Reports is a Role: Manage Watches is a role and is set on the User or Group level.
    Xray scanning requires Artifactory Pro X, Enterprise with Xray, or an Enterprise+ license.

Repository Permissions

Permission: Description

  • Read: Download artifacts and read the metadata.
    Read Permissions on Remote Repositories: For remote repositories, the Read permission only allows downloading from the remote cache (i.e. artifacts that were already downloaded from the upstream and exist in Artifactory's remote cache). This permission will not allow downloading new artifacts that do not exist in the Artifactory remote cache. For this, you will need to grant the Deploy/Cache permission.

  • Annotate: Annotate artifacts and folders with metadata and properties.

  • Deploy/Cache: Deploy artifacts and deploy to remote repository caches.
    Deploy/Cache Permissions on Remote Repositories: In remote repositories, the Deploy/Cache permission allows caching artifacts from the upstream (for example, Docker Hub, npmjs.com) to the remote repository cache in Artifactory.

  • Delete/Overwrite: Delete or overwrite artifacts.
    Preventing Overwriting Deployments: You can prevent a user or group from overwriting a deployed release or unique snapshot by not granting the Delete permission. Non-unique Maven snapshots can always be overwritten (provided the Deploy permission is granted).

  • Manage Xray Data: Trigger Xray scans on artifacts in repositories. Users can create and delete custom issues and licenses.
    Xray scanning requires Artifactory Pro X, Enterprise with Xray, or an Enterprise+ license.

  • Manage: Allows changing the permission settings for other users on this permission target. Note that it does not permit adding/removing resources to the permission target. Perform admin-related tasks in the Artifact browser, such as managing 'Followers' or restoring artifacts from the trash can.
    Permission Target Managers: By assigning the Manage permission to a user, you may designate them as the "Permission Target Manager". These users may assign and modify permissions granted to other users and groups for this Permission Target.

The user who is currently logged into the JFrog Platform can only make changes to the permissions of other users. The option to edit their own permissions is disabled in the UI not for security reasons, but to protect users from taking irrevocable actions that may inadvertently lock them out of the system.

Build Permissions

Permission: Description

  • Read: View and download build-info artifacts from the artifactory-build-info default repository and read the corresponding build in the Builds page.

  • Annotate: Annotate build-info artifacts and folders with metadata and properties.

  • Deploy: Allows uploading and promoting build-info artifacts.

  • Delete: Delete build-info artifacts.

  • Manage Xray Data: Trigger Xray scans on builds. Create and delete custom issues and licenses.
    Manage Watch is a Role: Manage Xray Data is a role and is set on the User or Group level.
    Xray scanning requires Artifactory Pro X, Enterprise with Xray, or an Enterprise+ license.

  • Manage: Allows changing build-info permission settings for other users in this permission target. It does not permit adding/removing resources to the permission target.
    Permission Target Managers: By assigning the Manage permission to a user, you may designate them as the "Permission Target Manager". These users may assign and modify permissions granted to other users and groups for this Permission Target.

Release Bundles Permissions

Permission: Description

  • Read: View and download Release Bundle artifacts from the relevant Release Bundle repository and read the corresponding Release Bundles in the Distribution page.

  • Annotate: Annotate Release Bundle artifacts and folders with metadata and properties.

  • Create: Create Release Bundles.

  • Delete: Delete Release Bundles.

  • Distribute: Distribute Release Bundles.

  • Manage Xray Data: Trigger Xray scans on Release Bundles. Create and delete custom issues and licenses.
    Manage Watch is a Role: Manage Xray Data is a role and is set on the User or Group level.
    Xray scanning requires Artifactory Pro X, Enterprise with Xray, or an Enterprise+ license.

  • Manage: Allows changing Release Bundle permission settings for other users in this permission target. It does not permit adding/removing resources to the permission target.
    Permission Target Managers: By assigning the Manage permission to a user, you may designate them as the "Permission Target Manager". These users may assign and modify permissions granted to other users and groups for this Permission Target.

Destination Permissions

Permission: Description

  • Distribute: Distribute Release Bundles according to their destination permissions.
    Requires an Enterprise+ license.

  • Delete: Delete Release Bundles from the selected destinations.

  • Manage: Add and delete users who can distribute release bundles on assigned destinations.
    Permission Target Managers: By assigning the Manage permission to a user, you may designate them as the "Permission Target Manager". These users may assign and modify permissions granted to other users and groups for this Permission Target.

Pipeline Permissions

Permission: Description

  • Read: View the available pipeline sources.

  • Trigger: Manually trigger execution of steps.

  • Manage: Create and edit pipeline sources.



Viewing Effective Permissions

You can view the effective permissions on each of the resources for users, groups and Permission Targets in the Effective Permissions tab under the Artifacts, Builds and Distribution pages.

Copyright © 2023 JFrog Ltd.