51

I'm using Nexus Repository Manager 3.1.0-04, and I want to create a user to just have deployment permissions. What are the minimal set of privileges required for that?

Right now I created a role nx-deploy with the following privileges:

  • nx-repository-admin-*-*-read
  • nx-repository-admin-*-*-browse
  • nx-repository-admin-*-*-delete
  • nx-repository-admin-*-*-edit
  • nx-repository-admin-*-*-add

Then I created a user deployment with the role nx-deploy. I can deploy artifacts now; however, I believe I am giving too many privileges? The admin part is not what I want the deployment user to be, so that part has me a bit nervous.

Needless to say, there are just too many privileges to choose from under the security section.

030
Jane Wayne

4 Answers

88

The general rule is nx-repository-admin privileges are for administering the repositories and their details; nx-repository-view privileges are for use of the repositories once set up. Assign the latter.

To tweak repository privileges of your Deployment user(s) you should use the nx-repository-view-*-*-* as the assigned privilege, instead of nx-repository-admin. So, remove all the privileges you addressed in your question, and replace the ‘Given’ field with nx-repository-view-*-*-*. Since the privilege is denoted with asterisks, your Deployment users can perform all the above actions (i.e. browse, read, edit, add, and delete).

See the screenshot for reference:

[Screenshot: Configuring the nx-deploy Privilege for the Deployment Role]

You can read more about Privileges in the Security chapter: https://help.sonatype.com/repomanager3/security/privileges

Dulani Wallace
  • The minimal set of privileges I had to set to deploy an artifact consists of: `nx-repository-view-*-*-{edit,read,add,browse}`. I'm using Nexus Repository Manager OSS 3.2.1-01 – Alberto Mar 30 '17 at 14:21
  • Side notes: [1] The `nx-repository-view-*-*-*` privilege allows the user to upload artifacts, but does NOT show the UPLOAD option on the Nexus UI. [2] For the deployment user, consider adding the `browse`, `read`, `edit`, `add` privileges separately and preferably do NOT add the `delete` privilege. – Arghya C May 22 '18 at 09:14
  • In Nexus 3.14, to be able to upload components (upload button), your deployment user should have the nx-component-upload privilege beside the `nx-repository-view-*-*-*`; see documentation here: https://help.sonatype.com/repomanager3/user-interface/uploading-components – Pierluigi Vernetto Nov 16 '18 at 16:01
  • In version 3.18.0-01 privileges read and edit are enough (just like Ben mentioned in the not accepted answer) to deploy via CI/CD (Maven) provided by GitLab. – y434y Dec 28 '21 at 13:48
10

If you need minimal privileges to just deploy artifacts, nx-repository-view-*-*-edit is enough.

nx-repository-admin is used for administration and configuration

Repository Admin

These are privileges related to the administration and configuration of a specific repository

and edit is enough to modify repository content

edit

This action allows privileges to modify associated scripts, repository content, and repository administration.

BTW, you need nx-component-upload to upload components in web UI.

https://help.sonatype.com/repomanager3/user-interface/uploading-components

Community
Tim
  • Your post does not include any explanation, instead there is only an *is enough, I think*. That makes it a comment... You can still add information about why your line of code solves the problem. Your post will be removed if some others flag it as a comment, too. – deHaar Mar 08 '19 at 08:23
5

For successful deployment by Maven 3 with Nexus 3.8.0, the following rights are required:

nx-repository-view-*-*-edit
nx-repository-view-*-*-read
Ben Asmussen
1
nx-repository-view-maven2-maven-snapshots-edit
nx-repository-view-maven2-maven-snapshots-read

"maven2" is the recipe, "maven-snapshots" is your repository name.

eaglezsx
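The rules the answers and comments above converge on (view rather than admin, no delete, scope to one repository) can be checked mechanically before a role is assigned. The following is an added example, not part of any answer or of Nexus itself: the function names, the finding texts and the sample roles are assumptions, and privilege names are written with the `*` wildcards the answers use.

```python
import re

# Layout assumed here: nx-repository-<type>-<format>-<repository>-<action>.
# <format> has no hyphen (maven2, *); <repository> may (maven-snapshots).
PRIV_RE = re.compile(r"^nx-repository-(admin|view)-([^-]+)-(.+)-([^-]+)$")


def parse(name):
    """Split a repository privilege name into its parts, or return None."""
    m = PRIV_RE.match(name)
    if not m:
        return None
    kind, fmt, repo, action = m.groups()
    return {"type": kind, "format": fmt, "repository": repo, "action": action}


def audit_role(privileges):
    """Return (privilege, finding) pairs for a role meant only to deploy."""
    findings = []
    for name in privileges:
        p = parse(name)
        if p is None:
            if name != "nx-component-upload":  # UI upload privilege from the answers
                findings.append((name, "not a repository privilege, review by hand"))
            continue
        if p["type"] == "admin":
            findings.append((name, "admin: repository configuration, not deployment"))
            continue
        if p["action"] == "*":
            findings.append((name, "wildcard action also grants delete"))
        elif p["action"] == "delete":
            findings.append((name, "delete is not needed to deploy"))
        if "*" in (p["format"], p["repository"]):
            findings.append((name, "covers every repository, scope it to one"))
    return findings


# Constructed sample roles: the question's role and the repository-scoped answer.
QUESTION_ROLE = ["nx-repository-admin-*-*-" + a
                 for a in ("read", "browse", "delete", "edit", "add")]
SCOPED_ROLE = ["nx-repository-view-maven2-maven-snapshots-edit",
               "nx-repository-view-maven2-maven-snapshots-read"]

if __name__ == "__main__":
    for role in (QUESTION_ROLE, ["nx-repository-view-*-*-*"], SCOPED_ROLE):
        print(role, "->", audit_role(role) or "no findings")
```

Which actions a deploy actually needs differs between the Nexus versions reported above, so the audit flags only what no answer requires for deployment.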