Currently, Nexus understands 4 different types of privileges, which are explained below.

Application

Application privileges are tied to an HTTP method against a REST resource. For example, the "Scheduled Tasks - (read)" privilege gives you access to GET the /schedules resource.

  • There are many different Application privileges, and you can see them all in the Nexus UI on the Privileges screen.
  • Application privileges are the core of the security system: without them, no Nexus access is allowed.
  • Typically you will see 4 nearly identical privileges, with only the method (create, read, update, delete) differentiating them.
  • These privileges are read-only and will always be available (unless the REST resource is removed, in which case its privileges are removed as well).

Repository Target

Repository Target privileges link a repository and a repository target, giving a user access to content inside a repository.  This type of privilege is applied only after access to a resource has been granted via an Application privilege.

  • Repository Target privileges can be assigned to a single repository, a single group or all repositories.
  • Using a group or all repositories makes the privilege more dynamic, because it keeps applying as your configuration changes.
  • Content access inside the repository (or group) is defined by the regular expressions in the repository target associated with the privilege.
  • These are the only type of privileges that are user maintainable.  By default we have a few generic privileges (for simplicity’s sake), but users can create these privileges any way they see fit.
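
The two-stage check described above (Application privilege first, then the repository target's regular expressions), as an added example that is a simplified model and not Nexus code. All class names, the `/repositories` resource, the repository ids and the pattern are constructed for illustration, and whole-path matching is an assumption of the model.

```python
import re
from dataclasses import dataclass

# Simplified model of the check order described above; not Nexus code.
# Every name, resource and pattern here is constructed for illustration.

@dataclass(frozen=True)
class AppPrivilege:
    method: str      # create, read, update or delete
    resource: str    # REST resource the method applies to

@dataclass(frozen=True)
class TargetPrivilege:
    method: str
    repository: str  # a repository id, or "*" for all repositories
    patterns: tuple  # regular expressions taken from the repository target

def app_allows(privs, method, resource):
    return any(p.method == method and p.resource == resource for p in privs)

def target_allows(privs, method, repository, path):
    for p in privs:
        if p.method != method or p.repository not in ("*", repository):
            continue
        # Assumption: a pattern has to match the whole path, so
        # "/com/example/.*" does not grant "/org/com/example/x.jar".
        if any(re.fullmatch(rx, path) for rx in p.patterns):
            return True
    return False

def can_access(user, method, resource, repository, path):
    # Stage 1: without the Application privilege nothing else is evaluated.
    if not app_allows(user["app"], method, resource):
        return False
    # Stage 2: the Repository Target privilege decides on the content path.
    return target_allows(user["target"], method, repository, path)

# Constructed user: may read content under /com/example/ in "releases" only.
USER = {
    "app": [AppPrivilege("read", "/repositories")],
    "target": [TargetPrivilege("read", "releases", ("/com/example/.*",))],
}

# Constructed user holding a broad target privilege but no Application privilege.
NO_APP_USER = {
    "app": [],
    "target": [TargetPrivilege("read", "*", (".*",))],
}
```

When reviewing roles with this model in mind, check the pattern in the repository target as carefully as the privilege itself: a broad expression such as `.*` turns a narrowly named privilege into access to every path in the repository.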

Staging Profile

Staging Profile privileges allow certain actions against certain profiles, for example if you wanted only certain users to be able to see profileA.  Staging Profile privileges have 5 different types: read, stage, finish, promote, drop, notify

  • Read privilege allows the user to see the Profile via REST resources or the UI.  It is also required to perform any actions on the profile (update/delete/etc).
  • Stage privilege allows the user to deploy artifacts to the staging URL and into this profile.
  • Finish privilege allows the user to finish a staging repository that is done being deployed to.
  • Drop privilege allows the user to drop a staged repository (it is moved into the trash).
  • Promote privilege allows the user to promote a staged repository to a release repository.
  • Notify privilege allows the user to receive emails when a staging repository is finished.
  • By default there is a "Staging Profiles: Administrator" privilege that gives access to every action for every profile (excluding notifications).
  • Also by default, there are 6 other "all profile" privileges, one for each action, each of which applies to all profiles.
  • When a Staging Profile is added, 6 new privileges for that profile will be automatically created (1 for each action).
  • When a Staging Profile is removed, those privileges will be removed (and all roles containing these privileges will be updated).