Introduction to Users and Groups

JFrog Platform Administration Documentation

Overview

You can manage access to repositories by defining users, assigning them to groups and setting up roles and permissions which can be applied to both users and groups.

From December 2021, JFrog Cloud users (only) can also join through an invite and then log in using Personal OAuth such as Google or GitHub.

WebUI Changes implemented in Artifactory 7.38.x and above

Identity and Access is now called User Management. All the relevant text and images on this page have been updated to reflect this change.

Managing Users

To manage the users who can access resources in your system, in the Administration module, select User Management | Users.

  • Passwords are stored as hashes or encrypted hashes.

  • The Status column shows you the current SCIM status of the user: Enabled, Disabled, or Locked.

  • The Email column shows you the email of the user, including if the user was added via invite from the admin (Cloud users only).

Note

From Artifactory release 7.46.3, the tables in the Users UI feature the following updates:

  • Enable sorting users in tables by additional columns

  • Enable partial search by name/email in tables

User Types
Administrator Users

An administrator user is to the system what "root" is to UNIX systems. Administrators are not subject to any security restrictions, and we therefore recommend creating as few administrators as possible in your system.

You can control which Permission Target Managers have access to, thereby assigning responsibility for a specific repository path. For details, please refer to Managing Permissions.

The Default Admin Account

The default user name and password for the built-in administrator user are: admin / password.

You should change the password after first log in. If you forget the admin account password, you can recover it. Please refer to Recreating the Default Admin User.

The Anonymous User

The platform supports the concept of anonymous users and installs with a pre-defined anonymous user to which you can assign Permissions just like for any other user.

Anonymous access can be controlled under the General Security Settings (see Introduction to the General Security Settings). Set Allow Anonymous Access to activate the anonymous user. The anonymous user must be activated before you can fine-tune its permissions.

When anonymous access is activated, anonymous requests can download cached artifacts and populate caches, regardless of other permissions defined.

From Artifactory version 7.37.9, you can route all anonymous users to the login page by enabling the Set the Login page as the start page option on the Anonymous User page.

Important Information on Anonymous Users

When allowing anonymous access, you will need to take into account the following considerations:

  • When you allow non-logged-in users to access your system, you could potentially be giving unauthorized users access to any existing local, remote or virtual repositories, and to future repositories.

  • In addition, enabling anonymous access may expose any sensitive data that may be saved in these repositories to non-logged-in users.

Creating and Editing Users

Only administrators can create users

To create users you must be an administrator.

  1. Create a new user by clicking + New user at the top of the Users table.

    This displays the Add new user dialog.

  2. In the Add new user (or Edit user) dialog you can set the User Name, Email Address and Password for the user as well as the following parameters:

    Roles

      • Administer Platform: When enabled, this user is an administrator with all the ensuing privileges. For more details please refer to Administrator Users.

      • Manage Resources: When enabled, this user can manage resources including create, edit, and delete permissions on any resource type including Pipeline resources (Integration, Source, and Node Pools).

      • Manage Policies: When enabled, this user can set Xray security and compliance policies (see Creating Xray Policies and Rules).

      • Read Policies: When enabled, this user can only view Policies.

      • Manage Watches: When enabled, this user can add, edit, and delete Xray Watches (see Configuring Xray Watches).

      • Manage Reports: When enabled, this user can create, generate, and manage Xray Reports (see Xray Reports).

    Options

      • Can Update Profile: When enabled, this user can update their profile details (except for the password; only an administrator can update the password). There may be cases in which you want to leave this unset to prevent users from updating their profile. For example, a departmental user with a single password shared between all department members.

      • Disable UI Access: When enabled, this user can only access the system through the REST API.

      • Disable Internal Password: When enabled, disables the fallback mechanism for using an internal password when external authentication (such as LDAP) is enabled.

Adding New Users via Invite (Cloud Subscriptions only)

From December 2021, for Cloud users only, JFrog Platform enables administrators to add new users via an email invite, which enables the new user to create an account using a username and password, or by logging in using Personal OAuth SSO.

Note

To use this feature, the Personal OAuth SSO functionality must be enabled under the Authentication Providers section in the Administration tab. For more information, see Enabling and Disabling Personal OAuth SSO.

  1. In the Add new user window, select the Invite a User tab.

  2. Enter an email address.

  3. Specify the roles that you wish to enable for this user.

  4. Specify which options to apply to the user.

  5. Click Send Invitation to send the invite.

    The Users list is updated with the new user that was invited. The invited user will appear with the email status "Invited".

  6. To resend the invite to the same user, hover on the email icon to the right of the user name and click Resend Invite. Note that if the user tries to use the older token in the first invite, they will not be able to join.

    Note

    Only one invitation can be sent per email address; there is no limit on sending invites to different email addresses.

  7. Note that if the user that was sent the invite cannot find the email or needs to receive a reminder, you can resend the invite by simply hovering with your mouse over the user in the Users list, and selecting Resend invitation.

Recreating the Default Admin User

If you are unable to obtain administrator access, you will need to recreate a default administrator user in order to be able to manage users of your system. This can be done using the Access bootstrap.creds file:

  1. Create a file called bootstrap.creds under JFROG_HOME/artifactory/var/etc/access

    Artifactory HA version under 6.8.0

    For Artifactory versions below 7.17.2: If you are running an Artifactory HA cluster, make sure to do the changes on the primary node. After the last step, perform a rolling restart to the cluster (restart each node starting from the primary node).

  2. Populate the file with the following content:

    <admin user name>@*=<your new password>

    Note: You can create the file with multiple lines to create multiple Administrators, for example:

    admin1@*=password1
    admin2@*=password2
  3. Make sure the file has relevant permissions:

    $ chmod 600 bootstrap.creds
    $ chown artifactory:artifactory bootstrap.creds

    Or alternatively,

    $ chmod 600 bootstrap.creds
    $ chown 1030:1030 bootstrap.creds

    Note

    The permission assigned must be exactly 600. Neither a more permissive nor a more restrictive permission setting will work.

  4. Restart the Access service by restarting the corresponding Artifactory instance.
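
One way to script the file creation and permission steps above and verify the result before restarting, as an added example that is not JFrog tooling. The function names are hypothetical, the optional owner argument is an assumption for the chown step, and the demo runs against a constructed temporary directory rather than a real JFROG_HOME.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any JFrog tooling.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_bootstrap_creds DIR USER [OWNER]
# Reads the password from stdin so it never appears in argv or shell history.
write_bootstrap_creds() {
    dir=$1 user=$2 owner=${3:-}
    IFS= read -r pw || [ -n "$pw" ] || return 1
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    # Restrictive umask: the file is never created group- or world-readable.
    ( umask 077; printf '%s@*=%s\n' "$user" "$pw" > "$dir/bootstrap.creds" ) || return 1
    chmod 600 "$dir/bootstrap.creds"      # the page requires exactly 600
    if [ -n "$owner" ]; then chown "$owner" "$dir/bootstrap.creds"; fi
}

# check_bootstrap_creds FILE
# Succeeds only if the mode is exactly 600, every non-empty line has the form
# <user>@*=<password>, and no entry reuses the built-in default "password".
check_bootstrap_creds() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(file_mode "$f")
    [ "$mode" = "600" ] || { echo "mode is $mode, must be 600" >&2; return 1; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        case $line in                      # messages never echo the secret
            *'@*=password') echo "default password reused" >&2; return 1 ;;
            ?*'@*='?*) n=$((n + 1)) ;;
            *) echo "malformed entry" >&2; return 1 ;;
        esac
    done < "$f"
    [ "$n" -gt 0 ] || { echo "no entries" >&2; return 1; }
}

# Demo on a constructed temp directory standing in for
# $JFROG_HOME/artifactory/var/etc/access; the password is a constructed sample.
demo=$(mktemp -d)
printf '%s\n' 'constructed-S3cret' | write_bootstrap_creds "$demo" admin
check_bootstrap_creds "$demo/bootstrap.creds" && echo "600: accepted"
chmod 640 "$demo/bootstrap.creds"
check_bootstrap_creds "$demo/bootstrap.creds" 2>/dev/null || echo "640: rejected"
rm -rf "$demo"
```

On a real installation, pass the Access configuration directory as DIR and `artifactory:artifactory` (or `1030:1030`) as OWNER, then run the check before restarting.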

Disabling Remember Me at Login

The login screen includes a Remember Me checkbox. If the user sets this checkbox when logging in, the system will store a cookie in the browser for a period of 7 days allowing the user to be logged in automatically when starting up the system.

Once the cookie expires, the user will have to log in again.

An administrator can disable this feature and force all users to enter their credentials at every login. To do so, simply add the following property to $JFROG_HOME/artifactory/var/etc/artifactory.system.properties (see System Directories) and restart the system:

artifactory.security.disableRememberMe=true

Managing Groups

A group represents a role in the system and is assigned a set of permissions.

Creating and Editing Groups

A group represents a role and is used with RBAC (Role-Based Access Control) rules.

  1. To manage groups, in the Administration module select User Management | Groups.

  2. Create a new group by clicking + New Group at the top of the groups table.

  3. Assign a unique name to each group with an optional description.

    You can also assign an external group ID to the new group, which will then be used to configure the corresponding group in Azure AD.

  4. For the new group, specify the roles assigned to that group: Administer Platform, Manage Resources.

  5. You can also choose whether to automatically join new users to the group by selecting the checkbox.

Assigning Users to Groups

There are two ways to manage users' assignment to groups:

  • Setting Groups for a User

  • Setting Users for a Group

Setting permissions

In both cases, you can assign corresponding permissions to the user or group respectively on the same screen. For more details, please refer to Managing Permissions.

Setting Groups for a User

You can assign and remove a user from groups when the user is created or by editing the user's details later.

  1. In the Administration module, under User Management | Users, from the list of users, select the user you wish to assign to or remove from the group.

  2. In the Related Groups section of the form, you can set which groups the user should be assigned to.

Setting Users for a Group

You can assign and remove a user from a group by editing the group's details.

  1. In the Administration module, under User Management | Groups, from the list of groups, select the group you wish to modify.

  2. In the Users section of the form, you can set which users should be assigned to the group.

Automatically Assigning Users to a Group

When creating (or editing) a group you can set Automatically Join New Users to this Group.

When this parameter is set, any new users defined in the system are automatically assigned to this group.

This is particularly useful if users are defined automatically and you want them to be assigned to certain groups. For example, when using external authentication such as LDAP, users are automatically created on successful login and you can use this parameter to assign these users to particular groups by default.

Assigning Admin Privileges to a Group

If Admin Privileges is set, any users added to this group will automatically be assigned with admin privileges in the system.

For reasons of security, when Admin Privileges is set, Automatically Join New Users to this Group is disabled so that new users are not automatically provided with admin privileges.