Permissions

JFrog Platform Administration Documentation
Content Type
Administration / Platform

The JFrog Platform features a flexible permissions model that allows administrators to exercise fine-grained control over user and group access to various resources, including repositories, builds, Release Bundles, and Edge node destinations.

The next generation of permission model (Permissions V2) is now available in the JFrog Platform for JFrog Cloud and JFrog Self-Hosted (from Artifactory 7.77.2). The new model is fully backwards compatible with the legacy permissions (Permissions V1) model. The new model simplifies the UI user flows to configure all resource types. For the legacy permissions model (Permissions V1), see Legacy Permissions.

permissions_main_screen.png

Note

In Permissions V1, a user with the manage permission was able to grant manage and other permissions to other users. This behavior was a security issue and has been fixed with permissions V2. A user with manage permissions can grant all permissions except the manage permission.

Starting from Artifactory version 7.117.1, you can revert to the previous behavior, which is not recommended. To revert to the less secure functionality, set one of the following feature flags in your Access Configuration YAML file:Supported Access Configurations

permissions:
    manage-user-permission-type: "<type>"  # permission type from the following list:
# exclude-manage - Default setting for Permissions V2. Users with manage permissions can grant only permissions that they have, except for manage permissions
# any-action-excluding-manage - users with manage permissions can grant any permissions, except for manage permissions
# any-action-including-manage - users with manage permissions can grant any permissions, including manage permissions

How Permissions Work

In the JFrog Platform, permissions are managed from a central location, where you can control how users or groups can view and perform actions.

Tip

You can use the JFrog Platform UI or the JFrog REST API to manage permissions.Create Permission

You can control permissions at the granular level through repository settings, or on the project level using Role-based access control (RBAC). For more information, see Manage Project Roles and Members.

By defining permission targets, you can set the physical resources, such as repositories, and select users or groups with a corresponding set of permissions, defining how they can access the specified repositories.

For example, if your environment includes two engineering teams using several repositories, you can create a group of users for each team. Then, you can create a permission target with a set of those repositories, in which you can grant access to the relevant resources with the appropriate permissions for each group.

Note

Starting from Artifactory 7.84.3, the anonymous user is removed from the Anything and Any Remote permissions by default. To grant permissions to anonymous users, the best practice is to create a new permission target containing the anonymous user and to assign it with read-only access to the relevant repositories.

The following topics provide detailed information about permissions in the JFrog Platform.