Projects Concepts and Terminology

JFrog Platform Administration Documentation


Subscription Information

This feature is supported with Enterprise X and Enterprise+ licenses.

Overview

As part of JFrog Projects, you will encounter new terminology and concepts that apply to projects and are important to understand before you plan and start working with projects.

Please make sure you have read these topics before creating your first project:

Once you have planned your project structure, you can proceed to create your first project and learn more about Managing Projects.

Basic Projects Terminology

To help you get started with Projects, refer to these basic terms and concepts.

The following diagram describes the basic components within the project entity.

[Image: JFrog_Projects_Structure.png]

Project

A project is an organizational management entity in the JFrog Platform for hosting your resources (repositories, builds, Release Bundles, Pipelines, etc.) and associating users/groups as members with specific entitlements.

Assigned/Unassigned Resources

The JFrog Platform differentiates between assigned and unassigned resources in the scope of projects. When upgrading to the Platform with Projects, all the resources are set as 'Unassigned' as they have not yet been assigned to any project. To support assigning multiple resources to projects, you can assign projects to resources from the unassigned tab.

Project Key

The Project Key is a unique key that helps you identify and group your projects. For example, add a key that identifies the location of the project (the US Site) or the type of team (the Developer Team). From Artifactory 7.42.1, the minimum number of characters required in Project keys has been reduced from 3 to 2.

Project Members

Users or groups that are assigned a role in a project become a Project Member and are listed in the Members list for the project.

Resources

Resources are entities within the JFrog Platform including repositories, builds, and Pipelines. A set of product-specific actions are available if the product is installed on your system.

Environments

An Environment is used to aggregate project resources for simplified management of project resources (repository, Pipeline source, etc.). Administrators can create environments on a global level that are used by all projects as well as create environments that are defined for a specific project. See Environments. You can assign a set of roles to project members for each environment, providing you with an additional layer of role-based access granularity. See Managing Project Roles and Members.

Role-Based Access Control (RBAC) and Actions

JFrog Platform users and groups can perform a set of actions in projects using a set of dedicated project-related RBAC roles including Global and project roles.

Project Personas

A set of dedicated project personas is set on the project level, comprising Global roles and Project roles. The main built-in role is the Project Admin role. By default, all Platform Administrators are automatically granted the Project Admin role. For more information, see Project Roles and Members Concepts.

Xray Terminology and Concepts in Projects

Global Policy

A Policy that can be used in a Global Watch or a Project Watch when you have a set of rules that apply to more than one project or to all projects in your organization. A Platform Admin, a Security Manager, and a user with Manage Policies permissions can create Global Policies.

Global Watch

A Watch that can be applied on resources in any project or unassigned resources that are not specific to a project. A Platform Admin, a Security Manager, and a user with Manage Watches permissions can create Global Watches. Starting from Xray 3.27.2, you can apply a Global Watch on a Project resource. For more information, see Global Watches.

Create a Global Watch and Global Policy in the context of All:

[Image: image2021-3-17_19-23-35.png]

Global Watch Violations

Violations created by a Global Watch are not project specific, and will appear in the list of violations where the scanned resource resides, in any project. A user cannot ignore a violation from a Global Watch; only a Security Manager with the Ignore Global Watch Violations privilege can create a Global Ignore Rule.

Note

Global Watches can only contain Global Policies.

Global Report

A report that can be defined on all resources regardless of a project. A Platform Admin, a Security Manager, and a user with Manage Reports permissions can create Global Reports. Starting from Xray 3.27.2, you can create a Global Report on the Project scope. For more information, see Global Xray Reports.

Project Policy

A Policy that is created and used in the scope of a specific project. A Platform Admin, a Project Admin, a Security Manager, and a user with Manage Policies permissions can create project level Policies.

Project Watch

A Watch that is created and used in the scope of a specific project. A Platform Admin, a Project Admin, a Security Manager, and a user with Manage Watches permissions can create project level Watches.

Create a Project Policy and Project Watch in the context of the project you are in:

[Image: image2021-3-17_19-27-26.png]

Project Watch Violations

Violations created by a Project Watch are applicable to that specific project and will appear in the list of violations for a user within that project. Other users who are not members of the project will not see these violations. A user with Manage Watches permissions, a Platform Admin, a Project Admin, and a Security Manager can ignore a violation from a Project Watch.

Project Report

A report that can be defined on resources in a specific project. A Platform Admin, a Project Admin, a Security Manager, and a user with Manage Reports permissions can create project-level Reports.

Project Roles and Members Concepts

Projects is based on the JFrog RBAC (Role-based Access Control) mechanism that simplifies the notion of permission targets. Three main categories of roles are supported: Platform, Global, and Project roles. These roles enable users that have been assigned to these roles to perform a set of predefined actions associated with the role on all of the resources in the project.

The following Admin roles can manage projects and assign roles to project members and allocate resources:

  • Platform Admins are users that are set with the 'Administer the Platform' role and are referred to as Platform Admins in the scope of projects.

  • Project Admins are assigned by the Platform Admins to perform project-related admin tasks. To gain more flexibility, Project Admins can assign roles to different environments within a project. Each project can have one or more project-level environments configured for it, and in addition can make use of all defined global environments. Resources in the JFrog Platform are associated with environments and Role Actions define the different access rights to the resources within each of the environments.

Permission Targets are replaced with Roles

Roles replace permission targets, which are only available when upgrading from a previous version to a JFrog Platform version that supports projects.

Global and Project Role Types

Global and Project roles allow Platform users and groups assigned with these roles to perform a full array of actions on their projects. A user or group becomes a project Member after they have been assigned at least one Global or Project role within a selected project. The roles are intended to manage the access rights of users or groups according to their role definition. The roles can include: Project Admin, Developer, Contributor, Release Manager, etc. The additional breakdown into Project roles provides flexibility when assigning different roles to the same user across the different projects. Project roles are more specific and represent access rights relevant to the specific project.

Global role-related procedures apply to all projects, whereas Project roles are project-specific and comprise Global and Project roles. Global roles are assigned by the Platform Admin, whereas Project roles are defined by a Project Admin. Global roles cannot be renamed or deleted; however, the actions assigned to each role can be customized.

A project runs in one or more project-level and global environments. You can assign a set of roles to project members on each of the environments, providing you with an additional layer of role-based access granularity.

[Image: project_rolesandmembers.png]

Project-Supported Actions by Role Types

Roles are cumulative, and are associated with a set of actions that allow users to have multiple roles within the predefined Platform hierarchy: Platform Administrators have the 'Administer the Platform' role and have full control over the entire platform including projects, while Project roles apply to specific projects or multiple projects. For example, a user can be a Project Admin for Project A and be assigned a Contributor role in Project B. Where there is a clash between roles at different levels, for example between a Global role and a project-level role, the project-level role takes precedence.

Roles can be assigned two main types of actions:

  • CRUD Actions: A set of predefined CRUD Actions that can be applied at the Global role and Project role levels to each of the resources, including Read Artifacts, Write Artifacts, Delete Artifacts, and Delete Builds.

  • Product-based Actions: A set of product-specific actions are available if the product is installed on your system.

    For example, if you have installed:

    • JFrog Xray: The Trigger security scans action is supported

    • JFrog Distribution: The Distribute Release Bundle action is supported

    • JFrog Pipelines: The Trigger Pipeline and Manage Pipelines actions are supported
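The role model described above (roles carry actions, apply in specific environments, accumulate per member, and a project-level role wins a clash with a Global role), as an added example for access reviews. It is a simplified model, not JFrog code or a JFrog API; the role contents, member names and project key are constructed, and it assumes a clash means a project defines a role with the same name as a Global role.

```python
# Simplified model of the role concepts on this page; not JFrog code or API.
# Role contents, member names and the project key are constructed samples.

GLOBAL_ROLES = {  # role name -> (actions, environments the role applies in)
    "Developer": ({"Read Artifacts", "Write Artifacts", "Delete Artifacts"}, {"DEV"}),
    "Viewer": ({"Read Artifacts"}, {"DEV", "PROD"}),
    "Release Manager": ({"Read Artifacts", "Distribute Release Bundle"}, {"PROD"}),
}

PROJECT = {
    "key": "usdev",
    # Project-level roles. "Developer" clashes with the Global role of the
    # same name (assumed meaning of a clash); the project-level one wins.
    "roles": {
        "Developer": ({"Read Artifacts", "Write Artifacts"}, {"DEV"}),
        "Automation Engineer": (
            {"Read Artifacts", "Delete Artifacts", "Trigger Pipeline"},
            {"DEV", "PROD"},
        ),
    },
    "members": {  # user or group -> names of the roles assigned in this project
        "alice": ["Developer", "Viewer"],
        "ci-bots": ["Automation Engineer"],
        "bob": ["Release Manager"],
    },
}

def resolve_role(project, name):
    """Return (actions, environments); a project-level definition takes precedence."""
    if name in project["roles"]:
        return project["roles"][name]
    return GLOBAL_ROLES[name]

def effective_actions(project, member, env):
    """Roles are cumulative: union of actions from every role that applies in env."""
    actions = set()
    for role in project["members"].get(member, []):
        role_actions, role_envs = resolve_role(project, role)
        if env in role_envs:
            actions |= role_actions
    return actions

def members_with(project, action, env):
    """Access review: which members can perform `action` in environment `env`?"""
    return sorted(m for m in project["members"]
                  if action in effective_actions(project, m, env))

if __name__ == "__main__":
    print("Delete Artifacts in PROD:", members_with(PROJECT, "Delete Artifacts", "PROD"))
```

Running the review per environment shows where a role's environment scope, rather than its action list, is what keeps a member out of PROD.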

The following section lists the different roles and their associated actions.

Administer the Platform Role (Platform Admin)

This role is set at the User and Group level. By default, Platform administrators are considered 'Project Admins' and have full admin permissions on all the projects. They can view and manage the projects from the main projects dashboard and assign Project Admins to perform admin tasks.

  • Create projects and delegate administrative rights for those projects. Sets quotas for projects, allowing groups to own multiple projects while still having the option to set quotas for individual projects

  • View the Projects dashboard

  • Set actions on Global roles

  • Assign Project Admins to Platform Users and Groups.

  • Grant Project Admins 'Manage Resources' and 'Manage Members' privileges.

  • Grant Project Admins Xray security privileges, such as 'Index Resources', 'Manage Security Assets', and 'Ignore Global Violations'.

  • Create Global and Project Policies, Watches, and Reports.

  • Ignore Global Watch Violations.

  • Set storage quotas on projects

  • Perform CRUD operations on projects

  • Define CRUD operations across projects including moving, copying, and deleting projects.

  • Reassign repositories from one project to another.

  • Create new resources (Repositories, Builds, Pipelines, etc.)

Global Roles

Global roles are predefined high-level Project roles that allow project Members assigned with the role to perform a set of actions on all of the projects. The Platform admin defines the scope of the role by enabling the actions supported for each role and sets the environments - DEV (Development) or PROD (Production) in which the Global role will apply. The predefined global roles are:

  • Project Admin

  • Developer

  • Contributor

  • Viewer

  • Release Manager

  • Security Manager

The Global roles contain a set of actions that can be performed on resources within the projects including CRUD actions and product-specific actions.

Project Admin Role

The Project Admin is a Global role and is equivalent to the Platform Admin role at the project level.

  • Add and remove members in projects and across projects

  • Add resources to the project including: Repositories, Builds, and Pipelines sources.

  • Manually select resources to be indexed and scanned by Xray, if given the Index Resources privilege.

  • Create and manage project level Policies, Watches, and Reports, if given the Security Manager role.

  • Ignore Global Watch Violations if given the privilege.

  • Can onboard project Members (add/remove users/groups to roles)

  • Allow creating Ignore Rules on Security Violations

Project Roles

The Project Admin can assign a set of project-specific actions to Project roles, for example:

  • Automation Engineer

  • Contributor

  • Annotator

You can assign Basic or Advanced actions to your Project role.

Moving from Advanced to Basic Actions

Moving back from Advanced to Basic settings will delete your Advanced settings.

  • Basic Actions

    A set of actions that are performed on resources within the projects, including CRUD actions and product-specific actions. The actions associated with the basic Project roles are identical to Global Project actions.

  • Advanced Project Actions

    To gain an additional level of granularity on the resource level, you can assign advanced settings to the repository and build resources.

What's Next

Start by planning your project structure in the organization, including the Global and Project roles. For more information, see Managing Project Roles and Members.

You can then proceed to create your first project.