The scope parameter in the Create Token REST API allows you to change the scope of access that the token provides.
Access to the REST API is always provided by default. Administrators can set any scope, while non-admin users can only create Identity Tokens (user scope). From Artifactory version 7.84.3, project admins can create access tokens that are tied to the projects in which they hold administrative privileges.
Note
The scope to assign to the token should be provided as a space-separated list of scope tokens, limited to 500 characters.
The supported scopes include:
Applied Permission Scopes
These scopes apply permissions based on existing permission definitions in the platform, whether of a specific user, groups, an admin, or project roles.
User Permissions
This scope provides user access as specified in your platform. If left at the default setting, the token will be created with the user-identity scope, which allows users to identify themselves in the Platform but does not grant any other specific access permissions. This scope is used for the user identity tokens.
To apply user permissions, use this scope:
applied-permissions/user
Admin Permissions
This scope provides admin access as specified in your platform.
To apply admin permissions, use this scope:
applied-permissions/admin
Group Permissions
This scope provides access to groups as specified in your platform. For more information on groups, see Manage Groups.
To apply group permissions, use this scope:
applied-permissions/groups:<GROUP_NAME>[,<GROUP_NAME>...]
Note
Make sure to replace the placeholders in <angle brackets> with your own group names.
For example, when setting the following scope in the Create Token REST API call:
applied-permissions/groups:"group_1","group 2","group,3"
This scope will apply the permissions for the 3 groups:
"group_1"
"group 2"
"group,3"
This scope provides access to project roles as specified in your platform. For more information on roles, see Manage Project Roles.
To apply role permissions, use this scope:
applied-permissions/roles:<PROJECT_KEY>:<ROLE>[,<ROLE>...]
Note
Make sure to replace the placeholders in <angle brackets> with your own project key and roles.
For example:
applied-permissions/roles:jfrogdev:developer,qa
This scope will apply the developer and QA role permissions in the jfrogdev project.
Resource Permission Scopes
Starting from Artifactory version 7.38.x, you can use access tokens with resource permission scopes to provide scoped access to specific resources, without requiring any permissions to be predefined in the platform or in any project.
The resource permission scope follows this structure:
<RESOURCE_TYPE>:<TARGET>[/<SUB_RESOURCE>]:<ACTIONS>
Where:
Parameter | Description | Example |
---|---|---|
<RESOURCE_TYPE> | One of the permission resource types, from a predefined closed list. Currently, the only resource type that is supported is the | |
<TARGET> | The target resource, can be exact name or a pattern. | |
<SUB_RESOURCE> | (Optional) The target sub-resource, can be exact name or a pattern. If omitted the permission is granted on the entire target resource. | |
<ACTIONS> | A comma-separated list of action acronyms. See note below for supported actions. To allow all actions, use | |
Note
The supported pattern format is Ant pattern.
Each resource type supports a different set of actions.
Overall supported actions:
"r" - read
"w" - write
"d" - delete
"a" - annotate
"x" - execute
"s" - scan
"m" - manage permissions on the resource
Permission resource types:
Resource Type | Target | Sub-Resource | Actions |
---|---|---|---|
| Repository key | Artifact path | |
For example, when setting the following scope in the Create Token REST API call:
"scope": "artifact:maven-local/org/**:r,w",
Artifactory would generate an access token with read and write permissions to all files under the org folder in the maven-local repository.
System Permission Scopes
System permission scopes are similar to resource permission scopes and are used to grant access to system resources.
System Metrics Permissions
This scope provides access to service metrics information.
To apply system metrics permissions, use this scope:
system:metrics:r
Live Logs Permissions
This scope provides access to live logs information.
To apply live logs permissions, use this scope:
system:livelogs:r
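The following added example (not part of the JFrog documentation or product code) parses a scope string into its individual scopes before it is sent to the Create Token REST API, and flags grants a reviewer should question. The function names are hypothetical, the quoting rules are inferred from the group example on this page, and only the single-letter actions listed in the note are accepted.

```python
MAX_SCOPE_LEN = 500          # length limit stated on this page
ACTIONS = set("rwdaxsm")     # single-letter actions listed on this page
SYSTEM = {"system:metrics:r", "system:livelogs:r"}

def _split(text, sep):
    """Split on sep, but not inside double quotes (group names may hold spaces or commas)."""
    parts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    if quoted:
        raise ValueError("unbalanced double quote in scope")
    return [p for p in parts + [buf] if p]

def parse_scope(scope):
    """Parse a scope string into (kind, detail) tuples; raise ValueError if malformed."""
    if len(scope) > MAX_SCOPE_LEN:
        raise ValueError("scope is longer than 500 characters")
    parsed = []
    for tok in _split(scope, " "):
        if tok in ("applied-permissions/user", "applied-permissions/admin"):
            parsed.append((tok.rsplit("/", 1)[1], None))
        elif tok.startswith("applied-permissions/groups:"):
            names = _split(tok.split(":", 1)[1], ",")
            parsed.append(("groups", [n.strip('"') for n in names]))
        elif tok.startswith("applied-permissions/roles:"):
            _, project, roles = tok.split(":", 2)
            parsed.append(("roles", (project, roles.split(","))))
        elif tok in SYSTEM:
            parsed.append(("system", tok.split(":")[1]))
        else:  # <RESOURCE_TYPE>:<TARGET>[/<SUB_RESOURCE>]:<ACTIONS>
            rtype, rest = tok.split(":", 1)
            path, actions = rest.rsplit(":", 1)
            target, _, sub = path.partition("/")
            acts = actions.split(",")
            if not target or not set(acts) <= ACTIONS:
                raise ValueError(f"bad resource scope: {tok}")
            parsed.append((rtype, (target, sub or None, acts)))
    return parsed

def broad_grants(scope):
    """Flag scopes to question in review: admin, or a resource scope with no sub-resource."""
    return [k for k, d in parse_scope(scope)
            if k == "admin" or (isinstance(d, tuple) and len(d) == 3 and d[1] is None)]
```

Running `broad_grants` on a requested scope before minting the token gives a quick least-privilege check: an empty list means no admin scope and no resource scope that covers an entire target.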