Create Scoped Token

JFrog REST APIs

The scope parameter in the Create Token REST API allows you to change the scope of access that the token provides.

Access to the REST API is always provided by default. Administrators can set any scope, while non-admin users can only create Identity Tokens (user scope). From Artifactory version 7.84.3, project admins can create access tokens that are tied to the projects in which they hold administrative privileges.

Note

The scope to assign to the token should be provided as a space-separated list of scope tokens, limited to 500 characters.

The supported scopes include:

Applied Permission Scopes

These scopes apply permissions based on existing permission definitions in the platform: those of a specific user, groups, admin, or project roles.

User Permissions

This scope provides user access as specified in your platform. If left at the default setting, the token will be created with the user-identity scope, which allows users to identify themselves in the Platform but does not grant any other specific access permissions. This scope is used for the user identity tokens. For more information, see Understanding Identity Tokens.

To apply user permissions, use this scope:

applied-permissions/user

Admin Permissions

This scope provides admin access as specified in your platform.

To apply admin permissions, use this scope:

applied-permissions/admin

Group Permissions

This scope provides access to groups as specified in your platform. For more information on groups, see Manage Groups.

To apply group permissions, use this scope:

applied-permissions/groups:<GROUP_NAME>[,<GROUP_NAME>...]

Note

Make sure to replace the placeholders in <angle brackets> with your own group names.

For example, when setting the following scope in the Create Token REST API call:

applied-permissions/groups:"group_1","group 2","group,3"

This scope will apply the permissions for the 3 groups:

  • "group_1"

  • "group 2"

  • "group,3"

Role Permissions

This scope provides access to project roles as specified in your platform. For more information on roles, see Manage Project Roles.

To apply role permissions, use this scope:

applied-permissions/roles:<PROJECT_KEY>:<ROLE>[,<ROLE>...]

Note

Make sure to replace the placeholders in <angle brackets> with your own project key and roles.

For example:

applied-permissions/roles:jfrogdev:developer,qa

This scope will apply the developer and QA role permissions in the jfrogdev project.

Resource Permission Scopes

Starting from Artifactory version 7.38.x, you can use access tokens with resource permission scopes to provide scoped access to specific resources, without requiring any permissions to be predefined in the platform or in any project.

The resource permission scope follows this structure:

<RESOURCE_TYPE>:<TARGET>[/<SUB_RESOURCE>]:<ACTIONS>

Where:

  • <RESOURCE_TYPE> - One of the permission resource types, from a predefined closed list. Currently, the only resource type that is supported is the artifact resource type. Example: artifact

  • <TARGET> - The target resource. Can be an exact name or a pattern. Example: maven-local

  • <SUB_RESOURCE> - (Optional) The target sub-resource. Can be an exact name or a pattern. If omitted, the permission is granted on the entire target resource. Example: org/**

  • <ACTIONS> - A comma-separated list of action acronyms. See the note below for supported actions. To allow all actions, use *. Example: r,w

Note

  • The supported pattern format is the Ant pattern format

  • Each resource type supports a different set of actions

  • Overall supported actions:

    • "r" - read

    • "w" - write

    • "d" - delete

    • "a" - annotate

    • "x" - execute

    • "s" - scan

    • "m" - manage permissions on the resource

Permission resource types:

  • Resource Type: artifact

  • Target: Repository key

  • Sub-Resource: Artifact path

  • Actions: Read, Write (Deploy / Cache), Delete / Overwrite, Annotate, Scan, Manage

For example, when setting the following scope in the Create Token REST API call:

  "scope": "artifact:maven-local/org/**:r,w",

Artifactory would generate an access token with read and write permissions to all files under the org folder in the maven-local repository.

System Permission Scopes

These scopes are similar to resource permission scopes and are used to grant access to system resources.

System Metrics Permissions

This scope provides access to service metrics information.

To apply system metrics permissions, use this scope:

system:metrics:r

Live Logs Permissions

This scope provides access to live logs information. For more information, see Live Logs.

To apply live logs permissions, use this scope:

system:livelogs:r
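
A requested scope string can be checked against the formats on this page before the Create Token call is made. The following Python is an added example, not JFrog code: it splits a scope string into scope tokens and reports broad grants (admin scope, * actions, a missing sub-resource). The function names, the finding messages and the quote-aware splitting are assumptions modelled on the examples above.

```python
import re

MAX_SCOPE_LEN = 500            # character limit stated on this page
ACTIONS = set("rwdaxsm")       # action acronyms listed on this page
SYSTEM_SCOPES = {"system:metrics:r", "system:livelogs:r"}

def split_scope(scope):
    """Split on spaces, keeping quoted group names such as "group 2" whole (assumed quoting rule)."""
    return re.findall(r'(?:"[^"]*"|\S)+', scope)

def parse_groups(token):
    """Return the group names carried by an applied-permissions/groups: token."""
    names = re.findall(r'"[^"]*"|[^,"]+', token.split(":", 1)[1])
    return [n.strip('"') for n in names]

def audit_scope(scope):
    """Return least-privilege findings for a scope string; an empty list means nothing was flagged."""
    findings = []
    if len(scope) > MAX_SCOPE_LEN:
        findings.append("scope exceeds 500 characters")
    for tok in split_scope(scope):
        if tok == "applied-permissions/admin":
            findings.append("admin scope requested")
        elif tok == "applied-permissions/user" or tok in SYSTEM_SCOPES:
            continue
        elif tok.startswith("applied-permissions/groups:"):
            if not parse_groups(tok):
                findings.append(f"no group names in {tok}")
        elif tok.startswith("applied-permissions/roles:"):
            parts = tok.split(":")  # prefix, project key, role list
            if len(parts) != 3 or not all(parts[1:]):
                findings.append(f"malformed role scope {tok}")
        elif tok.startswith("artifact:") and tok.count(":") == 2:
            _, target, actions = tok.split(":")
            repo, _, sub = target.partition("/")
            acts = set(actions.split(","))
            if "*" in acts:
                findings.append(f"all actions granted on {target}")
            elif acts - ACTIONS:
                findings.append(f"unknown actions {sorted(acts - ACTIONS)} in {tok}")
            if not sub:  # omitted sub-resource grants the entire target
                findings.append(f"no sub-resource: grant covers all of {repo}")
        else:
            findings.append(f"unrecognized scope token {tok}")
    return findings
```
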