Create Scoped Token

The scope parameter in the Create Token REST API allows you to change the scope of access that the token provides.

Access to the REST API is always provided by default. Administrators can set any scope, while non-admin users can only create Identity Tokens (user scope). From Artifactory version 7.84.3, project admins can create access tokens that are tied to the projects in which they hold administrative privileges.

Note

The scope to assign to the token should be provided as a space-separated list of scope tokens, limited to 500 characters.

The supported scopes include:

Applied Permission Scopes

These are scopes that apply the permissions based on existing permissions definitions in the platform, either for a specific user, group, admin, or project role.

User Permissions

This scope provides user access as specified in your platform. If the scope is left at its default setting, the token is created with the user-identity scope, which allows the user to identify themselves in the Platform but does not grant any other specific access permissions. This is the scope used for user Identity Tokens. For more information, see Understanding Identity Tokens.

To apply user permissions, use this scope:

applied-permissions/user 

Admin Permissions

This scope provides admin access as specified in your platform.

To apply admin permissions, use this scope:

applied-permissions/admin

For example, when setting the following scope in the Create Token REST API call:

-d "scope=applied-permissions/admin" -d "username=test-user"

The token will be created with admin permissions and will be associated with the user test-user.

Note

It is possible to provide a username that does not exist in the instance, and the token will still be granted admin permissions. The username is only the subject recorded on the token, so restrict who may call the Create Token API with this scope and audit the tokens it produces.

Group Permissions

This scope provides the permissions of one or more groups as specified in your platform. For more information on groups, see Manage Groups.

To apply group permissions, use this scope:

applied-permissions/groups:<GROUP_NAME>[,<GROUP_NAME>...]

Note

Make sure to replace the placeholders in <angle brackets> with your own group names.

Example 1

When setting the following scope in the Create Token REST API call:

applied-permissions/groups:"group2"

The token will be created with the permissions of group2.

Example 2

When setting the following scope in the Create Token REST API call:

applied-permissions/groups:"group_1","group 2","group,3"

The token will be created with the permissions of all 3 groups:

  • group_1

  • group 2

  • group,3

Role Permissions

This scope provides the permissions of one or more project roles as specified in your platform. For more information on roles, see Manage Project Roles.

To apply role permissions, use this scope:

applied-permissions/roles:<PROJECT_KEY>:<ROLE>[,<ROLE>...]

Note

Make sure to replace the placeholders in <angle brackets> with your own project key and roles.

For example:

applied-permissions/roles:jfrogdev:developer,qa

This scope will apply the developer and QA role permissions in the jfrogdev project.

When adding a role with more than one word, such as Project Admin, use quotation marks in the scope. For example:

applied-permissions/roles:jfrogdev:developer,qa,"Project Admin"
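The quoting rules above are easy to get wrong by hand when group names contain spaces or commas, and the whole scope string has to stay within the documented 500-character limit. The following Python helper composes the applied-permission scope tokens shown in this section and assembles them into one scope string. It is an added example, not JFrog code: the scope tokens, quoting and length limit follow this page, while the JSON body produced by token_request_body() only mirrors the "scope" key and the "username" form parameter shown above; the body layout itself is not taken from this page.

```python
"""Compose the scope string for the JFrog Create Token REST API.

Added example, not JFrog code. The scope tokens, the quoting of group and
role names and the 500-character limit follow the page above; the JSON body
layout in token_request_body() is an assumption, only "scope" and "username"
appear on this page.
"""
import json
from typing import Iterable

MAX_SCOPE_LEN = 500  # documented limit on the space-separated scope string

USER_SCOPE = "applied-permissions/user"
ADMIN_SCOPE = "applied-permissions/admin"


def _quote(name: str, always: bool = False) -> str:
    """Quote a group or role name. Names containing spaces or commas must be
    quoted ("group 2", "group,3", "Project Admin"); group names are quoted
    unconditionally, matching the page's examples."""
    if always or any(ch in name for ch in ' ,"'):
        return '"' + name.replace('"', '\\"') + '"'
    return name


def groups_scope(groups: Iterable[str]) -> str:
    """applied-permissions/groups:"<GROUP_NAME>"[,"<GROUP_NAME>"...]"""
    names = list(groups)
    if not names:
        raise ValueError("at least one group is required")
    return "applied-permissions/groups:" + ",".join(_quote(g, always=True) for g in names)


def roles_scope(project_key: str, roles: Iterable[str]) -> str:
    """applied-permissions/roles:<PROJECT_KEY>:<ROLE>[,<ROLE>...]"""
    names = list(roles)
    if not project_key or ":" in project_key or not names:
        raise ValueError("a project key (without ':') and at least one role are required")
    return f"applied-permissions/roles:{project_key}:" + ",".join(_quote(r) for r in names)


def build_scope(*tokens: str) -> str:
    """Join scope tokens with single spaces and enforce the length limit."""
    if not tokens or any(not t for t in tokens):
        raise ValueError("scope tokens must be non-empty")
    scope = " ".join(tokens)
    if len(scope) > MAX_SCOPE_LEN:
        raise ValueError(f"scope is {len(scope)} characters; the limit is {MAX_SCOPE_LEN}")
    return scope


def scope_fits(scope: str) -> bool:
    """Length check on an already-assembled scope string."""
    return 0 < len(scope) <= MAX_SCOPE_LEN


def token_request_body(username: str, scope: str) -> str:
    """JSON body pairing the scope with the user the token is associated
    with. Field layout is assumed; only "scope" and "username" are on this page."""
    return json.dumps({"username": username, "scope": scope})


if __name__ == "__main__":
    scope = build_scope(
        groups_scope(["group_1", "group 2", "group,3"]),
        roles_scope("jfrogdev", ["developer", "qa", "Project Admin"]),
    )
    print(token_request_body("ci-bot", scope))
```

Group names are always quoted because the page's examples quote them even when no special characters are present; role names are quoted only when needed, which reproduces the developer,qa,"Project Admin" form above.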

Resource Permission Scopes

Starting from Artifactory version 7.38.x, you can use access tokens with resource permission scopes to provide scoped access to specific resources, without requiring any permissions to be predefined in the platform or in any project.

The resource permission scope follows this structure:

<RESOURCE_TYPE>:<TARGET>[/<SUB_RESOURCE>]:<ACTIONS>

Where:

Parameter        Description                                                           Example
<RESOURCE_TYPE>  One of the permission resource types, from a predefined closed list   artifact
                 (see the resource types table below).
<TARGET>         The target resource; an exact name or a pattern.                      maven-local
<SUB_RESOURCE>   (Optional) The target sub-resource; an exact name or a pattern.       org/**
                 If omitted, the permission is granted on the entire target resource.
<ACTIONS>        A comma-separated list of action acronyms (see the note below for     r,w
                 the supported actions). To allow all actions, use *.

Note

  • The supported pattern format is ant pattern

  • Each resource type supports a different set of actions

  • Overall supported actions:

    • "r" - read

    • "w" - write

    • "d" - delete

    • "a" - annotate

    • "x" - execute

    • "s" - scan

    • "m" - manage permissions on the resource

Permission resource types:

Resource Type  Target          Sub-Resource   Actions
artifact       Repository key  Artifact path  Read, Write (Deploy / Cache), Delete / Overwrite,
                                              Annotate, Scan, Manage
project        Project key     Members        Read

Artifact Permissions

This scope grants permissions on artifacts in a repository: the target is the repository key and the optional sub-resource is an artifact path or Ant pattern within it.

To apply artifact permissions, use this scope:

  artifact:<REPO_KEY>[/<PATH_PATTERN>]:<ACTIONS>

For example, when setting the following scope in the Create Token REST API call:

  "scope": "artifact:maven-local/org/**:r,w",

Artifactory would generate an access token with read and write permissions to all files under the org folder in the maven-local repository.

Project Permissions

This scope provides access to getting lists of projects and project members.

To apply project permissions, use this scope:

project:<project_key>:r

To apply project members permissions, use this scope:

project:<project_key>/members/**:r

Note

By default, this scope provides permissions for getting a list of members (users and groups) in the specified project. To provide only project users, use this scope:

project:<project_key>/members/users/:r
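Before minting a token it is worth checking locally that a resource permission scope covers exactly the paths and actions a job needs and nothing more. The following Python is an added example, not JFrog code and not the platform's own evaluation logic, which this page does not publish. It parses resource scope tokens according to the documented grammar <RESOURCE_TYPE>:<TARGET>[/<SUB_RESOURCE>]:<ACTIONS>, validates the action letters against the artifact and project rows of the resource types table, applies the Ant patterns, and answers whether a requested artifact or project operation falls inside the scope. applied-permissions/... and system:... tokens are skipped because they depend on definitions held in the platform.

```python
"""Parse resource permission scopes and decide locally whether a token's
scope covers a requested operation.

Added example, not JFrog code: the platform's own evaluation is not published
on this page. Only the artifact and project resource types from the table are
evaluated; applied-permissions/* and system:* tokens are ignored.
"""
import re
import shlex
from dataclasses import dataclass
from typing import FrozenSet, List

# Actions each resource type accepts, taken from the resource types table.
ACTIONS_BY_TYPE = {"artifact": set("rwdasm"), "project": {"r"}}


@dataclass(frozen=True)
class ResourceScope:
    resource_type: str
    target: str              # repository key or project key; may be a pattern
    sub_resource: str        # artifact path / member path pattern; "" = whole target
    actions: FrozenSet[str]  # action letters, or {"*"} for all actions


def parse_resource_scope(token: str) -> ResourceScope:
    """The first ':' ends the type and the last ':' starts the actions; the
    middle holds the target and optional sub-resource, which may contain '/'."""
    rtype, _, rest = token.partition(":")
    path, sep, actions = rest.rpartition(":")
    if rtype not in ACTIONS_BY_TYPE or not sep or not path or not actions:
        raise ValueError(f"malformed resource scope: {token!r}")
    target, _, sub = path.partition("/")
    acts = frozenset(actions.split(","))
    if acts != {"*"} and not acts <= ACTIONS_BY_TYPE[rtype]:
        raise ValueError(f"{rtype} does not support {sorted(acts - ACTIONS_BY_TYPE[rtype])}")
    return ResourceScope(rtype, target, sub, acts)


def parse_scope_string(scope: str) -> List[ResourceScope]:
    """Split the space-separated scope (quoted names respected) and keep
    only the resource permission tokens."""
    return [parse_resource_scope(t) for t in shlex.split(scope)
            if t.partition(":")[0] in ACTIONS_BY_TYPE]


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant pattern: ** spans directories, * and ? stay inside
    one path segment; '**/' also matches zero directories."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def allows(scopes: List[ResourceScope], resource_type: str, target: str,
           path: str, action: str) -> bool:
    """True if any scope token grants <action> on <target>/<path>."""
    for s in scopes:
        if s.resource_type != resource_type:
            continue
        if not ant_to_regex(s.target).match(target):
            continue
        if s.sub_resource and not ant_to_regex(s.sub_resource).match(path):
            continue
        if "*" in s.actions or action in s.actions:
            return True
    return False


if __name__ == "__main__":
    # Constructed scope string for the demo, not one issued by a real instance.
    toks = parse_scope_string("artifact:maven-local/org/**:r,w project:jfrogdev/members/**:r")
    print(allows(toks, "artifact", "maven-local", "org/example/app-1.0.jar", "w"))  # True
    print(allows(toks, "artifact", "maven-local", "org/example/app-1.0.jar", "d"))  # False
```

The check deliberately fails closed: an action letter the table does not list for the resource type is rejected at parse time rather than silently ignored, and a path outside the sub-resource pattern is denied even when the repository matches.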

System Permission Scopes

System Permission Scopes enable providing access to system resources without the need for granting admin access.

System Metrics Permissions

This scope provides access to getting service metrics information.

To apply system metrics permissions, use this scope:

system:metrics:r 

Live Logs Permissions

This scope provides access to getting live logs information. For more information, see Live Logs.

To apply live logs permissions, use this scope:

system:livelogs:r

System Access Identities

This scope provides access to getting lists of users or groups.

To apply identity permissions, use this scope:

system:identities:r

System Access Permissions

This scope provides access to getting a list of all the permissions in the environment.

To apply system access permissions, use this scope:

system:permissions:r

System Licenses

This scope provides access to getting lists of the currently installed licenses in the environment.

To apply licenses permission, use this scope:

system:info/licenses:r

System Storage Information

This scope provides access to getting storage summary information.

To apply storage permissions, use this scope:

system:info/storage:r 

System Repositories

This scope provides access to getting repository configuration information.

To apply repository permissions, use this scope:

repo:<repo_name>:r