Managing Global Roles
Please note that the Access and Identity tab changes when navigating between the Platform view and the Project view in the UI. In the Platform view, you will find the Global roles and the Project view displays Members and Roles.
Global roles only apply to Projects and are predefined in the JFrog Platform. New Global roles cannot be added but Platform Admins can change the default environment and modify the actions set for each roles. The Global roles are inherited to the Project roles and can be edited by the Project Admin at the Project level.
Required Platform Admin Permissions
Only users with the 'Administer the Platform' role can set the environments and modify the environments and actions set for Global roles.
Setting Environments and Actions for Global Roles
To view the Global roles in the Administration pane, ensure that you have selected All Projects from the Projects list in the taskbar.
The Platform Admin has the option to enable or disable the actions and the environments associated with each of the Global roles - Project Admin, Developer, Contributor, Viewer, and Release Manager.
From the Administration module, navigate to Identity and Access | Global Roles.
A list of default Global roles are displayed, allowing you to change the default environment from Dev to Prod or enable both and modify the actions set on each role by selecting the edit icon located in the far right of the action entry.
Managing Project Roles
Project roles are set by the Project Admin and comprise of a predefined set of Global roles together with a set of customized Project roles. The combination of Global and Project-specific roles within a Project role provide multiple layers of granularity when setting access rights on Projects. When creating a new project, the Project Admin can modify the actions set in the Global roles and create new Project roles for each of the Projects to which they are assigned.
The following example demonstrates the permissions in the case of a Developer Global role and a Lead Developer Project role:
The Developer Global Role is granted the Read and Write actions in the DEV and PROD environments
The Lead Developer role is granted the Write and Delete actions in the DEV environment
The user or group assigned to the Developer role will be able to Read and Write artifacts in DEV and PROD environments. Adding the Lead Developer to the same user or group will also provide them with the ability to delete artifacts in the DEV environment only.
Step 1: Creating Project Roles
To create a Project role, you must be assigned an 'Administer the Platform' role or a Project Admin role.
From the Projects list, select the project on which to assign the role.
On the Project level, navigate to Identity and Access | Roles.
The Roles page is divided into Global roles and their assigned actions for the project and the user-defined Project roles.
Click Create Project Roles.
In the Create Project Role dialog, configure the role settings:
Type your user-defined Project Role name.
(Optional) Set the role in the DEV or PROD Environments. The default is set to DEV.
Set the Basic or Advanced role actions to be assigned to the role:
The Basic tab supports a limited number of actions regardless of the resource type.
The Advanced tab supports another level of granularity allowing Project Admins to assign actions according to resource type.
The action settings in the Advanced tab will be removed when moving back from Advanced to Basic mode.
The following example displays the QA Testing role in the US R&D Project with advanced actions including Read and Annotate on repositories, Builds, Release Bundles and Pipelines and the Trigger action on Pipelines.
Step 2: Adding Members to Projects
Project members are users that have been assigned a role. Unlike Project Admins, which are added by the Platform Admin as part of the process of creating a Project, Project members are simply users that have been added to the Members tab.
To add members to a project, go to Identity and Access | Members.