Projects Concepts and Terminology

Overview

As part of JFrog Projects, you will encounter new terminology and concepts that apply to projects and are important to understand before planning and start working with project.

Please make sure you have read these topics before creating your first project:

Basic Projects Terminology
Project Roles and Members Concepts

Once you have planned your projects structure, you can proceed to create your first project and learn more about Managing Projects.

JFrog Subscription Levels

SELF-HOSTED

_{ENTERPRISE X ENTERPRISE+}

Page Contents

Basic Projects Terminology

To help you get started with Projects, refer to these basic terms and concepts.

The following diagram describes the basic components within the project entity.

Project

A project is an organizational management entity in the JFrog Platform for hosting your resources (repositories, builds, Release Bundle, and Pipelines, etc.) and associating users/groups as members with specific entitlements.

Assigned/ Unassigned Resources

The JFrog Platform differentiates between assigned and unassigned resources in the scope of projects. When upgrading to the Platform with Projects, all the resources are set as 'Unassigned' as they have not yet been assigned to any project. To support assigning multiple resources to projects, you can assign projects to resources from the unassigned tab.

Project Key

A unique Project Key that helps you identify and group your projects. For example, add a key that identifies the location of the project in the US Site or the type of team - the Developer Team.

Project Members

Users or groups that are assigned a role in a project become a Project Member and are listed in the Members list for the project.

Resources

Resources are entities within the JFrog Platform including repositories, builds, and Pipelines. A set of product-specific actions are available if the product is installed on your system.

Environments on the Project

An Environment is used to aggregate project resources for simplified management of project resources (repository, Pipeline source, etc.) associated with either the DEV (Development) or PROD (Production) or both environments. It is mandatory to have at least one environment assigned to a resource and each resource is initially created in the DEV environment. You can assign a set of actions to the project members on each of the environments, providing you with an additional layer of role-based access granularity.

Role-Based Access Control (RBAC) and Actions

JFrog Platform users and groups can perform a set of actions in projects using a set of dedicated project-related RBAC roles including Global and project roles.

Project Personas

A set of dedicated project personas are set on the project level comprising of Global roles and Project roles. The main built-in role is the Project Admin role. By default, All Platform Administrators are automatically granted the Project Admin Role. For more information, see Project Roles and Members Concepts.

Xray Terminology and Concepts in Projects

Global Policy

A Policy that can be used in a Global Watch or a Project Watch when you have a set of rules that apply to more that one project or on all projects in your organization. A Platform Admin, a Security Manager, and a user with Manage Policies permissions can create Global Policies.

Global Watch

A Watch that can be applied on resources in any project or unassigned resources that are not specific to a project. A Platform Admin, a Security Manager, and a user with Manage Watches permissions can create Global Watches. Starting from Xray 3.27.2, you can apply a Global Watch on a Project resource. For more information, see Global Watches

Create a Global Watch and Global Policy in the context of All:

Global Watch Violations

Violations created by a Global Watch are not project specific, and will appear in the list of violations where the scanned resource resides, in any project. A user cannot ignore a violation from a Global Watch, only a Security Manager with the Ignore Global Watch Violations privilege can create a Global Ignore Rule.

Global Watches can only contain Global Policies.

Global Report

A report that can be defined on all resources regardless of a project. A Platform Admin, a Security Manager, and a user with Manage Reports permissions can create Global Reports. Starting from Xray 3.27.2, you can create a Global Report on the Project scope. For more information, see Global Xray Reports.

Project Policy

A Policy that is created and used in the scope of a specific project. A Platform Admin, a Project Admin, a Security Manager, and a user with Manage Policies permissions can create project level Policies.

Project Watch

A Watch that is created and used in the scope of a specific project. A Platform Admin, a Project Admin, a Security Manager, and a user with Manage Watches permissions can create project level Watches.

Create a Project Policy and Project Watch in the context of the project you are in:

Project Watch Violations

Violations created by a Project Watch are applicable to that specific project and will appear in the list of violations for a user within that project. Other users who are not members of the project will not see these violations. A user with Manage Watches permissions, a Platform Admin, a Project Admin, and a Security Manager can ignore a violation from a Project Watch.

Project Report

A report that that can be defined on resources in a specific project. A Platform Admin, a Project Admin, a Security Manager, and a user with Manage Reports permissions can create project level Reports.

Project Roles and Members Concepts

Projects is based on the JFrog RBAC (Role-based Access Control) mechanism that simplifies the notion of permission targets. Three main categories of roles are supported: Platform, Global, and Project roles. These roles enable users that have been assigned to these roles to perform a set of predefined actions associated with the role on all of the resources in the project.

The following Admin roles can manage projects and assign roles to project members and allocate resources:

Platform Admins are users that are set with the 'Administer the Platform' role and are referred to as Platform Admins in the scope of projects.
Project Admins are assigned by the Platform Admins to perform project-related admin tasks. To gain more flexibility, Project Admins can assign roles to different environments within a project. Each project comes with these predefined environments: DEV (Development) and PROD (Production). Resources in the JFrog Platform that are associated with Environment and Role Actions define the different access rights to the resources within each of the environments.

Permission Targets are replaced with Roles

Roles replace permission targets, that are only available when upgrading from a previous version to the JFrog Platform supporting projects.

Global and Project Role Types

Global and Project roles allow Platform users and groups assigned with these roles to perform a full array of actions on their projects. A user or group becomes a project Member after they have been assigned at least one Global or Project role within a selected project. The roles are intended to manage the access rights of users or groups according to their role definition. The roles can include: Project Admin, Developer, Contributor, Release Manager, etc. The additional breakdown into Project roles provides flexibility when assigning different roles to the same user across the different projects. Project roles are more specific and represent access rights relevant to the specific project.

Global role-related procedures apply to all projects, whereas Project roles are project-specific and comprise of Global and Project roles. Global roles are assigned by the Platform Admin, whereas Project roles are defined by a Project Admin role. Global roles cannot be renamed or deleted; however the actions assigned to each role can be customized.

A project runs in either an DEV (Development) or PROD (Production) environment or both. You can assign a set of roles to project members on each of the environments, providing you with an additional layer of role-based access granularity.

Project Supported Actions by Role Types

Roles are cumulative, and are associated with a set of actions that allow users to have multiple roles within the predefined Platform hierarchy: Platform Administrators have the 'Administer the Platform' role and have full control over the entire platform including projects, while Project roles apply to specific projects or multiple projects. For example, a user can be a Project Admin for Project A and be assigned a Contributor role in Project B. In cases whereby there is a clash between roles at different levels, for example between a Global role and a project level, the project level role takes precedence.

Roles can be assigned two main types of actions:

CRUD Actions: A set of predefined CRUD Actions that can be applied at the Global role and Project role levels to each of the resources, including Read Artifacts, Write Artifacts, Delete Artifacts, and Delete Builds.

Product-based Actions: A set of product-specific actions are available if the product is installed on your system.
For example, if you have installed:
- JFrog Xray: The Trigger security scans action is supported
- JFrog Distribution: The Distribute Release Bundle action is supported
- JFrog Pipelines: The Trigger Pipeline and Manage Pipelines actions are supported

The following section lists the different roles and their associated actions.

Administer the Platform Role (Platform Admin)

This role is set at the User and Group level. By default, Platform administrators are considered 'Project Admins' and have full admin permissions on all the projects. They can view and manage the projects from the main projects dashboard and assign Projects Admins to perform admin types.

Create projects and delegate administrative rights for those projects. Sets quotas for projects, allowing groups to own multiple projects while still having the option to set quotas for individual projects
View the Projects dashboard
Set actions on Global roles
Assign Project Admins to Platform Users and Groups.
Grant Project Admins 'Manage Resources' and 'Manage Members' privileges.
Grant Project Admins Xray security privileges, such as 'Index Resources', 'Manage Security Assets, and 'Ignore Global Violations'.
Create Global and Project Policies, Watches and Reports.
Ignore Global Watch Violations.
Set storage quotas on projects
Perform CRUD operations on projects
Define CRUD operations across projects including moving, copying and deleting projects.
Move repository reassignment from one project to another.
Create new resources (Repositories, Builds, and Pipelines, etc.)

Global Roles

Global roles are predefined high-level Project roles that allow project Members assigned with the role to perform a set of actions on all of the projects. The Platform admin defines the scope of the role by enabling the actions supported for each role and sets the environments - DEV (Development) or PROD (Production) in which the Global role will apply. The predefined global roles are:

Project Admin
Developer
Contributor
Viewer
Release Manager
Security Manager

The Global roles contain a set of actions that can be performed on resources within the projects including CRUD actions and product specific actions.

Basic Project Actions

Read Artifacts	Download artifacts and read the metadata.
Write Artifacts	Upload artifacts
Delete Artifacts	Delete or overwrites artifacts.
Delete Builds	Delete or overwrites artifacts.
Distribute Release Bundle	Requires an Enterprise+ license. Distribute Release Bundles according to their destination permissions
Trigger Pipelines	Manually trigger execution of steps
Manage Pipelines	Manage Pipelines: Create and edit pipeline sources
Trigger Security scan	Triggers Xray security scans on indexed resources
Manage Xray Data	Trigger Xray scans on builds. Create and delete custom issues and licenses.
Manage Reports	Manage, delete and modify Xray reports.
Manage Watches and Polices	Manage, delete and modify Xray Watches and Policies.
Ignore Global Violations	Ignore violations created by a Global Watch and are not project specific.

Project Admin Role

The Project Admin is a Global role and is equivalent to the Platform Admin role at the project level.

Add and remove members in projects and across projects
Add resources to the project including: Repositories, Builds, and Pipelines sources.
Manually select resources to be indexed and scanned by Xray, if given the Index Resources privilege.
Create and manage project level Policies, Watches, and Reports, if given the Security Manager role.
Ignore Global Watch Violations if given the privilege.
Can onboard project Members (add/remove users/groups to roles)
Allow creating Ignore Rules on Security Violations

Project Roles

The Project Admin can assign a set of project-specific actions to Project roles, for example:

Automation Engineer
Contributor
Annotator

You can assign Basic or Advanced actions to your Project role.

Moving from Advanced to Basic Actions

Moving back from Advanced to Basic settings will delete your Advanced settings.

Basic Actions
A set of actions that are performed on resources within the projects, including CRUD actions and product-specific actions. The actions associated with the basic Project roles are identical to Global Project actions.