Skip to end of metadata
Go to start of metadata

Overview

From version 1.9, JFrog Xray offers a flexible permissions model that gives an administrator fine-grained control over how users and groups access the different features of Xray. 

Authentication Provider Recommended

While it is not compulsory to specify an Authentication Provider, it is a recommended best practice. Through an authentication provider, you can apply permissions to all users defined in your LDAP or SAML servers, and also those internally defined in the corresponding Artifactory instance. Without an authentication provider, you can only apply permissions to users internally defined in Xray.

Permissions are managed as a set of rules applied to three vectors: Resources, Users/Groups and Actions.

Resources

Resources define the scope of a permission and specify the repositories and builds in the connected Artifactory instance to which the permission applies. Xray also lets you specify a Global Scope for a permission, and in this case, it applies to all repositories and builds in the connected Artifactory instance. For example, if a rule provides a user with "View Components" permission (see Actions below) on a global scope, it means that user will be able to see the components of all repositories and builds in the system.

Users and Groups

Once the scope of a permission (specific repositories/builds or Global Scope) is specified, you can specify the users and groups to which the permission applies. If you have selected one of the connected Artifactory instances as an Authentication Provider, Xray will work with the users and groups defined in the corresponding Artifactory instance. If you are not using an Authentication Provider, Xray will work with its own, internally defined users.

Page Contents

Actions

Once you have defined the resources and users/groups to which a permission applies, you can specify the actions that those users/groups can perform on the specified resources. The table below describes the actions you can specify for a permission.

ActionDescription
View Components
Allows the specified users/groups to view components on the resources specified in the rule. This applies to any activity related to components such as component search, component details, impact of issues etc. For example, if a repository called "maven-special" is not included in the scope of a permission, users/groups specified in that permission will not see any of the components hosted in that repository. Those components won't turn up in search queries, they won't be displayed in issue analysis etc. Note that this permission is version-agnostic which means that users/groups specified in the permission can see all versions of a component, even if some of those versions are in resources outside of the scope defined in the permission.
Manage Components
Allows the specified users/groups to perform actions on components in the specified resources. Currently, the only action available is to manually trigger a scan.
View Watches
Allows the specified users/groups to see Watches and Issues related to the resources specified in the permission.
Manage Watches
Allows the specified users/groups to add, edit and delete Watches, Ignore Violations related to the resources specified in the permission, and assign policies to Watches.
View Reports
This action can only be applied to a Global Scope. It allows the specified users/groups to view global security and license reports.
Admin
This action can only be applied to a Global Scope. It allows to view the Admin module and perform all actions available to an Xray administrator such as managing connected Artifactory instances, doing a DB sync etc.
Manage Policies
Allows users to view/add/edit/remove policies in the system.

 


Activating Permission Management 

For a clean installation of JFrog Xray version 1.9 and above, permission management is automatically enabled and you can create and edit permissions as described in the sections below. 

When upgrading Xray from a version that is below 1.9 to version 1.9 and above, when you start up Xray, it will migrate your component database to enable permission management. This process is initiated automatically by Xray upon startup and may take a while depending on the size of your database, however, the process runs in the background allowing you to continue using the other features of Xray in the mean time. You can view the progress of the migration process in the Admin module under Security | Permissions.

Migrating the components database

Permission management must be activated to be functional

Once the component database migration is complete, you must activate permission management for it to be functional. Note, however that activating permission management is optional. You may continue using Xray, as before, without any permission management. In this case all users accessing the system will have the same Admin privileges.

Once you activate permission management, you can create and edit permissions as described in the sections below.

 


Creating and Editing Permissions

You can access the list of Permissions defined in Xray from the Admin module under Security | Permissions.

Permissions

Double-click a Permission Name to edit an existing Permission, or click "New Permission" to create a new one.

Creating editing a permission is done in three steps.

  1. Specifying Resources
  2. Specifying Groups and Actions
  3. Specifying Users and Actions

After completing these steps, make sure to click "Save & Finish" to save your changes.

Specifying Resources

 

Permission Name
A logical name for this permission.
All Resources
If selected, this permission applies to all resources available. When selected, the rest of this form is disabled since there is nothing more to specify.
Selected Resources
If selected, you need to specify the resources (Artifactory instances, repositories and/or builds) to which this permission applies.
Filters

Gives you control over which resources this permission should apply.

Filters

Available Resources
Displays the resources available for this permission according to the filters you have applied.
Selected Resources
Displays the resources you have selected for this permission.

Once you have specified the resources for this permissions, select the Groups tab to specify the groups on which to apply it.

Specifying Groups and Actions

The Groups tab will display groups defined in the Artifactory instance specified as your authentication provider.

Using the arrow, or by double-clicking, add the Groups for which you want to define actions and then specify the actions allowed.

Specifying Groups and Actions

Once you have specified Groups and their allowed actions for this permission, select the Users tab to specify additional users on which to apply it.

Specifying Users and Actions

The Users tab will display uses defined in the Artifactory instance specified as your authentication provider as well as any other users defined internally in Xray.

Note that the list of users indicates where each user is defined. In the example below, we can see that the user called elady@jfrog.com is imported from the connected Artifactory instance defined as the Authentication Provider which is using SAML for authentication.

Using the arrow, or by double-clicking, add the users for which you want to define actions and then specify the actions allowed.

Specifying Users and Actions

 

 

 

 

 

  • No labels