Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-26282

Enhance project role permission granularity




      In general, while permission targets allow to create very fine-grained permissions for each repository, these are not possible when using a Project.

      When a Project is used, any permissions granted to a role are applied to all repositories within the project. For example, if a role has a Viewer permission, it means that it will be able to see each of the Project's repositories. The only possible technical limitation is selecting which environment (DEV or PROD) the role can the permissions apply to.

      I like how Projects provide a good abstraction to group different resources that have a similar goal e.g. belong to the same team. However, I would like to see more granularity in the Project's role permissions so that it can apply to a specific set of Project's repositories instead of all.

      An example use case is the following: a project is used by a team. This project has different roles, and these are associated to different users. It also has repos of different nature, such as Docker, Helm, Maven, NPM. And now, the orchestrator needs to pull an image from the Docker repository. This is easily achieved by creating an access token, associating it to a group and role. However, the current limitation implies that this role that would otherwise only need read-only access to the Docker repository, will have access to all the repositories.

      This limitation also affects a similar use case where different access tokens are generated for each of the repos (as those may be used by different tools) so that if one of them leaks, the impact is reduced. But since these tokens would have access to every single repository, this isn't possible.

      I hope this description is enough to consider this feature which is otherwise present in Artifactory as a permission target. Also it's important to remind that roles can already be limited through the environment as previously mentioned, so it may make sense that further delimitations can be drawn.




            Bacterigerm Ruben
            7 Vote for this issue
            12 Start watching this issue