The default administrator user gives you access to all aspects of the Nexus Repository Manager (NXRM). It uses the username admin and an initial password that can be found in an admin.password file in the $data-dir directory after startup.
The default configuration comes with roles and users with a standard set of permissions. You can create and customize security settings to protect repositories for multiple departments or development groups. Nexus Repository Manager provides a security model that can adapt to the situation.
Security-related configuration can be performed with the feature views available via the Security section of the Administration main menu. Many of the following features are only available to users with the necessary privileges to access them. The role-based access control system is backed by different authentication and authorization systems and is designed around the following security concepts:
The Realms feature view allows administrators to activate and prioritize the security realms used for authentication by adding them to the active list on the right and placing them higher or lower on the list. The Realms view can be accessed via the Realms menu item located under Security in the Administration main menu. This configuration determines which authentication realms are used to grant user access and the order in which the realms are evaluated.
Privileges control access to the specific functionality of the repository manager and can be grouped as a role and assigned to a specific user.
To access the Privileges control, go to Security in the Administration menu, where it’s listed as a sub-section. A list of privileges is prebuilt in the repository manager. This feature allows you to inspect existing privileges and create new ones.
The list has the following fields:
An example of the view:
Actions define the explicit behavior a privilege is allowed to perform with its associated function.
You can assign a single action or a comma-delimited combination of actions when creating new privileges. The privilege type to which you apply any of these actions will perform the action's implied behavior.
The actions are as follows:
To save a new custom privilege, click the Create Privilege button. The privilege can be found listed among the default privileges on the main Privileges screen. You can use the filter input box to find a specific privilege.
When creating a new Application privilege, you generally need to include the Name, Description, Domain, and actions associated with the privilege.
An example of creating a new Application privilege:
Roles aggregate privileges into a related context and can be grouped to create more complex roles. The Repository Manager ships with predefined admin and anonymous roles.
To inspect these roles, you can go to the view accessible via the Roles item in the Security Section of the Administration main menu. An example of the page:
To create a new role, click the Create Role button, select Nexus Role and fill out the Role Create form. When creating a new role, you will need to supply a Role ID and a name, and optionally a Description. Roles are composed of other roles and individual privileges. To assign a privilege to a role, drag and drop the desired privileges from the available list to the given list under the Privileges header. You can use the filter to narrow down the list of displayed privileges and the arrow buttons to add or remove privileges.
The same functionality is available under the Roles header to select among the available roles and add them to the list of contained Roles.
Once you have everything set up, you can press the Create Role button to create the role. An existing role can be inspected and edited by clicking on its row in the list of roles. This role-specific view allows you to delete the role with the Delete Role button. The built-in roles cannot be edited or deleted. The settings section displays the same fields as the creation view.
An example of creating a new role view:
NXRM comes with two users by default: admin and anonymous. The admin user has all privileges, and the anonymous user only has read-only privileges. The initial password for the admin user can be found in an admin.password file in the $data-dir directory after starting the server.
The Users feature view can be accessed via the Users item in the Security section of the Administration menu. The initial view lists the users alongside their User ID, First Name, Last Name and Email, as well as which security realm is selected and whether the account's status is active or disabled. The default security realm is the local NXRM realm. An example of the users display is:
Clicking on a user in the list or clicking on the Create User button displays the details view to edit or create the user account. For external users, such as LDAP or Crowd users, you can edit their permissions here as well once your external realm is set up. Select the realm the user is in from the Source dropdown, type the user ID into the field to the right of that dropdown, and search for it. Then click on the desired result to edit it, the same as for a local user.
When creating a new user, the ID can be defined and remains fixed thereafter. In addition, you can specify the user’s First Name, Last Name, and Email Address. You must also enter and confirm a Password.
The status allows you to set an account to be disabled or Active. The roles control allows you to add and remove defined roles to the user and therefore control the privileges assigned to the user. A user can be assigned one or more roles that in turn can include references to other roles or to individual privileges.
When editing, the More button on the header allows you to select the Change Password item in the dropdown, and the password can be changed in the new dialog, provided the user is managed by the built-in security realm. Remote users cannot be created here; you can only edit their profiles, and fields defined by the remote system, such as the ID, will be uneditable. Be sure to change the password of the admin user to avoid security vulnerabilities. Alternatively, you can create other users with administrative rights and disable the default admin user.
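Because roles can contain other roles, a user can hold administrative rights without the admin role being assigned directly. The following added example (not part of the original article or of NXRM) flattens nested roles and lists active accounts that end up with the all-access privilege. The data is constructed, and the record shape and the names `nx-admin` and `nx-all` for the built-in admin role and its privilege are assumptions about the export being audited.

```python
# Constructed sample data: an assumed export of roles and users, not from a real server.
ROLES = {
    "nx-admin": {"privileges": ["nx-all"], "roles": []},
    "nx-anonymous": {"privileges": ["sample-read-all"], "roles": []},
    "developers": {"privileges": ["sample-read-maven"], "roles": []},
    "release-managers": {"privileges": ["sample-edit-releases"], "roles": ["team-leads"]},
    # team-leads quietly contains the admin role and points back at its parent.
    "team-leads": {"privileges": [], "roles": ["nx-admin", "release-managers"]},
}
USERS = [
    {"userId": "admin", "status": "active", "roles": ["nx-admin"]},
    {"userId": "anonymous", "status": "active", "roles": ["nx-anonymous"]},
    {"userId": "jdoe", "status": "active", "roles": ["developers", "release-managers"]},
    {"userId": "old-ops", "status": "disabled", "roles": ["nx-admin"]},
]
ADMIN_PRIVILEGE = "nx-all"  # assumed name of the all-access privilege


def effective_privileges(role_ids, roles=ROLES):
    """Flatten nested roles into the full set of privileges they grant."""
    granted, seen, stack = set(), set(), list(role_ids)
    while stack:
        role_id = stack.pop()
        if role_id in seen:
            continue  # already expanded; also stops circular references
        seen.add(role_id)
        role = roles.get(role_id)
        if role is None:
            continue  # reference to a role missing from the export
        granted.update(role["privileges"])
        stack.extend(role["roles"])
    return granted


def audit(users=USERS, roles=ROLES):
    """Return (userId, 'direct' | 'inherited') for active users holding ADMIN_PRIVILEGE."""
    findings = []
    for user in users:
        if user["status"] != "active":
            continue  # disabled accounts cannot log in
        if ADMIN_PRIVILEGE not in effective_privileges(user["roles"], roles):
            continue
        direct = any(ADMIN_PRIVILEGE in roles.get(r, {}).get("privileges", [])
                     for r in user["roles"])
        findings.append((user["userId"], "direct" if direct else "inherited"))
    return sorted(findings)


if __name__ == "__main__":
    for user_id, how in audit():
        print(f"{user_id}: holds {ADMIN_PRIVILEGE} ({how})")
```

An "inherited" finding is the case the Users view does not make obvious: the assigned roles look harmless, but one of them contains a role that grants everything.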
An example of creating a new user view:
To enable appending a default role to all authenticated users, create a new Capability (further reading can be found in the Capability documentation) using the Capability type “default Role”. You will then be able to select the role that you want applied to the users. Once this is saved, the default role realm will be added to the active list of security realms and will start applying the new role to all authenticated users. The default role is appended to authenticated users dynamically and will not show up as an assigned role for any user on the User settings page.
To create a new content selector, click on Content Selectors located in Repository from the Administration menu, and click on Create Selector from the new menu. In the Selector ID field, enter a name, and add an optional Description for the new selector. In the Specification section, use the Search expression field to build your query using CSEL syntax. You can preview your selector and the results it will return by clicking the Preview Results button. On click, a modal will appear with the list of results. The Expression field will automatically be filled in with anything you had in the Search expression field. Similarly, any changes to Expression will be saved to the Search expression when you close the preview. An example of this:
To see the results your selector would find, select a repository or group of repositories from the Preview Repository dropdown and click the Preview button. Assets that match will be returned in the space below the filter and can be filtered further if you wish to check on a specific result. The Name column is also sortable in ascending or descending order. Close returns you to the content selector creation screen.
Once you are satisfied with your fields, click Create selector to create the Content Selector. All saved selector queries you create will be listed in the Content Selectors screen.
As part of the security setup, you can create user permissions to manage the filters you built in the create selector form. You can add a new privilege that controls operations such as read, edit, delete, and all ( * ), for components matching that selector. The privilege can even span multiple repositories.
To create a new content selector privilege, click Privileges in the Security section of the Administration panel, then click the Create Privilege button. Locate and click Repository Content Selector in the list of options in the Privilege Type selection, and fill out the following form:
Sean Malloy is working as an Automation Engineer at Crest Data Systems. Sean has worked on multiple automation and 508 Compliance projects for Splunk. Before joining Crest, Sean worked as an intern twice at SAP and has led multiple projects as part of his internship for Machine Learning and web development. Sean holds a Bachelor’s degree from UC Davis.