Sonatype nexus : Create role based on repositories name

Question

I'm actually managing a Nexus 3 instance for a multi-team compagnie and I want to dedicate some repository to some team.

To be more clear, I have a team A and a team B and npm, pypi and raw repositories for each teams.

Team A can't access team B repositories and vice versa

My repository names are : <team>-<technology>-<maturity>

Like : teamA-pypi-release

What I want to achieve is to create a role for each team that grant Read/Write access to each team repositories. I don't want to create one privilege per repository (the target is to mange around 130 teams with each 3 to 4 repositories) so I wanted something simple that can use a wildcard like <team>-*, it seems that it's not supported in Repository View Privileges.

Did someone as any tips for this ? or some best practices for multi-tenancy Nexus ? Maybe I'm thinking it wrong :)

Thanks

Answer 1

For those who have the same questions as me :)

I finally achieved this by creating one repository for all teams (can be duplicated like a release and snapshot repos...), then you need a content selector by teams to filter the view.

I’ve used the following query to filter, teamA example:

path =~ ".*/" or
format == "raw" and path =^ "/teamA/"

Then I’ve created a privilege by the team with the correspondent content selector with * as allowed actions.

And finally I’ve a role for each team with the following privileges:

• My content selector privilege previously created
• nx-search-read ==> Allow user to search artifacts from Nexus GUI
• nc-component-upload ==> Allow user to upload artifacts from the Nexus Gui

With this, all users can browse and upload artifacts only in their dedicated folder.

The search and upload privileges are not mandatory if users don’t use the Nexus GUI.

One limitation is that users can see all folders at the root level but they can’t see ton content of them, which is not an issue for use.

Hope this help :)