Access to group repo grants access to all member repos?

I’m migrating from artifactory to nexus and just noticed that a simple read access to a group maven repo grants read access to all repos inside this group - even if the member repos are not accessible for the user. This would make privileges completely useless, so I don’t think this is the desired behavior - but what do I miss?

My test user only got a read-privilege on the group repo but could download artifacts from the hosted member repo.

BTW: In Artifactory these groups work out-of-the-box as I expect…

This is by design, permissions for the group repository grant access for the user to make requests to content the group provides.

Group permissions do not provide access when talking directly to a member repository.

1 Like

You may find this article to be of some help:

It was written for Nexus Repo 2, but the principles are the same for 3.

Thanks for the clarification about group permissions. For me it’s a little bit unusual since this involves somehow group-repos in the permission model. Maybe you could explicitly document this somewhere.

This article a few hours earlier would have saved me some time :wink:

But I did it exactly like this: deny company artifacts on the group repo and activate the sub paths for teams. It works, but makes permissions quite complex because the content selectors for read access depend on string patterns. And I had to mix content selectors for read and repo views for write.

Seems to me a little bit complex for a common use case, but it works.

The solution with the different team groups doesn’t work very well if a user is in several groups because there’s no fixed url.