Restrict development staff from downloading artifacts from Internet

I am using Nexus 3.29.2 OSS. I have a particular scenario where I do not want development staff to be able to download artifacts from maven central (internet). They should only be able to use what already exists in that repository.
A specific admin role should be able to fetch/download artifacts from maven central, which can then be used by other staff.
Is it possible to configure user permissions/privileges like this ?

It sounds like you’re trying to build a golden repo which is considered an anti-pattern. We recommend using Nexus Firewall to prevent undesired packages from entering your repositories, or Nexus Lifecycle to keep you protected through complete software development lifecycle.
However, if you insist on building your golden repo, you will not be able to accomplish this using proxy repository, because there is no granular permission that would allow user to only download pre-existing content and prevent from downloading new content. You can restrict what content can be served (and downloaded from remote) based on their path using either Routing Rules or Content Selectors, but this will require you to write down all allowed paths manually.
If you really have to restrict your users to be able to download only the pre-approved components, you would have to use a hosted repository where you manually upload your approved content. Please believe us, this is truly terrible, terrible idea.