Tech Resource - Best Practice - Configuring a Least-Privilege Firewall User

firewall
privileges
rbac

Problem Statement

When the NXRM Firewall connection to IQ Server is configured with an “admin” user, every IQ Server application is listed in the Component Information Panel (CIP): https://help.sonatype.com/integrations/iq-server-and-repository-management/iq-server-and-nxrm-3-x/viewing-component-information-in-nxrm-3-x

Sample:

Solution

Define a dedicated user (“nxrmfirewall” in the example below) in IQ Server that has access to only a single “sandbox” or “sample” application, so that only that application appears in the CIP.

Background Information & Limitations

Sample Implementation Steps

Step 1: Create a “NXRM Firewall” User in IQ Server

Step 2: Assign “Component Evaluator” Access to Repositories

Step 3: Create or Select an Application and assign “Component Evaluator”

Step 4: Update the IQ Server configuration in NXRM to use the newly created user

Step 5: Browse the Repo to Test the Application list in the CIP

Assigning Firewall Report Access to a Repository User

This is not covered in as much detail as the steps above, but if a repository user (i.e. a developer) needs access to the Repository Firewall report, they will need a role created with the following privileges and assigned to them.

You will need to assign this role to the user's LDAP group.

  • nx-blobstore-read: needed to view the repository admin details.
  • nx-iq-violation-summary-read: needed to see Firewall violations.
  • nx-repository-admin-maven2-maven-central-read: needed to view maven-central violations.
  • nx-repository-admin-{format}-{proxy-repository-name}-read: one of these is needed for each additional proxy repository the user must be able to view.
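The following script builds the read-only report-viewer role from the privilege list above and audits a privilege list for anything broader than that (nx-all, wildcards, write actions). It is an added example, not Sonatype's code; the role dict layout mirrors the body accepted by the Nexus Repository security roles REST API (an assumption here, check it against your version's API docs), and the role id and repository names are constructed.

```python
"""Build and audit a read-only Nexus Repository role for viewing Firewall
reports, using the privilege pattern from this page. Added example, not
Sonatype's code; the dict layout mirrors the role body of the Nexus security
REST API (an assumption here, check against your version's API docs)."""
import re

# Fixed privileges the page lists for viewing Firewall reports.
BASE_PRIVILEGES = ("nx-blobstore-read", "nx-iq-violation-summary-read")
# Page's template: nx-repository-admin-{ format }-{ proxy repository name }-read
REPO_READ_TEMPLATE = "nx-repository-admin-{fmt}-{repo}-read"
REPO_READ_RE = re.compile(r"^nx-repository-admin-[a-z0-9]+-[A-Za-z0-9._-]+-read$")


def repo_read_privilege(fmt, repo):
    """Expand the template for one proxy repo, e.g. ('maven2', 'maven-central')."""
    return REPO_READ_TEMPLATE.format(fmt=fmt, repo=repo)


def build_firewall_report_role(role_id, proxy_repos):
    """Role granting only what report viewing needs; proxy_repos is an iterable
    of (format, repository-name) pairs. Map the role to the developers' LDAP group."""
    privileges = set(BASE_PRIVILEGES)
    privileges.update(repo_read_privilege(f, r) for f, r in proxy_repos)
    return {
        "id": role_id,
        "name": role_id,
        "description": "Read-only access to Repository Firewall reports",
        "privileges": sorted(privileges),
        "roles": [],  # no nested roles, so nothing is inherited by accident
    }


def audit_role(privileges):
    """Return (privilege, reason) pairs for anything broader than read-only
    report viewing: nx-all, wildcards, write actions, unrelated privileges."""
    findings = []
    for priv in privileges:
        if priv == "nx-all" or "*" in priv:
            findings.append((priv, "all-access or wildcard privilege"))
        elif priv.startswith("nx-repository-admin-") and not priv.endswith("-read"):
            findings.append((priv, "repository admin action is not read-only"))
        elif priv not in BASE_PRIVILEGES and not REPO_READ_RE.match(priv):
            findings.append((priv, "not needed for Firewall report viewing"))
    return findings


if __name__ == "__main__":
    role = build_firewall_report_role("firewall-report-viewer", [("maven2", "maven-central")])
    print(role["privileges"], audit_role(role["privileges"]))
```

Run `audit_role` against the privilege list of any existing role you are about to map to the LDAP group; an empty result means the role grants nothing beyond the set listed above.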