Access and Authorization in Packages

Private and public repositories

You can create package repositories only within a particular project, i.e., repositories are project-wide entities. User permissions depend on the user role within the project and a repository type – private or public. In more detail:

Private	Only authorized users can access private repositories. The access is managed by the Package Repositories permissions group. By default: Project Member has Read, Write, Create, and Delete permissions. Organization Member has only Read permission. Project Admin in addition to Read, Write, Create, and Delete has the Admin permission that allows editing repositories. Automation Service has Read and Write permissions. When an Automation job pulls or pushes packages, it uses this predefined role to access repositories.
Public	All unauthorized users have Read permission to public repositories.

Private

Only authorized users can access private repositories. The access is managed by the Package Repositories permissions group. By default:

Project Member has Read, Write, Create, and Delete permissions.
Organization Member has only Read permission.
Project Admin in addition to Read, Write, Create, and Delete has the Admin permission that allows editing repositories.
Automation Service has Read and Write permissions. When an Automation job pulls or pushes packages, it uses this predefined role to access repositories.

Public

All unauthorized users have Read permission to public repositories.

To change the repository access type

Find the required repository.
Open repository settings.
Choose Public access or Private access.

To change repository access permissions for a role

Find the required project.
Open Project Settings → Access.
In the list of roles on the left, choose the role for which you want to change access permissions.
Set required permissions in the Package Repositories group.

Grant access to a repository to specific users and teams

As package repositories are project entities, by default, access to them is granted based on user roles within the project. However, you can make it more granular, providing access to a repository to any specific Space user or team.

Find the required repository.
In the repository menu, choose Share.
Add members or teams to which you want to grant access to the repository.
For each added member or team, choose the required access level:
- Viewer has only Read permission.
- Writer has Read and Write permissions.
- Manager has Read, Write, Delete, and Admin (editing repositories) permissions.
Choose the access policy:
- Inherited access (default) – the added members and teams get access to the repository based on the specified access level. All other members continue to access the repository based on their project roles.
- Restricted access – the added members and teams get access to the repository based on the specified access level. All other members lose access to the repository.
Click Update access. If Notify new members is selected, all added members will receive a notification about the granted access.

Authorize in Packages

Packages support a number of authorization ways:

Authorization	Use case
Using your Space username and password (Not recommended)	Accessing a repository with a tool like `docker`, `mvn`, `dotnet`, and so on.
Using your Space username and personal token	Accessing a repository with a tool like `docker`, `mvn`, `dotnet`, and so on.
Using an application account	Accessing a repository from an external service, for example, a CI/CD server.
No authorization (only public repositories)	Accessing publicly available repositories.

Authorize with Space user account

When asked for credentials, you can provide your Space username and password, though, this is not a secure way to access repositories. We strongly recommend that you use a personal permanent token instead of a password.

To create a token for Space Packages

To create a token, go to My Profile | Authentication | Personal Tokens and choose New personal token.
When creating the token, provide it as minimum permissions as possible:
- In Token permissions, select Limited access.
- With Add context, you may limit the token with access only to repositories of a particular project.
- Edit the particular permission context: add Read package repositories and Write package repositories for giving Read and Write access correspondingly.
Copy the generated permanent token to a secure place.
When a tool or an application asks you for the password, you should specify this token instead.

Authorize with application account

On the main menu, click Extensions and choose Installed.
Click New Application.
Specify the account Name.
Click Edit requested rights and provide the account as minimum rights as possible. To work with Packages, only rights from the Package repositories group are required.
After the application is created, switch to the Authorization tab.
Click Add project and select projects. The account will get access only to the repositories of the selected projects.
Switch to the Permanent Tokens tab and click New permanent token.
Copy the generated permanent token to a secure place.
Open the Authentication tab and copy the Client ID field.
When a tool or an application asks you for credentials, specify the copied Client ID as a username and the generated permanent token as a password.

Last modified: 21 December 2023