Federation Permissions
Identify the roles and internal scopes required for Federation operations.
This reference describes user-facing permissions and internal scopes used by Federation operations.
User-Facing Permissions
Platform Administrator
All Federation management operations require Admin role.
| Operation | Required role |
|---|---|
| Create Federated repository | Admin |
| Edit Federated repository | Admin |
| Delete Federated repository | Admin |
| Add/remove members | Admin |
| Trigger Full Sync | Admin |
| Set priority | Admin |
| Push configuration | Admin |
| View Federation status | Admin |
Platform User
Developers and build engineers use this role for artifact operations.
| Operation | Required permission |
|---|---|
| Browse artifacts | READ |
| Deploy artifacts | DEPLOY |
| Resolve artifacts | READ |
| Use Set Me Up (resolve snippets) | READ |
| Use Set Me Up (deploy snippets) | DEPLOY |
Internal Scopes
Federation operations use these scopes for service-to-service authentication.
| Scope | Purpose |
|---|---|
INTERNAL_SCOPE_VALIDATE_MIRROR | Validate remote mirror accessibility and configuration |
INTERNAL_SCOPE_FULL_SYNC | Authorize Full Sync operations |
INTERNAL_SCOPE_RTFS | General RTFS service operations |
INTERNAL_SCOPE_CONFIG_SYNC | Synchronize configuration across members |
INTERNAL_SCOPE_METADATA | Query and propagate metadata information |
INTERNAL_SCOPE_CONNECTION_STATES | Query Federation connection state information |
When federated.exchange.token.limit.scope.enabled is true (default), token exchanges are restricted to required scopes.
Token Exchange Flow
Federation members authenticate with each other using a token exchange mechanism:
- Master token setup: During platform setup, each JPD is provisioned with a master token that establishes the circle of trust between JPDs.
- Token exchange: When RTFS needs to communicate with a remote member, it exchanges the master token for a scoped access token via
POST /rtfs/v1/service_trust/exchange. See the REST API Reference Index for related authentication endpoints. The exchanged token is limited to the specific scopes required for the operation (for example,INTERNAL_SCOPE_FULL_SYNCfor Full Sync operations). - Scope limiting: When
federated.exchange.token.limit.scope.enabledistrue(default), token exchanges are restricted to only the required scopes for each operation, following the principle of least privilege. - Automatic refresh: The token refresh job (
federated.master.tokens.refresh.job.cron, default:0 0 * * * ? *) runs hourly to refresh tokens before they expire. The job refreshes tokensfederated.master.tokens.refresh.grace.days(default: 7) days before expiry. - Expiry margin: An additional margin (
federated.auth.token.expiry.margin.sec, default: 900 seconds, or 15 minutes) ensures tokens are not used when they are about to expire.
Token Exchange Properties
The following properties configure the token exchange flow.
| Property | Default | Description |
|---|---|---|
federated.exchange.token.limit.scope.enabled | true | Restrict token exchanges to required scopes only. |
federated.exchange.token.expiration.time.hours | 3600 (1 hour, stored in seconds) | Duration before exchanged tokens expire. Despite the property name, the value is in seconds. |
federated.master.tokens.refresh.job.cron | 0 0 * * * ? * | Cron for the token refresh job (hourly). |
federated.master.tokens.refresh.grace.days | 7 | Days before expiry to start refreshing tokens. |
federated.auth.token.expiry.margin.sec | 900 | Margin in seconds before token expiry to consider the token invalid. |
For example, in artifactory.system.properties:
federated.auth.token.expiry.margin.sec=900Related Topics
Updated about 7 hours ago
Did this page help you?
