Roles and permissions
These are the built-in roles for the Registry service. Each row lists a role, what it
grants, and the exact permissions it includes. Roles are system-defined (built-in) or
custom; permissions are system-defined and read-only. The platform-wide Viewer,
Editor, and Admin roles also apply across every service; see the
roles and permissions catalogue. You can also compose
a custom role from any of these permissions.
| Role | Included permissions |
|---|---|
| Registry Viewer Read-only access to all registry resources | registry.accesspolicy.getregistry.accesspolicy.listregistry.artifact.getregistry.artifact.listregistry.auditlog.listregistry.credential.getregistry.crossnamespacegrant.getregistry.crossnamespacegrant.listregistry.deploymentlock.getregistry.deploymentlock.listregistry.namespace.getregistry.namespace.listregistry.operation.getregistry.operation.listregistry.repository.getregistry.repository.listregistry.retentionpolicy.getregistry.retentionpolicy.listregistry.scan.getregistry.scanpolicy.getregistry.scanpolicy.list |
| Registry Editor Read and write access to all registry resources | registry.accesspolicy.createregistry.accesspolicy.getregistry.accesspolicy.listregistry.accesspolicy.updateregistry.artifact.getregistry.artifact.listregistry.auditlog.listregistry.credential.getregistry.crossnamespacegrant.createregistry.crossnamespacegrant.getregistry.crossnamespacegrant.listregistry.crossnamespacegrant.updateregistry.deploymentlock.createregistry.deploymentlock.getregistry.deploymentlock.listregistry.deploymentlock.updateregistry.namespace.createregistry.namespace.getregistry.namespace.listregistry.namespace.updateregistry.operation.getregistry.operation.listregistry.repository.createregistry.repository.getregistry.repository.listregistry.repository.updateregistry.retentionpolicy.createregistry.retentionpolicy.getregistry.retentionpolicy.listregistry.retentionpolicy.updateregistry.scan.getregistry.scan.triggerregistry.scanpolicy.createregistry.scanpolicy.getregistry.scanpolicy.listregistry.scanpolicy.update |
| Registry Admin Full access to all registry resources | registry.accesspolicy.createregistry.accesspolicy.deleteregistry.accesspolicy.getregistry.accesspolicy.listregistry.accesspolicy.updateregistry.artifact.deleteregistry.artifact.getregistry.artifact.listregistry.auditlog.listregistry.credential.getregistry.crossnamespacegrant.createregistry.crossnamespacegrant.deleteregistry.crossnamespacegrant.getregistry.crossnamespacegrant.listregistry.crossnamespacegrant.updateregistry.deploymentlock.createregistry.deploymentlock.deleteregistry.deploymentlock.getregistry.deploymentlock.listregistry.deploymentlock.updateregistry.namespace.createregistry.namespace.deleteregistry.namespace.getregistry.namespace.listregistry.namespace.updateregistry.operation.getregistry.operation.listregistry.repository.createregistry.repository.deleteregistry.repository.getregistry.repository.listregistry.repository.updateregistry.retentionpolicy.createregistry.retentionpolicy.deleteregistry.retentionpolicy.getregistry.retentionpolicy.listregistry.retentionpolicy.updateregistry.scan.getregistry.scan.triggerregistry.scanpolicy.createregistry.scanpolicy.deleteregistry.scanpolicy.getregistry.scanpolicy.listregistry.scanpolicy.updateregistry.tag.delete |
| Namespace Viewer View namespaces | registry.credential.getregistry.namespace.getregistry.namespace.listregistry.operation.getregistry.operation.list |
| Namespace Editor View and manage namespaces | registry.credential.getregistry.namespace.createregistry.namespace.getregistry.namespace.listregistry.namespace.updateregistry.operation.getregistry.operation.list |
| Namespace Admin Full access to namespaces | registry.credential.getregistry.namespace.createregistry.namespace.deleteregistry.namespace.getregistry.namespace.listregistry.namespace.updateregistry.operation.getregistry.operation.list |
| Repository Viewer View repositories | registry.repository.getregistry.repository.list |
| Repository Editor View and manage repositories | registry.repository.createregistry.repository.getregistry.repository.listregistry.repository.update |
| Repository Admin Full access to repositories | registry.repository.createregistry.repository.deleteregistry.repository.getregistry.repository.listregistry.repository.update |
| Artifact Viewer View artifacts | registry.artifact.getregistry.artifact.list |
| Artifact Editor View artifacts | registry.artifact.getregistry.artifact.list |
| Artifact Admin Full access to artifacts | registry.artifact.deleteregistry.artifact.getregistry.artifact.list |
| Tag Admin Detag artifacts (registry.tag.delete) | registry.tag.delete |
| Scan Viewer Read vulnerability scan reports | registry.scan.get |
| Scan Editor Read scan reports and trigger scans | registry.scan.getregistry.scan.trigger |
| Scan Admin Read scan reports and trigger scans | registry.scan.getregistry.scan.trigger |