Privileges on group repositories in Nexus Repository 3 are transitive, but only for requests directed to the group repository. When a user is given a privilege to a group repository, that user also has that privilege to all transitive members of the group, provided the request goes through the group repository. Direct requests to an individual member repository work only if the user is given explicit permission to that repository.
To organize group repositories per team, make a group repository that has all of the repositories that are needed across all teams (such as your central proxy) and then make additional group repositories per team that contain the hosted repositories they need access to.
So as a specific example of this strategy:
- Team A Group
  - team-a-private
  - Public_Group
    - Maven_Central
    - Thirdparty
    - ...
- Team B Group
  - team-b-private
  - Public_Group
    - Maven_Central
    - Thirdparty
    - ...
Note that the Public_Group repository contains everything all teams need.
To control read access to specific content in a repository, use Content Selectors. They let you define what content users are allowed to access.
- Create a content selector with a search expression. There is an option to preview the repository content that matches the search expression.
- Manage the selector permissions by creating a privilege of type "Repository Content Selector" for the content selector created above, then select the repository it should apply to and the actions for this privilege.
A content selector with an expression like the one below, with read privileges assigned to it, allows access to everything that isn't under "/org/someplace/
path =~ "(?!/org/someplace/restricted/.*).*"
A content selector search expression like the one below, with read privileges assigned to it, allows access to everything under "/org/someplace/allowed/":
path =^ "/org/someplace/allowed/"
Note: For HA deployments, content selectors without regular expressions should be used. More details can be found here.
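Before assigning a read privilege, it helps to check which paths each of the two expressions above actually exposes. The following is an added example, not Sonatype's code: a small local evaluator for the two comparison forms shown on this page, run over constructed sample paths. It assumes `=~` must match the whole path (Java `matches()` semantics); the helper names are hypothetical.

```python
import re

# Matches the two single-comparison forms shown on this page:
#   path =~ "<regex>"   and   path =^ "<prefix>"
_CSEL = re.compile(r'^\s*path\s*(=~|=\^)\s*"(.*)"\s*$')

def compile_selector(expression):
    """Return a predicate path -> bool for one CSEL comparison."""
    m = _CSEL.match(expression)
    if m is None:
        raise ValueError(f"unsupported expression: {expression!r}")
    op, operand = m.groups()
    if op == "=^":
        return lambda path: path.startswith(operand)
    # Assumption: =~ must match the whole path (Java matches() semantics),
    # which is why the page's pattern ends in ".*".
    pattern = re.compile(operand)
    return lambda path: pattern.fullmatch(path) is not None

def readable_paths(expression, paths):
    """Paths a READ privilege on this selector would expose."""
    allowed = compile_selector(expression)
    return [p for p in paths if allowed(p)]

DENY_RESTRICTED = 'path =~ "(?!/org/someplace/restricted/.*).*"'
ALLOW_ONLY = 'path =^ "/org/someplace/allowed/"'

# Constructed sample paths, not taken from a real repository.
SAMPLE_PATHS = [
    "/org/someplace/allowed/lib/1.0/lib-1.0.jar",
    "/org/someplace/restricted/secret/2.0/secret-2.0.jar",
    "/org/someplace/restricted-tools/1.0/tools-1.0.jar",
    "/org/elsewhere/util/3.1/util-3.1.pom",
]

if __name__ == "__main__":
    for expr in (DENY_RESTRICTED, ALLOW_ONLY):
        print(expr)
        for p in SAMPLE_PATHS:
            mark = "READ" if compile_selector(expr)(p) else "deny"
            print(f"  {mark}  {p}")
```

The negative lookahead only excludes paths that begin with "/org/someplace/restricted/" including the trailing slash, so the sibling directory "restricted-tools" stays readable under the first expression.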