How to Plan for, Create, and Configure Restricted Feeds in ProGet

With ProGet, you can control access to different feeds by permitting or restricting which users and groups can view, publish, and promote packages. There are a lot of options for defining more granular access rules, and this guide will walk you through some common scenarios for creating restricted feeds.

To start, if you haven't already, download ProGet, and create your feeds.

Step 1: Plan out Desired Access & Restrictions

Permissions and restrictions will vary from organization-to-organization and team-to-team. For this article, we'll use three different NuGet feeds (unapproved-nuget, approved-nuget, and mycompany-nuget) that are configured for a package approval workflow.

This means that we'll need the following rules:

• Everyone can View & Download Packages from the mycompany-nuget feed
• Senior Developers can Promote from the unapproved-nuget to the approved-nuget feed
• Build servers can View and Publish to the mycompany-nuget feed

These three basic rules can be implemented relatively easily.

Advanced Permissions

Later on in the article, we'll add new access controls to be more granular by using custom tasks.

• Everyone can View Packages from all feeds
• Developers can View & Download Packages from all feeds
• Developers cannot Download Packages on the unapproved-nuget feed

Step 2: Ensure Users and Groups are Configured

You can create users and groups in ProGet, but it's much easier to integrate LDAP/Active Directory and ProGet so that you don't have to manage users/groups for everyone who needs to login.

ProGet has three "pseudo-groups" that you also use to control access:

• Authenticated – all users that have logged-in to ProGet
• Anonymous – all users accessing ProGet, but not logged in
• Everyone – all users in all groups, whether anonymous or authenticated

For our example, we'll use the "Everyone" pseudo-group and the "Developers" and "Senior Developers" groups. These groups could be defined in ProGet or in Active Directory; creating permissions and restrictions work the same way.

Step 3: Configure Permissions

By default, only Administrators will have permissions in ProGet. This means you'll need to add permissions to allow other users to access ProGet.

This is done with Tasks, which essentially describes what users can do. For example, the built-in "Manage Feed" task allows "access to manage feed settings, delete packages, and overwrite packages."

To see which users and groups have permissions to perform what tasks, navigate to Admin (the gear icon) > Manage security > Tasks/Permissions:

This page will groups permissions and restrictions based on task and scope.

• There are five built-in tasks (Administer, Manage Feed, Promote Packages, Publish Packages, and View & Download Packages), and you can add more as needed
• Scope refers to which Feed or Feed Group that Task applies to

Add Permissions for "Everyone"

Based on the desired access we defined in Step 1, we'll need to create a permission that allows everyone to View & Download Packages from the mycompany-nuget feed.

To do this, click on "Add Permission" and enter the desired permission.

Once this has been added, everyone - regardless of whether they've logged in or not - can view and download packages on the mycompany-nuget. However, they won't be able to access the unapproved-nuget or approved-nuget feeds.

Add Permission for "Senior Developers"

We also want to permit Senior Developers to promote packages from the unapproved-nuget feed to the approved-nuget feed. This will require adding two permissions:

After configuring these permissions, the Tasks page will look like this:

Step 4: Create API Key

API keys will allow you to connect your ProGet feeds to other automated tools like a build server, and they work a little differently than tasks.

Our desired access for build servers (from Step 1) was to allow viewing and publishing to the mycompany-nuget feed. To create an API key for this, navigate to Admin > API Keys, click "create api key", and enter a name, description, and the desired access.

Although not required for the example configuration, you can create different types of API Keys:

• System API Keys help automate the management and configuration of ProGet
• Feed API Keys can be restricted to a single feed or group, and can only use feed-related APIs
• Personal API Keys can be managed by ProGet users and effectively "impersonate" that user's access to ProGet

After clicking Save API Key, the newly-created API Key will be shown on the API Key List page:

Viewing & Using API Keys

Unless you specify a value for the API key field, ProGet will automatically generate a value for you after clicking Save API Key.

To view an API key, click on the "edit" link. From there, you can copy that key and paste it in your build server to give it access to ProGet and the mycompany-nuget feed.

Step 5: Customizing Tasks (Advanced)

To enable more granular permissions that better model governance and compliance policies, you can customize the tasks available in ProGet by navigating to Admin > Manage Security > Tasks / Permissions > select [Customize Tasks] from the "Test Privileges" drop down.

On this page, you can add, edit, and delete tasks.

Our example desired access can be implemented using two new tasks: "View Packages" and "Download Packages. We can then give permission and restrict who can perform those task.

Create "View Packages" Task

To create a custom task, click "Add Task" and enter the name, description, and desired attributes.

Create "Download Packages" Task

This task will be similar identical to the View Packages task, and contain only a single task.

However, instead of using this task to give permission, we will use it to restrict access.

Step 6: Configure Permissions and Restrictions (Advanced)

The additional desired access rules we want to create are:

• Everyone can View Packages from all feeds
• Developers can View & Download Packages from all feeds
• Developers cannot Download Packages on the unapproved-nuget feed

That last access control rule is a bit tricky: using only permissions, we would need to add View & Download Packages on all feeds except one. Instead, we can use a combination of a permission and a restriction to accomplish this.

You can add a restriction by clicking "Add Restriction" back on the Tasks / Permissions page.

In addition to this restriction, we'll need to add two new permissions:

After configuring these, the Tasks page will show all of access control rules.

These access control rules are complicated, but so are the desired access requirements.

Troubleshooting Permissions

To determine whether a user has access to do something in ProGet, all of the permissions from all of their groups will be combined.

A restriction will override a permission, unless that permission is more granular. For example, even though Developers are restricted from Downloading Packages on the unapproved-nuget feed, you could add a User-based permission to allow a single user to download packages. A User is more granular than a group, so the permission would override the restriction. The same applies to System-, Feed Group-, and Feed-level permissions and restrictions.

Because access control rules can get complicated, you can test access by using the "Test Privileges" button.

This will show you what permissions a specific user has for a give feed.

Next Steps

Permissions are very complex and can get granular. So it's important to plan in advance the groups, tasks, permissions, and restrictions you'd like in place.

Feed Groups can help simplify permissions by grouping feeds together that will require the same permission or restriction rules.

Keep in mind that while there's no limit, permissions and restrictions that are too granular means you'll defining a lot of privileges that may need to be changed one day.

Feed-level permissions are only available in paid versions of ProGet. Request a free trial key for ProGet to set up your Restricted NuGet Feed today.