Roles & permissions¶
Repod uses role-based access control (RBAC) with five roles: reader, auditor, uploader, maintainer and admin. Roles are broadly cumulative: a higher role includes the permissions of the roles below it, with the exceptions called out in the matrix and role descriptions below.
Role hierarchy¶
Note
This is a conceptual hierarchy for understanding scope, not a strict inheritance chain. Each role has a precisely defined permission set; see the matrix below.
Permission matrix¶
| Permission | reader | auditor | uploader | maintainer | admin |
|---|---|---|---|---|---|
| Packages | |||||
| List packages | β | β | β | β | β |
| View package details & CVE | β | β | β | β | β |
| Download packages (APT) | β | β | β | β | β |
| Upload packages | β | β | β | β | β |
| Import from upstream | β | β | β | β | β |
| Delete packages | β | β | β | β | β |
| Promote between distributions | β | β | β | β | β |
| Security | |||||
| View CVE findings | β | β | β | β | β |
| View review queue | β | β | β | β | β |
| Approve / reject CVE packages | β | β | β | β | β |
| Trigger CVE rescan | β | β | β | β | β |
| Quarantine a package | β | β | β | β | β |
| Update ClamAV signatures | β | β | β | β | β |
| SBOM | |||||
| Export SBOM | β | β | β | β | β |
| Sync & index | |||||
| Sync APT sources | β | β | β | β | β |
| Sync security sources | β | β | β | β | β |
| Audit trail | |||||
| Read audit logs | β | β | β | β | β |
| Export audit logs | β | β | β | β | β |
| Users & tokens | |||||
| List users | β | β | β | β | β |
| Create / edit / delete users | β | β | β | β | β |
| Reset any user's password | β | β | β | β | β |
| Change own password | β | β | β | β | β |
| Create own API tokens | β | β | β | β | β |
| Revoke own API tokens | β | β | β | β | β |
| Manage all API tokens | β | β | β | β | β |
| Settings | |||||
| Read settings | β | β | β | β | β |
| Modify settings | β | β | β | β | β |
| Generate GPG keys | β | β | β | β | β |
| Statistics | |||||
| View download stats | β | β | β | β | β |
| View health dashboard | β | β | β | β | β |
Role descriptions¶
reader¶
Read-only access to packages and statistics. No write operations of any kind.
Intended for: humans or systems that only need to install packages via apt, or browse the package catalog.
auditor¶
Everything reader can do, plus read access to audit logs and the CVE review queue.
Intended for: compliance officers, external auditors, CISO team members who need visibility without write access. This role is designed to satisfy NIS2 audit trail requirements without granting operational permissions.
Tip
Give this role to your SIEM service account for automated audit log export.
uploader¶
Everything reader can do, plus the ability to upload and import packages, and manage their own API tokens.
Intended for: CI/CD pipelines, developers publishing packages. This is the recommended role for automated systems. It deliberately cannot approve CVEs, delete packages, or modify settings.
Warning
Do not give CI/CD systems a higher role than uploader. If a pipeline is compromised, the blast radius is limited to package uploads, which a maintainer or admin can still delete or quarantine; the attacker cannot approve CVE findings, delete other packages, change settings or manage users.
maintainer¶
Everything uploader can do, plus package lifecycle management (delete, promote, quarantine) and repository synchronisation. Can also read audit logs.
Intended for: platform engineers and DevOps leads responsible for repository health. Cannot approve CVE decisions; that authority is reserved for admin.
admin¶
Full access to all features, including user management, settings, GPG key generation, and CVE approval/rejection.
Intended for: repository administrators and designated security reviewers (CISO). This role is required to approve packages from the CVE review queue.
Danger
Limit admin accounts to the minimum number of people who genuinely need it. Use auditor for read-only security visibility and maintainer for day-to-day operations.
Assigning roles¶
Web UI¶
Go to Users in the left sidebar. Click the role dropdown next to any user to change their role immediately.
API¶
curl -X PATCH http://REPO_HOST:8000/auth/users/jdupont \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"roles": ["maintainer"]}'
LDAP group mapping¶
If LDAP is configured, you can map directory groups to Repod roles in Settings → LDAP → Group mapping. Users are assigned the mapped role at login time. See Configure LDAP.
API token roles¶
API tokens can be scoped to a subset of the creating user's roles. A maintainer user can create a token with only uploader permissions, which is useful for giving CI/CD systems the minimum viable access. A token can never carry a role its creator does not hold.
# Create an uploader-scoped token (even if you're an admin)
curl -X POST http://REPO_HOST:8000/auth/api-tokens \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name": "ci-pipeline", "roles": ["uploader"]}'
Role changes take effect immediately¶
When a user's role is changed, the new permissions apply to their next API request. Existing JWT tokens are not invalidated (they expire after 60 minutes), but the role is re-read from the database on every authenticated request.
Info
To immediately block a user, deactivate the account (is_active = false) rather than just changing the role. A deactivated account is rejected regardless of token validity.
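The three behaviours described in this section (token scope limited to the creator's roles, the role re-read on every request, and deactivation overriding an unexpired token) are easy to get subtly wrong in one's own integrations. The following is an added, self-contained Python model of those rules; it is not Repod's code, and the role-to-permission sets, the `ROLE_INCLUDES` inclusion map, the in-memory user table and the `Token` shape are all hypothetical simplifications of the matrix above. It assumes that only login JWTs carry the 60-minute expiry and that a scoped API token can only narrow, never widen, the user's live roles.

```python
"""Toy model of Repod-style role checks: API-token scoping, per-request role
re-read and account deactivation. Added illustration, not Repod's own code."""
from dataclasses import dataclass
from typing import Optional

JWT_TTL_SECONDS = 60 * 60  # login JWTs expire after 60 minutes (per the text above)

# Hypothetical, reduced permission sets keyed by role; the matrix on this page is authoritative.
ROLE_PERMISSIONS = {
    "reader": {"packages:list", "packages:download", "stats:view"},
    "auditor": {"audit:read", "audit:export", "review_queue:view"},
    "uploader": {"packages:upload", "packages:import", "tokens:manage_own"},
    "maintainer": {"packages:delete", "packages:promote", "packages:quarantine", "sync:apt", "audit:read"},
    "admin": {"cve:approve", "users:manage", "settings:modify", "gpg:generate"},
}
# Conceptual inclusion used by this model (assumed): lower roles each role also carries.
ROLE_INCLUDES = {
    "reader": (),
    "auditor": ("reader",),
    "uploader": ("reader",),
    "maintainer": ("uploader",),
    "admin": ("maintainer", "auditor"),
}


class AuthError(Exception):
    pass


@dataclass(frozen=True)
class Token:
    username: str
    issued_at: float
    roles: Optional[tuple] = None  # None: login JWT (full user roles); tuple: API-token scope


def held_roles(roles):
    """Transitive closure over ROLE_INCLUDES: every role the given roles effectively carry."""
    held, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in held:
            held.add(role)
            stack.extend(ROLE_INCLUDES[role])
    return held


def effective_permissions(roles):
    return set().union(*(ROLE_PERMISSIONS[r] for r in held_roles(roles)))


def login(db, username, now):
    user = db[username]
    if not user["is_active"]:
        raise AuthError("account deactivated")
    return Token(username, now)


def create_api_token(db, creator, requested_roles, now):
    """Mint a token whose scope must be a subset of the creator's effective roles."""
    wanted = set(requested_roles)
    excess = wanted - held_roles(db[creator]["roles"])
    if excess:
        raise AuthError(f"{creator} cannot mint roles it does not hold: {sorted(excess)}")
    return Token(creator, now, tuple(sorted(wanted)))


def authorize(db, token, permission, now):
    """Per-request check: JWT expiry, then account status, then roles re-read from the DB."""
    if token.roles is None and now - token.issued_at > JWT_TTL_SECONDS:
        raise AuthError("JWT expired")
    user = db.get(token.username)
    if user is None or not user["is_active"]:
        raise AuthError("account deactivated")  # rejected regardless of token validity
    granted = held_roles(user["roles"])  # live roles, not the ones at issue time
    if token.roles is not None:
        granted &= set(token.roles)  # a scoped token can only narrow the live roles
    return permission in effective_permissions(granted)


def demo():
    """Run the scenarios from this section against a constructed in-memory user table."""
    t0 = 1_700_000_000.0
    db = {
        "alice": {"roles": ["admin"], "is_active": True},
        "jdupont": {"roles": ["maintainer"], "is_active": True},
        "ci": {"roles": ["uploader"], "is_active": True},
    }
    out = {}
    ci_token = create_api_token(db, "alice", ["uploader"], t0)  # admin mints an uploader-scoped token
    out["ci_can_upload"] = authorize(db, ci_token, "packages:upload", t0 + 1)
    out["ci_can_approve_cve"] = authorize(db, ci_token, "cve:approve", t0 + 1)
    try:  # an uploader cannot mint a token carrying a role it does not hold
        create_api_token(db, "ci", ["maintainer"], t0)
        out["uploader_mints_maintainer"] = True
    except AuthError:
        out["uploader_mints_maintainer"] = False
    jwt = login(db, "jdupont", t0)
    out["delete_before_downgrade"] = authorize(db, jwt, "packages:delete", t0 + 10)
    db["jdupont"]["roles"] = ["uploader"]  # what PATCH /auth/users/jdupont does server-side
    out["delete_after_downgrade"] = authorize(db, jwt, "packages:delete", t0 + 20)
    out["upload_after_downgrade"] = authorize(db, jwt, "packages:upload", t0 + 20)
    try:  # the login JWT still expires on its own schedule
        authorize(db, jwt, "packages:list", t0 + JWT_TTL_SECONDS + 1)
        out["expired_rejected"] = False
    except AuthError:
        out["expired_rejected"] = True
    db["jdupont"]["is_active"] = False  # deactivation beats an unexpired token
    try:
        authorize(db, jwt, "packages:list", t0 + 30)
        out["deactivated_rejected"] = False
    except AuthError:
        out["deactivated_rejected"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

The ordering inside `authorize` matters: account status is checked before any permission lookup, so a deactivated user is refused even for a read that every role holds, which is the behaviour the Info box above relies on. The downgrade scenario also shows why a scoped API token is intersected with the user's live roles rather than trusted as issued: if the creator later loses a role, tokens minted from it lose it too.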