Creating Organizations and Teams and Managing Permissions In Cloudsmith

One reason for building a ‘single source of truth’ for software assets is that it gives the organization control over who can use what when. 

The ‘wild West’ of public repositories gives no control at all and can lead to a situation in which packages and dependencies of dubious provenance are integrated into builds without a second thought. Within the Cloudsmith world, we want to have the maximum security and control possible. 

Permissions can also help the individuals and teams in the organization find what they need faster, by ensuring that the repositories they see are optimized for them alone.

To help make that happen, Cloudsmith includes the ability to create teams and organizations and limit access to repositories at team and individual level. Let’s take a look in more detail about how to make that happen, and discuss other considerations when building out teams and orgs.

Creating Organizations

It all starts with the organization. Organizations give you the ability to configure access for teams, individuals and machines that map to your companies organizational structure - and building security and resilience into the management of teams and workflows is essential in today's ecosystem. 

We recommend creating only one organization in Cloudsmith. You are not limited to one, but as we allow as many teams as you like beneath any organization, there isn’t really a need to create more. Similarly, as all teams and users are associated with a specific organization, more than one of the latter will usually mean replication of effort.

As a further consideration, a single organization helps in terms of transparency as reporting, auditing etc is also delivered at the organization level.

Creating an organization is simple (full details are in our documentation here). Once that is done, you can configure name, billing and contact details and so on before considering global permissions.

At the organization level Cloudsmith allows users to define global privileges for members around inviting new collaborators and members, and creating teams and repositories. In the same way object privileges can be set - that determine the access level members have in terms of access and actions for repositories within that organization.

Similarly, at an organization level you can define usage limits for repositories and check what the current situation is around usage at any time - handy for managing or avoiding unpredictable usage bills.

Creating And Managing Teams

In order to manage permissions and access at a more granular level, you will want to create teams within organizations. Cloudsmith then enables permissions for teams to be managed at the repository level. 

When creating teams, think clearly about meaningful distinctions between groups within your organization when it comes to package management. You may want to limit publishing packages to repositories (write access) to specific teams, which limiting others to read access, for example. 

To put that another way, when giving any team access to a repo, you will be asked to specify the level of access for that team (as shown in the image below), so it makes sense to build out teams with that in mind.

Setting team level permissions in Cloudsmith
Setting team level permissions in Cloudsmith

Although teams can help manage permissions quickly and transparently, it is of course also possible to give named individual users access to individual repositories, and specify what level of access they have - in this way individuals not in teams can be given access, and those already in teams can be given improved access over that offered to the team as a whole.

Lastly remember that ultimately permissions are controlled at the repository level. When creating a repository (or indeed at any time after) Cloudsmith enables you to specify precisely what ‘Admin’, ‘Write’ and ‘Read’ access will enable each user or team to perform, and this is specified at the repository level as shown in Figure 2.

This effectively means that a single team (or individual) can have ‘Write’ access to separate repositories that means something slightly different in each case. Ideal for fine-grained control. Cloudsmith is all about securing your software assets. Our platform gives the control to do that. Remember - err on the side of caution!

Defining privileges at the repository level
Defining privileges at the repository level