MyGet Security
MyGet features a rich security model around your feeds. You, as a feed owner, always have the richest set of permissions possible. You can assign privileges to specific users on MyGet using their email address or username.
Available Feed Types
MyGet offers 3 standard feed types supporting various scenarios. You can change feed type at any time (given you did not exceed any subscription, feed or user quota).
- Public feeds - Everyone can search and download packages from this feed. Only users with sufficient privileges will be able to push packages to this feed. Public feeds listed in the Gallery have the ReadOnly tag. Public feeds are free (quota may apply based on your subscription plan).
- Community feeds - Everyone can search and download packages from this feed. Additionally, any user can push and manage their own packages on this feed. Community feeds listed in the Gallery have the Community tag. Community feeds are free (quota may apply based on your subscription plan).
- Private feeds - Nobody except the feed owner has access by default. The feed owner will invite people to this feed and assign feed privileges (see below). Private feeds are available on all paid subscription plans (quota may apply based on your subscription plan).
If you are a MyGet Enterprise user, a fourth feed type is available:
- Enterprise feeds - Everyone in your organization gets read access to this feed unless other privileges are given to specific users.
Personal security: access tokens
There are several credentials linked to your MyGet profile. Every user gets at least one: the primary API key, which can be used when publishing packages with NuGet.exe, NuGet Package Explorer, npm, Bower and so on. There's also a username and password for consuming private feeds from Visual Studio or a build server.
Additional access tokens can be generated from your profile page. The primary API key can be regenerated and new tokens can be easily created or revoked.
- Access tokens can be given a short description: this helps you keep track of where you used the access token and revoke it if necessary.
- Access tokens can be scoped to allow access only to a specific feed, limiting the surface area to which a given access token can push packages.
- Access tokens can be given an optional expiration date, after which the token will no longer be valid.
Access tokens can be used for all authentication purposes, except logging into the MyGet.org website. They can be used when pushing to your MyGet feed or as an alternate password when authenticating against a private feed.
When configuring a continuous integration system to restore NuGet packages, we recommend creating separate access tokens for different build steps, based on their requirements.
For instance, you can create an access token that has read-only access to all feeds accessible to your MyGet account, with write access disabled. Then you can create another access token with write access to a specific feed only, and configure that one in the relevant project build configuration. This prevents CI builds from accidentally publishing to other feeds. Of course, you can restrict read access to a particular set of feeds too.
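One way to check a list of your tokens against the recommendations above (description, feed scope, expiration, separate restore and publish tokens). This is an added example, not MyGet code: the inventory format, the `ALL_FEEDS` marker, the feed names and the dates are constructed, and the list is assumed to be maintained by hand from the profile page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ALL_FEEDS = "*"  # assumption: this inventory's marker for "every feed on the account"

@dataclass
class Token:
    description: str          # note entered when the token was created
    read_feeds: frozenset     # feeds the token may read, or {ALL_FEEDS}
    write_feeds: frozenset    # feeds the token may push to, or {ALL_FEEDS}
    expires: Optional[date]   # None = no expiration date set

def audit(token, today):
    """Return findings for one token; an empty list means it follows the advice."""
    findings = []
    if not token.description.strip():
        findings.append("no description: cannot tell where this token is used")
    if ALL_FEEDS in token.write_feeds:
        findings.append("can push to every feed: scope write access to one feed")
    elif len(token.write_feeds) > 1:
        findings.append("can push to several feeds: use one token per target feed")
    if token.expires is None:
        findings.append("no expiration date")
    elif token.expires < today:
        findings.append("expired: remove it from build configurations")
    return findings

def report(inventory, today):
    """Map inventory index -> findings, for tokens with at least one finding."""
    results = {i: audit(t, today) for i, t in enumerate(inventory)}
    return {i: f for i, f in results.items() if f}

# Constructed sample inventory (feed names and dates are made up).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Token("CI restore, read-only", frozenset({ALL_FEEDS}), frozenset(), date(2024, 12, 31)),
    Token("CI publish to acme-internal", frozenset(), frozenset({"acme-internal"}), date(2024, 12, 31)),
    Token("", frozenset({ALL_FEEDS}), frozenset({ALL_FEEDS}), None),
    Token("old build agent", frozenset({"acme-internal"}), frozenset(), date(2023, 1, 15)),
]

if __name__ == "__main__":
    for index, findings in report(INVENTORY, TODAY).items():
        for finding in findings:
            print(f"token #{index}: {finding}")
```

The first two entries follow the restore/publish split described above and produce no findings; the last two are flagged.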
Inviting other users to your feed
In order to give other users a certain privilege on your feed, they have to be invited to your MyGet feed. This can be done in the Feed security tab for your feed. This tab lists all users that currently have access to your feed as well as a list of "pending" invitations, that is: users that have been invited to your feed but haven’t confirmed yet.
The Add feed privileges... button opens a dialog that allows you to invite a user to your feed by entering their e-mail address. You can immediately select the privilege that will be assigned once the user confirms the invitation.
Below you can see an example invitation for a user to whom, once the invitation is confirmed, the "can consume this feed" privilege will be assigned.
Once you’ve clicked the Add user button, an e-mail will be sent to the e-mail address provided. The user being added to your feed will receive this e-mail and can choose to claim the privileges you’ve assigned or to simply ignore the invitation.
Once the user confirms this e-mail by clicking the link provided in the e-mail body, the user will be granted access to your feed with the privileges chosen in the Add feed privileges dialog.
Managing User Permissions
After inviting a user to your feed, you can change the privileges previously assigned. For example, a user who could previously only consume packages may now be granted the privilege of contributing packages to your feed. Also, a user who could previously manage all packages on the feed can be locked down into a privilege where he can only consume packages and no longer manage them.
The Feed security tab for your feed lists all users that currently have access to your feed as well as a list of users that have been invited to your feed but haven’t confirmed their privileges yet. The dropdown next to a user’s name allows you to modify the currently assigned privilege.
Note: When assigning the "Has no access to this feed" privilege to a certain user, the user will be removed from the list of users. If afterwards you want to assign a different privilege to this user, the user should be sent a new invitation using the Add feed privileges... button.
Available Feed Privileges
Permissions on a MyGet feed can be granted to other users. The table below lists all possible permissions and their meaning:
Permission | Description | MyGet account required? |
---|---|---|
Has no access to the feed | The user is denied access to the feed and cannot perform any operations on it. | no |
Can consume this feed | The user can search and consume packages but pushing packages is not allowed. | no |
Can contribute own packages to this feed | The user can search, consume and push packages to the feed. Users with this privilege will only be able to manage their own packages. This security setting is identical to the security settings on the official NuGet package source, and the default security setting for a MyGet Community feed. | yes |
Can manage all packages for this feed | The user can search, consume and push packages to the feed as well as use the MyGet website to manage packages. | yes |
Can manage users and all packages for this feed | The user can search, consume and push packages to the feed as well as use the MyGet web site to manage packages and users. It is as good as being a feed owner except that deleting a feed isn't allowed. | yes |
Owns the feed | The user owns the feed and can perform all operations on it. The user can manage feed settings, packages and user privileges. | yes |
Adding a new feed owner
This how-to describes how to assign a new owner to your feed.
- Log into MyGet and navigate to the feed that you want to add a new owner to
- Select Feed Security, located down the left hand side of the page
- Click the Add feed privileges... button
- In the Add Feed Privileges window, enter the MyGet Username, or the email address of the user, that you would like to assign owner permission of the feed to
- In the Privileges drop down list select Owner of this feed
- You will receive the following warning: This will make the chosen user the owner of the feed, and make you a co-owner. If you are happy to proceed, click OK
- The new permissions take immediate effect
The new owner will receive an email informing them of the change. At this point the new owner can choose to reduce your permissions to the feed, or revoke them completely.