We are using the Artifactory tool to distribute gradle files and other artifacts to customers, secured by a per customer login. However, if those customers get Webapp access (which they need to for example change their passwords) they can see all repositories and artifacts they have (read) access to, including WHO last downloaded the file.
Is there any way of changing this, besides building our own password change site?
Right now there is no way to remove the "Last Downloaded" information from the JFrog Artifactory screen. If that is a requirement you have, you can always reach out to the JFrog support team to have them log an enhancement request.
As an alternative, if you really want to use Artifactory for this use case, you might want to consider giving each customer their own repository and only giving them access to that repo. Artifactory stores files only once. The first time a file is uploaded, Artifactory calculates a checksum and stores the file accordingly (including putting a record in a database). If files are uploaded again, or copied to multiple destinations, only the database is updated to create a record mapping the file's checksum to its new location as well. On the positive side, you've got the artifacts stored once and your customers only see their own repo. On the down side, you'll end up with many more repos in Artifactory.