Matrix-based security is one of the authorization strategies available for securing Jenkins. It allows you to grant specific permissions to users and groups. The available permissions are listed below with their descriptions, and are also available by hovering over the permission heading in the Jenkins UI.
Note: These are the most common permissions available. Other plugins may add their own permissions.
Overall
Several of these permissions are at least as powerful as Administer, but for historical reasons are implied by the Administer permission (i.e. everyone with Administer can also perform the actions associated with these other permissions):
- RunScripts allows executing arbitrary code in the context of any (Jenkins internal) user, including the internal SYSTEM user.
- UploadPlugins allows uploading plugins, which in turn can execute arbitrary code in the context of any (Jenkins internal) user.
- ConfigureUpdateCenter can configure proxy settings and thereby control the update site metadata and plugin files downloaded by the Jenkins plugin manager, which in turn can be used to execute arbitrary code.
Permission | Description |
---|---|
Administer | Make system-wide configuration changes. Perform highly sensitive operations that amount to full local system access (within the scope granted by the underlying OS). |
Read | View almost all pages within Jenkins. |
RunScripts | Run Groovy scripts via the Groovy console or the groovy CLI command. |
UploadPlugins | Upload arbitrary plugins. |
ConfigureUpdateCenter | Configure update sites and proxy settings. |
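An added example, not part of the Jenkins documentation: an offline audit of a controller's config.xml that reports every user or group holding RunScripts, UploadPlugins or ConfigureUpdateCenter without Administer, plus any Administer-level grant to anonymous or authenticated. The `<permission>` entry layout (`[TYPE:]permission-id:sid`) and the sample file are assumptions constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# "Overall" permission ids; the three in ADMIN_EQUIVALENT are the ones the
# page describes as at least as powerful as Administer.
ADMINISTER = "hudson.model.Hudson.Administer"
ADMIN_EQUIVALENT = {
    "hudson.model.Hudson.RunScripts",
    "hudson.model.Hudson.UploadPlugins",
    "hudson.model.Hudson.ConfigureUpdateCenter",
}
BROAD_SIDS = {"anonymous", "authenticated"}

# Constructed sample, not taken from a real controller.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:alice</permission>
    <permission>USER:hudson.model.Hudson.Read:bob</permission>
    <permission>USER:hudson.model.Hudson.UploadPlugins:bob</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Hudson.RunScripts:authenticated</permission>
    <permission>GROUP:hudson.model.Item.Build:developers</permission>
  </authorizationStrategy>
</hudson>"""

def parse_grants(config_xml):
    """Return {sid: set of permission ids} from the matrix <permission> entries."""
    grants = defaultdict(set)
    for node in ET.fromstring(config_xml).iter("permission"):
        text = (node.text or "").strip()
        head, _, rest = text.partition(":")
        if head in ("USER", "GROUP", "EITHER"):  # assumed optional type prefix
            text = rest
        perm, _, sid = text.partition(":")
        if perm and sid:
            grants[sid].add(perm)
    return grants

def audit(config_xml):
    """List (sid, admin-level permissions, is_broad_principal) worth reviewing."""
    findings = []
    for sid, perms in sorted(parse_grants(config_xml).items()):
        powerful = sorted(perms & (ADMIN_EQUIVALENT | {ADMINISTER}))
        broad = sid in BROAD_SIDS
        # Report admin-equivalent power held without Administer, or held by everyone.
        if powerful and (ADMINISTER not in perms or broad):
            findings.append((sid, [p.rsplit(".", 1)[1] for p in powerful], broad))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Each reported principal should be treated as a full administrator when reviewing who can change the controller.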
Slave
Permission | Description |
---|---|
Configure | Configure existing slaves. |
Delete | Delete existing slaves. |
Create | Create new slaves. |
Disconnect | Disconnect slaves or mark slaves as temporarily offline. |
Connect | Connect slaves or mark slaves as online. |
Job
Permission | Description |
---|---|
Create | Create a new job. |
Delete | Delete an existing job. |
Configure | Update the configuration of an existing job. |
Read | Grants read-only access to project configurations. |
Discover | Redirect anonymous users to a login form rather than presenting an error message if they don't have permission to view jobs. |
Build | Start a new build and cancel a running build. |
Workspace | Retrieve the contents of a workspace that Jenkins has checked out for performing a build. |
Cancel | Cancel a running build. |
Run
Permission | Description |
---|---|
Delete | Delete specific builds from a build's history. |
Update | Update the description and other properties of a build. (For example, to leave notes about the cause of a build failure.) |
View
Permission | Description |
---|---|
Create | Create new views. |
Delete | Delete existing views. |
Configure | Update the configuration of existing views. |
Read | See any existing views. |
SCM
Permission | Description |
---|---|
Tag | Create a new tag in the source code repository for a given build. |