Hello, first of all, congratulations you are the first to create a good plugin to reorganize how Hudson works with user/group/permissions.

Second, I have a question, how can I configure a role to have permissions on 2 projects with diferent names, like ProjectABC and BuildMyProject? how to put it on Pattern field?

Is it possible to add new roles/users via CLI or remote API?

The problem is, that we need to do this fully automated and by updating the configuration file directly, we would have to restart hudons after a modification right?

I'm trying to add a project role with a role name and a regular expression. When pressing the add button, nothing happens.
I tried it also with a regular expression ".*" which should cover all my projects, but even then, nothing happens.
TRied to check Hudson log files, but no output found from plugin.

Hello, this is a very nice plugin.

On my local hudson configuration, your

However, on the production server, I encounter a problem.

On the main board (with the project list), I'm always asked to enter my login/password even when I'm already logged in.

Sometimes, i can access this page, but can't explain when and why.

Strangely, I have no problem to access other pages (configuration, users...)

Configuration :

Customed Hudson v1.364 (no major changes)

I'm using an LDAP based anthentication + LDAP groups

I have some users in several groups.

Thank's in advance for your advice

Hello again,

Just to say there are some small mistakes in the french property file :

You wrote "&ocric;" instade of "&ocirc ;" (I added a space in order to make it appear)

Bye

Ok, you will never believe me about the previous bug (asking me to authenticate myself) :

There is certainly a bug with Firefox. Here are the steps :

Configuration :

- Firefox 3.0.19

- Internet Explorer 7

1 - I log in on firefox

--> I have the error

2 - I open Internet Explorer

3 - I log in with IE (same user or not makes no difference)

--> No error on IE

4 - I go back on Firefox

5 - I refresh the page

--> No error !

If I logout and login again on Firefox --> The bug come back

It's just like the privileges index is not well refreshed when loggin with Firefox

That's kind of magic

(Still no bug on local)

Hi,
Thanks for this plugin - it is very useful.
I recently upgraded to version 1.386 of hudson. I'm not able to add roles/group at project level.
I click on the "add" button & nothing happens.

Can any one confirm?

Thanks,

I really like this plugin since it allows to hide some 'internal' jobs (which are not fully tested or just meta-steps in a job chain) and show them only to authenticated users - thank you very much.

But: if I set the global role for anonymous to

<permission>hudson.model.Hudson.Read</permission>

and then add a project role to some jobs with

<permission>hudson.model.Item.Read</permission>

the anonymous user can not only see the jobs I granted to him, but also the sidebar information! This might cause some trouble since the sidebar shows the build executors and in my case also the userContent directory on the hudson server. Is it possible the restrict the view on the sidebar in the same fashion as for projects?

Hi, this plugin is very useful to us, thanks.

Sorry if this is a FAQ or my mistake, but I suppose that
this plugin outputs data to config.xml without sorting elements, for example:

• permissions/pemisson
• assignedSIDs/sid

Of course, this is no harm, but as a result,
simple diff of config.xml (ex. jobConfigHistory plugin) becomes very dirty ...

Hi,

I'm using Promoted builds plugin. The "promote" right is displayed in global authorization matrix, but not in role strategy matrix.

Can you please add it?

I don't know if this has been asked before, but I am tryign to use the Logged-in users can do anything.  I was wondering though how do you create a user?  I cannot log into my system to do anything at this point.  Thanks.

Is it possible to reset all security settings?

Are there plans to add a default authenticated user role (basically the opposite of anonymous)? This is similar to the Logged-in users requested, I want authenticated users to be able to perform certain operations without having to manage them individually.

I'd like to close access for Anonymous except Overall/read but I can't use RSS notifications because I have to login in first. Does somebody know some workaround?

Plugin crashes tomcat6,
We are using Windows XP, IE8

Anybody has faced same problem?

Please Help!!

I'm having trouble with the project roles.

I have a project called “reporting_build”, and I created a role called “reporting” with the pattern “reporting_build” with all permissions enabled.

I then assigned a user (mark) to that role.

But when mark logs in, I get “Access Denied, user is missing the Read permission”.

If I assign mark to a global role, i can log on and see everything (which, of course, is not what I need).

I've googled “missing the Read permission”, but I haven't found anything that's relevant.

What does this error mean? Is it a problem with the role set up, or is there a more fundamental configuration issue that I'm missing?

I'm using Hudson 2.2.0 with Hudson's user database and v1.1.2 of the plug in.

Thanks for any pointers.

I get issue with project specific role.. Global setting always takes precedence and project specific role is ignored.. I am trying to make separate group /User to own there own jobs without modifying / restricting other Jobs..  

I tried following steps above.

Hi Guy's,

is it possible to connect to jenkins via CLI while this plugin is enabled?

Hi Guys,

 This plugin is giving awesome features on securing the Jenkins .Thanks for the plugin

 We are struggling to update the project roles for the users .Is there any future release with filtering the users based on roles or user?

 If we have filter in the assign roles matrix that would be very great and helpful to most of the users

 And also i found some issue with current version of the plugin. It is not working with latest version (1.27) of AD plugin

Thanks Romain

will get in touch with Daniel

Hello,

Can you correct French translations ?

In the "Manage and Assign Roles" page > "Global roles" > "Role" > "Run" translate in "Lancer" but it will better with "Historique des builds"

In the "Manage and Assign Roles" page > "Global roles" > "Role" > "View" translate in "Voir" but it will better with "Vues"

To translate other phrases, do you want help?

Thank you

Hello,

Can you correct French translations ?

In the "Manage and Assign Roles" page > "Global roles" > "Role" > "Run" translate in "Lancer" but it will better with "Historique des builds"

In the "Manage and Assign Roles" page > "Global roles" > "Role" > "View" translate in "Voir" but it will better with "Vues"

To translate other phrases, do you want help?

Thank you

Hi,

I have stumbled upon and issue which I am not sure qualifies as a bug for I might be doing something wrong.

I have two roles:

a.builders which have build permissions - these users should be able to build a pattern of a(.*) build name pattern

a.releasers which have release permissions - these users should be able to build and release a(.*) build name pattern
users in either group have the ability to release which is kind of missing the point - the question is how does the plugin apply the permissions, the release permission is introduced only if the release plugin is installed and my question is why isn't the permission applied. - let me know if I should file a bug.

Thanks,HP

Need help here how to do

I need to create multiple groups like raildev here who can login only with their defined view & access permission( with set of pattern matching jobs-trains.*). + cant view to other jobs in other's view.

but right now when raildev user logs in he is able to view all other views also & its job. How can i hide this?

I needed to give users the ability to manually trigger a set of jobs, all of which had a common prefix in their names. I thought I had to tediously modify each of them using the "Project-based matrix authorization strategy".

But then I ran into your plugin, and set everything up in a matter of minutes. Thanks very much, works great! 

I set the pattern to any of j* ,  j.*  , j. , "j."  for a job that is named jenkinstest but every time I get an error during login with the user who is assigned to that role. Should you use double quotes when creating the pattern or quotes not needed?

If I assign the user to admin role then the user can login successfully. I am using the Collabnet plugin for authentication.

HTTP Status 404 -

type Status report

message

description The requested resource is not available.

Apache Tomcat/7.0.30

Hi,

I have configured the plugin and it works well. However, I have noticed that the plugin does a case sensitive match when searching for usernames. 

I personally think that this search should be case insensitive. Is this a bug or is this how the plugin has been designed to work? This is causing us a lot of grief as we have to add each user twice , once with uppercase username and one with lowercase username.

Please advise..

Regards

Would be nice to give some people access to create their own jobs, and for them to have full access over their own jobs that they created automatically.  Perhaps a way to restrict their job names to always start with a certain prefix, then we could just give permissions to that prefix.

Hi

we are using this plugin to server our needs for segregating the Job access to users based on the  Job name

we are having some issues using regex .Manage and Assign Roles-> Manage Roles->Project Roles  is not working. the regex is not working. 

say we are trying to apply the regex for all job names starting with "test" with ignoring case.( like "(?!)test.*" ). this is not able to filter the jobs. i have tried this using the latest version of the update too. Any suggestions :)

Thanks a lot Oleg:) i overlooked the symbol..it working now thanks  alot

Thanks a lot, This is really a great plugin. I have a doubt and requirement.

I am using ldap authentication for the jenkins and using role-based-stategy plugin for authorization.

My problem is that i can not put the list of user in the global roles because

1. there is huge list.

2. Even i don't know the complete list because users are being added and deleted in ldap.

I would like to have something like "*" which should include all users, so that users added or deleted will not be manual task in jenkins.

Thanks,

Vishal

I'm wondering:

"It should be noted that the Global Roles override anything you specify in the Project Roles. That is, when you give a role the right to Job-Read in the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Project Roles."

What is the rational behind this? It is very counterintuitive and IMHO makes no sense at all. Everyone I know would assume exactly the opposite. I guess it is now to late to change that ... but I wonder why it came to that decission.

Hi,

Could you please add a bit more detailed description of the slave roles to this wiki? Unfortunately the help is not available for the pattern variable of the slave role section at the Manage Roles page. And how will these Slave Roles work against Global Roles. If I want to restrict a group of user to be able to build only a group of slaves in Jenkins I have to leave the Build right empty on global level for these users?

Thanks!

Hello,
Can you expand on this note for the 2.2.0 release?

Support of Create Job permissions since jenkins-1.566 (issue #19934)
   - The permission requires the specific item name validation strategy, which should be selected in Jenkins global configuration

I'm trying to understand what is meant by "The permission requires the specific item name validation strategy".

Thanks,
Ben

Is there a role provided to allow users to edit their own profile? I'd like to allow users to access /user/[username]/configure without granting all users administrative rights.

I've been trying to get the ?i case insensitivity switch to work on Assign Roles/Global Roles so it works the same way as Active Directory but I can't seem to make it work.  Is it possible?

Is it possible to require a user to be part of two groups to access certain builds? Like say I have ldapGroupA and ldapGroupB, and I want to require that the logged in user has access to both groups to have role N.

Hello again! So I think maybe I miss spoke when I said "certain builds". I mean to continue using the plugin as it is used now, by assigning groups to roles in order for them to have access to a project. It's just that I would need to be able to specify that the current user be part of two groups to be granted that role. If that is not possible I'm more than happy to try and contribute to the plugin, I'm just a little uncertain on where to start.

Great plugin!  Is it (yet) possible to update projects / assign roles via means outside of check boxes?  I would like to do so from a groovy script.  For example, I'd like to pull redmine groups / permissions and apply them to Jenkins.  Thanks!

Hello. I'm trying to use this plugin to restrict access to a jenkins slave. The setup that I am working with has only a single slave. My slave role has a pattern of ^.*$ and all of the permissions are enabled. I then assign this role to an LDAP group and members outside that group are still able to run jobs on the slave with the slave being specified in the job using the "Restrict where this project can be run" setting. I have tried various things like creating a role with no permissions and the slave node as the pattern and assigning that role to the group that should not be allowed to run things on the slave, but nothing seems to have any effect on the job being able to run on the slave. The test user I have in the LDAP group is always able to run the job on the slave. 

Any suggestions?

Hi Oleg,

We have a custom UI on top of Jenkins and I would like to get a role of a user.

Please advise how can I get the user role using the REST API?

If it is not implemented do you have some plan to do this?

Regards,

Dmitry

Hi guys,

I'm trying to configure a restrict permissions using this plugin for users and groups on my AD based on our internal policy on Jenkins.

The scenario that I'm working on is:

-jenkins 1.579
-role strategy plugin 2.2.0
-AD win 2k8

The "configuration to be expect" should be:

(Role) "Role 1" -> assigned to ->(Group) Group A ->that contains ->(Group) Group B ->that contains -> users.

The workaround that we have implemented is:

(Role) "Role 1" ->assigned to ->(Group) Group B ->that contains -> users.

The issue seems due to nested group on AD that doesn't works correctly with the plugin.

Any suggestion would be appreciated.

Thank in advance for your help.

Best Regards.

Michele

I would like to create a setup in which:

• The ability to run builds on slaves is restricted by LDAP group membership. Essentially, users in a certain group can run builds on their own slave, but not on a slave "belonging" to another group.
• A project's configuration is completely agnostic to slave restrictions. So, there would be no "job ownership" or "project roles" involved, and no need to name projects any particular way.

Is such a capability available now, or in the pipeline?

(Currently running: Core 1.565.1, v2.2.0 of Role Strategy plugin, v0.3 of Job Restrictions plugin, v0.5.1 of Ownership plugin)

Hi Oleg,

      We had ldap integration and "authenticated" user bit was working fine to assign role for the logged in user.
However after SAML integration for SSO, "authenticated" user role stopped working without throwing any error.
Role based strategy plugin is working fine for individual users but it is not working for authenticated users.

Any idea where could be the problem?

I already raised a ticket https://issues.jenkins-ci.org/browse/JENKINS-27829

Why overall read necessity is a stupid idea

Because I don't want anyone to see all the jobs! I want testers to see jobs that are related to them. I want administrators to have their playground that is not visible to others. Maybe I want testers to give authorization to build all the jobs, so that authorization plugin don't have problems to run them as testers, but I don't want them to be able to run them directly. Well tell me just what is it good for and I'll shut my mouth.

If it is necessary somehow because of the code, wouldn't it be possible to decline some read authorization at least? Just get me rid of that stuff. Please.

I'm trying to use this plugin but it got me all confused but not sure if its working.

I've created few roles like DevManager with privileges like only Read for builds and DevLead with create/delete jobs.

and I created users for both roles and assigned users for both roles. but when I login as user of both roles i see the same

screens and privileges. Even the DevManager is able to create/delete jobs and users which I've haven't given them.

I've only created Global roles, no project level roles. But nothing seems to be working unless I missed something.

Is there anything I missed other than creating the users and roles and assigning users to the roles?

Thanks,

Sunder

Could you please update the documentation in terms of project based credentials? I would like to set up project based credentials, but it is not clear how is it working. If I add a global read credential permission to my user, it can see all the credentials, if I remove the global read permission, it cannot see anything. I am unable to see how the project based credentials affect the global visibility of the credentials.

Could you please advise?

Thank you!

Chris

We have numbers as our usernames. I am wondering if this plug-in could be enhanced to allow a text column to the far right or left for each User/group (in Assign Roles). We could then add a user and use the description for their real names.

Hi,

what if I lock myself out on a project/job level? I enabled the auth for a job, added some user, after some time I removed everyone and - accidentally - pressed save button. After that I can not see the config and noone else can. 

I have updated the job's config.xml, but it did not help. I removed the whole security section from there, still not ok. 

I can not copy the job. 

Any ideas?

br,

Gabor

Environment:

OS: Windows Server 2012 64-bit

Jenkins: 2.7

Role-based Authorization Strategy: 2.2.0

Folders plugin: 5.11

We have a top-level folder called Technical_Support and one job in this folder: Test1. I've created the following project roles and patterns:

Developer_A: ^Technical_Support/.*

Developer_A2: ^Technical_Support.*

Developer_A3: ^Technical_Support\/.*

and I've created the following global roles and permissions:

Overall_Read: Overall/Read and Job/Discover

In roles assignments, I have the following roles/assignments:

Global: authenticated: Overall_Read

Project: brbennett: Developer_A, Developer_A3

Issue: This configuration does not give user brbennett any permissions to jobs in folder Technical_Support. We have to use role Developer_A2 in order to get permissions so it would appear that I'm not coding the pattern for the folder correctly. However, that pattern does not include the '/' delimiter so it could match Technical_Support/testjob1 and Technical_Support2/testjob2 and job Technical_Support_job in the root. Is there a coding method I can use to specifically have it apply to only folder Technical_Support?

Is it necessary to enable "Role-based Strategy" in order to see the Manage Jenkins >> Manage Roles section? I was hoping to configure the roles while using the existing strategy so as not to affect production, and let flip it over when ready.

Thanks

Hi All,

I am using Role-based Authorization Strategy in my organization for managing and assigning roles to users. In my Manage and Assign Roles -> Assign roles tab, I have 160 users for Global Roles and 160 users for Project Roles. When I tried to add 161th user to the Project Roles, it threw a "FormContentSize" error. But I was able to add when I removed an existing inactive user. So my question here is does this plugin has the limitation of users to 160/320, if yes how can we bump the number of users. 
Any help would be highly appreciated. 

Hi,

Similarly to "Project roles" and "Slave roles", is it possible to also add "View roles" to better control permission for view reading/editing? Thanks a lot!

Is it possible to use roles to provide them as "submitter" argument for the pipeline "input" step?

I have a question to the Project Roles. The text states that: "...First, assign that user/ group to read/ discover permissions with pattern " ^foo.* ", then assign that same user/ group to the more particular permissions with pattern " ^foo/bar.* "...". I tried to do this. But as soon as I try to add my Role "SystemEngineering" a second time, with a different pattern, i get the error "Entry for 'SystemEngineering' already exists". What am I doing wrong?

So I seem to be having an issue.   I use LDAP for authentication and want to restrict the users abilities to build on given nodes.  I installed this plugin along with Authorize Project plugin.   I have configured the project to run as the user that triggered the build.   In the roles I have setup two different levels of permissions, one set should be allowed to run all their jobs on one slave and not the other and vice versa.  So I have left all AGENT permissions in the Global Permission unchecked.  I then configure those permissions as all enabled for the node that matches the name based on the regular expression pattern defined.  I assign the specific user one of the global roles and then the appropriate node specific role.  I even made a very generic .* rule so that any node name would match.   Seems that the rules are not even checked and I get a 'pending—Waiting for next available executor'  in jenkins.  Has anyone else seen this issue?   

Hi, can anyone tell me how to do a subtraction/exception with the project role patterns? For instance, I want to specify anything starting with a capital letter, except for a folder called "Admin". So I want to say [A-Z].*(except)Admin

Now, the (except) is the bit I don't know how to write. I've tried ^ and !. Also, what regex specification does this use? Doesn't seem to be Java because in Java ^ is the the exception operator.

Hi, I'm trying to allow a user to create credentials in the Jenkins root, but not inside any other folders.

I'm trying to do this by specifying a pattern regex for anything not containing a forward slash (/):

[^/]*

but for some reason it's allowing the user to do exactly the opposite, to create credentials within folders and not in the root.

I also tried specifying that the user may create credentials so long as they're names are completely alphanumeric:

^[a-zA-Z0-9]*$

Which implies that there are no forward slashes in the path. But I still get the opposite behavior.

Can anyone please help?

This is an amazing plugin and I have been using it for some time.

One feature I can think of for this plugin is "Redirecting Jenkins Home Folder based on Project" . 

We can have one more option while configuring the permissions and set Home folder for each project.

So if a user having access to a particular project access Jenkins, then he should be redirected to the project folder directly.

Eg - Instead of http://localhost:8080/jenkins/, it will be nice to redirect to http://localhost:8080/jenkins/job/[FolderName].

Thanks,

Vishnu

Hello,

I am new to curl and JENKINS as well. I am trying to list the roles as shown in the example provided: 

• List roles: curl -X GET localhost:8080/role-strategy/strategy/allRoles

However, this page is not found. Could someone kindly tell me the URL I should be using. I am also unable to create and assign roles using the provided examples..

curl -X GET https://jenkins.xxx.xxx/role-strategy/allRoles --user xxx:xxxx

<html>

--

<body><h2> HTTP ERROR 404</h2>

<p> Problem accessing /role-strategy/allRoles. Reason:

<pre> Not found </pre></p>...

--

</html>

Hey,

Recently it's been happening a lot that some users get a 'USER is missing the Overall/Read permission' error. They do have this permission, and all I have to do is restart in order to fix the problem.

Any idea what could be causing this or how I could fix it?

Kind Regards,

Jeroen.

Hi

Is it possible to create a role manager which will be allowed to manage role for a folder/project? I'm just explaining what's going on.

I keep jobs grouped in folders. One folder per project. Folder contains some jobs. In global roles authenticated group can only build or cancel job. It cannot create a new item or configure existing ones.

In Project roles I've created a new role Test jobs which matches to ^Test jobs(/.*)? and can create, configure or delete a job. And I've assigned authenticated to Test jobs in Item Roles and it works. But I would like to create local admin or manager role which will be able to assign any user to Test jobs role.

King Regards, Piotr

Hello,

Can you please advise me on how to input the project role pattern for the project role type via CURL ?

• Add Role: curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=globalRoles&amp;roleName=ADM&amp;permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&amp;overwrite=true"

Thanks in advance.

Thanks,

Ashok Kumar Srinivas

would like a way to add a sid without assigning to a role (for automation reasons)

JENKINS-37856 - Getting issue details... STATUS  Facing this issue , can someone help me understand if this is a LDAP Plugin isue or Role Strategy Plugin Issue

I've asked this question before but had no luck so I'm rephrasing and posting it again. I'm trying to write a regex to refer to the Jenkins root. To allow a user to create credentials globally, but not inside any folders. I've tried these:

• Anything not containing a slash: [^/]*
• Empty: ^$

I've had no luck with either. Is it possible to do this?

Here is a feature request:  On the "Assign Roles" page would it be possible to show the Full Name field for each user (assuming they have entered it on the Profile configure page)?  The reason I ask is that ours is a part of a large organization which assigns userid's that are not indicative of the person's real name, making administrative management of the Assign Roles page more difficult than it needs to be as more users are added to the system.

First thank you for your good job!

Your plugin is powerful, and easy to use, but still I have some difficulties, about your plugin, and about Jenkins, hope you can help me.

1. Jenkins can manages users, but I cannot create group to put some users in it so I can easily assign permissions as a whole. Suppose when I use Jenkins in a large organization with 200 engineers, I have 20 projects, every project has 10 people with the same permissions , in fact I would like to manage 20 groups, not 200 users. But now I use your plugin, I have to deal with 200 users, a huge authorization matrix, it's a terrible thing. Maybe I use Jenkins and your product improperly? 
2.Your plugin maybe provide the functions like backup and import? Once a colleague uninstalled your plugin without my agreement, this made me lose my configuration data.

Hope you well, thank you!

I have a parameter called Environment with values "dev, test and prod". Is there a way that I can restrict some users not to display the prod option at all. else do we have option not to build when demo is selected for some users. 

Can some one help me with example

Assign Role api can not assing multi user when the type is projectrole
It's may be a bug. I call many times the Assign Role api at the same projectrole only assign the last user.The global role not like this

Hi Guys, today i try to use this plugin, but i have some problem.

i try to assign two different Project Roles like:

Developer Dev*    with Any JOB,Run,SCM grants     

 Tester      Test*          with Any JOB,Run,SCM grants

and at Global level both user are member of "Employee" roles and have grant to read OverAll and any grant to View

but when i try to login i received message like :

Access Denied

devuser is missing the Overall/Read permission

I install all on selfinstaller for Windows on Win2k12, try using firefox and explorer

have someone find the same problem?

Hi,

I am trying to use this plugin to control ability to execute a job and observe different behavior for GUI access and Gitlab webhook trigger.

I have a user having two project roles - first granting 'Job/Read' for all jobs and the second granting Job/Build just for some subset of jobs.

I the global role, the Job/Build permission is NOT granted.

When I log into Jenkins and browse the web GUI the behavior is correct. I see all builds and can trigger just some.

And now gitlab - I use Gitlab plugin and have enabled /project end-point authentication (no checking would have been performed otherwise). In Gitlab I've located some project and a set up two webhooks - one for the job that is permitted to be triggered and the second to job that should be denied to trigger.

When testing the webhooks, I always observe the same behavior - both are denied. When I enable Job/Build in the global role, than both are permitted.

Have anyone tried the same?

Of course, I can't tell whether this is a problem in this plugin or in Gitlab plugin.

How to freeze the grid header for the entier table in assgin role ?

Hi, is it possible to define a role that can only configure the jenkins but is not able to build or configure jobs?

Thanks and regards

Andreas