Adds a new role-based strategy to manage users' permissions.

Plugin Information

View Role-based Authorization Strategy on the plugin site for more information.

Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:

About this plugin

This plugin adds a new role-based strategy that makes user management easier and faster. The strategy allows:

  • Creating global roles, such as admin, job creator, anonymous, etc., which grant Overall, Slave, Job, Run, View and SCM permissions on a global basis.
  • Creating project roles, which grant only Job and Run permissions, on a per-project basis.
  • Creating slave roles, which grant node-related permissions.
  • Assigning these roles to users.


User guide

Getting started

Using the plugin is fairly simple:

  1. Activate the Role-Based Strategy on the standard Manage Jenkins > Configure System screen.
  2. Define and assign roles using the Manage and Assign Roles item which appears on the Manage Jenkins screen. You then get the following options:
    • Manage Roles is where roles are set up. Most of it is self-explanatory; the only tricky field is Pattern. This field is a regular expression that must match the full name of the jobs the role applies to (including the folder path, if you're using the CloudBees Folders Plugin). For example, if you set the field to "Roger-.*", the role will match all jobs whose name starts with "Roger-". Note that the pattern is case-sensitive. To perform a case-insensitive match, use the (?i) notation: "Roger-.*" matches only the upper-case spelling, "roger-.*" only the lower-case one, and "(?i)roger-.*" matches both. If you have a nested folder structure and want to grant particular access to a second-level folder (or deeper), use a two-level security structure as well. Say you want to give exclusive write/modify access to foo/bar but not to everything else under "foo": first assign that user or group Read/Discover permissions with the pattern "^foo.*", then assign the same user or group the more specific permissions with the pattern "^foo/bar.*". This is similar to what you'd do in a Unix/Linux environment.
    • Assign Roles is where the defined roles are assigned to users.

Global Roles vs. Project Roles

It should be noted that the Global Roles override anything you specify in the Project Roles. That is, when you give a role the right to Job-Read in the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Project Roles.

It may therefore be advisable to leave most (all) options unchecked in Job, Run and SCM in the Global Roles section for normal users.
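To make the pattern and precedence rules above concrete, here is an added Python example (not part of the original page and not the plugin's own code, which is Java) that models how a permission check is resolved: global roles apply to every job, project roles apply only to jobs whose full name the pattern matches, and permissions accumulate across all roles a principal holds. The role layout, the user names (alice, bob, carol, dave, erin) and the job names are constructed sample data; the plugin checks patterns with Java's Pattern.matcher(name).matches(), which Python's re.fullmatch mirrors, and treating Administer as implying every other permission is a simplification of the Jenkins permission hierarchy.

```python
import re

# Jenkins permission ids in their "<class>.<Permission>" form.
ADMINISTER = "hudson.model.Hudson.Administer"
OVERALL_READ = "hudson.model.Hudson.Read"
JOB_READ = "hudson.model.Item.Read"
JOB_DISCOVER = "hudson.model.Item.Discover"
JOB_CONFIGURE = "hudson.model.Item.Configure"
JOB_BUILD = "hudson.model.Item.Build"

# Constructed sample roles. The dict layout (name, pattern, permissions, sids)
# is an assumption made for this example, not the plugin's data model.
# Global roles have no pattern: they apply to every job (the same as a project
# role with a ".*" pattern). Ordinary users only get Overall/Read globally,
# as the text advises.
GLOBAL_ROLES = [
    {"name": "admin", "permissions": {ADMINISTER}, "sids": {"alice"}},
    {"name": "users", "permissions": {OVERALL_READ}, "sids": {"authenticated"}},
    {"name": "anonymous", "permissions": {OVERALL_READ}, "sids": {"anonymous"}},
    # A global Job/Read grant: erin will be able to read *every* job.
    {"name": "managers", "permissions": {JOB_READ}, "sids": {"erin"}},
]

# Project roles: the two-level foo / foo/bar layering from the text, a
# case-sensitive "Roger-.*" role and its case-insensitive "(?i)roger-.*" twin.
PROJECT_ROLES = [
    {"name": "foo-readers", "pattern": r"^foo.*",
     "permissions": {JOB_READ, JOB_DISCOVER}, "sids": {"bob"}},
    {"name": "foo-bar-devs", "pattern": r"^foo/bar.*",
     "permissions": {JOB_CONFIGURE, JOB_BUILD}, "sids": {"bob"}},
    {"name": "roger-strict", "pattern": r"Roger-.*",
     "permissions": {JOB_BUILD}, "sids": {"dave"}},
    {"name": "roger-any-case", "pattern": r"(?i)roger-.*",
     "permissions": {JOB_BUILD}, "sids": {"carol"}},
]

# Constructed job full names (folder path included).
JOBS = ["foo/bar/build", "foo/baz/build", "Roger-nightly", "roger-nightly", "unrelated"]


def sids_for(user, groups=()):
    """SIDs a principal carries: its user name, its groups and the built-in
    'authenticated' group. The anonymous user carries only 'anonymous'."""
    if user is None:
        return {"anonymous"}
    return {user, "authenticated", *groups}


def role_grants(role, permission):
    """True if the role carries the permission. Administer is treated as
    implying every other permission (a simplification of Jenkins' hierarchy)."""
    return permission in role["permissions"] or ADMINISTER in role["permissions"]


def has_permission(user, permission, job=None, groups=()):
    """Cumulative check: any global role assigned to one of the principal's SIDs
    grants the permission everywhere; a project role grants it only for jobs
    whose full name the pattern matches entirely (re.fullmatch has the same
    whole-string semantics as Java's Pattern.matcher(name).matches())."""
    sids = sids_for(user, groups)
    for role in GLOBAL_ROLES:
        if sids & role["sids"] and role_grants(role, permission):
            return True
    if job is None:
        return False
    for role in PROJECT_ROLES:
        if (sids & role["sids"] and role_grants(role, permission)
                and re.fullmatch(role["pattern"], job)):
            return True
    return False


def readable_jobs(user, jobs=JOBS, groups=()):
    """Jobs the principal may read. Shows that a global Job/Read grant widens
    access to every job, whatever the project roles say."""
    return [j for j in jobs if has_permission(user, JOB_READ, j, groups)]


if __name__ == "__main__":
    for user in ("bob", "carol", "dave", "erin", None):
        print(f"{user!s:<6} reads {readable_jobs(user)}")
    print("bob configures foo/bar/build:", has_permission("bob", JOB_CONFIGURE, "foo/bar/build"))
    print("bob configures foo/baz/build:", has_permission("bob", JOB_CONFIGURE, "foo/baz/build"))
```

Running it shows bob reading both foo/ jobs but configuring only foo/bar/build, dave matching only the upper-case Roger-nightly while carol matches both spellings, and erin reading every job because her Job/Read grant is global.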

Built-in Roles

There are two built-in roles:

  • anonymous: users who have not logged in
  • authenticated: logged-in users

Macros support (since 2.1.0)

Macros extend the analysis of a user's access rights (see @RoleMacroExtension). If a user's SID meets the criteria defined in Roles and Assignments, the analysis is delegated to the extension, which makes its decision according to the instance and the macro parameters.

Available macros

You can get the list of available macros and their descriptions at the JENKINS_URL/role-strategy/list-macros page. Currently the plugin ships only a minimal set of macros, but other plugins can contribute more through extensions.

Known macros:

  • Built-in: @BuildableJob
  • Ownership plugin: Ownership-based roles: @Owner and @CoOwner (will be released in ownership-0.2)

Macro usage

Macros can be used in the following fields:

  • RoleMacros - name of the role
  • UserMacros - not supported yet

Macro format: @macroName[:id][(parameter1, parameter2, ...)]

  • macroName - name of the macro (see the available macros listed above)
  • id - identifier of the macro. A technical parameter which allows the same macro to be used for multiple patterns
  • parameter - additional parameters. Currently they support neither variables nor TokenMacros

Macro string examples:

  • @BuildableJob - Primitive macro invocation. Such an invocation can be used only once in each roles category.
  • @BuildableJob:1 - Macro with an id
  • @ParameterizedMacro(param1) - Invokes the macro with one parameter
  • @ParameterizedMacro:2(param1,param2) - Invokes the macro with two parameters; the id prevents naming conflicts
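The macro grammar above is small enough to parse with one regular expression. The following is an added Python example, not code from the plugin (which is Java): it splits a role name into macro name, optional id and optional parameter list, returns None for an ordinary role name, and flags the duplicate the text warns about, the same macro name and id used twice within one roles category. The function names and the sample role names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Grammar from the page: @macroName[:id][(parameter1, parameter2, ...)]
MACRO_RE = re.compile(
    r"^@(?P<name>\w+)"              # @macroName
    r"(?::(?P<id>\w+))?"            # optional :id
    r"(?:\((?P<params>[^()]*)\))?"  # optional (parameter1, parameter2, ...)
    r"$"
)


@dataclass(frozen=True)
class Macro:
    name: str
    id: Optional[str] = None
    params: Tuple[str, ...] = ()   # tuple keeps the dataclass hashable


def parse_macro(role_name: str) -> Optional[Macro]:
    """Parse a role name. Returns None for an ordinary role name (no leading
    '@') and raises ValueError for a string that starts with '@' but does not
    fit the grammar, so a typo cannot silently become a plain role."""
    text = role_name.strip()
    if not text.startswith("@"):
        return None
    m = MACRO_RE.match(text)
    if not m:
        raise ValueError(f"malformed macro string: {role_name!r}")
    raw = m.group("params")
    # Parameters are literal strings (no variables or TokenMacros, per the page).
    params = tuple(p.strip() for p in raw.split(",")) if raw else ()
    return Macro(m.group("name"), m.group("id"), params)


def duplicate_macros(role_names):
    """Within one roles category a macro with a given name and id may appear
    only once (the id exists precisely to avoid such conflicts). Returns the
    (name, id) keys that occur more than once, in first-seen order."""
    seen, dupes = set(), []
    for rn in role_names:
        macro = parse_macro(rn)
        if macro is None:
            continue
        key = (macro.name, macro.id)
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


if __name__ == "__main__":
    for rn in ("@BuildableJob", "@BuildableJob:1",
               "@ParameterizedMacro(param1)", "@ParameterizedMacro:2(param1, param2)", "admin"):
        print(f"{rn:<40} -> {parse_macro(rn)}")
    print("duplicates:", duplicate_macros(["@BuildableJob", "@BuildableJob:1", "@BuildableJob"]))
```

Parameter values are returned as plain strings because, as the text says, they do not support variables or TokenMacros; an extension that consumes them is responsible for any further interpretation.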

External add-ons

The management interface becomes difficult to use with a large number of users and/or roles. Several Greasemonkey userscripts exist to make the UI easier to use (Jira issue):

Jenkins Role Strategy UI enhancer
This userscript adds a tooltip to the checkboxes indicating the row (e.g. user name) and column (e.g. permission).

Jenkins Role Strategy Role Management Enhancer and Jenkins Role Strategy Role Assignment Enhancer
These userscripts rotate the text in the column title cells on the Role Strategy configuration pages by 90 degrees so they use less horizontal space. Additionally, the first (header) column is repeated at the end of the table.

Version history

Version 2.7.0 (Feb 06, 2018)

Version 2.6.1 (Oct 04, 2017)

Version 2.6.0 (Aug 28, 2017)

  • (plus) PR #30 - Add REST API endpoints to get and unassign roles
    • Examples:
      • Unassign role: curl -X POST localhost:8080/role-strategy/strategy/unassignRole --data "type=globalRoles&roleName=AMD&sid=username"
      • List roles: curl -X GET localhost:8080/role-strategy/strategy/getAllRoles
  • (info) Update Jenkins core minimal requirement to 1.625.3

Version 2.5.1 (July 10, 2017)

Version 2.5.0 (Jun 02, 2017)

Version 2.4.0 (Apr 10, 2017)

This change is a part of the Security release in Jenkins.

  • (error) SECURITY-410 - Prohibit dangerous permissions by default
    • Permissions like "Jenkins.RUN_SCRIPTS" cannot be granted to non-admin users by default
    • After the upgrade to 2.4.0, such dangerous permission configurations will be disabled and reported in the Administrative Monitor
    • "org.jenkinsci.plugins.rolestrategy.permissions.DangerousPermissionHandlingMode.enableDangerousPermissions" system property can be used to allow these dangerous permissions (not recommended)
    • See the referenced issue for more info
  • (error) Fixed escaping of descriptions in the Role Strategy Macros list (JENKINS-38230)

 

Warning!

After the update the dangerous permissions will be disabled, hence some Jenkins instances may require reconfiguration if they rely on dangerous configurations (e.g. RUN_SCRIPTS without ADMINISTER)
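Before upgrading, an administrator will want to know which roles would be affected by this change. The following is an added Python audit example, not code from the plugin or from Jenkins: it scans a role-strategy config.xml for roles that grant a dangerous permission to SIDs that do not also hold Administer, which is the configuration the note above says 2.4.0 disables and reports. The XML layout (roleMap/role/permissions/assignedSIDs) and the sample roles are constructed for this example, and the dangerous-permission set contains only the RunScripts permission named in the release note; the plugin's own list is longer.

```python
import xml.etree.ElementTree as ET

ADMINISTER = "hudson.model.Hudson.Administer"
# Only the permission the release note names (Jenkins.RUN_SCRIPTS); the
# plugin's own list of dangerous permissions is longer.
DANGEROUS = {"hudson.model.Hudson.RunScripts"}

# Constructed config.xml fragment. The element layout is an assumption
# modelled on how the plugin serialises roles; it is not taken from a real
# instance. The "scripters" role is the problematic one: RunScripts granted
# to every authenticated user without Administer.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
    <roleMap type="globalRoles">
      <role name="admin" pattern=".*">
        <permissions>
          <permission>hudson.model.Hudson.Administer</permission>
        </permissions>
        <assignedSIDs>
          <sid>alice</sid>
        </assignedSIDs>
      </role>
      <role name="scripters" pattern=".*">
        <permissions>
          <permission>hudson.model.Hudson.Read</permission>
          <permission>hudson.model.Hudson.RunScripts</permission>
        </permissions>
        <assignedSIDs>
          <sid>bob</sid>
          <sid>authenticated</sid>
        </assignedSIDs>
      </role>
    </roleMap>
    <roleMap type="projectRoles">
      <role name="devs" pattern="^foo.*">
        <permissions>
          <permission>hudson.model.Item.Configure</permission>
        </permissions>
        <assignedSIDs>
          <sid>carol</sid>
        </assignedSIDs>
      </role>
    </roleMap>
  </authorizationStrategy>
</hudson>
"""


def find_dangerous_grants(config_xml, dangerous=DANGEROUS):
    """Return one finding per role that grants a dangerous permission without
    also granting Administer. Each finding names the roles category, the role,
    the offending permissions and the SIDs that currently receive them."""
    root = ET.fromstring(config_xml)
    findings = []
    for role_map in root.iter("roleMap"):
        for role in role_map.findall("role"):
            perms = {p.text.strip() for p in role.iter("permission") if p.text}
            if ADMINISTER in perms:
                continue  # administrators legitimately hold everything
            risky = perms & dangerous
            if risky:
                findings.append({
                    "category": role_map.get("type"),
                    "role": role.get("name"),
                    "permissions": sorted(risky),
                    "sids": sorted(s.text.strip() for s in role.iter("sid") if s.text),
                })
    return findings


if __name__ == "__main__":
    for f in find_dangerous_grants(SAMPLE_CONFIG):
        print(f"{f['category']}/{f['role']}: {', '.join(f['permissions'])} -> {', '.join(f['sids'])}")
```

A role that shows up here will stop working after the upgrade unless it is either removed, reduced to non-dangerous permissions, or given Administer outright; the "authenticated" SID in the sample is the case most worth a second look, since it hands the permission to every logged-in user.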

 

Version 2.3.2 (06/13/2016)

  • (error) Performance: Disable user authorities resolution in permission checks by default (JENKINS-35515)
    • This was done because of the performance degradation reported in 2.3.0
    • The 2.3.0 behavior can be restored with the org.jenkinsci.plugins.rolestrategy.Settings.treatUserAuthoritiesAsRoles system property
    • If you enable it, performance can also be tuned with org.jenkinsci.plugins.rolestrategy.Settings.userDetailsCacheMaxSize and org.jenkinsci.plugins.rolestrategy.Settings.userDetailsCacheExpircationTimeSec
  • (error) Authorities resolution: Catch runtime exceptions from the underlying security realms. Prevents a Jenkins DoS in such cases (JENKINS-35652)
  • (info) Generalize the help message for role patterns (JENKINS-35250)

2.3.1 is skipped due to the typo in the property name

Version 2.3.0 (06/07/2016)

WARNING!

Performance regressions have been reported against this version. Upgrade only after testing.

Version 2.2.0 (06/29/2014)

  • (plus) Support of Create Job permissions since jenkins-1.566 (JENKINS-19934)
    • The permission requires the plugin's item name validation strategy, which must be selected in the Jenkins global configuration
  • (error) Fixed help links in the manage-roles pages (JENKINS-15030)
  • (info) Slave permissions: Allow assignment of permissions that don't belong to the "Slave" group (JENKINS-18978)

Version 2.1.0 (07/20/2013)

Version 1.1.3 (07/10/2013)

  • Prevented exceptions in case of missing roles (JENKINS-18648)
  • Prevented exceptions in case of deleted Permissions
  • Support of folders plugin (JENKINS-17482)
  • Upgraded to Jenkins 1.424

Version 1.1.2 (10/14/2011)

  • Implemented JENKINS-9325: Permissions contributed by plugins can now be managed at the project roles level
  • Upgraded to Jenkins 1.409

Version 1.1.1 (09/19/2011)

  • Fixed JENKINS-8058: "<" and ">" characters were not supported in regular expression patterns

Version 1.1 (06/08/2011)

  • SCM permissions (e.g. Tag) can now be handled at the project roles level
  • Improved UI to handle large installations:
    • Deletion buttons are now also displayed on the left of each table
    • When a table has more than 20 entries, a footer repeating the header is now added
    • It is now possible to edit already defined patterns by double-clicking on them in the Project roles table
  • Fixed some typos
  • Fixed some image display issues

Version 1.0 (09/20/2010)

  • Initial release


176 Comments

  1. Hello, first of all, congratulations you are the first to create a good plugin to reorganize how Hudson works with user/group/permissions.

    Second, I have a question: how can I configure a role to have permissions on 2 projects with different names, like ProjectABC and BuildMyProject? How do I put it in the Pattern field?

    1. Simply build a regular expression which fits that: (ProjectABC.*|BuildMyProject.*)

  2. Is it possible to add new roles/users via CLI or remote API?

    The problem is, that we need to do this fully automated and by updating the configuration file directly, we would have to restart hudson after a modification right?

    1. No it's not possible yet (+ yes, you're right, you would have to restart Hudson). May you create a JIRA ticket for that please? I've just requested through the ML for the creation of the JIRA role-strategy component.

  3. Unknown User (michil)

    I'm trying to add a project role with a role name and a regular expression. When pressing the add button, nothing happens.
    I tried it also with a regular expression ".*" which should cover all my projects, but even then, nothing happens.
    Tried to check Hudson log files, but no output found from plugin.

    1. Please create an issue in JIRA with screenshots + the technical configuration.

  4. Unknown User (valley.antoine)

    Hello, this is a very nice plugin.

    On my local hudson configuration, your

    However, on the production server, I encounter a problem.

    On the main board (with the project list), I'm always asked to enter my login/password even when I'm already logged in.

    Sometimes, i can access this page, but can't explain when and why.

    Strangely, I have no problem to access other pages (configuration, users...)

    Configuration :

    Customed Hudson v1.364 (no major changes)

    I'm using an LDAP based authentication + LDAP groups

    I have some users in several groups.

    Thank's in advance for your advice

  5. Unknown User (valley.antoine)

    Hello again,

    Just to say there are some small mistakes in the french property file :

    You wrote "&ocric;" instead of "&ocirc ;" (I added a space in order to make it appear)

    Bye

    1. Hi,

      Thanks for reporting the typo. I've fixed that locally and will commit once SVN is fully back.

      May you next time create an issue in JIRA to report bugs/request enhancements?

      Regards.

  6. Unknown User (valley.antoine)

    Ok, you will never believe me about the previous bug (asking me to authenticate myself) :

    There is certainly a bug with Firefox. Here are the steps :

    Configuration :

    - Firefox 3.0.19

    - Internet Explorer 7

    1 - I log in on firefox

    --> I have the error

    2 - I open Internet Explorer

    3 - I log in with IE (same user or not makes no difference)

    --> No error on IE

    4 - I go back on Firefox

    5 - I refresh the page

    --> No error !

    If I logout and login again on Firefox --> The bug come back

    It's just like the privileges index is not well refreshed when logging in with Firefox

    That's kind of magic

    (Still no bug on local)

    1. OK.

      Kindly create an issue in JIRA (if not already there) for the Hudson core component (since it's not related to the Role Strategy plugin).

  7. Unknown User (raghuram_028@yahoo.com)

    Hi,
    Thanks for this plugin - it is very useful.
    I recently upgraded to version 1.386 of hudson. I'm not able to add roles/group at project level.
    I click on the "add" button & nothing happens.

    Can any one confirm?

    Thanks,

    1. Which browser are you using? It highly depends on it. E.g., it works fine on Firefox 4.0 but not on Internet Explorer 6.0.

      1. Same problem here, using IE 8.

        Do you have any more detailed information, what the problem causes?

        Is there a chance, that this problem can be solved?

        (IE is company standard)

        Thank you in advance.

  8. I really like this plugin since it allows to hide some 'internal' jobs (which are not fully tested or just meta-steps in a job chain) and show them only to authenticated users - thank you very much.

    But: if I set the global role for anonymous to

    <permission>hudson.model.Hudson.Read</permission>

    and then add a project role to some jobs with

    <permission>hudson.model.Item.Read</permission>

    the anonymous user can not only see the jobs I granted to him, but also the sidebar information! This might cause some trouble since the sidebar shows the build executors and in my case also the userContent directory on the hudson server. Is it possible the restrict the view on the sidebar in the same fashion as for projects?

    1. How have you added the userContent dir in the sidebar? Is it a plugin or a direct modification to Hudson core? In both cases, what you have to do is to add a new permission or to reuse an existing one in order to protect your sidebar.

      1. Thanx for your help, I added the userContent via the Sidebar-Link Plugin. Could be please be a bit more concrete how to add a new permission? Do I have to modify the source of the plugin or of Hudson core?

  9. Hi, this plugin is very useful to us, thanks.

    Sorry if this is a FAQ or my mistake, but I suppose that
    this plugin outputs data to config.xml without sorting elements, for example:

    • permissions/pemisson
    • assignedSIDs/sid

    Of course, this is no harm, but as a result,
    simple diff of config.xml (ex. jobConfigHistory plugin) becomes very dirty ...

    1. I think I can implement sorting easily since the plugin uses its own converter to serialize data.
      May you please fill an issue in JIRA to track that? Thanks.

      1. I posted JIRA, instead of Takesh.
        I'm a newbie of JIRA, so feel free to modify this report (including my English) and please don't hurry to fix this tiny problem.

        Thanks in advance !

  10. Hi,

    I'm using Promoted builds plugin. The "promote" right is displayed in global authorization matrix, but not in role strategy matrix.

    Can you please add it?

    1. This is something I have to do for some time now. May you please create an issue in JIRA about that so that I don't forget? Thanks.

  11. I don't know if this has been asked before, but I am trying to use the Logged-in users can do anything.  I was wondering though how do you create a user?  I cannot log into my system to do anything at this point.  Thanks.

  12. Is it possible to reset all security settings?

    1. I guess you're asking for this: Disable security.

  13. Are there plans to add a default authenticated user role (basically the opposite of anonymous)? This is similar to the Logged-in users requested, I want authenticated users to be able to perform certain operations without having to manage them individually.

    1. We really would have found an "Authenticated" user useful here as well.  We have the case where we would like to allow anyone to start a type of build, but would like to track who started the builds.  An authenticated user would allow us to do this.

      1. I have raised the issue https://issues.jenkins-ci.org/browse/JENKINS-13029 for this feature request. Please Vote if you think it is a good idea.

  14. I'd like to close access for Anonymous except Overall/read but I can't use RSS notifications because I have to login in first. Does somebody know some workaround?

  15. Plugin crashes tomcat6,
    We are using Windows XP, IE8

    Anybody has faced same problem?

    Please Help!!

    1. Don't attach log files to this page: This is a wiki, not a bug tracker or a support tool. Please use appropriate tools for that: Take a look at the users mailing list or at JIRA.

      1. Sorry about that, i just updated my comment.But could you at least tell me why am i facing above issue

  16. I'm having trouble with the project roles.

    I have a project called “reporting_build”, and I created a role called “reporting” with the pattern “reporting_build” with all permissions enabled.

    I then assigned a user (mark) to that role.

    But when mark logs in, I get “Access Denied, user is missing the Read permission”.

    If I assign mark to a global role, i can log on and see everything (which, of course, is not what I need).

    I've googled “missing the Read permission”, but I haven't found anything that's relevant.

    What does this error mean? Is it a problem with the role set up, or is there a more fundamental configuration issue that I'm missing?

    I'm using Hudson 2.2.0 with Hudson's user database and v1.1.2 of the plug in.

    Thanks for any pointers.

    1. I got it to work.

      I went back and followed the example above slavishly and discovered that you need to have the global anonymous role with overall read permission set.After that, everything worked as advertised. It seems odd that the plug-in doesn't set that permission autom-magically.

      The anonymous user is quite useful.

      • If the global anonymous job read permission is set, anybody can see the status of projects. Let's the managers see but not touch.
      • If you allow users to sign up, they can then access any project roles that are assigned to anonymous. We have contractors rotate through regularly, and being able to give them access to some functions without administrative overhead is quite handy.

      A cool plug-in.

      1. Yes, a very critical part of the configuration that was not explicitly mentioned. In my case, I don't want Anonymous being able to read, so I substituted Anonymous for authenticated users.

  17. I'm not sure if this can be classified as a bug but I just discovered this while doing some testing.

    Don’t laugh @ my job names and views as they are fake. I work for a large org and I'm setting up a CI environment for my division so we have a CI QA space for testing and experimenting. I setup this Jenkins space to simulate multiple teams with one team having multiple projects (multiple apps). I'm using LDAP for login authentication. The job naming convention will determine the group. For example: all apache-* jobs belong to team Apache.

     What I did:

     In the Manage and Assign Roles view, I created a role called apache_only_access (only users assigned to role can change apache-* jobs) and grant it the global permission to create jobs.

     In Project Roles, I granted role apache_only_access full project permission.  I then assigned a specific user (user1) to this role. This works beautifully.

     User1 has read-only access to the other jobs but cannot make any changes. User1 can only modify the apache-* jobs.

     User1 can also create a new job as long as the job name begins with "apache" For example, new job apache-something works is allowed.

     What is the issue?

     Logged in as user1, I clicked on New Job, select Build a maven2/3 project , enter job name "my-new-job" then click next where the following error is shown

     Access Denied:user1 is missing the ExtendedRead permission

     This I expected since user1 is restricted based on the role I created.

     The issue (again, not sure if this is an issue/bug) is the job user1 intended to create is created and shows up in the default view (last image). User1 can view the job but cannot delete it. To remove the job, I have to log in as admin and delete it.

    1. This is normal: The permission to create a job, well, allows for creating jobs. It doesn't control the name of these jobs. So if the user has this permission, then he can create whatever job he wants. But he won't be able to view/edit/delete them (depending on the perm) if he's not been allowed to.

      1. Thanks Romain!

        I suspected such was the case as the job is saved after you leave the initial screen and go to the job configuration screen.

        However i feel the Jenkins should factor in the user's permission BEFORE saving the job . After all, if a user only has permission to create, for example, apache.* jobs, creating a job titled otherwise would be point less.

        In any case, I'm nitpicking on this one ;-)

        This plugin is a great addition to Jenkins!

  18. I get issue with project specific role.. Global setting always takes precedence and project specific role is ignored.. I am trying to make separate group /User to own there own jobs without modifying / restricting other Jobs..  

    I tried following steps above.

  19. Hi Guy's,

    is it possible to connect to jenkins via CLI while this plugin is enabled?

  20. Hi Guys,

     This plugin is giving awesome features on securing the Jenkins .Thanks for the plugin

     We are struggling to update the project roles for the users .Is there any future release with filtering the users based on roles or user?

     If we have filter in the assign roles matrix that would be very great and helpful to most of the users

     And also i found some issue with current version of the plugin. It is not working with latest version (1.27) of AD plugin

    1. Hey,

      Yes, this is something I wanted to achieve. I started the work (you can a screenshot in this JIRA issue: JENKINS-8075) but didn't complete it. Daniel (you'll see his name in the JIRA issue) will be your guy for that.

  21. Thanks Romain

    will get in touch with Daniel

  22. Hello,

    Can you correct French translations ?

    In the "Manage and Assign Roles" page > "Global roles" > "Role" > "Run" translate in "Lancer" but it will better with "Historique des builds"

    In the "Manage and Assign Roles" page > "Global roles" > "Role" > "View" translate in "Voir" but it will better with "Vues"

    To translate other phrases, do you want help?

    Thank you

  23. Hello,

    Can you correct French translations ?

    In the "Manage and Assign Roles" page > "Global roles" > "Role" > "Run" translate in "Lancer" but it will better with "Historique des builds"

    In the "Manage and Assign Roles" page > "Global roles" > "Role" > "View" translate in "Voir" but it will better with "Vues"

    To translate other phrases, do you want help?

    Thank you

    1. Hi Damien,

      These translations are not part of the plugin, they are part of Jenkins core: The plugin gathers permissions from Jenkins itself and from other plugins, so it's the responsibility of Jenkins and these plugins to provide the right translations.

  24. Hi,

    I have stumbled upon and issue which I am not sure qualifies as a bug for I might be doing something wrong.

    I have two roles:

    a.builders which have build permissions - these users should be able to build a pattern of a(.*) build name pattern

    a.releasers which have release permissions - these users should be able to build and release a(.*) build name pattern
    users in either group have the ability to release which is kind of missing the point - the question is how does the plugin apply the permissions, the release permission is introduced only if the release plugin is installed and my question is why isn't the permission applied. - let me know if I should file a bug.

    Thanks,HP

  25. Need help here how to do

    I need to create multiple groups like raildev here who can login only with their defined view & access permission( with set of pattern matching jobs-trains.*). + cant view to other jobs in other's view.

    but right now when raildev user logs in he is able to view all other views also & its job. How can i hide this?


  26. I needed to give users the ability to manually trigger a set of jobs, all of which had a common prefix in their names. I thought I had to tediously modify each of them using the "Project-based matrix authorization strategy".

    But then I ran into your plugin, and set everything up in a matter of minutes. Thanks very much, works great! 

  27. E B

    I set the pattern to any of j* ,  j.*  , j. , "j."  for a job that is named jenkinstest but every time I get an error during login with the user who is assigned to that role. Should you use double quotes when creating the pattern or quotes not needed?

    If I assign the user to admin role then the user can login successfully. I am using the Collabnet plugin for authentication.

    HTTP Status 404 -


    type Status report

    message

    description The requested resource is not available.


    Apache Tomcat/7.0.30

    1. E B

      Resolved this "The requested resource is not available"  issue. Created a readonly role and then needed to give read access in global to Anonymous . 

      But this looks like a bad design or bug to me to have to give read access to Anonymous at global level.

  28. Hi,

    I have configured the plugin and it works well. However, I have noticed that the plugin does a case sensitive match when searching for usernames. 

    I personally think that this search should be case insensitive. Is this a bug or is this how the plugin has been designed to work? This is causing us a lot of grief as we have to add each user twice , once with uppercase username and one with lowercase username.

    Please advise..

    Regards

    1. Hello,

      By default, user names are case-sensitive in Jenkins. Several security plugins (like Active Directory) allow users to connect with any case, which causes such SID differences. I'm going to add support for user macros at some point (https://issues.jenkins-ci.org/browse/JENKINS-19320). Such macros can resolve your issue, but they can significantly affect performance of the plugin.

      BR, Oleg Nenashev

  29. Would be nice to give some people access to create their own jobs, and for them to have full access over their own jobs that they created automatically.  Perhaps a way to restrict their job names to always start with a certain prefix, then we could just give permissions to that prefix.

    1. Hello,

      https://wiki.jenkins-ci.org/display/JENKINS/Ownership+Plugin implements such functionality w/o any additional prefixes.

      BR, Oleg Nenashev

  30. Hi

    we are using this plugin to server our needs for segregating the Job access to users based on the  Job name

    we are having some issues using regex .Manage and Assign Roles-> Manage Roles->Project Roles  is not working. the regex is not working. 

    say we are trying to apply the regex for all job names starting with "test" with ignoring case.( like "(?!)test.*" ). this is not able to filter the jobs. i have tried this using the latest version of the update too. Any suggestions :)

    1. Hi Rakesh,

      It is not an issue in the plugin. You should use "(?i)test.*" (i instead of !)

      Useful link: https://blogs.oracle.com/xuemingshen/entry/case_insensitive_matching_in_java

      Best regards, Oleg Nenashev

  31. Thanks a lot Oleg:) i overlooked the symbol..it working now thanks  alot

  32. Thanks a lot, This is really a great plugin. I have a doubt and requirement.

    I am using ldap authentication for the jenkins and using role-based-strategy plugin for authorization.

    My problem is that i can not put the list of user in the global roles because

    1. there is huge list.

    2. Even i don't know the complete list because users are being added and deleted in ldap.

    I would like to have something like "*" which should include all users, so that users added or deleted will not be manual task in jenkins.

    Thanks,

    Vishal

    1. Hello Vishal,

      You can use "authenticated" User/group to assign all authenticated users to a global role. Does it resolve your issue?

      Best regards, Oleg Nenashev

      1. Hi Oleg, Your are superb.

        Yes, this solves my problem.

        I can't tell you how useful this feature is for me.

        once again, great plugin .

        Thanks,

        Vishal

  33. I'm wondering:

    "It should be noted that the Global Roles override anything you specify in the Project Roles. That is, when you give a role the right to Job-Read in the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Project Roles."

    What is the rationale behind this? It is very counterintuitive and IMHO makes no sense at all. Everyone I know would assume exactly the opposite. I guess it is now too late to change that ... but I wonder why it came to that decision.

    1. It's a common approach for multi-role/group authorization systems. Most of them provide cumulative permissions like role-strategy does. If you assign a user to any role, he will get its permissions.

      Global roles just affect all jobs. You can just consider them as project roles with ".*" pattern.

  34. Hi,

    Could you please add a bit more detailed description of the slave roles to this wiki? Unfortunately the help is not available for the pattern variable of the slave role section at the Manage Roles page. And how will these Slave Roles work against Global Roles. If I want to restrict a group of user to be able to build only a group of slaves in Jenkins I have to leave the Build right empty on global level for these users?

    Thanks!

    1. I'll add such info to the Wiki. Just a short answer to your question...

      • The approach is similar to project roles
      • Pattern is a regexp expression, which will be used to check the slave's name
      • Permissions in global and slave roles are cumulative, so you cannot restrict global "Build" permissions.
      • I recommend to create separate roles for general-availability slaves and for private ones
      1. Thanks for the quick answer Oleg!

        1. Hi,

          Just one more issue, I also use Project roles for users in Jenkins. Slave roles will be cumulative with these also? The problem is with the build permissions, which are already restricted by the project roles. And I also want to have a filter not just on the project but on the nodes also for users in our Jenkins.

          Thanks!

          1. Sorry and one more thing in addition. If I remove the build permission of a user for a node abortion of jobs running on that will be also disallowed for that user? I hope that it works like that. :)

            1. Seems I've missed the Wiki update notification...

              • All roles are cumulative between global and specific (Project/Slave) roles
              • Job.Build and Slave.Build are different permissions, so they are not cumulative
              • The second one just prohibits the execution on a node for the build's authenticated user if you have an enabled QueueItemAuthenticator extension (e.g. "Authorize Project Plugin").
              • AFAIK, the Slave.Build permission does not do anything on default configurations
              1. Hi,

                Thanks, is it possible to add cancel right for a user on a job(s), but just on a group of slaves, not on both?

                1. AFAIK, it is not possible now. Such permission type should be provided by Jenkins core. "Computer.Build" is a new permission, other slave-specific permissions have not been implemented yet.

                  Please create a feature request on JIRA (component=core) if you need such functionality.

                  1. OK, thanks for your help!

  35. Hello,
    Can you expand on this note for the 2.2.0 release?

    Support of Create Job permissions since jenkins-1.566 (issue #19934)
       - The permission requires the specific item name validation strategy, which should be selected in Jenkins global configuration

    I'm trying to understand what is meant by "The permission requires the specific item name validation strategy".

    Thanks,
    Ben

      1. Go to JENKINS_URL/configure
      2. Click on the "Restrict project naming" checkbox
      3. Select the "Role Strategy" validation strategy
  36. Is there a role provided to allow users to edit their own profile? I'd like to allow users to access /user/[username]/configure without granting all users administrative rights.

    1. This functionality is available out-of-the-box

      BTW, it may be prohibited by your Security realm

      1. How would I configure this? I can edit my own and other users as an admin. Other users cannot edit their own account unless I add the overall administer role.

        1. What Jenkins version do you use? There are no such problems on 1.509.4

          1. Turns out this was a case-sensitivity issue. My LDAP users can log in successfully using lowercase, but only if they log in using uppercase do they have the option to configure their account.

  37. I've been trying to get the ?i case insensitivity switch to work on Assign Roles/Global Roles so it works the same way as Active Directory but I can't seem to make it work.  Is it possible?

    1. What switches do you mean?

      1. When I add users to Global Roles on the Assign Roles page at the moment I have to add two, 'user.name' and 'User.Name' - if I only add 'user.name' then when they log in to Jenkins with 'User.Name' they don't get the right features as per their assigned role.

        However having looked at the link you gave it seems you are already working on this one.  I shall wait for the update...  :)

        1. I'm not sure if the PR will be merged.

          New versions of Jenkins core provide similar functionality since 1.566. See https://issues.jenkins-ci.org/browse/JENKINS-22247

  38. Is it possible to require a user to be part of two groups to access certain builds? Like say I have ldapGroupA and ldapGroupB, and I want to require that the logged in user has access to both groups to have role N.

    1. Currently, the plugin does not support specific permissions on the builds level. This case is very rare.

      Feel free to contribute to the plugin or to submit a feature request on Jenkins JIRA

  39. Hello again! So I think maybe I misspoke when I said "certain builds". I mean to continue using the plugin as it is used now, by assigning groups to roles in order for them to have access to a project. It's just that I would need to be able to specify that the current user be part of two groups to be granted that role. If that is not possible I'm more than happy to try and contribute to the plugin, I'm just a little uncertain on where to start.

  40. Great plugin!  Is it (yet) possible to update projects / assign roles via means outside of check boxes?  I would like to do so from a groovy script.  For example, I'd like to pull redmine groups / permissions and apply them to Jenkins.  Thanks!

    1. Yes, it is possible.

      Groovy system scripts have full access to all public and private (not recommended) methods of plugin classes. For example, we use Groovy scripts to temporarily grant ADMINISTER permissions (sudo mode).

      1. Awesome! Thank you.  If it's not too much to ask, can you show an example?  As much as I've tried, I can't figure out how to access plugin methods from a groovy script.  Thanks!

        1. I've posted an example to Gist. Please note it's an internal hack implementation from a Jenkins job, hence it takes some info from the environment.

          https://gist.github.com/oleg-nenashev/7ff848fabc291cdc1236

          1. Ah, you just made my week!  Thank you so much.

  41. Hello. I'm trying to use this plugin to restrict access to a jenkins slave. The setup that I am working with has only a single slave. My slave role has a pattern of ^.*$ and all of the permissions are enabled. I then assign this role to an LDAP group and members outside that group are still able to run jobs on the slave with the slave being specified in the job using the "Restrict where this project can be run" setting. I have tried various things like creating a role with no permissions and the slave node as the pattern and assigning that role to the group that should not be allowed to run things on the slave, but nothing seems to have any effect on the job being able to run on the slave. The test user I have in the LDAP group is always able to run the job on the slave. 


    Any suggestions?

    1. Computer.BUILD permission elaborates the internal authentication of jobs, which should be performed by Jenkins extensions. This permission won't take effect on a default Jenkins installation.

      See https://wiki.jenkins-ci.org/display/JENKINS/Authorize+Project+plugin . It provides a relevant user definition for the project.

      You can also use https://wiki.jenkins-ci.org/display/JENKINS/Job+Restrictions+Plugin in order to get the required functionality outside the Permission Matrix

      1. Hi. I don't quite understand your answer (sorry :-) and I have the same type of challenge as Joshua but more generic.

        Is it possible to use the node label and parametrized build plugins to allow the user to select a node to run a job on, but then check whether that user is allowed to run jobs on a specific slave?

        I've tried back and forth with the job restrictions plugin only to realize that I misunderstood "Jobs owner must belong to the list". 

        So basically person A but not B should be allowed to run job x on slave Y, while person A and B should be able to run job x on slave Z. Slaves are listed as parameters (node labels) when starting the build. Or are you saying that the only way to achieve that is to add the authorize project plugin to properly be able to pick up the user when evaluating slave roles?

        1. @Christopher

          Job Restrictions Plugin may be updated for the case. I suppose that "Started by a user" may help (https://issues.jenkins-ci.org/browse/JENKINS-25726).

  42. Hi Oleg,

    We have a custom UI on top of Jenkins and I would like to get a role of a user.

    Please advise how can I get the user role using the REST API?

    If it is not implemented do you have some plan to do this?

    Regards,

    Dmitry

    1. Hi Dmitry,

      REST API is not available for the plugin. There are no such feature requests in JIRA, so it would be useful if you create one. In any case, I don't have enough resources to implement this feature in the short term. If you want to implement this feature on your own, I'm ready to review pull requests, etc. So feel free to contribute ;)

      To emulate REST API you can do the following:

      1. Implement required methods using Scriptler Plugin
      2. Use Scriptler Plugin's built-in support of REST API

      BR, Oleg Nenashev

  43. Hi guys,

    I'm trying to configure restricted permissions using this plugin for users and groups in my AD, based on our internal policy on Jenkins.

    The scenario that I'm working on is:

    -jenkins 1.579
    -role strategy plugin 2.2.0
    -AD win 2k8

    The "configuration to be expect" should be:

    (Role) "Role 1" -> assigned to ->(Group) Group A ->that contains ->(Group) Group B ->that contains -> users.

    The workaround that we have implemented is:

    (Role) "Role 1" ->assigned to ->(Group) Group B ->that contains -> users.

    The issue seems due to nested groups on AD that don't work correctly with the plugin.

    Any suggestion would be appreciated.

    Thanks in advance for your help.

    Best Regards.

    Michele

    1. Hi Michele,

      Please create an issue in JIRA for your case.

  44. I would like to create a setup in which:

    • The ability to run builds on slaves is restricted by LDAP group membership. Essentially, users in a certain group can run builds on their own slave, but not on a slave "belonging" to another group.
    • A project's configuration is completely agnostic to slave restrictions. So, there would be no "job ownership" or "project roles" involved, and no need to name projects any particular way.

    Is such a capability available now, or in the pipeline?

    (Currently running: Core 1.565.1, v2.2.0 of Role Strategy plugin, v0.3 of Job Restrictions plugin, v0.5.1 of Ownership plugin)

    1. I have the same problem. Users authenticate via LDAP and they should only use slaves that are allowed for their group.

      Using the following plugins with core 1.580.2 (LTS)

      • authorize project v 1.0.3
      • role strategy v 2.2.0
      • LDAP v 1.11
      • Ownership plugin v 0.5.1
      • job restriction v 0.3

      the slave-role permission "slave/build" should do the check whether a user is allowed to run a job on a specified slave - but it is not working!

      If you define a slave-role with the "slave/configure" permission given and assign this role to an LDAP group, all users in this group are allowed to configure every node/slave that matches the pattern of the role.

      But if I activate the "slave/build" permission for this slave-role, the user cannot run a job on any slave that matches the pattern ?!?!? The job would idle forever waiting for the slave.

      I suppose that this is a bug in the plugin, since the role-based access to configure a slave works perfectly, but not the permission to build on a slave - maybe the plugin developer could comment on this?

      BTW: I need a global role "authenticated" with overall/read permission in order to view the dashboard for an authenticated user. One might activate the slave/build permission for the global role, but then every authenticated user can use every slave ...

        1. Hi Oleg,

          I have now updated to

          • job restriction v 0.4
          • ownership plugin v 0.6

          and restricted job execution on dedicated slaves to some LDAP groups only. This is working as intended only if I am giving "slave/build" permission to the authenticated user in the global role! Interestingly this is e.g. not needed for the "slave/connect" permission ...

          Another remark: if a user tries to start a job on a slave for which his LDAP group does not have the permission, the job idles forever in the build queue. It would be nice to reject such a job already when it is submitted, such that the user gets to know about his "error". Do you know of any easy way to achieve this?

          1. > This is working as intended only if I am giving "slave/build" permission to the authenticated user in the global role!

            The permission has been introduced in relatively new Jenkins versions, so there could be an issue within the plugin. Please create a JIRA issue and attach the info about your job. I'll check it and create appropriate tests.

            > if a user tries to start a job on a slave for which his LDAP group does not have the permission, the job idles forever in the build queue. It would be nice to reject such a job already when it is submitted, such that the user gets to know about his "error". Do you know of any easy way to achieve this?

            AFAIK Christopher Suarez is working on such feature for job-restrictions. I'll review changes and release the new version when he creates a pull request.

            1. I just created the issue #26485 - thank you for having a look at this

  45. Hi Oleg,

    We had LDAP integration and the "authenticated" user bit was working fine to assign a role for the logged-in user.
    However after SAML integration for SSO, the "authenticated" user role stopped working without throwing any error.
    Role based strategy plugin is working fine for individual users but it is not working for authenticated users.

    Any idea where could be the problem?

    I already raised a ticket https://issues.jenkins-ci.org/browse/JENKINS-27829

  46. Why overall read necessity is a stupid idea

    Because I don't want anyone to see all the jobs! I want testers to see jobs that are related to them. I want administrators to have their playground that is not visible to others. Maybe I want testers to give authorization to build all the jobs, so that the authorization plugin doesn't have problems running them as testers, but I don't want them to be able to run them directly. Well, tell me just what it is good for and I'll shut my mouth.

    If it is necessary somehow because of the code, wouldn't it be possible to decline some read authorization at least? Just get me rid of that stuff. Please.

    1. Seems you misinterpret meanings of Overall.READ, Item.READ and Item.DISCOVER.

      Overall read is not necessary in Jenkins core and plugins. Role Strategy allows to configure the behavior without a global read, so I don't get your complaint at all.

      1. Well OK, I just wanted to show you how it was always showing all the jobs to tester accounts. But it suddenly started to work the way I was expecting it the whole time. I feel like complete idiot, sorry. Is there any delay between when I change the policy and when it actually starts working? I just don't know what was happening.

        1. > Is there any delay between when I change the policy and when it actually starts working?

          No, there is no delay. Make sure that item discovery is set up correctly. If yes, create an issue on Jenkins JIRA, specify the aux data according to https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue and also provide a configuration of Roles and assignments

          1. Well ... somehow it works now. If it behaves strangly again, i'll report it.

  47. I'm trying to use this plugin but it got me all confused, and I'm not sure if it's working.

    I've created a few roles like DevManager with privileges like only Read for builds and DevLead with create/delete jobs,

    and I created users for both roles and assigned users to both roles. But when I login as a user of both roles I see the same screens and privileges. Even the DevManager is able to create/delete jobs and users, which I haven't given them.

    I've only created Global roles, no project level roles. But nothing seems to be working unless I missed something.

    Is there anything I missed other than creating the users and roles and assigning users to the roles?

    Thanks,

    Sunder

    1. Sorry, missed the comment due to the vacation. This Wiki page is not a support portal BTW. Use Jenkins JIRA, IRC or jenkinsci-users list to ask questions.

      The description seems to be correct, but it should work (it's a very basic case). If the issue still exists, it would be helpful if you create a JIRA issue and attach your security configs there.

  48. Could you please update the documentation in terms of project based credentials? I would like to set up project based credentials, but it is not clear how is it working. If I add a global read credential permission to my user, it can see all the credentials, if I remove the global read permission, it cannot see anything. I am unable to see how the project based credentials affect the global visibility of the credentials.

    Could you please advise?

    Thank you!

    Chris

    1. Hi Chris,

      "Credentials" term may be quite confusing, because it's another security mechanism in Jenkins. I'm not sure what you mean under "project based credentials", because there is no such feature in Jenkins IIRC. Could you clarify the question or probably attach several screenshots? 

  49. We have numbers as our usernames. I am wondering if this plug-in could be enhanced to allow a text column to the far right or left for each User/group (in Assign Roles). We could then add a user and use the description for their real names.

    1. It could be enhanced in such way. Feel free to submit a pull request or to create a JIRA issue.

  50. Hi,

    what if I lock myself out on a project/job level? I enabled the auth for a job, added some user, after some time I removed everyone and - accidentally - pressed the save button. After that I can not see the config and no one else can.

    I have updated the job's config.xml, but it did not help. I removed the whole security section from there, still not ok. 

    I can not copy the job. 

    Any ideas?

    br,

    Gabor

    1. Hi. Role Strategy plugin has no configuration options on the job/project level.

      I suppose you use another plugin like Matrix-based security or RBAC (the second one is a proprietary one from CloudBees)

      1. You're right, thanks. I hope they reply (Matrix guys). I don't see too much activity on their page...

        1. Wiki is not a QA channel, so all activity there is pretty random. Response is not guaranteed. The right way to ask questions is to use Jenkins IRC or jenkinsci-users mailing list.

          Regarding your issue, most probably you need to setup an admin account having global Jenkins.ADMINISTER permissions. Then this user will be able to open any job and fix permissions there.

          1. I already have an admin account; it can't see that job config either. Strange, isn't it. I tried to remove the security stuff from config.xml, reloaded the config from disk, still the same.

  51. Environment:

    OS: Windows Server 2012 64-bit

    Jenkins: 2.7

    Role-based Authorization Strategy: 2.2.0

    Folders plugin: 5.11

    We have a top-level folder called Technical_Support and one job in this folder: Test1. I've created the following project roles and patterns:

    Developer_A: ^Technical_Support/.*

    Developer_A2: ^Technical_Support.*

    Developer_A3: ^Technical_Support\/.*

    and I've created the following global roles and permissions:

    Overall_Read: Overall/Read and Job/Discover

    In roles assignments, I have the following roles/assignments:

    Global: authenticated: Overall_Read

    Project: brbennett: Developer_A, Developer_A3

    Issue: This configuration does not give user brbennett any permissions to jobs in folder Technical_Support. We have to use role Developer_A2 in order to get permissions so it would appear that I'm not coding the pattern for the folder correctly. However, that pattern does not include the '/' delimiter so it could match Technical_Support/testjob1 and Technical_Support2/testjob2 and job Technical_Support_job in the root. Is there a coding method I can use to specifically have it apply to only folder Technical_Support?

      1. If I change role Developer_A to pattern ^Technical_Support$.*, then user brbennett has rights to Technical_Support2/... jobs, so that isn't the fix.

        1. I apologize as I didn't take your suggestion literally and I added '.*' at the end of it. Now I've modified role Developer_A to ^Technical_Support$ and am now having success. My unit test is that I've created folders Technical_Support and Technical_Support2 and user brbennett (still in role Developer_A) is not even seeing Technical_Support2. I'll do some further testing, but wanted to thank you in the interim.

          1. But pattern ^Technical_Support$  in role Developer_A is not allowing user brbennett the ability to create new items under folder Technical_Support. Is there an accompanying pattern I would have to enter to allow that?

            1. OK, I now have a working model:

              Global role Overall_Read gives Overall/Read right.

              Two folders in root level: Technical_Support and Technical_Support2.

              Role Developer_A has pattern ^Technical_Support$ and all project rights.

              Role Developer_A4 has pattern ^Technical_Support/.* and all project rights.

              User brbennett is in roles Developer_A and Developer_A4 and can only see folder Technical_Support (not Technical_Support2) and is able to add, modify and delete jobs in Technical_Support.

              1. Just completed my testing and I am ecstatic! This allows me to setup my Jenkins environment and share it with multiple groups. Thanks again for your help and support.

  52. Is it necessary to enable "Role-based Strategy" in order to see the Manage Jenkins >> Manage Roles section? I was hoping to configure the roles while using the existing strategy so as not to affect production, and then flip it over when ready.

    Thanks

    1. Yes, it's required in the current implementation. Feel free to create an enhancement issue in JIRA.

      On the other hand, my recommendation would be to create and test the strategy on a test server. Then you will be able to safely propagate the new strategy to the master

  53. Hi All,

    I am using Role-based Authorization Strategy in my organization for managing and assigning roles to users. In my Manage and Assign Roles -> Assign roles tab, I have 160 users for Global Roles and 160 users for Project Roles. When I tried to add the 161st user to the Project Roles, it threw a "FormContentSize" error. But I was able to add when I removed an existing inactive user. So my question here is: does this plugin have a limitation of 160/320 users? If yes, how can we bump the number of users.
    Any help would be highly appreciated. 

    1. Hi,

      There is no limitation in the plugin, but Jenkins web container has a limited form size by default. This size limit can be configured via the System Property (see http://stackoverflow.com/questions/3861455/form-too-large-exception).

      Regarding the number of users, maybe such straightforward user adding is not a perfect approach in any case. Role strategy extensions like https://wiki.jenkins-ci.org/display/JENKINS/Ownership-Based+security may simplify the configuration and administration sometimes.

  54. Hi,

    Similarly to "Project roles" and "Slave roles", is it possible to also add "View roles" to better control permission for view reading/editing? Thanks a lot!

  55. T H

    Is it possible to use roles to provide them as "submitter" argument for the pipeline "input" step?

    1. AFAIK no, but you can address some Pipeline use-cases by using Ownership integration, which provides Ownership global variables. If you need something specific, please create a JIRA ticket with details

      https://speakerdeck.com/onenashev/jw2016-ownership-plugin-demo

  56. I have a question to the Project Roles. The text states that: "...First, assign that user/ group to read/ discover permissions with pattern " ^foo.* ", then assign that same user/ group to the more particular permissions with pattern " ^foo/bar.* "...". I tried to do this. But as soon as I try to add my Role "SystemEngineering" a second time, with a different pattern, i get the error "Entry for 'SystemEngineering' already exists". What am I doing wrong?

    1. Role names must be unique. But you can edit their patterns in the configuration after the creation. I am pretty sure it's what the text says


      1. Ah, I see. "assign that same user/ group to the more particular permissions" means, add a second role, with a different pattern and add this role to the user/group. Not add the same role with a different pattern. My bad. Clearly 'user/group' does not mean 'role'. Thanks for the explanation!

  57. So I seem to be having an issue.   I use LDAP for authentication and want to restrict the users abilities to build on given nodes.  I installed this plugin along with Authorize Project plugin.   I have configured the project to run as the user that triggered the build.   In the roles I have setup two different levels of permissions, one set should be allowed to run all their jobs on one slave and not the other and vice versa.  So I have left all AGENT permissions in the Global Permission unchecked.  I then configure those permissions as all enabled for the node that matches the name based on the regular expression pattern defined.  I assign the specific user one of the global roles and then the appropriate node specific role.  I even made a very generic .* rule so that any node name would match.   Seems that the rules are not even checked and I get a 'pending—Waiting for next available executor'  in jenkins.  Has anyone else seen this issue?   

    1. If the authenticated user has no Computer.BUILD permission, the job will not be accepted. With your setup the user will be anonymous if the job is started by the Periodic Trigger. Maybe it is the root cause

      It is hard to say whether your plugin is configured properly; you can find a configuration sample here: https://github.com/oleg-nenashev/demo-jenkins-config-as-code

      1. This may be my problem.  I misunderstood the Computer.BUILD Permission.   I had just installed the plugin through the Jenkins interface, along with the Authorize Project plugin.  From a read I did above I thought that was all that needed to be done outside of setting the patterns properly in the node permissions.  I will look at the sample and if I have any questions I will let you know.

  58. Hi, can anyone tell me how to do a subtraction/exception with the project role patterns? For instance, I want to specify anything starting with a capital letter, except for a folder called "Admin". So I want to say [A-Z].*(except)Admin

    Now, the (except) is the bit I don't know how to write. I've tried ^ and !. Also, what regex specification does this use? Doesn't seem to be Java because in Java ^ is the exception operator.

    1. > Also, what regex specification does this use? Doesn't seem to be Java because in Java ^ is the exception operator.

      Only within character classes. You're looking for negative lookahead/lookbehind, just google for that.

      1. Thanks Daniel, I'm now using (?!Admin)[A-Z].* and it did the trick (smile)
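The pattern questions in this thread, in comment 51 (folder vs. sub-job patterns) and in comment 56 (one role per pattern) all come down to how a role pattern is compared with an item's full name. The results reported in comment 51 show that the whole name has to match, which is the behaviour of Java's Matcher.matches(); re.fullmatch is the Python equivalent. The script below is an added example, not code from this page or from the plugin: it runs the patterns quoted in those comments against a constructed list of item names, and adds two hypothetical patterns of my own ("ts-all", which covers a folder and everything under it in a single role, and "caps-no-admin-folder", which fixes the caveat that `(?!Admin)[A-Z].*` also excludes any folder merely starting with "Admin").

```python
import re

# Constructed item full names (folder/job paths) used for the demonstration.
ITEMS = [
    "Technical_Support",
    "Technical_Support/Test1",
    "Technical_Support2",
    "Technical_Support2/Test2",
    "Technical_Support_job",
    "Admin",
    "Admin/cleanup",
    "Administration/reports",
    "Build/nightly",
]

# Role name -> pattern. Developer_A* and caps-no-admin come from the comments
# above; ts-all and caps-no-admin-folder are hypothetical additions.
ROLE_PATTERNS = {
    "Developer_A2": r"^Technical_Support.*",
    "Developer_A": r"^Technical_Support$",
    "Developer_A4": r"^Technical_Support/.*",
    "ts-all": r"^Technical_Support(/.*)?$",
    "caps-no-admin": r"(?!Admin)[A-Z].*",
    "caps-no-admin-folder": r"(?!Admin(/|$))[A-Z].*",
}


def compile_role_patterns(patterns):
    """Compile once: a malformed pattern should fail loudly here, not at ACL time."""
    return {name: re.compile(p) for name, p in patterns.items()}


def matching_roles(compiled, item_name):
    """Role names whose pattern matches the *whole* item name.

    Assumption mirrored here: the plugin compares with whole-name semantics
    (Java Matcher.matches()), so an unanchored pattern still has to cover the
    entire name and ".*" is needed to reach into subfolders.
    """
    return sorted(n for n, rx in compiled.items() if rx.fullmatch(item_name))


def items_for_role(compiled, role_name, items=ITEMS):
    """Inverse view: which of the sample items a single role reaches."""
    rx = compiled[role_name]
    return [i for i in items if rx.fullmatch(i)]


if __name__ == "__main__":
    compiled = compile_role_patterns(ROLE_PATTERNS)
    for item in ITEMS:
        roles = ", ".join(matching_roles(compiled, item)) or "(no project role)"
        print(f"{item:24} -> {roles}")
```

Running it shows that `^Technical_Support.*` reaches Technical_Support2 and Technical_Support_job as well, that `^Technical_Support$` reaches only the folder itself while `^Technical_Support/.*` reaches only its children (which is why comment 51 needed two roles), and that `(?!Admin)[A-Z].*` silently drops "Administration/reports" while the `(?!Admin(/|$))` form keeps it. Review the inverse view (`items_for_role`) for every role before enabling the strategy on a production master.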

  59. Hi, I'm trying to allow a user to create credentials in the Jenkins root, but not inside any other folders.

    I'm trying to do this by specifying a pattern regex for anything not containing a forward slash (/):

    [^/]*

    but for some reason it's allowing the user to do exactly the opposite, to create credentials within folders and not in the root.

    I also tried specifying that the user may create credentials so long as their names are completely alphanumeric:

    ^[a-zA-Z0-9]*$


    Which implies that there are no forward slashes in the path. But I still get the opposite behavior.

    Can anyone please help?

    1. Small update. What I'm getting is not "the opposite behavior" and it's not happening just for credentials.

      What's happening is that whatever pattern I use to try grant the create job or create credentials privileges to a user, it doesn't apply to the Jenkins root. Even if I use .* to assign create credentials or create job permissions, the user can then create jobs and credentials in any folder, but not in the root.

      I'm starting to think this is an edge case that's not covered by this plugin.

  60. This is an amazing plugin and I have been using it for some time.

    One feature I can think of for this plugin is "Redirecting Jenkins Home Folder based on Project" . 

    We can have one more option while configuring the permissions and set Home folder for each project.

    So if a user having access to a particular project access Jenkins, then he should be redirected to the project folder directly.

    Eg - Instead of http://localhost:8080/jenkins/, it will be nice to redirect to http://localhost:8080/jenkins/job/[FolderName].


    Thanks,

    Vishnu

    1. Such redirects are not part of this plugin. You could write a new plugin for it. Probably it could be done using the existing DefaultView user property and a system script, which just assigns them to users

  61. Hello,

    I am new to curl and JENKINS as well. I am trying to list the roles as shown in the example provided: 

    • List roles: curl -X GET localhost:8080/role-strategy/strategy/allRoles

    However, this page is not found. Could someone kindly tell me the URL I should be using. I am also unable to create and assign roles using the provided examples..

    curl -X GET https://jenkins.xxx.xxx/role-strategy/allRoles --user xxx:xxxx

    <html>

    --

    <body><h2> HTTP ERROR 404</h2>

    <p> Problem accessing /role-strategy/allRoles. Reason:

    <pre> Not found </pre></p>...

    --

    </html>


  62. Hey,

    Recently it's been happening a lot that some users get a 'USER is missing the Overall/Read permission' error. They do have this permission, and all I have to do is restart in order to fix the problem.

    Any idea what could be causing this or how I could fix it?

    Kind Regards,

    Jeroen.

  63. Hi

    Is it possible to create a role manager which will be allowed to manage role for a folder/project? I'm just explaining what's going on.

    I keep jobs grouped in folders. One folder per project. Folder contains some jobs. In global roles authenticated group can only build or cancel job. It cannot create a new item or configure existing ones.

    In Project roles I've created a new role Test jobs which matches to ^Test jobs(/.*)? and can create, configure or delete a job. And I've assigned authenticated to Test jobs in Item Roles and it works. But I would like to create local admin or manager role which will be able to assign any user to Test jobs role.

    Kind Regards, Piotr

    1. I had a similar requirement and managed to cover it by combining this Role Strategy with the Ownership Plugin. I recommend you look into that.

      1. Thx, I'll check it and I let you know.

          1. Do not hesitate to update the page if there are mistake. It's Wiki for a reason. Thanks!

  64. Hello,

    Can you please advise me on how to input the project role pattern for the project role type via CURL ?

    Thanks in advance.


    Thanks,

    Ashok Kumar Srinivas

  65. would like a way to add a sid without assigning to a role (for automation reasons)

  66. JENKINS-37856: Facing this issue, can someone help me understand if this is an LDAP Plugin issue or a Role Strategy Plugin issue?

  67. I've asked this question before but had no luck so I'm rephrasing and posting it again. I'm trying to write a regex to refer to the Jenkins root. To allow a user to create credentials globally, but not inside any folders. I've tried these:

    • Anything not containing a slash: [^/]*
    • Empty: ^$

    I've had no luck with either. Is it possible to do this?

  68. Here is a feature request:  On the "Assign Roles" page would it be possible to show the Full Name field for each user (assuming they have entered it on the Profile configure page)?  The reason I ask is that ours is a part of a large organization which assigns userid's that are not indicative of the person's real name, making administrative management of the Assign Roles page more difficult than it needs to be as more users are added to the system.

    1. Please file your request in JIRA. Pull requests are welcome

  69. First thank you for your good job!

    Your plugin is powerful, and easy to use, but still I have some difficulties, about your plugin, and about Jenkins, hope you can help me.

    1. Jenkins can manage users, but I cannot create a group to put some users in so I can easily assign permissions as a whole. Suppose I use Jenkins in a large organization with 200 engineers; I have 20 projects, every project has 10 people with the same permissions. In fact I would like to manage 20 groups, not 200 users. But now, using your plugin, I have to deal with 200 users, a huge authorization matrix; it's a terrible thing. Maybe I use Jenkins and your product improperly?
    2. Does your plugin maybe provide functions like backup and import? Once a colleague uninstalled your plugin without my agreement, and this made me lose my configuration data.

    Hope you well, thank you!

      1. Consider using something like https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md
      2. There are plugins for backup management on the Jenkins level (e.g. PeriodicBackup Plugin or JobConfigHistory Plugin). There are no plans to implement something plugin-specific, though I am ready to consider pull requests.
    1. Hi Fang Wei,

      About item 1, you first have to understand that the Jenkins extension point to define authentication is a SecurityRealm and the extension point to define authorization is an AuthorizationStrategy. This plugin implements the latter (extremely well, I might add) but not the former. What you're asking for in terms of being able to define user groups must be provided by a plugin that implements a SecurityRealm, so that based on your own custom rules you can assign GrantedAuthorities to a user, which are roughly equivalent to user groups. The Jenkins SAML plugin is a good example of this. Of course, this also means you'd be delegating authentication to an external Identity Provider.

      About item 2, look for the config.xml file in your Jenkins home folder. There you'll find an element called authorizationStrategy which nests a bunch of roleMap elements, each one being a role and the users/groups that have it assigned. Back up this file and restore it whenever needed. That will fix your problem. If you've been periodically backing up your Jenkins home folder, as you should, then this is your solution.
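The reply above points at the roleMap elements in config.xml, and comment 67 asks how a role pattern is matched against an item. The following added example (not part of the page, the plugin or anyone's comment) ties the two together: it parses a constructed config.xml fragment into role records, reports which project roles cover a given item full name, and computes the permissions a SID ends up with on that item. The XML layout (role name/pattern attributes, permissions/permission and assignedSIDs/sid children), the user names and the role names are assumptions made for the sample; the whole-string matching of the pattern against the item's full name (re.fullmatch, the analogue of Java's Matcher.matches()) is also an assumption about the plugin's behaviour, so check results against a real instance.

```python
"""Audit helper for a Role Strategy config.xml (added example, not plugin code)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample. The element layout (authorizationStrategy > roleMap > role,
# with permissions/permission and assignedSIDs/sid children) follows the structure
# described in the comment; the exact attribute names are an assumption, so compare
# against your own $JENKINS_HOME/config.xml before relying on the parser.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
    <roleMap type="globalRoles">
      <role name="admin" pattern=".*">
        <permissions><permission>hudson.model.Hudson.Administer</permission></permissions>
        <assignedSIDs><sid>alice</sid></assignedSIDs>
      </role>
      <role name="employee" pattern=".*">
        <permissions><permission>hudson.model.Hudson.Read</permission></permissions>
        <assignedSIDs><sid>devuser</sid><sid>testuser</sid></assignedSIDs>
      </role>
    </roleMap>
    <roleMap type="projectRoles">
      <role name="Developer" pattern="Dev.*">
        <permissions>
          <permission>hudson.model.Item.Read</permission>
          <permission>hudson.model.Item.Build</permission>
        </permissions>
        <assignedSIDs><sid>devuser</sid></assignedSIDs>
      </role>
      <role name="top-level-only" pattern="[^/]*">
        <permissions><permission>hudson.model.Item.Read</permission></permissions>
        <assignedSIDs><sid>testuser</sid></assignedSIDs>
      </role>
      <role name="foo-reader" pattern="^foo.*">
        <permissions><permission>hudson.model.Item.Read</permission></permissions>
        <assignedSIDs><sid>bob</sid></assignedSIDs>
      </role>
      <role name="foo-bar-dev" pattern="^foo/bar.*">
        <permissions><permission>hudson.model.Item.Build</permission></permissions>
        <assignedSIDs><sid>bob</sid></assignedSIDs>
      </role>
    </roleMap>
  </authorizationStrategy>
</hudson>
"""


@dataclass(frozen=True)
class Role:
    kind: str            # roleMap type: globalRoles or projectRoles
    name: str
    pattern: str
    permissions: frozenset
    sids: frozenset


def load_roles(xml_text):
    """Parse every <role> under every <roleMap> into Role records."""
    root = ET.fromstring(xml_text)
    roles = []
    for role_map in root.iter("roleMap"):
        kind = role_map.get("type", "")
        for role in role_map.findall("role"):
            roles.append(Role(
                kind=kind,
                name=role.get("name", ""),
                pattern=role.get("pattern", ".*"),
                permissions=frozenset(p.text.strip() for p in role.iter("permission") if p.text),
                sids=frozenset(s.text.strip() for s in role.iter("sid") if s.text),
            ))
    return roles


def role_matches(role, item_name):
    """Pattern is matched against the item's full name, folder path included.
    Assumed: the whole name must match (like Java's Matcher.matches()), so a
    pattern such as [^/]* covers top-level items only and never a nested one."""
    return re.fullmatch(role.pattern, item_name) is not None


def roles_for_item(roles, item_name):
    """Names of the project roles whose pattern covers the given item."""
    return sorted(r.name for r in roles
                  if r.kind == "projectRoles" and role_matches(r, item_name))


def effective_permissions(roles, sid, item_name):
    """Permissions a SID holds on an item: global roles always contribute,
    project roles only when their pattern matches the item name. A SID with no
    global role gets no Overall/Read, which is the 'missing Overall/Read' case."""
    perms = set()
    for r in roles:
        if sid in r.sids and (r.kind == "globalRoles" or role_matches(r, item_name)):
            perms |= r.permissions
    return perms


def sids_with_permission(roles, permission):
    """Reverse lookup for reviews: every SID that holds a permission in any role."""
    return sorted({sid for r in roles if permission in r.permissions for sid in r.sids})


if __name__ == "__main__":
    roles = load_roles(SAMPLE_CONFIG)
    for item in ("Dev-api", "foo/bar-build", "foo/other"):
        print(item, "->", roles_for_item(roles, item), sorted(effective_permissions(roles, "bob", item)))
    print("Administer held by:", sids_with_permission(roles, "hudson.model.Hudson.Administer"))
```

Point `load_roles` at the contents of a real config.xml to review who holds Administer before and after a restore, and to see how the two-level `^foo.*` / `^foo/bar.*` pattern structure stacks permissions on a nested item while a top-level-only pattern such as `[^/]*` never reaches it.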


  70. I have a parameter called Environment with values "dev, test and prod". Is there a way that I can restrict some users so that the prod option is not displayed at all? Otherwise, do we have an option not to build when demo is selected for some users?

    Can someone help me with an example?

  71. The Assign Role API cannot assign multiple users when the type is projectRole.
    It may be a bug. When I call the Assign Role API many times for the same project role, only the last user is assigned. The global role does not behave like this.

  72. Hi guys, today I tried to use this plugin, but I have some problems.

    I try to assign two different project roles like:

    Developer    Dev*     with any Job, Run, SCM grants

    Tester       Test*    with any Job, Run, SCM grants

    and at global level both users are members of the "Employee" role and have the Overall/Read grant and all View grants,

    but when I try to log in I receive a message like:

    Access Denied

    devuser is missing the Overall/Read permission

    I installed everything with the self-installer for Windows on Win2k12, and tried using Firefox and Explorer.

    Has someone found the same problem?

  73. Hi,

    I am trying to use this plugin to control the ability to execute a job, and I observe different behavior for GUI access and the GitLab webhook trigger.

    I have a user with two project roles: the first grants Job/Read for all jobs and the second grants Job/Build just for some subset of jobs.

    In the global role, the Job/Build permission is NOT granted.

    When I log into Jenkins and browse the web GUI the behavior is correct. I see all builds and can trigger just some.

    And now GitLab: I use the GitLab plugin and have enabled /project end-point authentication (no checking would have been performed otherwise). In GitLab I've located some project and set up two webhooks, one for the job that is permitted to be triggered and the second for a job that should be denied to trigger.

    When testing the webhooks, I always observe the same behavior: both are denied. When I enable Job/Build in the global role, then both are permitted.

    Has anyone tried the same?

    Of course, I can't tell whether this is a problem in this plugin or in the GitLab plugin.

  74. How do I freeze the grid header for the entire table in Assign Roles?

  75. Hi, is it possible to define a role that can only configure Jenkins but is not able to build or configure jobs?

    Thanks and regards

    Andreas
