The performance of this plugin is being improved as a part of Google Summer of Code 2019. Help us understand how you use this plugin through our Gitter chat.
Adds a new role-based strategy to manage users' permissions.

Plugin Information

View Role-based Authorization Strategy on the plugin site for more information.

Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:

About this plugin

This plugin adds a new role-based strategy to simplify and speed up user management.

See the plugin documentation on GitHub: https://github.com/jenkinsci/role-strategy-plugin/blob/master/README.md

Version history

Version 2.11 and newer versions

See the changelog here

Version 2.10 (Feb 11, 2019)

  • (info) Jenkins 2.60.3 is now the minimal requirement of the plugin
  • (plus) JENKINS-44472 - "Manage roles" table now supports preview of jobs matching the regular expression 
  • (plus) PR #45 - REST API: getRole now also returns SID assignments
  • (info) JENKINS-55804,  JENKINS-55803 - Improve performance of the plugin on instances with many roles
  • (info) JENKINS-49102 - "Manage roles" page now displays patterns in quotes to properly visualize whitespace patterns
  • (info) JENKINS-45942 - REST API: Throw error when a non-existent permission is added in the addRole call
  • (error) JENKINS-54900 - REST API: Prevent concurrency issues when permissions are checked in parallel with REST API calls

Internal changes:

  • (plus) JENKINS-55916 - RoleWalker iterator now can be aborted by the handler
  • (plus) JENKINS-55933 - First version of the Role Strategy performance testing instance

Version 2.9.0 (Aug 27, 2018)

  • (plus) PR #42 - Add REST API for retrieving particular roles
    • Example: curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getRole?type=globalRoles&roleName=admin'

Version 2.8.2 (Aug 07, 2018)

  • (error) PR #41 - getAllRoles REST API call was not closing output writer properly, and responses were missing in some cases
  • (error) PR #40 - Prevent NullPointerException when getAllRoles REST API is called for non-existent role type

Version 2.8.1 (May 25, 2018)

  • (error) PR #39 - Prevent NullPointerException when adding role to an empty type from REST API

Version 2.8.0 (May 16, 2018)

  • (plus) PR #37 - getAllRoles method now allows retrieving Job and Agent roles
    • Example: curl -X GET localhost:8080/role-strategy/strategy/getAllRoles?type=globalRoles ("projectRoles" or "slaveRoles")

Version 2.7.0 (Feb 06, 2018)

Version 2.6.1 (Oct 04, 2017)

Version 2.6.0 (Aug 28, 2017)

  • (plus) PR #30 - Add REST API endpoints to get and unassign roles
    • Examples:
      • Unassign role: curl -X POST localhost:8080/role-strategy/strategy/unassignRole --data "type=globalRoles&roleName=AMD&sid=username"
      • List roles: curl -X GET localhost:8080/role-strategy/strategy/getAllRoles
  • (info) Update Jenkins core minimal requirement to 1.625.3

Version 2.5.1 (July 10, 2017)

Version 2.5.0 (Jun 02, 2017)

Version 2.4.0 (Apr 10, 2017)

This change is a part of the Security release in Jenkins.

  • (error) SECURITY-410 - Prohibit dangerous permissions by default
    • Permissions like "Jenkins.RUN_SCRIPTS" cannot be granted to non-admin users by default
    • After the upgrade to 2.4.0, such dangerous permission configurations will be disabled and reported in the Administrative Monitor
    • "org.jenkinsci.plugins.rolestrategy.permissions.DangerousPermissionHandlingMode.enableDangerousPermissions" system property can be used to allow these dangerous permissions (not recommended)
    • See the referenced issue for more info
  • (error) Fixed escaping of descriptions in the Role Strategy Macros list (JENKINS-38230)


After the update, the dangerous permissions will be disabled; some Jenkins instances may therefore require reconfiguration if they rely on dangerous configurations (e.g. RUN_SCRIPTS without ADMINISTER).

Version 2.3.2 (06/13/2016)

  • (error) Performance: Disable user authorities resolution in permission checks by default (JENKINS-35515)
    • This was done because of the performance degradation reported in 2.3.0
    • The 2.3.0 behavior can be restored with the org.jenkinsci.plugins.rolestrategy.Settings.treatUserAuthoritiesAsRoles system property
    • If you enable it, performance can also be tuned with org.jenkinsci.plugins.rolestrategy.Settings.userDetailsCacheMaxSize and org.jenkinsci.plugins.rolestrategy.Settings.userDetailsCacheExpircationTimeSec
  • (error) Authorities resolution: Catch Runtime Exceptions from underlying Security Realms. Prevents Jenkins DoS in such case (JENKINS-35652)
  • (info) Generalize the help message for role patterns (JENKINS-35250)

Version 2.3.1 was skipped due to the typo in the property name.

Version 2.3.0 (06/07/2016)


Performance regressions have been reported for this version. Upgrade only after testing.

Version 2.2.0 (06/29/2014)

  • (plus) Support of Create Job permissions since jenkins-1.566 (JENKINS-19934)
    • The permission requires the specific item name validation strategy, which should be selected in Jenkins global configuration
  • (error) Fixed help links in manage-roles pages (JENKINS-15030)
  • (info) Slave permissions: Allow assignment of permissions, which don't belong to "Slave" group (JENKINS-18978)

Version 2.1.0 (07/20/2013)

Version 1.1.3 (07/10/2013)

  • Prevented exceptions in case of missing roles (JENKINS-18648)
  • Prevented exceptions in case of deleted Permissions
  • Support of folders plugin (JENKINS-17482)
  • Upgraded to Jenkins 1.424

Version 1.1.2 (10/14/2011)

  • Implemented JENKINS-9325: Permissions contributed by plugins can now be managed at the project roles level
  • Upgraded to Jenkins 1.409

Version 1.1.1 (09/19/2011)

  • Fixed JENKINS-8058: "<" and ">" characters were not supported in regular expression patterns

Version 1.1 (06/08/2011)

  • SCM permissions (e.g. Tag) can now be handled at the project roles level
  • Improved UI to handle large installations:
    • Deletion buttons are now also displayed on the left of each table
    • When a table has more than 20 entries, a footer that repeats the header is now added
    • It is now possible to edit already defined patterns by double-clicking on them in the Project roles table
  • Fixed some typos
  • Fixed some image display issues

Version 1.0 (09/20/2010)

  • Initial release



  1. Unknown User (giulianobr)

    Hello, first of all, congratulations you are the first to create a good plugin to reorganize how Hudson works with user/group/permissions.

    Second, I have a question: how can I configure a role to have permissions on 2 projects with different names, like ProjectABC and BuildMyProject? How do I put it in the Pattern field?

    1. Unknown User (rseguy)

      Simply build a regular expression which fits that: (ProjectABC.*|BuildMyProject.*)

  2. Unknown User (dominik)

    Is it possible to add new roles/users via CLI or remote API?

    The problem is that we need to do this fully automated, and by updating the configuration file directly, we would have to restart Hudson after a modification, right?

    1. Unknown User (rseguy)

      No it's not possible yet (+ yes, you're right, you would have to restart Hudson). May you create a JIRA ticket for that please? I've just requested through the ML for the creation of the JIRA role-strategy component.

  3. Unknown User (michil)

    I'm trying to add a project role with a role name and a regular expression. When pressing the add button, nothing happens.
    I tried it also with a regular expression ".*" which should cover all my projects, but even then, nothing happens.
    Tried to check Hudson log files, but no output found from plugin.

    1. Unknown User (rseguy)

      Please create an issue in JIRA with screenshots + the technical configuration.

  4. Unknown User (valley.antoine)

    Hello, this is a very nice plugin.

    On my local hudson configuration, your

    However, on the production server, I encounter a problem.

    On the main board (with the project list), I'm always asked to enter my login/password even when I'm already logged in.

    Sometimes, I can access this page, but can't explain when and why.

    Strangely, I have no problem to access other pages (configuration, users...)

    Configuration :

    Customed Hudson v1.364 (no major changes)

    I'm using LDAP-based authentication + LDAP groups

    I have some users in several groups.

    Thanks in advance for your advice

  5. Unknown User (valley.antoine)

    Hello again,

    Just to say there are some small mistakes in the French property file:

    You wrote "&ocric;" instead of "&ocirc ;" (I added a space in order to make it appear)


    1. Unknown User (rseguy)


      Thanks for reporting the typo. I've fixed that locally and will commit once SVN is fully back.

      May you next time create an issue in JIRA to report bugs/request enhancements?


  6. Unknown User (valley.antoine)

    Ok, you will never believe me about the previous bug (asking me to authenticate myself) :

    There is certainly a bug with Firefox. Here are the steps :

    Configuration :

    - Firefox 3.0.19

    - Internet Explorer 7

    1 - I log in on firefox

    --> I have the error

    2 - I open Internet Explorer

    3 - I log in with IE (same user or not makes no difference)

    --> No error on IE

    4 - I go back on Firefox

    5 - I refresh the page

    --> No error !

    If I log out and log in again on Firefox --> The bug comes back

    It's just like the privileges index is not well refreshed when logging in with Firefox

    That's kind of magic

    (Still no bug on local)

    1. Unknown User (rseguy)


      Kindly create an issue in JIRA (if not already there) for the Hudson core component (since it's not related to the Role Strategy plugin).

  7. Unknown User (raghuram_028@yahoo.com)

    Thanks for this plugin - it is very useful.
    I recently upgraded to version 1.386 of hudson. I'm not able to add roles/group at project level.
    I click on the "add" button & nothing happens.

    Can any one confirm?


    1. Unknown User (rseguy)

      Which browser are you using? It highly depends on it. E.g., it works fine on Firefox 4.0 but not on Internet Explorer 6.0.

      1. Unknown User (markusd)

        Same problem here, using IE 8.

        Do you have any more detailed information on what causes the problem?

        Is there a chance, that this problem can be solved?

        (IE is company standard)

        Thank you in advance.

  8. Unknown User (hbockelmann)

    I really like this plugin since it allows to hide some 'internal' jobs (which are not fully tested or just meta-steps in a job chain) and show them only to authenticated users - thank you very much.

    But: if I set the global role for anonymous to


    and then add a project role to some jobs with


    the anonymous user can not only see the jobs I granted to him, but also the sidebar information! This might cause some trouble since the sidebar shows the build executors and in my case also the userContent directory on the hudson server. Is it possible the restrict the view on the sidebar in the same fashion as for projects?

    1. Unknown User (rseguy)

      How have you added the userContent dir in the sidebar? Is it a plugin or a direct modification to Hudson core? In both cases, what you have to do is to add a new permission or to reuse an existing one in order to protect your sidebar.

      1. Unknown User (hbockelmann)

        Thanks for your help, I added the userContent via the Sidebar-Link Plugin. Could you please be a bit more concrete about how to add a new permission? Do I have to modify the source of the plugin or of Hudson core?

  9. Unknown User (yamabb)

    Hi, this plugin is very useful to us, thanks.

    Sorry if this is a FAQ or my mistake, but I suppose that
    this plugin outputs data to config.xml without sorting elements, for example:

    • permissions/permission
    • assignedSIDs/sid

    Of course, this is no harm, but as a result,
    simple diff of config.xml (ex. jobConfigHistory plugin) becomes very dirty ...

    1. Unknown User (rseguy)

      I think I can implement sorting easily since the plugin uses its own converter to serialize data.
      May you please fill an issue in JIRA to track that? Thanks.

      1. Unknown User (k96)

        I posted JIRA, instead of Takesh.
        I'm a newbie of JIRA, so feel free to modify this report (including my English) and please don't hurry to fix this tiny problem.

        Thanks in advance !

  10. Unknown User (maxime_lem)


    I'm using Promoted builds plugin. The "promote" right is displayed in global authorization matrix, but not in role strategy matrix.

    Can you please add it?

    1. Unknown User (rseguy)

      This is something I have to do for some time now. May you please create an issue in JIRA about that so that I don't forget? Thanks.

      1. Unknown User (maxime_lem)

  11. Unknown User (kww228)

    I don't know if this has been asked before, but I am trying to use the Logged-in users can do anything.  I was wondering though how do you create a user?  I cannot log into my system to do anything at this point.  Thanks.

  12. Unknown User (mako)

    Is it possible to reset all security settings?

    1. Unknown User (rseguy)

      I guess you're asking for this: Disable security.

      1. Unknown User (mako)

  13. Unknown User (spots107)

    Are there plans to add a default authenticated user role (basically the opposite of anonymous)? This is similar to the Logged-in users requested, I want authenticated users to be able to perform certain operations without having to manage them individually.

    1. Unknown User (wwightman1)

      We really would have found an "Authenticated" user useful here as well.  We have the case where we would like to allow anyone to start a type of build, but would like to track who started the builds.  An authenticated user would allow us to do this.

      1. Unknown User (spots107)

        I have raised the issue https://issues.jenkins-ci.org/browse/JENKINS-13029 for this feature request. Please Vote if you think it is a good idea.

  14. Unknown User (mako)

    I'd like to close access for Anonymous except Overall/read but I can't use RSS notifications because I have to login in first. Does somebody know some workaround?

  15. Unknown User (swac22)

    Plugin crashes tomcat6,
    We are using Windows XP, IE8

    Anybody has faced same problem?

    Please Help!!

    1. Unknown User (rseguy)

      Don't attach log files to this page: This is a wiki, not a bug tracker or a support tool. Please use appropriate tools for that: Take a look at the users mailing list or at JIRA.

      1. Unknown User (swac22)

        Sorry about that, I just updated my comment. But could you at least tell me why I am facing the above issue?

  16. Unknown User (redicebiker)

    I'm having trouble with the project roles.

    I have a project called “reporting_build”, and I created a role called “reporting” with the pattern “reporting_build” with all permissions enabled.

    I then assigned a user (mark) to that role.

    But when mark logs in, I get “Access Denied, user is missing the Read permission”.

    If I assign mark to a global role, I can log on and see everything (which, of course, is not what I need).

    I've googled “missing the Read permission”, but I haven't found anything that's relevant.

    What does this error mean? Is it a problem with the role set up, or is there a more fundamental configuration issue that I'm missing?

    I'm using Hudson 2.2.0 with Hudson's user database and v1.1.2 of the plug in.

    Thanks for any pointers.

    1. Unknown User (redicebiker)

      I got it to work.

      I went back and followed the example above slavishly and discovered that you need to have the global anonymous role with overall read permission set. After that, everything worked as advertised. It seems odd that the plug-in doesn't set that permission autom-magically.

      The anonymous user is quite useful.

      • If the global anonymous job read permission is set, anybody can see the status of projects. Lets the managers see but not touch.
      • If you allow users to sign up, they can then access any project roles that are assigned to anonymous. We have contractors rotate through regularly, and being able to give them access to some functions without administrative overhead is quite handy.

      A cool plug-in.

      1. Unknown User (zacharysyoung)

        Yes, a very critical part of the configuration that was not explicitly mentioned. In my case, I don't want Anonymous being able to read, so I substituted Anonymous for authenticated users.

  17. Unknown User (damianshameer)


    I'm not sure if this can be classified as a bug but I just discovered this while doing some testing.

    Don’t laugh @ my job names and views as they are fake. I work for a large org and I'm setting up a CI environment for my division so we have a CI QA space for testing and experimenting. I setup this Jenkins space to simulate multiple teams with one team having multiple projects (multiple apps). I'm using LDAP for login authentication. The job naming convention will determine the group. For example: all apache-* jobs belong to team Apache.

     What I did:

     In the Manage and Assign Roles view, I created a role called apache_only_access (only users assigned to role can change apache-* jobs) and granted it the global permission to create jobs.

     In Project Roles, I granted role apache_only_access full project permission.  I then assigned a specific user (user1) to this role. This works beautifully.

     User1 has read-only access to the other jobs but cannot make any changes. User1 can only modify the apache-* jobs.

     User1 can also create a new job as long as the job name begins with "apache". For example, a new job apache-something is allowed.

     What is the issue?

     Logged in as user1, I clicked on New Job, select Build a maven2/3 project , enter job name "my-new-job" then click next where the following error is shown

     Access Denied:user1 is missing the ExtendedRead permission

     This I expected since user1 is restricted based on the role I created.

     The issue (again, not sure if this is an issue/bug) is the job user1 intended to create is created and shows up in the default view (last image). User1 can view the job but cannot delete it. To remove the job, I have to log in as admin and delete it.

    1. Unknown User (rseguy)

      This is normal: The permission to create a job, well, allows for creating jobs. It doesn't control the name of these jobs. So if the user has this permission, then he can create whatever job he wants. But he won't be able to view/edit/delete them (depending on the perm) if he's not been allowed to.

      1. Unknown User (damianshameer)

        Thanks Romain!

        I suspected such was the case as the job is saved after you leave the initial screen and go to the job configuration screen.

        However, I feel that Jenkins should factor in the user's permission BEFORE saving the job. After all, if a user only has permission to create, for example, apache.* jobs, creating a job titled otherwise would be pointless.

        In any case, I'm nitpicking on this one ;-)

        This plugin is a great addition to Jenkins!

  18. Unknown User (raj1985)

    I get an issue with project specific role.. Global setting always takes precedence and project specific role is ignored.. I am trying to make separate group /User to own their own jobs without modifying / restricting other Jobs..

    I tried following steps above.

  19. Unknown User (tribuni)

    Hi guys,

    is it possible to connect to jenkins via CLI while this plugin is enabled?

  20. Unknown User (venkatannangi)

    Hi Guys,

     This plugin is giving awesome features on securing the Jenkins. Thanks for the plugin

     We are struggling to update the project roles for the users. Is there any future release with filtering the users based on roles or user?

     If we have filter in the assign roles matrix that would be very great and helpful to most of the users

     And also I found some issue with current version of the plugin. It is not working with latest version (1.27) of AD plugin

    1. Unknown User (rseguy)


      Yes, this is something I wanted to achieve. I started the work (you can see a screenshot in this JIRA issue: JENKINS-8075) but didn't complete it. Daniel (you'll see his name in the JIRA issue) will be your guy for that.

  21. Unknown User (venkatannangi)

    Thanks Romain

    will get in touch with Daniel

  22. Unknown User (damienfinck67)


    Can you correct French translations ?

    In the "Manage and Assign Roles" page > "Global roles" > "Role" > "Run" translate in "Lancer" but it will better with "Historique des builds"

    In the "Manage and Assign Roles" page > "Global roles" > "Role" > "View" translate in "Voir" but it will better with "Vues"

    To translate other phrases, do you want help?

    Thank you

  23. Unknown User (damienfinck67)


    Can you correct French translations ?

    In the "Manage and Assign Roles" page > "Global roles" > "Role" > "Run" translate in "Lancer" but it will better with "Historique des builds"

    In the "Manage and Assign Roles" page > "Global roles" > "Role" > "View" translate in "Voir" but it will better with "Vues"

    To translate other phrases, do you want help?

    Thank you

    1. Unknown User (rseguy)

      Hi Damien,

      These translations are not part of the plugin, they are part of Jenkins core: The plugin gathers permissions from Jenkins itself and from other plugins, so it's the responsibility of Jenkins and these plugins to provide the right translations.

  24. Unknown User (hagzag)


    I have stumbled upon an issue which I am not sure qualifies as a bug for I might be doing something wrong.

    I have two roles:

    a.builders which have build permissions - these users should be able to build a pattern of a(.*) build name pattern

    a.releasers which have release permissions - these users should be able to build and release a(.*) build name pattern
    users in either group have the ability to release which is kind of missing the point - the question is how does the plugin apply the permissions, the release permission is introduced only if the release plugin is installed and my question is why isn't the permission applied. - let me know if I should file a bug.


  25. Unknown User (kapilanarang)

    Need help here how to do

    I need to create multiple groups like raildev here who can login only with their defined view & access permission( with set of pattern matching jobs-trains.*). + cant view to other jobs in other's view.

    but right now when raildev user logs in he is able to view all other views also & its job. How can i hide this?

  26. Unknown User (alex01ves)

    I needed to give users the ability to manually trigger a set of jobs, all of which had a common prefix in their names. I thought I had to tediously modify each of them using the "Project-based matrix authorization strategy".

    But then I ran into your plugin, and set everything up in a matter of minutes. Thanks very much, works great! 

  27. E B

    I set the pattern to any of j* ,  j.*  , j. , "j."  for a job that is named jenkinstest but every time I get an error during login with the user who is assigned to that role. Should you use double quotes when creating the pattern or quotes not needed?

    If I assign the user to admin role then the user can login successfully. I am using the Collabnet plugin for authentication.

    HTTP Status 404 -

    type Status report


    description The requested resource is not available.

    Apache Tomcat/7.0.30

    1. E B

      Resolved this "The requested resource is not available"  issue. Created a readonly role and then needed to give read access in global to Anonymous . 

      But this looks like a bad design or bug to me to have to give read access to Anonymous at global level.

  28. Unknown User (hnain)


    I have configured the plugin and it works well. However, I have noticed that the plugin does a case sensitive match when searching for usernames. 

    I personally think that this search should be case insensitive. Is this a bug or is this how the plugin has been designed to work? This is causing us a lot of grief as we have to add each user twice , once with uppercase username and one with lowercase username.

    Please advise..


    1. Unknown User (oleg_nenashev)


      By default, user names are case-sensitive in Jenkins. Several security plugins (like Active Directory) allow users to connect with any case, which causes such SID differences. I'm going to add support of user macros at some point (https://issues.jenkins-ci.org/browse/JENKINS-19320). Such macros can resolve your issue, but it can significantly affect performance of the plugin.

      BR, Oleg Nenashev

  29. Unknown User (overminddl1)

    Would be nice to give some people access to create their own jobs, and for them to have full access over their own jobs that they created automatically.  Perhaps a way to restrict their job names to always start with a certain prefix, then we could just give permissions to that prefix.

    1. Unknown User (oleg_nenashev)


      https://wiki.jenkins-ci.org/display/JENKINS/Ownership+Plugin implements such functionality w/o any additional prefixes.

      BR, Oleg Nenashev

  30. Unknown User (rakeyshkande)


    We are using this plugin to serve our needs for segregating the Job access to users based on the Job name.

    We are having some issues using regex. Manage and Assign Roles -> Manage Roles -> Project Roles is not working. The regex is not working.

    Say we are trying to apply the regex for all job names starting with "test" with ignoring case (like "(?!)test.*"). This is not able to filter the jobs. I have tried this using the latest version of the update too. Any suggestions :)

    1. Unknown User (oleg_nenashev)

      Hi Rakesh,

      It is not an issue in the plugin. You should use "(?i)test.*" (i instead of !)

      Useful link: https://blogs.oracle.com/xuemingshen/entry/case_insensitive_matching_in_java

      Best regards, Oleg Nenashev

  31. Unknown User (rakeyshkande)

    Thanks a lot Oleg :) I overlooked the symbol.. it's working now, thanks a lot

  32. Unknown User (vishal_vsh1)

    Thanks a lot, This is really a great plugin. I have a doubt and requirement.

    I am using LDAP authentication for Jenkins and using the role-based-strategy plugin for authorization.

    My problem is that I cannot put the list of users in the global roles because

    1. there is a huge list.

    2. I don't even know the complete list because users are being added and deleted in LDAP.

    I would like to have something like "*" which should include all users, so that users added or deleted will not be manual task in jenkins.



    1. Unknown User (oleg_nenashev)

      Hello Vishal,

      You can use "authenticated" User/group to assign all authenticated users to a global role. Does it resolve your issue?

      Best regards, Oleg Nenashev

      1. Unknown User (vishal_vsh1)

        Hi Oleg, you are superb.

        Yes, this solves my problem.

        I can't tell you how useful this feature is for me.

        once again, great plugin .



  33. Unknown User (angelosphere)

    I'm wondering:

    "It should be noted that the Global Roles override anything you specify in the Project Roles. That is, when you give a role the right to Job-Read in the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Project Roles."

    What is the rationale behind this? It is very counterintuitive and IMHO makes no sense at all. Everyone I know would assume exactly the opposite. I guess it is now too late to change that ... but I wonder why it came to that decision.

    1. Unknown User (oleg_nenashev)

      It's a common approach for multi-role/group authorization systems. Most of them provide cumulative permissions like role-strategy does. If you assign a user to any role, he will get its permissions.

      Global roles just affect all jobs. You can just consider them as project roles with ".*" pattern.
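
The pattern questions and the cumulative behaviour discussed in the comments above, as an added example (not the plugin's code): a simplified Java model in which a role applies to a job when its pattern matches the whole job name, and a user's permissions are the union over all matching roles. The class and method names, job names and permission labels are constructed for illustration, and whole-name matching is an assumption about how the plugin applies the pattern.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

// Added illustration: a simplified model of role patterns, not the plugin's code.
public class RolePatternPreview {

    // Hypothetical model of a role: name, item-name pattern, granted permissions.
    static final class Role {
        final String name;
        final Pattern pattern;
        final Set<String> permissions;

        Role(String name, String regex, String... permissions) {
            this.name = name;
            this.pattern = Pattern.compile(regex);
            this.permissions = new TreeSet<>(Arrays.asList(permissions));
        }

        // Assumption: the pattern must match the whole job name (Matcher.matches()),
        // which is why the patterns quoted on this page end in ".*".
        boolean covers(String jobName) {
            return pattern.matcher(jobName).matches();
        }
    }

    // Jobs from the list whose full name matches the given pattern.
    static List<String> preview(String regex, List<String> jobs) {
        Role probe = new Role("probe", regex);
        List<String> hits = new ArrayList<>();
        for (String job : jobs) {
            if (probe.covers(job)) {
                hits.add(job);
            }
        }
        return hits;
    }

    // Cumulative model: union of the permissions of every assigned role covering the job.
    static Set<String> effectivePermissions(List<Role> assigned, String jobName) {
        Set<String> granted = new TreeSet<>();
        for (Role role : assigned) {
            if (role.covers(jobName)) {
                granted.addAll(role.permissions);
            }
        }
        return granted;
    }

    public static void main(String[] args) {
        // Constructed job names, chosen to exercise the patterns quoted in the comments.
        List<String> jobs = Arrays.asList("jenkinstest", "test-deploy", "Test-Nightly",
                "ProjectABC-ci", "BuildMyProject", "apache-httpd");

        String[] patterns = {
            "j*",            // zero or more 'j' characters, not "starts with j"
            "j.",            // 'j' plus exactly one more character
            "j.*",           // 'j' followed by anything
            "(?!)test.*",    // empty negative lookahead: can never match
            "(?i)test.*",    // case-insensitive flag
            "(ProjectABC.*|BuildMyProject.*)"
        };
        for (String p : patterns) {
            System.out.printf("%-34s -> %s%n", p, preview(p, jobs));
        }

        // A global role modelled as a project role with pattern ".*", plus one project role.
        List<Role> assigned = Arrays.asList(
                new Role("reader (global)", ".*", "Job/Read"),
                new Role("apache_only_access", "apache-.*", "Job/Build", "Job/Configure"));
        for (String job : Arrays.asList("apache-httpd", "jenkinstest")) {
            System.out.printf("%-14s -> %s%n", job, effectivePermissions(assigned, job));
        }
    }
}
```

With the sample jobs, `j*`, `j.` and `(?!)test.*` select nothing, and the global `Job/Read` still applies to `jenkinstest` although no project role matches it.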

  34. Unknown User (eszasll)


    Could you please add a bit more detailed description of the slave roles to this wiki? Unfortunately the help is not available for the pattern variable of the slave role section at the Manage Roles page. And how will these Slave Roles work against Global Roles. If I want to restrict a group of user to be able to build only a group of slaves in Jenkins I have to leave the Build right empty on global level for these users?


    1. Unknown User (oleg_nenashev)

      I'll add such info to the Wiki. Just a short answer to your question...

      • The approach is similar to project roles
      • Pattern is a regexp expression, which will be used to check the slave's name
      • Permissions in global and slave roles are cumulative, so you cannot restrict global "Build" permissions.
      • I recommend to create separate roles for general-availability slaves and for private ones
      1. Unknown User (eszasll)

        Thanks for the quick answer Oleg!

        1. Unknown User (eszasll)


          Just one more issue, I also use Project roles for users in Jenkins. Will Slave roles be cumulative with these also? The problem is with the build permissions, which are already restricted by the project roles. And I also want to have a filter not just on the project but on the nodes also for users in our Jenkins.


          1. Unknown User (eszasll)

            Sorry and one more thing in addition. If I remove the build permission of a user for a node abortion of jobs running on that will be also disallowed for that user? I hope that it works like that. :)

            1. Unknown User (oleg_nenashev)

              Seems I've missed the Wiki update notification...

              • All roles are cumulative between global and specific (Project/Slave) roles
              • Job.Build and Slave.Build are different permissions, so they are not cumulative
              • The second one just prohibits the execution on a node for the build's authenticated user if you have an enabled QueueItemAuthenticator extension (e.g. "Authorize Project Plugin").
              • AFAIK, the Slave.Build permission does not do anything on default configurations
              1. Unknown User (jazzabi)


                Thanks, is it possible to add cancel right for a user on a job(s), but just on a group of slaves, not on both?

                1. Unknown User (oleg_nenashev)

                  AFAIK, it is not possible now. Such permission type should be provided by Jenkins core. "Computer.Build" is a new permission, other slave-specific permissions have not been implemented yet.

                  Please create a feature request on JIRA (component=core) if you need such functionality.

                  1. Unknown User (jazzabi)

                    OK, thanks for your help!

  35. Unknown User (benjamintodd)

    Can you expand on this note for the 2.2.0 release?

    Support of Create Job permissions since jenkins-1.566 (issue #19934)
       - The permission requires the specific item name validation strategy, which should be selected in Jenkins global configuration

    I'm trying to understand what is meant by "The permission requires the specific item name validation strategy".


    1. Unknown User (oleg_nenashev)

      1. Go to JENKINS_URL/configure
      2. Click on the "Restrict project naming" checkbox
      3. Select the "Role Strategy" validation strategy
  36. Unknown User (nglasser)

    Is there a role provided to allow users to edit their own profile? I'd like to allow users to access /user/[username]/configure without granting all users administrative rights.

    1. Unknown User (oleg_nenashev)

      This functionality is available out-of-the-box

      BTW, it may be prohibited by your Security realm

      1. Unknown User (nglasser)

        How would I configure this? I can edit my own and other users as an admin. Other users cannot edit their own account unless I add the overall administer role.

        1. Unknown User (oleg_nenashev)

          What Jenkins version do you use? There's no such problems on 1.509.4

          1. Unknown User (nglasser)

            Turns out this was a case-sensitivity issue. My LDAP users can log in successfully using lowercase, but only if they log in using uppercase do they have the option to configure their account.

  37. Unknown User (sysadmin2062364230)

    I've been trying to get the ?i case insensitivity switch to work on Assign Roles/Global Roles so it works the same way as Active Directory but I can't seem to make it work.  Is it possible?

    1. Unknown User (oleg_nenashev)

      What switches do you mean?

      1. Unknown User (sysadmin2062364230)

        When I add users to Global Roles on the Assign Roles page at the moment I have to add two, 'user.name' and 'User.Name' - if I only add 'user.name' then when they log in to Jenkins with 'User.Name' they don't get the right features as per their assigned role.

        However having looked at the link you gave it seems you are already working on this one.  I shall wait for the update...  :)

        1. Unknown User (oleg_nenashev)

          I'm not sure If the PR will be merged.

          New versions of Jenkins core provide the similar functionality since 1.566. See https://issues.jenkins-ci.org/browse/JENKINS-22247

  38. Unknown User (beauclr)

    Is it possible to require a user to be part of two groups to access certain builds? Like say I have ldapGroupA and ldapGroupB, and I want to require that the logged in user has access to both groups to have role N.

    1. Unknown User (oleg_nenashev)

      Currently, the plugin does not support specific permissions on the builds level. This case is very rare.

      Feel free to contribute to the plugin or to submit a feature request on Jenkins JIRA

  39. Unknown User (beauclr)

    Hello again! So I think maybe I misspoke when I said "certain builds". I mean to continue using the plugin as it is used now, by assigning groups to roles in order for them to have access to a project. It's just that I would need to be able to specify that the current user be part of two groups to be granted that role. If that is not possible I'm more than happy to try and contribute to the plugin, I'm just a little uncertain on where to start.

  40. Unknown User (spikerjenk2)

    Great plugin!  Is it (yet) possible to update projects / assign roles via means outside of check boxes?  I would like to do so from a groovy script.  For example, I'd like to pull redmine groups / permissions and apply them to Jenkins.  Thanks!

    1. Unknown User (oleg_nenashev)

      Yes, it is possible.

      Groovy system scripts have full access to all public and private (not recommended) methods of plugin classes. For example, we use Groovy scripts to temporarily grant ADMINISTER permissions (sudo mode).

      1. Unknown User (spikerjenk2)

        Awesome! Thank you.  If it's not too much to ask, can you show an example?  As much as I've tried, I can't figure out how to access plugin methods from a groovy script.  Thanks!

        1. Unknown User (oleg_nenashev)

          I've posted an example to Gist. Please note it's internal hack implementation from a Jenkins job, hence it takes some info from the environment.


          1. Unknown User (spikerjenk2)

            Ah, you just made my week!  Thank you so much.

  41. Unknown User (crnkyadmin)

    Hello. I'm trying to use this plugin to restrict access to a jenkins slave. The setup that I am working with has only a single slave. My slave role has a pattern of ^.*$ and all of the permissions are enabled. I then assign this role to an LDAP group and members outside that group are still able to run jobs on the slave with the slave being specified in the job using the "Restrict where this project can be run" setting. I have tried various things like creating a role with no permissions and the slave node as the pattern and assigning that role to the group that should not be allowed to run things on the slave, but nothing seems to have any effect on the job being able to run on the slave. The test user I have in the LDAP group is always able to run the job on the slave. 

    Any suggestions?

    1. Unknown User (oleg_nenashev)

      Computer.BUILD permission elaborates the internal authentication of jobs, which should be performed by Jenkins extensions. This permission won't take effect on a default Jenkins installation.

      See https://wiki.jenkins-ci.org/display/JENKINS/Authorize+Project+plugin . It provides a relevant user definition for the project.

      You can also use https://wiki.jenkins-ci.org/display/JENKINS/Job+Restrictions+Plugin in order to get the required functionality outside the Permission Matrix

      1. Unknown User (csms)

        Hi. I don't quite understand your answer(sorry :-) and I have the same type of challenge as Joshua but more generic.

        Is it possible to use the node label and parametrized build plugins to allow the user to select a node to run a job on. But then check whether that user is allowed to run jobs on a specific slave?

        I've tried back and forth with the job restrictions plugin only to realize that I misunderstood "Jobs owner must belong to the list". 

        So basically person A but not B should be allowed to run job x on slave Y, while person A and B should be able to run job x on slave Z. Slaves are listed as parameters (node labels) when starting the build. Or are you saying that the only way to achieve that is to add the authorize project plugin to properly be able to pick up the user when evaluating slave roles?

        1. Unknown User (oleg_nenashev)


          Job Restrictions Plugin may be updated for the case. I suppose that "Started by a user" may help (https://issues.jenkins-ci.org/browse/JENKINS-25726).

    2. Unknown User (cafeliker)

      @Joshua Coughlan, did you make it work? I am using this role based strategy plugin with Kubernetes plugin on Jenkins 2.150.1, and I want to do the similar thing you were trying, control who can build the jobs on specific nodes based on the labels, but people are always able to build on any node.

  42. Unknown User (kdmult)

    Hi Oleg,

    We have a custom UI on top of Jenkins and I would like to get a role of a user.

    Please advise how can I get the user role using the REST API?

    If it is not implemented do you have some plan to do this?



    1. Unknown User (oleg_nenashev)

      Hi Dmitry,

      REST API is not available for the plugin. There's no such feature requests in JIRA, so it would be useful if you create such one. In any case, I don't have enough resources to implement this feature in the short-term perspective. If you want to implement this feature on your own, I'm ready to review pull requests, etc. So feel free to contribute ;)

      To emulate REST API you can do the following:

      1. Implement required methods using Scriptler Plugin
      2. Use Scriptler Plugin's built-in support of REST API

      BR, Oleg Nenashev

  43. Unknown User (ripm)

    Hi guys,

    I'm trying to configure a restrict permissions using this plugin for users and groups on my AD based on our internal policy on Jenkins.

    The scenario that I'm working on is:

    -jenkins 1.579
    -role strategy plugin 2.2.0
    -AD win 2k8

    The "configuration to be expect" should be:

    (Role) "Role 1" -> assigned to ->(Group) Group A ->that contains ->(Group) Group B ->that contains -> users.

    The workaround that we have implemented is:

    (Role) "Role 1" ->assigned to ->(Group) Group B ->that contains -> users.

    The issue seems due to nested group on AD that doesn't work correctly with the plugin.

    Any suggestion would be appreciated.

    Thanks in advance for your help.

    Best Regards.


    1. Unknown User (oleg_nenashev)

      Hi Michele,

      Please create an issue in JIRA for your case.

  44. Unknown User (gdameron)

    I would like to create a setup in which:

    • The ability to run builds on slaves is restricted by LDAP group membership. Essentially, users in a certain group can run builds on their own slave, but not on a slave "belonging" to another group.
    • A project's configuration is completely agnostic to slave restrictions. So, there would be no "job ownership" or "project roles" involved, and no need to name projects any particular way.

    Is such a capability available now, or in the pipeline?

    (Currently running: Core 1.565.1, v2.2.0 of Role Strategy plugin, v0.3 of Job Restrictions plugin, v0.5.1 of Ownership plugin)

    1. Unknown User (hbockelmann)

      I have the same problem. user authenticate via LDAP and they should only use slaves that are allowed for their group.

      Using the following plugins with core 1.580.2 (LTS)

      • authorize project v 1.0.3
      • role strategy v 2.2.0
      • LDAP v 1.11
      • Ownership plugin v 0.5.1
      • job restriction v 0.3

      the slave-role permission "slave/build" should do the check whether a user is allowed to run a job on a specified slave - but it is not working!

      If you define a slave-role with the "slave/configure" permission given and assign this role to an LDAP group, all users in this group are allowed to configure every node/slave that matches the pattern of the role.

      But if I activate the "slave/build" permission for this slave-role, the user cannot run a job on any slave that matches the pattern ?!?!? The job would idle forever waiting for the slave.

      I suppose that this is a bug in the plugin, since the role-based access to configure a slave works perfectly, but not the permission to build on a slave - maybe the plugin developer could comment on this?

      BTW: I need a global role "authenticated" with overall/read permission in order to view the dashboard for an authenticated user. One might activate the slave/build permission for the global role, but then every authenticated user can use every slave ...

      1. Unknown User (oleg_nenashev)

        1. Unknown User (hbockelmann)

          Hi Oleg,

          I have now updated to

          • job restriction v 0.4
          • ownership plugin v 0.6

          and restricted job execution on dedicated slaves to some LDAP groups only. This is working as intended only if I am giving "slave/build" permission to the authenticated user in the global role! Interestingly this is eg. not needed for the "slave/connect" permission ...

          Another remark: if a user tries to start a job on a slave for which his LDAP group does not have the permission, the job idles forever in the build queue. It would be nice to reject such a job already when it is submitted, such that the user gets to know about his "error". Do you know of any easy way to achieve this?

          1. Unknown User (oleg_nenashev)

            > This is working as intended only if I am giving "slave/build" permission to the authenticated user in the global role!

            The permission has been introduced in relatively new Jenkins versions, so there could be an issue within the plugin. Please create a JIRA issue and attach the info about your job. I'll check it and create appropriate tests.

            > if a user tries to start a job on a slave for which his LDAP group does not have the permission, the job idles forever in the build queue. It would be nice to reject such a job already when it is submitted, such that the user gets to know about his "error". Do you know of any easy way to achieve this?

            AFAIK Unknown User (csms) is working on such feature for job-restrictions. I'll review changes and release the new version when he creates a pull request.

            1. Unknown User (hbockelmann)

              I just created the issue #26485 - thank you for having a look at this

  45. Unknown User (vishal_vsh1)

    Hi Oleg,

    We had ldap integration and "authenticated" user bit was working fine to assign role for the logged in user.
    However after SAML integration for SSO, "authenticated" user role stopped working without throwing any error.
    Role based strategy plugin is working fine for individual users but it is not working for authenticated users.

    Any idea where could be the problem?

    I already raised a ticket https://issues.jenkins-ci.org/browse/JENKINS-27829

  46. Unknown User (perun)

    Why overall read necessity is a stupid idea

    Because I don't want anyone to see all the jobs! I want testers to see jobs that are related to them. I want administrators to have their playground that is not visible to others. Maybe I want testers to give authorization to build all the jobs, so that authorization plugin don't have problems to run them as testers, but I don't want them to be able to run them directly. Well tell me just what is it good for and I'll shut my mouth.

    If it is necessary somehow because of the code, wouldn't it be possible to decline some read authorization at least? Just get me rid of that stuff. Please.

    1. Unknown User (oleg_nenashev)

      Seems you misinterpret meanings of Overall.READ, Item.READ and Item.DISCOVER.

      Overall read is not necessary in Jenkins core and plugins. Role Strategy allows to configure the behavior without a global read, so I don't get your complaint at all.

      1. Unknown User (perun)

        Well OK, I just wanted to show you how it was always showing all the jobs to tester accounts. But it suddenly started to work the way I was expecting it the whole time. I feel like complete idiot, sorry. Is there any delay between when I change the policy and when it actually starts working? I just don't know what was happening.

        1. Unknown User (oleg_nenashev)

          > Is there any delay between when I change the policy and when it actually starts working?

          No, there is no delay. Make sure that item discovery is set up correctly. If yes, create an issue on Jenkins JIRA, specify the aux data according to https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue and also provide a configuration of Roles and assignments

          1. Unknown User (perun)

            Well ... somehow it works now. If it behaves strangely again, I'll report it.

  47. Unknown User (sunderkonda007)

    I'm trying to use this plugin but it got me all confused but not sure if it's working.

    I've created few roles like DevManager with privileges like only Read for builds and DevLead with create/delete jobs.

    and I created users for both roles and assigned users for both roles. but when I login as user of both roles I see the same screens and privileges. Even the DevManager is able to create/delete jobs and users which I haven't given them.

    I've only created Global roles, no project level roles. But nothing seems to be working unless I missed something.

    Is there anything I missed other than creating the users and roles and assigning users to the roles?



    1. Unknown User (oleg_nenashev)

      Sorry, missed the comment due to the vacation. This Wiki page is not a support portal BTW. Use Jenkins JIRA, IRC or jenkinsci-users list to ask questions.

      The description seems to be correct, but it should work (it's a very basic case). If the issue still exists, it would be helpful if you create a JIRA issue and attach your security configs there.

  48. Unknown User (chriss745)

    Could you please update the documentation in terms of project based credentials? I would like to set up project based credentials, but it is not clear how is it working. If I add a global read credential permission to my user, it can see all the credentials, if I remove the global read permission, it cannot see anything. I am unable to see how the project based credentials affect the global visibility of the credentials.

    Could you please advise?

    Thank you!


    1. Unknown User (oleg_nenashev)

      Hi Chris,

      "Credentials" term may be quite confusing, because it's another security mechanism in Jenkins. I'm not sure what you mean under "project based credentials", because there is no such feature in Jenkins IIRC. Could you clarify the question or probably attach several screenshots? 

  49. Unknown User (catonyx)

    We have numbers as our usernames. I am wondering if this plug-in could be enhanced to allow a text column to the far right or left for each User/group (in Assign Roles). We could then add a user and use the description for their real names.

    1. Unknown User (oleg_nenashev)

      It could be enhanced in such way. Feel free to submit a pull request or to create a JIRA issue.

  50. Unknown User (gaborv)


    what if I lock myself out on a project/job level? I enabled the auth for a job, added some user, after some time I removed everyone and - accidentally - pressed save button. After that I can not see the config and no one else can.

    I have updated the job's config.xml, but it did not help. I removed the whole security section from there, still not ok. 

    I can not copy the job. 

    Any ideas?



    1. Unknown User (oleg_nenashev)

      Hi. Role Strategy plugin has no configuration options on the job/project level.

      I suppose you use another plugin like Matrix-based security or RBAC (the second one is a proprietary one from CloudBees)

      1. Unknown User (gaborv)

        You're right, thanks. I hope they reply (Matrix guys). I don't see too much activity on their page...

        1. Unknown User (oleg_nenashev)

          Wiki is not a QA channel, so all activity there is pretty random. Response is not guaranteed. The right way to ask questions is to use Jenkins IRC or jenkinsci-users mailing list.

          Regarding your issue, most probably you need to setup an admin account having global Jenkins.ADMINISTER permissions. Then this user will be able to open any job and fix permissions there.

          1. Unknown User (gaborv)

            I already have admin account, it can't see that job config neither. Strange, isn't it. I tried to remove the security stuff from config.xml, reloaded the config from disk, still the same.

  51. Unknown User (bennettbrian_58)


    OS: Windows Server 2012 64-bit

    Jenkins: 2.7

    Role-based Authorization Strategy: 2.2.0

    Folders plugin: 5.11

    We have a top-level folder called Technical_Support and one job in this folder: Test1. I've created the following project roles and patterns:

    Developer_A: ^Technical_Support/.*

    Developer_A2: ^Technical_Support.*

    Developer_A3: ^Technical_Support\/.*

    and I've created the following global roles and permissions:

    Overall_Read: Overall/Read and Job/Discover

    In roles assignments, I have the following roles/assignments:

    Global: authenticated: Overall_Read

    Project: brbennett: Developer_A, Developer_A3

    Issue: This configuration does not give user brbennett any permissions to jobs in folder Technical_Support. We have to use role Developer_A2 in order to get permissions so it would appear that I'm not coding the pattern for the folder correctly. However, that pattern does not include the '/' delimiter so it could match Technical_Support/testjob1 and Technical_Support2/testjob2 and job Technical_Support_job in the root. Is there a coding method I can use to specifically have it apply to only folder Technical_Support?

    1. Unknown User (oleg_nenashev)

      ^Technical_Support$ ?

      1. Unknown User (bennettbrian_58)

        If I change role Developer_A to pattern ^Technical_Support$.*, then user brbennett has rights to Technical_Support2/... jobs, so that isn't the fix.

        1. Unknown User (bennettbrian_58)

          I apologize as I didn't take your suggestion literally and I added '.*' at the end of it. Now I've modified role Developer_A to ^Technical_Support$ and am now having success. My unit test is that I've created folders Technical_Support and Technical_Support2 and user brbennett (still in role Developer_A) is not even seeing Technical_Support2. I'll do some further testing, but wanted to thank you in the interim.

          1. Unknown User (bennettbrian_58)

            But pattern ^Technical_Support$  in role Developer_A is not allowing user brbennett the ability to create new items under folder Technical_Support. Is there an accompanying pattern I would have to enter to allow that?

            1. Unknown User (bennettbrian_58)

              OK, I now have a working model:

              Global role Overall_Read gives Overall/Read right.

              Two folders in root level: Technical_Support and Technical_Support2.

              Role Developer_A has pattern ^Technical_Support$ and all project rights.

              Role Developer_A4 has pattern ^Technical_Support/.* and all project rights.

              User brbennett is in roles Developer_A and Developer_A4 and can only see folder Technical_Support (not Technical_Support2) and is able to add, modify and delete jobs in Technical_Support.

              1. Unknown User (bennettbrian_58)

                Just completed my testing and I am ecstatic! This allows me to setup my Jenkins environment and share it with multiple groups. Thanks again for your help and support.

  52. Unknown User (halfpastjohn)

    Is it necessary to enable "Role-based Strategy" in order to see the Manage Jenkins >> Manage Roles section? I was hoping to configure the roles while using the existing strategy so as not to affect production, and let flip it over when ready.


    1. Unknown User (oleg_nenashev)

      Yes, it's required in the current implementation. Feel free to create an enhancement issue in JIRA.

      On the other hand, my recommendation would be to create and test the strategy on a test server. Then you will be able to safely propagate the new strategy to the master

  53. Unknown User (rajmeghraj)

    Hi All,

    I am using Role-based Authorization Strategy in my organization for managing and assigning roles to users. In my Manage and Assign Roles -> Assign roles tab, I have 160 users for Global Roles and 160 users for Project Roles. When I tried to add the 161st user to the Project Roles, it threw a "FormContentSize" error. But I was able to add when I removed an existing inactive user. So my question here is does this plugin have the limitation of users to 160/320, if yes how can we bump the number of users.
    Any help would be highly appreciated. 

    1. Unknown User (oleg_nenashev)


      There is no limitation in the plugin, but Jenkins web container has a limited form size by default. This size limit can be configured via the System Property (see http://stackoverflow.com/questions/3861455/form-too-large-exception).

      Regarding the number of users, maybe such straightforward user adding is not a perfect approach in any case. Role strategy extensions like https://wiki.jenkins-ci.org/display/JENKINS/Ownership-Based+security may simplify the configuration and administration sometimes.

  54. Unknown User (cliff_houzz)


    Similarly to "Project roles" and "Slave roles", is it possible to also add "View roles" to better control permission for view reading/editing? Thanks a lot!

    1. Unknown User (oleg_nenashev)

  55. Unknown User (uhp)

    Is it possible to use roles to provide them as "submitter" argument for the pipeline "input" step?

    1. Unknown User (oleg_nenashev)

      AFAIK no, but you can address some Pipeline use-cases by using Ownership integration, which provides Ownership global variables. If you need something specific, please create a JIRA ticket with details


  56. Unknown User (mojo_jojo)

    I have a question to the Project Roles. The text states that: "...First, assign that user/ group to read/ discover permissions with pattern " ^foo.* ", then assign that same user/ group to the more particular permissions with pattern " ^foo/bar.* "...". I tried to do this. But as soon as I try to add my Role "SystemEngineering" a second time, with a different pattern, i get the error "Entry for 'SystemEngineering' already exists". What am I doing wrong?

    1. Unknown User (oleg_nenashev)

      Role names must be unique. But you can edit their patterns in the configuration after the creation. I am pretty sure it's what the text says


      1. Unknown User (mojo_jojo)

        Ah, I see. "assign that same user/ group to the more particular permissions" means, add a second role, with a different pattern and add this role to the user/group. Not add the same role with a different pattern. My bad. Clearly 'user/group' does not mean 'role'. Thanks for the explanation!

  57. Unknown User (sstevenson72)

    So I seem to be having an issue.   I use LDAP for authentication and want to restrict the users abilities to build on given nodes.  I installed this plugin along with Authorize Project plugin.   I have configured the project to run as the user that triggered the build.   In the roles I have setup two different levels of permissions, one set should be allowed to run all their jobs on one slave and not the other and vice versa.  So I have left all AGENT permissions in the Global Permission unchecked.  I then configure those permissions as all enabled for the node that matches the name based on the regular expression pattern defined.  I assign the specific user one of the global roles and then the appropriate node specific role.  I even made a very generic .* rule so that any node name would match.   Seems that the rules are not even checked and I get a 'pending—Waiting for next available executor'  in jenkins.  Has anyone else seen this issue?   

    1. Unknown User (oleg_nenashev)

      If the authenticated user has no Computer.BUILD permission, the job will not be accepted. With your setup the user will be anonymous if the job is started by the Periodic Trigger. Maybe it is the root cause

      It is hard to say your plugin is configured properly, you can find a configuration sample here: https://github.com/oleg-nenashev/demo-jenkins-config-as-code

      1. Unknown User (sstevenson72)

        This may be my problem.  I misunderstood the Computer.BUILD Permission.   I had just installed the plugin through the Jenkins interface, along with the Authorize Project plugin.  From a read I did above I thought that was all that needed to be done outside of setting the patterns properly in the node permissions.  I will look at the sample and if I have any questions I will let you know.

  58. Unknown User (mig82)

    Hi, can anyone tell me how to do a subtraction/exception with the project role patterns? For instance, I want to specify anything starting with a capital letter, except for a folder called "Admin". So I want to say [A-Z].*(except)Admin

    Now, the (except) is the bit I don't know how to write. I've tried ^ and !. Also, what regex specification does this use? Doesn't seem to be Java because in Java ^ is the exception operator.

    1. Unknown User (danielbeck)

      > Also, what regex specification does this use? Doesn't seem to be Java because in Java ^ is the exception operator.

      Only within character classes. You're looking for negative lookahead/lookbehind, just google for that.

      1. Unknown User (mig82)

        Thanks Daniel, I'm now using (?!Admin)[A-Z].* and it did the trick (smile)
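Added example, not part of the original comments or the plugin's code: a small Python audit of the project-role patterns discussed in comments 51 and 58, run against a constructed list of item names. It assumes a role applies only when the pattern matches the item's whole full name (modelled with `re.fullmatch`); `ITEMS`, `covered`, `in_folder` and `audit` are names made up for this illustration.

```python
import re

# Constructed item full names, modelled on the folders named in comments 51 and 58.
ITEMS = [
    "Technical_Support",
    "Technical_Support/Test1",
    "Technical_Support2",
    "Technical_Support2/testjob2",
    "Technical_Support_job",
    "Admin",
    "Admin/cleanup",
    "Administration/docs",
    "Build/app",
    "sandbox",
]


def covered(patterns, items=ITEMS):
    """Return the items matched by at least one pattern.

    Assumption: a role applies to an item only when the pattern matches the
    item's whole full name, modelled here with re.fullmatch.
    """
    compiled = [re.compile(p) for p in patterns]
    return [i for i in items if any(rx.fullmatch(i) for rx in compiled)]


def in_folder(item, folder):
    """True for the folder itself and for anything below it."""
    return item == folder or item.startswith(folder + "/")


def audit(patterns, folder, items=ITEMS):
    """Compare what a role's patterns grant with what was intended.

    Returns (leaked, missed): items granted outside the folder, and items
    inside the folder that no pattern reaches.
    """
    granted = covered(patterns, items)
    leaked = [i for i in granted if not in_folder(i, folder)]
    missed = [i for i in items if in_folder(i, folder) and i not in granted]
    return leaked, missed


if __name__ == "__main__":
    candidates = {
        "prefix only": ["^Technical_Support.*"],
        "children only": ["^Technical_Support/.*"],
        "folder only": ["^Technical_Support$"],
        "folder + children": ["^Technical_Support$", "^Technical_Support/.*"],
        "single pattern": ["^Technical_Support(/.*)?"],
    }
    for label, pats in candidates.items():
        leaked, missed = audit(pats, "Technical_Support")
        print(f"{label:18} leaked={leaked} missed={missed}")

    # Comment 58: the lookahead excludes every name that starts with "Admin",
    # not only the Admin folder; bounding it with (/|$) narrows the exclusion.
    print(covered(["(?!Admin)[A-Z].*"]))
    print(covered(["(?!Admin(/|$))[A-Z].*"]))
```

Running the same audit against a real list of item full names before saving a role shows whether a prefix-only pattern also reaches sibling folders such as Technical_Support2.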

  59. Unknown User (mig82)

    Hi, I'm trying to allow a user to create credentials in the Jenkins root, but not inside any other folders.

    I'm trying to do this by specifying a pattern regex for anything not containing a forward slash (/):


    but for some reason it's allowing the user to do exactly the opposite, to create credentials within folders and not in the root.

    I also tried specifying that the user may create credentials so long as their names are completely alphanumeric:


    Which implies that there are no forward slashes in the path. But I still get the opposite behavior.

    Can anyone please help?

    1. Unknown User (mig82)

      Small update. What I'm getting is not "the opposite behavior" and it's not happening just for credentials.

      What's happening is that whatever pattern I use to try grant the create job or create credentials privileges to a user, it doesn't apply to the Jenkins root. Even if I use .* to assign create credentials or create job permissions, the user can then create jobs and credentials in any folder, but not in the root.

      I'm starting to think this is an edge case that's not covered by this plugin.

  60. Unknown User (vishnuvpotty)

    This is an amazing plugin and I have been using it for some time.

    One feature I can think of for this plugin is "Redirecting Jenkins Home Folder based on Project" . 

    We can have one more option while configuring the permissions and set Home folder for each project.

    So if a user having access to a particular project access Jenkins, then he should be redirected to the project folder directly.

    Eg - Instead of http://localhost:8080/jenkins/, it will be nice to redirect to http://localhost:8080/jenkins/job/[FolderName].



    1. Unknown User (oleg_nenashev)

      Such redirects are not the part of this plugin. You could write a new plugin for it. Probably it could be done using the existing DefaultView user property and a system script, which just assigns them to users

  61. Unknown User (sewmiur)


    I am new to curl and JENKINS as well. I am trying to list the roles as shown in the example provided: 

    • List roles: curl -X GET localhost:8080/role-strategy/strategy/allRoles

    However, this page is not found. Could someone kindly tell me the URL I should be using. I am also unable to create and assign roles using the provided examples..

    curl -X GET https://jenkins.xxx.xxx/role-strategy/allRoles --user xxx:xxxx



    <body><h2> HTTP ERROR 404</h2>

    <p> Problem accessing /role-strategy/allRoles. Reason:

    <pre> Not found </pre></p>...



    1. Unknown User (ryan_donahoe)

  62. Unknown User (jeroenimoo0)


    Recently it's been happening a lot that some users get a 'USER is missing the Overall/Read permission' error. They do have this permission, and all I have to do is restart in order to fix the problem.

    Any idea what could be causing this or how I could fix it?

    Kind Regards,


  63. Unknown User (dracorp)


    Is it possible to create a role manager which will be allowed to manage role for a folder/project? I'm just explaining what's going on.

    I keep jobs grouped in folders. One folder per project. Folder contains some jobs. In global roles authenticated group can only build or cancel job. It cannot create a new item or configure existing ones.

    In Project roles I've created a new role Test jobs which matches to ^Test jobs(/.*)? and can create, configure or delete a job. And I've assigned authenticated to Test jobs in Item Roles and it works. But I would like to create local admin or manager role which will be able to assign any user to Test jobs role.

    Kind Regards, Piotr

    1. Unknown User (mig82)

      I had a similar requirement and managed to cover it by combining this Role Strategy with the Ownership Plugin. I recommend you look into that.

      1. Unknown User (dracorp)

        Thx, I'll check it and I'll let you know.

        1. Unknown User (dracorp)

          Unknown User (mig82) It works great, thx again.

          1. Unknown User (oleg_nenashev)

            Do not hesitate to update the page if there are mistakes. It's a Wiki for a reason. Thanks!

  64. Unknown User (ashoksri)


    Can you please advise me on how to input the project role pattern for the project role type via CURL ?

    Thanks in advance.



    Ashok Kumar Srinivas

  65. Unknown User (ryan_donahoe)

    would like a way to add a sid without assigning to a role (for automation reasons)

  66. Unknown User (lavnish)

    JENKINS-37856: Facing this issue, can someone help me understand if this is an LDAP Plugin issue or a Role Strategy Plugin issue?

  67. Unknown User (mig82)

    I've asked this question before but had no luck so I'm rephrasing and posting it again. I'm trying to write a regex to refer to the Jenkins root. To allow a user to create credentials globally, but not inside any folders. I've tried these:

    • Anything not containing a slash: [^/]*
    • Empty: ^$

    I've had no luck with either. Is it possible to do this?

  68. Unknown User (sc1478)

    Here is a feature request:  On the "Assign Roles" page would it be possible to show the Full Name field for each user (assuming they have entered it on the Profile configure page)?  The reason I ask is that ours is a part of a large organization which assigns userid's that are not indicative of the person's real name, making administrative management of the Assign Roles page more difficult than it needs to be as more users are added to the system.

    1. Unknown User (oleg_nenashev)

      Please file your request in JIRA. Pull requests are welcome

  69. Unknown User (qiuyuwutong1987)

    First thank you for your good job!

    Your plugin is powerful, and easy to use, but still I have some difficulties, about your plugin, and about Jenkins, hope you can help me.

    1. Jenkins can manage users, but I cannot create a group to put some users in so I can easily assign permissions as a whole. Suppose I use Jenkins in a large organization with 200 engineers and 20 projects, and every project has 10 people with the same permissions; in fact I would like to manage 20 groups, not 200 users. But now that I use your plugin, I have to deal with 200 users and a huge authorization matrix, which is a terrible thing. Maybe I use Jenkins and your product improperly?
    2. Could your plugin maybe provide functions like backup and import? Once a colleague uninstalled your plugin without my agreement, and this made me lose my configuration data.

    Hope you well, thank you!

    1. Unknown User (oleg_nenashev)

      1. Consider using something like https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md
      2. There are plugins for backup management on the Jenkins-level (e.g. PeriodicBackup Plugin or JobConfigHistory Plugin). There are no plans to implement something plugin-specific though I am ready to consider pull requests
    2. Unknown User (mig82)

      Hi Unknown User (qiuyuwutong1987),

      About item 1, you first have to understand that the Jenkins extension point to define authentication is a SecurityRealm and the extension point to define authorization is an AuthorizationStrategy. This plugin implements the latter (extremely well, I might add) but not the former. What you're asking for in terms of being able to define user groups must be provided by a plugin that implements a SecurityRealm, so that based on your own custom rules you can assign GrantedAuthorities to a user, which are roughly equivalent to user groups. The Jenkins SAML plugin is a good example of this. Of course this also means you'd be delegating authentication to an external Identity Provider.

      About item 2, look for the config.xml file in your Jenkins home folder. There you'll find an element called authorizationStrategy which nests a bunch of roleMap elements, each one being a role and the users/groups that have it assigned. Back up this file and restore whenever needed. That will fix your problem. If you've been periodically backing up your Jenkins home folder as you should, then this is your solution.
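The config.xml backup described in the comment above can be checked against the live file before restoring. The following is an added example, not part of the original comment or the plugin's code; the XML samples are constructed, and the element and attribute names inside authorizationStrategy are assumed from the plugin's usual config.xml layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. Element and attribute names (roleMap/type, role/name/pattern,
# permission, sid) are assumed from the plugin's usual config.xml layout.
BACKUP = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
    <roleMap type="globalRoles">
      <role name="admin" pattern=".*">
        <permissions><permission>hudson.model.Hudson.Administer</permission></permissions>
        <assignedSIDs><sid>alice</sid></assignedSIDs>
      </role>
    </roleMap>
    <roleMap type="projectRoles">
      <role name="Test jobs" pattern="^Test jobs(/.*)?">
        <permissions><permission>hudson.model.Item.Configure</permission></permissions>
        <assignedSIDs><sid>authenticated</sid></assignedSIDs>
      </role>
    </roleMap>
  </authorizationStrategy>
</hudson>"""
# Constructed state after the strategy was switched away: no roleMap elements remain.
CURRENT = """<hudson>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
</hudson>"""


def export_roles(config_xml):
    """Map (role type, role name) -> pattern, permissions and assigned SIDs."""
    # Drop the XML declaration so the parser's supported XML version does not matter.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    strategy = ET.fromstring(body).find("authorizationStrategy")
    roles = {}
    if strategy is None:
        return roles
    for role_map in strategy.findall("roleMap"):
        for role in role_map.findall("role"):
            roles[(role_map.get("type"), role.get("name"))] = {
                "pattern": role.get("pattern"),
                "permissions": sorted(p.text for p in role.iter("permission")),
                "sids": sorted(s.text for s in role.iter("sid")),
            }
    return roles


def lost_or_changed(backup_xml, current_xml):
    """Roles from the backup that are missing or different in the current file."""
    before, after = export_roles(backup_xml), export_roles(current_xml)
    return sorted(key for key, role in before.items() if after.get(key) != role)
```

Running `lost_or_changed` on a backup and the live file lists every role whose pattern, permissions or assigned SIDs would change on restore.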


  70. Unknown User (kiranj22)

    I have a parameter called Environment with values "dev, test and prod". Is there a way that I can restrict some users so that the prod option is not displayed at all? Or else, do we have an option not to build when demo is selected for some users?

    Can someone help me with an example?

  71. Unknown User (godsad)

    The Assign Role API cannot assign multiple users when the type is projectrole.
    It may be a bug. When I call the Assign Role API many times on the same projectrole, only the last user is assigned. The global role does not behave like this.

  72. Unknown User (afontana)

    Hi guys, today I tried to use this plugin, but I have a problem.

    I tried to assign two different Project Roles like:

    Developer Dev*    with Any JOB,Run,SCM grants     

     Tester      Test*          with Any JOB,Run,SCM grants


    and at Global level both users are members of the "Employee" role and have the grant to read Overall and any grant on View

    but when I try to log in I receive a message like:


    Access Denied

    devuser is missing the Overall/Read permission


    I installed everything with the self-installer for Windows on Win2k12, and tried using Firefox and Explorer.

    Has someone found the same problem?

  73. Unknown User (balous)


    I am trying to use this plugin to control ability to execute a job and observe different behavior for GUI access and Gitlab webhook trigger.

    I have a user having two project roles - first granting 'Job/Read' for all jobs and the second granting Job/Build just for some subset of jobs.

    In the global role, the Job/Build permission is NOT granted.


    When I log into Jenkins and browse the web GUI the behavior is correct. I see all builds and can trigger just some.


    And now Gitlab - I use the Gitlab plugin and have enabled /project end-point authentication (no checking would have been performed otherwise). In Gitlab I've located a project and set up two webhooks - one for the job that is permitted to be triggered and the second for the job that should be denied.


    When testing the webhooks, I always observe the same behavior - both are denied. When I enable Job/Build in the global role, then both are permitted.


    Has anyone tried the same?


    Of course, I can't tell whether this is a problem in this plugin or in Gitlab plugin.

  74. Unknown User (rrhhll99)

    How to freeze the grid header for the entire table in assign role?

  75. Unknown User (andreas_schoenfeld)

    Hi, is it possible to define a role that can only configure the jenkins but is not able to build or configure jobs?

    Thanks and regards


  76. Unknown User (saurabh29)



    For me even after installing the plugin "Enable Security" and "Manage Roles" does not appear. I am running Jenkins in docker.




    1. Unknown User (saurabh29)

      1. Unknown User (openjenkins)

        Have you already restarted Jenkins and deleted your browser cache?

  77. Unknown User (openjenkins)


    I have another BUG. When I add Windows AD users to Role Based Strategy, the user must pay attention to upper and lower case. For example, if I create the user TestUser in RoleBasedStrategy, the user has no authorization if he logs in with testuser (lowercase). If I add the user testuser (lowercase), I must also give him the rights. Is it possible for the plugin to be case-insensitive? Otherwise I would have to add each user 2 times (once upper and once lower case).
    Thank You

    1. Unknown User (oleg_nenashev)

      Please see Jenkins JIRA. There is an issue reported for that. So far there is no plan to change that due to performance concerns.

    2. Unknown User (mig82)

      This is hardly a bug. The evaluation of the user name is case sensitive. That's all. Have you tried using a regex with a case-insensitive switch?

      P.S.: The word "bug" is not an acronym, so there's no need for capslock. It just comes across as yelling.

      1. Unknown User (openjenkins)

        Thank you. Sorry, I didn't mean to yell. Can you explain to me where I can find the regex case-insensitive switch, Sir?

        1. Unknown User (mig82)

          Under "Project Roles" you can create a role to be applied to any folder or job that matches a regex pattern, and this pattern can be made case insensitive. E.g.: This expression will match any job with a name that starts with "FOO", "foo", "fOo", etc.

          1. Unknown User (openjenkins)

            Can I use a regex pattern also for Manage and Assign Roles → Global Roles? I have a few users, something like "max.hilton", and I would like to say that the user "max.hilton" gets the same permission as "Max.Hilton" (uppercase).


  78. Unknown User (amiditex)

    Hi, I'm encountering a slight problem. I have a user with 2 roles assigned. One is a global role allowing him only to have the global.read permission, the other is an item role, which grants the user the ability to see and control only one project on Jenkins using the regex. My user can successfully see the project on the dashboard, but when clicked, the project seems completely empty, even though the configuration is present, but there's nothing to build ("This folder is empty" error). For the user to actually be able to see the content of the project and start to make builds, I need to give it the Job.Read permission on the global role it is assigned to. But why is the plugin handling it like that? My user already had the Job.Read permission from its item role, so why does it need the same permission on the global role? Why aren't the permissions doing the exact same thing? It causes me trouble because with the Job.Read permission enabled on a global level, that user is capable of seeing all the other projects registered on Jenkins, though it can't modify them nor launch builds or anything. But still, I would like my user to be able to see and modify and launch builds ONLY on the build I assigned it to. Is there a way to do that? Thank you

  79. Unknown User (technologyhacking)

    Hi, friends!


    I need to block all the sections of a task, in such a way that it should only show me "the origin of the source code".

    Could you help me, please?



    Kind Regards!!

  80. Unknown User (3psilon)

    I can use the REST API to get all roles and assign them to users.

    But I don't see how to create a projectRole with pattern, I can't find such api in the docs.


    1. Unknown User (dw_zhangweiqiang)

      hi, Adnane SAGHIR!

      You can create a projectRole with curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=projectRoles&roleName=ADM&permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&overwrite=true&pattern=xxx.*".

      The release note for Version 2.5.0 (Jun 02, 2017) has an example, but for globalRoles.

  81. Unknown User (nforbes)


    I'm trying to use this plugin in combination with the Github organisation plugin and get the following error:

    1. Create a project role which limits to pattern myproject*
    2. Create a global role with overall readonly rights (without this I get error "user X doesn't have overall readonly rights").
    3. Assign the user to the global readonly role and the "myproject" item role.
    4. When a user logs in they cannot see any projects.

    Does the role strategy plugin support this functionality and, if so, how do I need to configure it?  I've also found a similar Stackoverflow question (currently unanswered).


    Many thanks.

  82. Unknown User (sakshisood)

    I am trying to write a regex which supports only folder creation at the root level of Jenkins for each role, while inside the folder any folder/job can be created. No regex pattern seems to work for this case.

    1. Unknown User (dracorp)

      As I remember, I'm using the following regexp:


      Owners can modify, create jobs only inside top-level folders  ( only administrators and a few users, another role, can create a top-level job).

  83. Unknown User (zhaoluping)

    hi~ I have a question when use this plugin.

    I have set the user's permission in [administrative permission], and I have the following problems:

    1. I logged in with an ordinary user and showed that I did not have overall read permission

    2. In "assign permissions", I was prompted that I could not find the user or group

    3. In [item roles], how do I set up the user's roles? Shouldn't the column show the project name? Why do group names appear? How should I configure it?

    Is this a bug? I spent a whole day on this, read a lot of articles and finally did not solve it!!!

    1. Unknown User (zhaoluping)

      It was resolved.
  84. Unknown User (yamazakei321)


    Thanks for the plugin. As we have used this plugin for many years, there are thousands of lines of configuration in Item roles. Every time we del/add an Item role, it needs lots of time to load. Could you add a REST API for Item role add/del?

  85. Unknown User (vinayp87)

    Good plugin and very helpful for our requirement.

    I was able to consume REST API in our automation for adding the roles (Global, Project) but there is no API for Item role which require manual efforts.

    Kindly provide the REST API for Item role at the earliest which will benefit us to go with full automation instead of half automation and half manual changes, this will save lot of efforts and time.

    1. Unknown User (mig82)

      Sorry, but this statement:

      Kindly provide the REST API for Item role at the earliest

      Tells me you don't understand how Open Source works, so allow me to clarify.

      1. If you find a bug, you can report it as an issue in the Git repository of the project in question. This one is hosted here. Or even better, you can fork the repo, fix the bug and create a Pull Request.
      2. If you need a new feature, you're welcome to fork the repo, implement it and create a Pull Request, in order to contribute it yourself.

      So, in your case, which appears to fall into the latter of the two options above, you can start by reading the Jenkins Plugin Tutorial. You can ask the project's maintainers or the community at large for advice while you're implementing the new feature, but you should avoid asking the community to provide features for you "at the earliest".

  86. Unknown User (aday12345)

    ok, I have set up role-based access so you cannot see anything without logging in, and that works great.

    The issue I have now is I cannot get our post-commit hook in svn to trigger builds anymore. What am I missing?? It worked before I locked everything down.

    The token I use was generated under my account and I have full access.

    Please, any help would be appreciated.

  87. Unknown User (rafaelfonte)

    I was playing around with the plugin a bit, and could not specify read access to a particular folder inside another folder (i.e. a nested folder use-case).

    What I did:

    • Created a folder called foo, and a folder inside it called bar
    • Created a freestyle job inside bar, named baz
    • Created a project role with read access to the pattern "^foo/bar.*"
      • If I click on top of the pattern, it shows me as matching project: foo/bar/baz
    • Assigned that role to a specific user, say john-doe

    With this setup, john-doe could not see any foo or bar folders in Jenkins. If I change the pattern to "^foo.*", however, then john-doe sees foo as well as everything inside it.

    I also saw the same behavior even when replacing bar with a freestyle job.

    My interest is in allowing access only to particular items inside a given folder to users. Is that level of access granularity supported by the plugin?
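The nested-folder behaviour described in the comment above, modelled as an added example (not part of the original comment or the plugin's code). It assumes a project-role pattern must match an item's whole full name and that an item is only browsable when every parent folder is also matched, which is what the comment observed; the item names and helper functions are constructed for illustration.

```python
import re

# Constructed item tree mirroring the comment: folder foo, nested folder bar, job baz,
# plus two neighbours that should stay hidden from the user.
ITEMS = ["foo", "foo/bar", "foo/bar/baz", "foo/other", "foobar"]


def matched(pattern, items=ITEMS):
    """Items whose full name the pattern matches as a whole string (assumed semantics)."""
    rx = re.compile(pattern)
    return [name for name in items if rx.fullmatch(name)]


def ancestors(name):
    """Full names of every folder above an item: foo/bar/baz -> [foo, foo/bar]."""
    parts = name.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def reachable(pattern, items=ITEMS):
    """Matched items a user can browse to: every ancestor folder must match too."""
    hit = set(matched(pattern, items))
    return [n for n in items if n in hit and all(a in hit for a in ancestors(n))]


def subtree_pattern(folder):
    """Pattern for one nested folder: each ancestor exactly, then the folder and its contents."""
    alternatives = [re.escape(a) for a in ancestors(folder)]
    alternatives.append(re.escape(folder) + "(/.*)?")
    return "|".join(alternatives)


if __name__ == "__main__":
    for pattern in ("^foo/bar.*", "^foo.*", subtree_pattern("foo/bar")):
        print(pattern, "matches", matched(pattern), "reachable", reachable(pattern))
```

Under these assumptions "^foo/bar.*" matches foo/bar and foo/bar/baz but leaves nothing reachable because foo itself is unmatched, "^foo.*" also exposes foo/other and foobar, and the generated pattern matches only foo, foo/bar and what lies beneath foo/bar.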