The Role Strategy plugin is meant to be used from Jenkins to add a new role-based mechanism to manage users' permissions. Supported features
- Creating global roles, such as admin, job creator, anonymous, etc., allowing to set Overall, Agent, Job, Run, View and SCM permissions on a global basis.
- Creating item roles, allowing to set item specific permissions (e.g Job, Run or Credentials) on Jobs, Pipelines and Folders.
- Creating agent roles, allowing to set agent specific permissions.
- Assigning these roles to users and user groups
- Extending roles and permissions matching via Macro extensions
The Role Strategy plugin can be installed from any Jenkins installation connected to the Internet using the Plugin Manager screen. Activate the Role-Based Strategy by using the standard Manage Jenkins > Configure Global Security screen:
After the installation, the plugin can be configured using the Manage and Assign Roles screen accessible from Manage Jenkins .
You can define roles by using the Manages Roles screen. It is possible to define global, item and agent specific roles.
- Global roles apply to any item in Jenkins and override anything you specify in the Item Roles. That is, when you give a role the right
Job/Readin the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Item Roles. Giving
Job/Createin a global role will allow to create jobs of any name.
- For item and agent roles you can set a regular expression pattern for matching items. The regular expression aimes at matching the full item name.
- For example, if you set the field to
Roger-.*, then the role will match all jobs which name starts with
- Patterns are case-sensitive. To perform a case-insensitive match, use
- Folders can be matched using expressions like
^foo/bar.*. To access jobs inside a folder, the folder itself must also be accessible to the user. This can be achieved with a single pattern like
(?i)folder($|/.*)when the permissions on the folder can be the same as for the jobs. If different permissions need to be configured 2 different roles need to be created, e.g.
(?i)folder/.*. Note that job names inside folders are case-sensitive, though this is probably a bug in the folders plugin JENKINS-67695. Case sensitivity can be enabled with
- Create permissions on item level can only reliably work when the
Naming Strategyis set to
Role-Based strategyin the global configuration for
Restrict project naming. You should see a warning in the administrative monitors if it is not enabled. Only jobs matching the pattern can be created. When granting
Job/Createyou should also grant
Job/Readotherwise you will be able to create new jobs but you will not be able to configure them. Global Permissions are not required.
- For example, if you set the field to
You can assign roles to users and user groups using the Assign Roles screen
- User groups represent authorities provided by the Security Realm (e.g. Active Directory or LDAP plugin can provide groups)
- There are also two built-in groups:
authenticated(users who logged in) and
anonymous(any user, including ones who have not logged in)
- Hovering over the header row will show a tooltip with the permissions associated to the role and the pattern.
- Hovering over a checkbox will show a tooltip with role, user/group and pattern.
The Rest API allows to query the current roles and assignments and to do changes to them. Please see the javadoc for details and examples.
import jenkins.model.Jenkins import hudson.security.PermissionGroup import hudson.security.Permission import com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy import com.michelin.cio.hudson.plugins.rolestrategy.Role import com.synopsys.arc.jenkins.plugins.rolestrategy.RoleType import org.jenkinsci.plugins.rolestrategy.permissions.PermissionHelper Jenkins jenkins = Jenkins.get() def rbas = new RoleBasedAuthorizationStrategy() /* create admin role */ Set<Permission> permissions = new HashSet<>(); def groups = new ArrayList<>(PermissionGroup.getAll()); groups.remove(PermissionGroup.get(Permission.class)); Role adminRole = new Role("admin",permissions) /* assign admin role to admin user */ globalRoleMap = rbas.getRoleMaps()[RoleType.Global] globalRoleMap.addRole(adminRole) globalRoleMap.assignRole(adminRole, 'admin') jenkins.setAuthorizationStrategy(rbas) jenkins.save()