Jenkins Role-Based Access Control: Managing Users, Groups, and Project-Specific Permissions


4 views

When implementing role-based security in Jenkins with the built-in user database, you're dealing with a hierarchical permission system. The global roles (like Administrator or Read-Only) define baseline permissions, while project roles (like prod_a_developer) provide granular access control.

Yes, you typically need to assign both global and project-specific roles. The global role establishes fundamental permissions, while project roles add context-specific access. Here's how this works:

Global Roles → Baseline permissions (system-wide)
Project Roles → Fine-grained access (per job/folder)

Jenkins doesn't natively support groups in its user database (unlike LDAP). However, you can simulate groups using the Role Strategy plugin's pattern matching:

1. Create roles with naming patterns (e.g., "dev-team-.*")
2. Assign users matching the pattern to these roles
3. Configure folder/project permissions accordingly

For your prod_a_developer scenario, here's how to set it up programmatically using Jenkins Script Console:

import jenkins.model.*
import com.michelin.cio.hudson.plugins.rolestrategy.*

def instance = Jenkins.get()
def strategy = new RoleBasedAuthorizationStrategy()

// Create global role
def globalRole = new Role("developer", ".*", 
  ["hudson.model.Item.Discover", "hudson.model.Item.Read"], true)
strategy.addRole(RoleBasedAuthorizationStrategy.GLOBAL, globalRole)

// Create project-specific role
def prodARole = new Role("prod_a_developer", "prod_a/.*", 
  ["hudson.model.Item.Build", "hudson.model.Item.Workspace"], true)
strategy.addRole(RoleBasedAuthorizationStrategy.PROJECT, prodARole)

// Assign roles to user
strategy.assignRole(RoleBasedAuthorizationStrategy.GLOBAL, 
  globalRole, "username")
strategy.assignRole(RoleBasedAuthorizationStrategy.PROJECT, 
  prodARole, "username")

instance.setAuthorizationStrategy(strategy)
instance.save()
  • Always assign minimal required permissions
  • Use naming conventions for roles (team-project-function)
  • Document role assignments in Jenkins system documentation
  • Consider using Folders to better organize project permissions

If you frequently manage large teams, consider these alternatives:

  1. Matrix Authorization Strategy for simpler cases
  2. LDAP integration for enterprise environments
  3. Jenkins Configuration as Code (JCasC) for declarative setup

When implementing security in Jenkins, the Role Strategy Plugin provides a flexible way to manage permissions through role-based access control. Many administrators struggle with the proper configuration of global versus project-specific roles, especially when working with Jenkins' internal user database.

In Jenkins' security configuration (Manage Jenkins > Configure Global Security), you need to:

  1. Select "Jenkins' own user database" as the security realm
  2. Enable "Matrix-based security" or "Role-based strategy"

// Example of programmatic role assignment (Jenkins Script Console)
import com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy
import com.michelin.cio.hudson.plugins.rolestrategy.Role

def strategy = new RoleBasedAuthorizationStrategy()
def globalRole = new Role("developer", ".*", "hudson.model.Hudson.Read")
strategy.addRole(RoleBasedAuthorizationStrategy.GLOBAL, globalRole)
Jenkins.instance.setAuthorizationStrategy(strategy)

For each user, you typically need to assign both:

  • A global role (defines system-wide permissions)
  • Project-specific roles (controls job/build access)

To assign roles to groups instead of individual users:

  1. Navigate to Manage Jenkins > Manage and Assign Roles
  2. In "Manage Roles", create group-level roles
  3. In "Assign Roles", prefix group names with "ROLE_" (e.g., "ROLE_developers")

Here's a recommended approach for structuring roles:


Global Roles:
- admin (all permissions)
- reader (read-only access)
- executor (build/abort permissions)

Project Roles:
- ${project}_admin (full project control)
- ${project}_dev (build/configure access)
- ${project}_view (read-only access)

If users can't see projects after role assignment:

  1. Verify both global and project roles are assigned
  2. Check for pattern matching in project roles (e.g., "prod_.*")
  3. Ensure no conflicting permissions from other security realms

For auditing current permissions:


// List all assigned roles (Script Console)
def strategy = Jenkins.instance.getAuthorizationStrategy()
if(strategy instanceof RoleBasedAuthorizationStrategy) {
    strategy.getRoleMaps().each { type, roleMap ->
        println "Role type: ${type}"
        roleMap.each { role, sid -> println "${role.name}: ${sid}" }
    }
}