I am unable to delete a user from an RBAC group using UI or the API


Issue

  • When trying to delete a user from an RBAC group using the UI button Remove from group (see screenshot below), or using the endpoint /removeUser from the RBAC API, the user is not removed and no error message is shown.

Screenshot: UI button `Remove from group` to remove a user from an RBAC group

  • When trying to disambiguate a member from an RBAC group using the UI buttons `Migrate as a user`/`Migrate as a group` (see screenshot below), as indicated in Migrating from versions prior to 5.65, a new user/group row is created but the yellow member row is still present.

Screenshot: UI buttons `Migrate as a user` and `Migrate as a group` to disambiguate a member from an RBAC group

Resolution

If you cannot remove a given user using the UI or the API endpoint, or you encounter the problem described above when trying to disambiguate a member from an RBAC group, the original Jenkins ID for the user has changed. One potential cause of such a change is, for example, an IDP migration.

To check the user's actual Jenkins ID, you can do the following:

  • If the affected RBAC group is configured at the root level of the controller: check the $JENKINS_HOME/nectar-rbac.xml file in the filesystem.

  • If the affected RBAC group is configured at some given job level: check the $JENKINS_HOME/jobs/$JOB_NAME/nectar-rbac.xml file in the filesystem.

Once the corresponding nectar-rbac.xml file is open, check the user's Jenkins ID in the `<user>` tag (or `<member>` if the user was added before RBAC release 5.65).

Once you have identified the Jenkins ID that is actually in use, pass it as the parameter to the `/removeUser` endpoint of the RBAC API. After reloading the page in the UI, the user should no longer be present.
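The lookup described above can be scripted. The following is an added example, not CloudBees code: it lists every `<user>`/`<member>` value in a nectar-rbac.xml file so the stored ID can be compared with the one you expected. The function names, the sample file layout and the `<name>` element used for the group label are assumptions; only the `<user>` and `<member>` tag names come from this article.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample; the real file's layout may differ. Only the <user> and
# <member> tag names come from the article, everything else is an assumption.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<config>
  <groups>
    <group>
      <name>developers</name>
      <user>jdoe@old-idp.example</user>
      <member>asmith</member>
    </group>
    <group>
      <name>admins</name>
      <user>CN=Root Admin,OU=ops</user>
    </group>
  </groups>
</config>
"""

def list_rbac_ids(xml_text):
    """Return (group, tag, id) for every <user>/<member> element, at any depth."""
    # Jenkins files commonly declare XML 1.1, which Python's expat rejects: drop it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    found = []
    for parent in root.iter():
        for child in parent:
            if child.tag in ("user", "member"):
                # Assumption: the enclosing element names the group in <name>.
                group = parent.findtext("name", default="?")
                found.append((group, child.tag, child.text or ""))
    return found

def stored_ids(entries, group):
    """IDs stored for one group, exactly as written in the file."""
    return [ident for g, _, ident in entries if g == group]

if __name__ == "__main__":
    # Usage: python3 rbac_ids.py "$JENKINS_HOME/nectar-rbac.xml"
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for group, tag, ident in list_rbac_ids(text):
        # repr() exposes case, whitespace or suffix differences in the stored ID.
        print(f"{group}\t<{tag}>\t{ident!r}")
```

Run it against a copy of the file, and use the printed value verbatim as the ID to remove.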