Backup jobs fails: User is missing the Overall RunScripts permission

Issue

The following stacktrace -or a similar one - appears on the build console logs after running a backup job.

Started by user ajones
Building in workspace /Users/fbelzunc/cloudbees/plugins/infradna-backup-plugin/work/jobs/backup-job/workspace
This job was last saved by a user without the right level of permission.
Please, configure the backup job with an user with the right permission.
ERROR: Build step failed with exception
hudson.security.AccessDeniedException2: ajones is missing the Overall/RunScripts permission
	at hudson.security.ACL.checkPermission(ACL.java:63)
	at hudson.model.Node.checkPermission(Node.java:441)
	at com.infradna.hudson.plugins.backup.store.LocalFileStore.create(LocalFileStore.java:59)
	at com.infradna.hudson.plugins.backup.BackupBuilder.doPerform(BackupBuilder.java:156)
	at com.infradna.hudson.plugins.backup.BackupBuilder.perform(BackupBuilder.java:143)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:785)
	at hudson.model.Build$BuildExecution.build(Build.java:205)
	at hudson.model.Build$BuildExecution.doRun(Build.java:162)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
	at hudson.model.Run.execute(Run.java:1741)
	at hudson.model.Build.run(Build.java:113)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:408)
Build step 'Take backup' marked build as failure
Finished: FAILURE

Environment

CloudBees CI on modern cloud platforms - operations center
CloudBees CI on modern cloud platforms - managed controller
CloudBees CI on traditional platforms - operations center
CloudBees CI on traditional platforms - client controller
CloudBees Backup Plugin
Any of the Matrix-based Authorization strategies including: Matrix-based security, Project-based Matrix Authorization or Role-based matrix authorization (CloudBees RBAC plugin)

Resolution

This is usually the result of either a permission or an authentication issue.

Permission issue

Backup jobs need to be saved by an user with current Overall/RunScripts permission. If this job was saved by an user with this permission and now you are getting this stack trace, this user probably lacks the Overall/RunScripts permission.

Save this Backup job with an user with Overall/RunScripts permission. To achieve this:

Log in the instance with a user with Overall/RunScripts permission
Go to this Backup job and click Configure Save. Optionally, you could edit the current configuration as you wish.
Run this Backup job.

Authentication issue

The issue could might happen as well when the user who saved the job is mapped with a Jenkins external group on the Security realm - and this group is not correctly configured. To workaround the issue you can map the user with the corresponding Jenkins group instead of using an external group.

In case you are sure that the backup job was saved by an user with the right permission, then this issue might be that the Security Realm is not correctly configured. Even if whoAmI is reporting that this user is a member of the groups, it might happen that the authentication plugin you are using is not reporting correctly the groups: i.e LDAP plugin is configured with Group membership attribute= memberOf but this configuration is wrong.

A logger for com.infradna.hudson.plugins.backup can be created to check the GrantedAuthorities for the user who is trying to build the backup job.

User example was found on the BackupBuilder descriptor. Authentication details are: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@c1671d8b: Username: example; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EXAMPLE