How do I limit users access to the folders to which they belong to?

Article ID:204173600
2 minute readKnowledge base


  • I only want certain group of users to have access to the folders to which they belong.

  • How to isolate folder from certain group of users?


  • CloudBees Jenkins Enterprise (CJE) or CloudBees Jenkins Operations Centre (CJOC)

  • Role-Based Access Control Plugin (RBAC)

  • Folder plugin or Folder Plus Plugin


The Role-Based Access Control plugin combines with the Folders plugin to give a powerful solution for managing a Jenkins which is shared by multiple teams of users. The Jenkins administrator can create folders for each of the teams and then create groups in those folders for each of the roles that team members can have. By delegating the management of the group membership (but not the management of the roles assigned to groups) to the team leaders, the Jenkins administrator can empower the team leads to manage the permissions of their team while reducing their own administrative overhead.

We are resolving this issue by the following scenario:


Let’s say we have three different user’s groups in Jenkins:

  • admin (group) -> admin (user)

  • Team-A (group) -> user1 (user)

  • Team-B (group) -> user2 (user)


  • admin users will be allowed to access everywhere but…​

  • Users which belong to Team-A group will only have access to folder-team-a, and users which belongs to Team-B group will only have access to folder-team-b.


1 .- Just for this Proof of Concept, we are using the Mock Security Plugin as Authorization Strategy. However, for real environment other Authorization Strategy plugin should be configured, for instance Active Directory, LDAP or SAML


2 .- Rol Definition: Roles for each of these groups are created


3 .- Group Definition: Group Team-A (role teamA) at folder level [older-team-a] and group Team-B (role teamB) at folder level [older-team-b]. So, going inside a folder and clicking on Groups, it can been seen:


So, if you click on the folder->Groups->Name of your Group [configure], it can be seen teamA role granted at current level with the propagation option.


So now, logging in as `user1`, it only has access to folder-team-a.