How to Grant Folder Access to Group Intersections with RBAC?

Article ID: 217725618

Issue

I want to restrict access to a folder for GroupA and for GroupB, but I want to give access to users that are in GroupA AND in GroupB.

Environment

  • CloudBees Jenkins Enterprise

  • CloudBees Jenkins Operations Center

  • Role-Based Access Control Plugin (RBAC)

Resolution

To have a full understanding of the concepts applied in the article, please review Restricting access and delegating administration with Role-Based Access Control.

Scenario

I have:

  • GroupA is a group that contains A users

  • GroupB is a group that contains B users

  • A Roles are roles assigned to GroupA

  • B Roles are roles assigned to GroupB

  • FolderAB is the folder for which we want to restrict access to users of GroupA that are also in GroupB

  • GroupA and GroupB are defined above FolderAB in the Folder Hierarchy

Solutions

In the following solutions:

  • GroupAB is a group that contains users of GroupA that are also users of GroupB

  • AB Role is a role that combines the permissions of A Roles and B Roles

1. Solution

In the documentation of RBAC about Roles filter, there is an important concept: When a role is filtered, then the role is not available on that object to users unless there is a group defined within that object which the user is a member of and which has been assigned that role.

This is exactly what needs to be done to achieve our goal here: We need to restrict a folder and create a Group in that restricted folder to grant access to users that are in GroupA AND in GroupB. Hence we need to create a GroupAB containing users of GroupA that are also users of GroupB.

This solution is directly related to this concept: we filter A Roles and B Roles for FolderAB, and we create GroupAB on that folder, which joins A Roles and B Roles and contains the users that are in GroupA as well as in GroupB:

In FolderAB:

  • Filter the A roles and the B roles

  • Create the group GroupAB that should:

    • Contain users of GroupA that are also users of GroupB

    • Be configured with A roles and B roles

RBAC groups can be added to a Group just like normal users, and therefore:

  • If the requirement is for several folders, you can create GroupAB at the root level and use that Group within the folder.

  • If the requirement is for only one folder or only a few, I would recommend creating the GroupAB within the folder.

2. Solution with a Joined Role

Based on the fact that users that are in GroupA and also in GroupB have the joined set of permissions granted by both groups (A Roles and B Roles), you can create an AB Role that combines these permissions and assign it to a GroupAB that contains the users of GroupA that are also users of GroupB.

At root level (or any level above FolderAB):

  • Create the AB Role, which combines A+B permissions

  • Create a group GroupAB that should:

    • Contain users of GroupA that are also users of GroupB

    • Be configured with AB Role

In FolderAB:

  • Filter A roles and B roles

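The following is an added example, not CloudBees or RBAC plugin code: a simplified Python model of the role filter rule quoted in Solution 1, applied to both solutions to show which users keep roles on FolderAB. The users alice, bob and carol, the role names A, B and AB, and all function names are constructed for illustration.

```python
# Simplified model of RBAC role filters (constructed example, not the plugin's code).
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    parent: "Container | None" = None
    groups: dict = field(default_factory=dict)  # group name -> (members, roles)
    filtered: set = field(default_factory=set)  # roles filtered on this object

def effective_roles(user, container):
    """Roles `user` holds on `container`, evaluated from the root downwards."""
    chain = []
    while container is not None:
        chain.append(container)
        container = container.parent
    roles = set()
    for node in reversed(chain):
        roles -= node.filtered  # a filtered role stops being inherited here
        for members, granted in node.groups.values():
            if user in members:  # groups defined on this object still grant it
                roles |= granted
    return roles

def build(solution):
    """Constructed users: alice is only in GroupA, bob only in GroupB, carol in both."""
    group_a, group_b = {"alice", "carol"}, {"bob", "carol"}
    group_ab = group_a & group_b  # GroupAB = users of GroupA that are also in GroupB
    root = Container("root", groups={"GroupA": (group_a, {"A"}),
                                     "GroupB": (group_b, {"B"})})
    folder = Container("FolderAB", parent=root, filtered={"A", "B"})
    if solution == 1:  # GroupAB defined in FolderAB, configured with A and B roles
        folder.groups["GroupAB"] = (group_ab, {"A", "B"})
    else:              # AB Role and GroupAB defined above FolderAB
        root.groups["GroupAB"] = (group_ab, {"AB"})
    return root, folder

def access_table(solution):
    """Map each user to the sorted roles they end up with on FolderAB."""
    _, folder = build(solution)
    return {u: sorted(effective_roles(u, folder)) for u in ("alice", "bob", "carol")}

if __name__ == "__main__":
    for n in (1, 2):
        print(f"solution {n}:", access_table(n))
```

GroupAB is a separate member list in both layouts, so it needs updating whenever a user leaves GroupA or GroupB.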