Issue
After migrating my Identity Provider (IdP):
-
Users can successfully log in to CloudBees CI but they do not have the permissions they were previously granted.
-
Users who were added to RBAC groups cannot exercise those permissions, receiving "permission denied" errors when attempting to perform actions they should be able to do.
-
Folders and resources that users should have access to are not visible in the dashboard.
Resolution
When migrating to a new Identity Provider (IdP), the Jenkins® User IDs for your users may change. If the RBAC configuration still references the old User IDs from the previous IdP, users logging in via the new IdP with their new User IDs will not match the configured RBAC group memberships, resulting in missing permissions.
| To avoid this issue during IdP migrations, refer to Can I migrate my IDP and preserve the same users on Jenkins. |
Follow these steps to identify and fix the User ID mismatch:
-
Have the affected user log in to Jenkins®.
-
Ask the user to click their username in the top-right corner, then click their username again to navigate to the
Profilesection. -
In the
Profilepage, locate and copy theJenkins User IDvalue. -
Navigate to the RBAC group where the user should have permissions using the
Groupsicon at the root level of the controller, or within the specific folder or job where the group is defined. -
Compare the
Jenkins User IDfrom step 3 with the User ID configured in the RBAC group membership. -
If the User IDs do not match, update the RBAC group membership with the correct Jenkins® User ID from step 3.
-
Click
Saveto apply the changes.
The user’s permissions and folder visibility should be immediately restored.
Tested product/plugin versions
-
CloudBees CI on traditional platforms - 2.479.3.1