## Issue

- You want to limit folder access to specific groups using the Role-Based Access Control plugin.
- You have multiple groups that should only have access to their own folder.
## Resolution

You have the following groups imported from LDAP/AD or the Mock Security Realm on your Jenkins instance. You also have two folders called `team-A-folder` and `team-B-folder`, along with a Freestyle project called `root-folder-job`, at the root Jenkins level.

| User | Group |
| ------------ | ---------------- |
| admin | admin-group-ext |
| developer-a1 | team-A-group-ext |
| developer-b1 | team-B-group-ext |
### 1. Allow admin users access to the full folder structure

Navigate to **Roles -> Manage** from the root Jenkins dashboard. Create an `admin` role with the `Overall/Administer` permission. Click **Save**.
![admin-manage-roles.png](../_images/RBAC-Limit-Folder-Access/admin-manage-roles.128a61b.png)
Navigate to **Groups -> New Group** from the root Jenkins dashboard. Name the group `admin-group-int` and click **OK** to create a group internal to Jenkins for role assignment. Check the **Granted** checkbox for the `admin` role, leave **Propagates** checked, and click **Save**.
![configuring-admin-group-int.png](../_images/RBAC-Limit-Folder-Access/configuring-admin-group-int.f88a663.png)
Assign `admin-group-ext` as a member of this internal group.
![admin-group-int.png](../_images/RBAC-Limit-Folder-Access/admin-group-int.4646c04.png)
### 2. Allow read access to the root folder for all authenticated users, but restrict their view to only items which they have been given explicit permission to see

Navigate to **Roles -> Manage** from the root Jenkins dashboard. Create a `read` role with the `Overall/Read` and `Job/Read` permissions. Remove all permissions from the `authenticated` role, so that being logged in no longer grants anything by itself. Click **Save**.
![read-manage-roles.png](../_images/RBAC-Limit-Folder-Access/read-manage-roles.184440a.png)
Navigate to **Groups -> New Group** from the root Jenkins dashboard. Name the group `auth-group` and click **OK**. Check the **Granted** checkbox for the `read` role, uncheck the **Propagates** checkbox so the role applies to the root level only and does not flow down into the folders, and click **Save**.
![configuring-auth-group.png](../_images/RBAC-Limit-Folder-Access/configuring-auth-group.0eb813f.png)
Assign `authenticated` as a member of this internal group.
![auth-group.png](../_images/RBAC-Limit-Folder-Access/auth-group.b613fef.png)
Your root level groups will now look like:
![root-groups.png](../_images/RBAC-Limit-Folder-Access/root-groups.f34d92a.png)
### 3. Give team-A-group-ext access to the team-A-folder

Navigate to **Groups -> New Group** from within the `team-A-folder`. Name the group `team-A-folder-group-int` and click **OK**. Check the **Granted** checkbox for the `read` role, leave **Propagates** checked, and click **Save**.
![configuring-team-a-folder-group-int.png](../_images/RBAC-Limit-Folder-Access/configuring-team-a-folder-group-int.0344925.png)
Assign `team-A-group-ext` as a member of this internal group.
![team-a-folder-group-int.png](../_images/RBAC-Limit-Folder-Access/team-a-folder-group-int.fa68549.png)
Your `team-A-folder` groups will now look like:
![team-a-folder-groups.png](../_images/RBAC-Limit-Folder-Access/team-a-folder-groups.9711fdc.png)
### 4. Give team-B-group-ext access to the team-B-folder

Navigate to **Groups -> New Group** from within the `team-B-folder`. Name the group `team-B-folder-group-int` and click **OK**. Check the **Granted** checkbox for the `read` role, leave **Propagates** checked, and click **Save**.
![configuring-team-b-folder-group-int.png](../_images/RBAC-Limit-Folder-Access/configuring-team-b-folder-group-int.6750239.png)
Assign `team-B-group-ext` as a member of this internal group.
![team-b-folder-group-int.png](../_images/RBAC-Limit-Folder-Access/team-b-folder-group-int.4c52843.png)
Your `team-B-folder` groups will now look like:
![team-b-folder-groups.png](../_images/RBAC-Limit-Folder-Access/team-b-folder-groups.cbe378f.png)
### 5. Verify folder permissions

Log in as `admin`. Your dashboard will now look like:
![admin-dashboard.png](../_images/RBAC-Limit-Folder-Access/admin-dashboard.d740d33.png)
Log in as `developer-a1`. Your dashboard will now look like:

![developer-a1-dashboard.png](../_images/RBAC-Limit-Folder-Access/developer-a1-dashboard.3f9c5b1.png)
Log in as `developer-b1`. Your dashboard will now look like:
![developer-b1-dashboard.png](../_images/RBAC-Limit-Folder-Access/developer-b1-dashboard.1bb4719.png)
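The steps above rely on one rule: a role granted through a group applies to the item the group is defined on, and to the items beneath it only when **Propagates** is checked. The following Python model is an added example, not CloudBees' code and not the RBAC plugin's API; it reproduces the group names and the role definitions from steps 1 to 4 over a constructed item tree (the job names `build-a` and `build-b` inside the folders are made up) and computes which items each user from the table can see, matching the dashboards checked in step 5. It also re-runs the resolution with **Propagates** checked on `auth-group` to show why step 2 tells you to uncheck it.

```python
"""Toy model of RBAC role/group propagation for the folder-scoping walkthrough.

Constructed example: the names mirror the article (admin-group-int, auth-group,
team-A-folder-group-int, ...), but the data structures and resolution logic are
a simplified model, not the Role-Based Access Control plugin's implementation.
"""
from dataclasses import dataclass, field
from typing import Optional

ADMINISTER = "Overall/Administer"
OVERALL_READ = "Overall/Read"
JOB_READ = "Job/Read"

# Roles as configured under Roles -> Manage (step 1 and step 2).
ROLES = {
    "admin": {ADMINISTER},
    "read": {OVERALL_READ, JOB_READ},
    "authenticated": set(),  # all permissions removed in step 2
}

# External group membership per user, from the article's table.
USER_EXT_GROUPS = {
    "admin": {"admin-group-ext"},
    "developer-a1": {"team-A-group-ext"},
    "developer-b1": {"team-B-group-ext"},
}


@dataclass
class Group:
    name: str
    members: set          # external groups, or the pseudo-group "authenticated"
    roles: set            # role names granted to this group
    propagates: bool      # the Propagates checkbox


@dataclass
class Item:
    path: str
    parent: Optional["Item"] = None
    groups: list = field(default_factory=list)


# Item tree: root, the two folders, the root-level job, plus one constructed job per folder.
root = Item("/")
team_a = Item("/team-A-folder", root)
team_b = Item("/team-B-folder", root)
root_job = Item("/root-folder-job", root)
job_a = Item("/team-A-folder/build-a", team_a)   # constructed
job_b = Item("/team-B-folder/build-b", team_b)   # constructed
ITEMS = [root, team_a, team_b, root_job, job_a, job_b]

# Root-level groups (steps 1 and 2) and folder-level groups (steps 3 and 4).
root.groups += [
    Group("admin-group-int", {"admin-group-ext"}, {"admin"}, propagates=True),
    Group("auth-group", {"authenticated"}, {"read"}, propagates=False),
]
team_a.groups.append(Group("team-A-folder-group-int", {"team-A-group-ext"}, {"read"}, propagates=True))
team_b.groups.append(Group("team-B-folder-group-int", {"team-B-group-ext"}, {"read"}, propagates=True))


def is_member(user: str, group: Group) -> bool:
    """Every logged-in user is in 'authenticated'; otherwise match on external groups."""
    if "authenticated" in group.members:
        return True
    return bool(USER_EXT_GROUPS.get(user, set()) & group.members)


def permissions(user: str, item: Item) -> set:
    """Walk from the item up to the root, collecting roles that apply at this item."""
    perms = set()
    node = item
    while node is not None:
        for g in node.groups:
            # A group's roles apply if it is defined on the item itself, or on an
            # ancestor with Propagates checked.
            if is_member(user, g) and (node is item or g.propagates):
                for role in g.roles:
                    perms |= ROLES[role]
        node = node.parent
    if ADMINISTER in perms:           # simplified implication: Administer covers read
        perms |= {OVERALL_READ, JOB_READ}
    return perms


def visible_items(user: str) -> list:
    """Items the user can see: Overall/Read on the root, Job/Read on everything else."""
    out = []
    for it in ITEMS:
        needed = OVERALL_READ if it is root else JOB_READ
        if needed in permissions(user, it):
            out.append(it.path)
    return out


def visible_with_auth_propagation(user: str, propagates: bool) -> list:
    """Re-run with the auth-group Propagates checkbox set as given (restored afterwards)."""
    auth = next(g for g in root.groups if g.name == "auth-group")
    saved = auth.propagates
    auth.propagates = propagates
    try:
        return visible_items(user)
    finally:
        auth.propagates = saved


if __name__ == "__main__":
    for u in USER_EXT_GROUPS:
        print(u, "->", visible_items(u))
    print("developer-a1 if auth-group propagated ->", visible_with_auth_propagation("developer-a1", True))
```

Under this model `admin` sees every item, while each developer sees the root dashboard and only their own folder and its contents; `root-folder-job` stays hidden because the `read` role on `auth-group` does not propagate to children of the root. Flipping that one checkbox makes every folder and job readable to every authenticated user, which is the misconfiguration to check for when a team can suddenly see another team's folder.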