RBAC: Limit the access in subfolders

Article ID: 204502474

Issue

  • You want to limit access in sub-folders.

  • You have a folder structure similar to parent-folder->folder-child-1->folder-child-2 and you want some users to have access to all the folders, but other users to have access only to folder-child-1->folder-child-2.

Environment

  • CloudBees Jenkins Enterprise

  • RBAC plugin

Resolution

Let’s say your folder structure looks like parent-folder->folder-child-1->folder-child-2 and you have the following users and groups imported from LDAP/AD or the MockSecurity realm on your Jenkins instance.

| **User**     | **Group**    |
| ------------ | ------------ |
| admin        | admin-group  |
| developer-a1 | team-A-group |
| developer-b1 | team-B-group |

1. Allow admin users access to the full folder structure

For this, first create an admin role with the Overall/Administer permission so that admin-group can access everything in the instance. You can do this by clicking Roles->Manage from the main Jenkins dashboard, that is, outside of any job or folder.

manage-roles-add-admin.png

Then give the Overall/Administer permission to this role.

manage-roles-permission-admin.png

Now create an internal admin group and assign this role to it. Click Groups->New Group from the main Jenkins dashboard and create an internal group called admin-group-internal to map admin-group.

create-admin-group-internal.png

Assign the admin role created above to this group at the current level, propagating, so that it applies to the root and to everything below it.

admin-group-internal-add-admin-role.png

Add admin-group as a member of this internal group.

admin-group-internal-add-members.png

Finally, you should have a group configuration like the snapshot below:

admin-group-internal.png

2. Allow team-A-group read access only to the sub-folders folder-child-1 and folder-child-2

First, create a team-A role that has only the Overall/Read and Job/Read permissions.

manage-roles-add-all.png

Next, at parent-folder level, create a team-A-group-internal group to map team-A-group. To do this, click Groups while you are inside parent-folder.

create-team-A-group-internal.png

Assign the team-A role at the current level, not propagated, so that it applies to parent-folder itself only.

team-A-group-internal-add1-role.png

Add team-A-group as a member of this internal group.

team-A-group-internal-add-members.png

The team-A-group-internal configuration at parent-folder should now look like:

team-A-group-internal.png

This grants access to parent-folder itself but to nothing inside it. For that reason, you now need to grant permission at folder-child-1 level as well.

So at folder-child-1, map team-A-group-internal to team-A-group again.

create-team-A-group-internal-folder-child1.png

This time, however, grant the role at the current level, propagating, so that it also applies to folder-child-2 and everything inside it.

team-A-group-internal-folder-add-child1-role.png

Add team-A-group as a member of this internal group.

team-A-group-internal-folder-child1-add-members.png

The team-A-group-internal configuration at folder-child-1 should now look like:

team-A-group-internal-folder-child1.png

With this, members of team-A-group can open parent-folder only to reach folder-child-1 and folder-child-2; they cannot see any other job or folder directly inside parent-folder. Here is the overall group setting:

overall-group-setting.png
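The rule the steps above rely on is that a role attached to a group at a given level applies to that level itself, and reaches the items below it only when the assignment propagates. The following Python script is an added example written for this article, not code from CloudBees or the RBAC plugin: it reproduces the three group assignments configured above (admin-group-internal at the root, team-A-group-internal at parent-folder without propagation, team-A-group-internal at folder-child-1 with propagation) and computes which items each user can read. The jobs job-1, job-2 and job-3 are constructed items added to show what stays hidden; the role, group and folder names are the ones used above.

```python
"""Model of the folder-level RBAC setup described above (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class RoleAssignment:
    group: str       # internal RBAC group the role is attached to
    role: str        # role name
    propagate: bool  # True: "current level, propagating"; False: current level only


# Roles and the permissions they carry (only the Read permissions matter here).
ROLES: Dict[str, Set[str]] = {
    "admin": {"Overall/Administer", "Overall/Read", "Job/Read"},
    "team-A": {"Overall/Read", "Job/Read"},
}

# Internal group -> external (LDAP/AD) groups that are its members.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "admin-group-internal": {"admin-group"},
    "team-A-group-internal": {"team-A-group"},
}

# Where each internal group is defined and which role it receives there.
# "" is the root (main Jenkins dashboard); other keys are folder paths.
ASSIGNMENTS: Dict[str, List[RoleAssignment]] = {
    "": [RoleAssignment("admin-group-internal", "admin", propagate=True)],
    "parent-folder": [RoleAssignment("team-A-group-internal", "team-A", propagate=False)],
    "parent-folder/folder-child-1": [RoleAssignment("team-A-group-internal", "team-A", propagate=True)],
}

# Constructed item tree: job-1, job-2 and job-3 are hypothetical jobs added
# to show which items stay hidden from team-A-group.
ITEMS: List[str] = [
    "parent-folder",
    "parent-folder/job-1",
    "parent-folder/folder-child-1",
    "parent-folder/folder-child-1/job-2",
    "parent-folder/folder-child-1/folder-child-2",
    "parent-folder/folder-child-1/folder-child-2/job-3",
]


def levels_of(path: str) -> List[str]:
    """Root plus every ancestor of `path`, ending with `path` itself."""
    parts = path.split("/") if path else []
    return [""] + ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_permissions(external_groups: Set[str], path: str) -> Set[str]:
    """Permissions held on `path` by a user who belongs to `external_groups`."""
    perms: Set[str] = set()
    for level in levels_of(path):
        for assignment in ASSIGNMENTS.get(level, []):
            if not (GROUP_MEMBERS.get(assignment.group, set()) & external_groups):
                continue  # user is not a member of this internal group
            # A role attached at a level always applies to that level itself;
            # it reaches descendants only when the assignment propagates.
            if level == path or assignment.propagate:
                perms |= ROLES[assignment.role]
    return perms


def can_read(external_groups: Set[str], path: str) -> bool:
    """True if the user can see the item at `path`."""
    return "Job/Read" in effective_permissions(external_groups, path)


def visible_items(external_groups: Set[str]) -> List[str]:
    """All items in the tree the user is allowed to read, in tree order."""
    return [path for path in ITEMS if can_read(external_groups, path)]


if __name__ == "__main__":
    users = {
        "admin": {"admin-group"},
        "developer-a1": {"team-A-group"},
        "developer-b1": {"team-B-group"},
    }
    for user, groups in users.items():
        print(f"{user}: {visible_items(groups)}")
```

Running the script shows admin seeing every item, developer-a1 seeing parent-folder, folder-child-1 and everything under folder-child-1 but not job-1, and developer-b1 seeing nothing because no internal group maps team-B-group. Changing the parent-folder assignment to `propagate=True` makes job-1 visible to developer-a1, which is exactly what the "current level, not propagated" choice above prevents.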