RBAC: Limit the access in subfolders

Article ID:204502474


  • You want to limit access to sub-folders.

  • You have a folder structure similar to parent-folder->folder-child-1->folder-child-2, and you want some users to have access to all the folders but others to have access only to folder-child-1->folder-child-2.


  • CloudBees Jenkins Enterprise

  • RBAC plugin


Let’s say your folder structure looks like parent-folder->folder-child-1->folder-child-2 and you have the following groups imported from LDAP/AD or MockSecurity realm on your Jenkins instance.

| **User**     | **Group**    |
| ------------ | ------------ |
| admin        | admin-group  |
| developer-a1 | team-A-group |
| developer-b1 | team-B-group |

1. Allow admin users access to the full folder structure

First, we will create an admin role with admin permission so that admin-group can access everything in the instance. You can do this by clicking Roles->Manage from the main Jenkins dashboard, that is, outside of any job or folder.


And then we will give admin permission to this role.


Now it is time to create an internal admin group and assign this role to it. Click Groups -> New Group from the main Jenkins dashboard. We create an internal group called admin-group-internal to map admin-group.


You will need to assign the admin role we created before at the current level, with propagation.


You will assign admin-group as a member to this internal group


So finally you should have a group configuration like the snapshot below:

2. Allow only read access to sub-folders folder-child-1 and folder-child-2.

The first thing we need to do is create a team-A role which has Overall/Read and Job/Read access.


After this, at the parent-folder level we need to create a team-A-group-internal group to map team-A-group. To do this, click Groups while you are at the parent-folder level.


Assign the role team-A-group at the current level, but not propagated.


You will assign admin-group as a member to this internal group


So at the end the team-A-group-internal configuration should look like:


This allows access to parent-folder, but without seeing anything inside it. For this reason, we now need to grant permission at the folder-child-1 level.

So at folder-child-1 you again need to map team-A-group-internal to team-A-group.


However, in this case we will grant the permission at the current level with propagation.


You will assign admin-group as a member to this internal group


So at the end the team-A-group-internal configuration should look like:


With this configuration, members of team-A-group can access parent-folder only in order to reach folder-child-1 and folder-child-2; they will not be able to see any job inside parent-folder. Here is the overall group setting
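
The layout described above can be checked against a simplified model of current-level grants with and without propagation. This is an added example, not CloudBees or RBAC plugin code: the role name `team-A`, the jobs `job-x` and `job-y`, and every function name are assumptions, and each internal group is assumed to have as its member the external group it is created to map.

```python
from pathlib import PurePosixPath

# User -> external (LDAP/AD) group, taken from the table on this page.
USER_GROUP = {
    "admin": "admin-group",
    "developer-a1": "team-A-group",
    "developer-b1": "team-B-group",
}

# (container, internal group, external member, role, propagates)
# "/" stands for the Jenkins root. Assumption: each internal group's member
# is the external group it is created to map.
GRANTS = [
    ("/", "admin-group-internal", "admin-group", "admin", True),
    ("/parent-folder", "team-A-group-internal", "team-A-group", "team-A", False),
    ("/parent-folder/folder-child-1", "team-A-group-internal", "team-A-group",
     "team-A", True),
]

# Constructed item tree: the page's folders plus two hypothetical jobs.
ITEMS = [
    "/parent-folder",
    "/parent-folder/job-x",
    "/parent-folder/folder-child-1",
    "/parent-folder/folder-child-1/folder-child-2",
    "/parent-folder/folder-child-1/folder-child-2/job-y",
]

def grant_applies(container, propagates, item):
    """Current-level grant: covers the container itself, and every
    descendant only when the grant propagates (simplified model)."""
    c, i = PurePosixPath(container), PurePosixPath(item)
    return i == c or (propagates and c in i.parents)

def effective_roles(user, item, grants=GRANTS):
    """Roles the user's external group holds on one item."""
    group = USER_GROUP.get(user)
    return {role for container, _internal, member, role, propagates in grants
            if member == group and grant_applies(container, propagates, item)}

def visible_items(user, items=ITEMS, grants=GRANTS):
    """Items on which the user holds at least one role."""
    return [item for item in items if effective_roles(user, item, grants)]

if __name__ == "__main__":
    for user in USER_GROUP:
        print(user, visible_items(user))
```

Setting the parent-folder grant to propagate in `GRANTS` makes `job-x` visible to developer-a1, which is the exposure the non-propagated grant at that level prevents.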