Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center

Resolution
One of the most important things to keep in mind in this type of scenario is to create roles that are as granular as possible. As an example of restricting user access to specific jobs at the folder and sub-folder level, we have created a main folder `Folder1` that contains two sub-folders, `Folder1/FolderA` and `Folder1/FolderB`, along with two Freestyle projects called `job1` and `job2` at `Folder1/FolderA/job1` and `Folder1/FolderB/job2`.
- Main folder name: `Folder1`
- Sub-folder names: `Folder1/FolderA` and `Folder1/FolderB`

Ideally, after completing the configuration steps, we would like to make sure that one of our users has access to `Folder1/FolderA/job1` and the other one to `Folder1/FolderB/job2`.

The following table summarizes the role settings used in this example:

| User | Roles | Patterns |
| --- | --- | --- |
| admin | admin | |
| Folder1View_user | Folder1View | `Folder1` |
| Folder1_FolderA_user | Folder1FolderA | `Folder1/FolderA.*` |
| Folder1_FolderB_user | Folder1FolderB | `Folder1/FolderB.*` |

1. Manage Roles
First of all, we must create new roles. To do so, navigate to Jenkins->Manage Jenkins->Manage and Assign Roles->Manage Roles from the root Jenkins dashboard. Create an `admin` role with the Overall/Administer permission. Click Save.

Furthermore, create three new Project Roles, namely `Folder1View`, `Folder1FolderA` and `Folder1FolderB`. The first role, `Folder1View`, grants read access only to `Folder1`, while `Folder1FolderA` and `Folder1FolderB` give both Read and Build permissions to `Folder1/FolderA` and `Folder1/FolderB` respectively.

For project and agent roles you can set a regular expression pattern for matching items. The regular expression is matched against the full item name. In this particular case, since we want our users to have access to all jobs within a specific sub-folder, `Folder1/FolderA`, we use the regular expression `Folder1/FolderA.*` as the pattern. Click Save.
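The pattern matching described above, as an added example (not CloudBees or plugin code): it models only the full-name regular expression match in Python with the roles from the table, and assumes `Folder1_FolderB_user` also holds `Folder1View`; the `FolderA-archive` folder, `job3` and the `tightened` helper are hypothetical. It shows that `Folder1/FolderA.*` also matches a sibling folder whose name starts with `FolderA`, and that a pattern anchored at the path separator does not.

```python
import re

# Item roles and patterns taken from the table above.
ROLES = {
    "Folder1View": r"Folder1",
    "Folder1FolderA": r"Folder1/FolderA.*",
    "Folder1FolderB": r"Folder1/FolderB.*",
}

# Role assignments; Folder1View for the FolderB user is an assumption.
ASSIGNMENTS = {
    "Folder1_FolderA_user": ["Folder1View", "Folder1FolderA"],
    "Folder1_FolderB_user": ["Folder1View", "Folder1FolderB"],
}

# Constructed item names; FolderA-archive and job3 are hypothetical.
ITEMS = [
    "Folder1",
    "Folder1/FolderA",
    "Folder1/FolderA/job1",
    "Folder1/FolderB",
    "Folder1/FolderB/job2",
    "Folder1/FolderA-archive/job3",
]

def matching_roles(user, item, roles=ROLES):
    """Roles assigned to `user` whose pattern matches the full item name."""
    return [r for r in ASSIGNMENTS[user] if re.fullmatch(roles[r], item)]

def visible_items(user, roles=ROLES):
    """Items for which at least one of the user's roles matches."""
    return [i for i in ITEMS if matching_roles(user, i, roles)]

def tightened(roles):
    """Anchor sub-folder patterns at the path separator: X.* -> X(/.*)?"""
    return {name: (pat[:-2] + "(/.*)?" if pat.endswith(".*") else pat)
            for name, pat in roles.items()}

if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, "->", visible_items(user))
    # Same user, with the sub-folder patterns anchored at "/".
    print("tightened ->", visible_items("Folder1_FolderA_user", tightened(ROLES)))
```

With the page's pattern the FolderA user's role also matches `Folder1/FolderA-archive/job3`; with `Folder1/FolderA(/.*)?` it matches only `Folder1/FolderA` and the items beneath it.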

2. Assign Roles
To assign roles, navigate to Jenkins->Manage Jenkins->Manage and Assign Roles->Assign Roles.

During the role assignment process, keep in mind that:

- User groups represent authorities provided by the Security Realm (e.g. the LDAP plugin can provide groups)
- There are also two built-in groups: authenticated (users who logged in) and anonymous (any users, including ones who have not logged in)

First of all, we must make sure all users have `OverallRead` selected as a global role. This will allow every user to see the contents of the top folder when they log in to Jenkins.

Finally, define the item roles as shown in the picture. As mentioned before, the key is to create roles as granularly as possible, and this is reflected in the picture below, under item roles. As you can see, `Folder1FolderA_user` needs not only the `Folder1FolderA` item role but also `Folder1View`; without the latter, that user would not be able to navigate into `FolderA`.

Your assign roles screen should now look like:
