How to save RBAC configuration when a Client controller needs to be renamed?

Article ID:217098388
2 minute readKnowledge base


  • I need to rename a Jenkins controller but I have RBAC setup on the controller that needs to be deleted

  • I want to backup RBAC configuration of my client controller


  • CloudBees Jenkins Operations Center

  • CloudBees Jenkins Enterprise



  • The RBAC configuration of the root of a Jenkins instance is defined in the $JENKINS_HOME/nectar-rbac.xml file.

  • The RBAC configuration of items of a Jenkins instance is defined in the config.xml of the corresponding item.

Client controllers

If the Jenkins instance is attached to an Operations Center that enforces the Authorization Strategy, the nectar-rbac.xml is maintained by the CJOC. In that case the RBAC settings are actually defined in the config.xml of the Client controller item on CJOC. CJOC pushes the configuration by overriding the Client controller’s nectar-rbac.xml whenever changes are detected.

So in order to backup the RBAC settings of a Client controller with RBAC managed by CJOC, what is important is the config.xml of the Client controller item in CJOC.

Rename a Client controller

You need to purge the CJOC configuration attached to your CJE instance and recreate the client controller from scratch following these steps:

  1. Take backup of the config.xml file of the Client controller item (for example $CJOC_HOME/jobs/old-client-master/config.xml)

  2. Release and Delete the Client controller item from CJOC

  3. Stop CJE instance

  4. Delete the following files for CJE (client controller) to entirely remove the link to CJOC:

    • $JENKINS_HOME/license.xml

    • $JENKINS_HOME/operations-center-cloud*

    • $JENKINS_HOME/operations-center-client*

    • $JENKINS_HOME/com.cloudbees.opscenter.client.plugin.OperationsCenterRootAction.xml

  5. Disable Security in CJE by editing the $CJE_HOME/config.xml file.

    Locate this line:


    And changing it to


  6. Start the CJE instance

  7. From CJOC, create a new Client controller item

  8. Configure the Licensing strategy that you want to use

  9. Connect the client controller either by push configuration from CJOC or manually from CJE

  10. After the two are connected again, copy the ConnectedMasterProxyGroupContainer property of the backup config.xml:

    <!--Start: We copy the following property -->
    <com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer plugin="operations-center-rbac@">
    <!--End: We copy the following property -->

    Paste it in the config.xml of the new Client controller item:

    <com.cloudbees.opscenter.server.model.ClientMaster plugin="operations-center-server@">
      <properties class="com.cloudbees.opscenter.server.model.ConnectedMaster$PropertyList">
        < plugin="operations-center-monitoring@">
        <!-- Start: We copy from here -->
        <com.cloudbees.opscenter.server.rbac.ConnectedMasterProxyGroupContainer plugin="operations-center-rbac@">
        <!-- End -->
  11. Reload the Client controller item by appending /reload to the new Client controller item URL (for example $CJOC_URL/job/new-client-master/reload)

  12. Click on Try Posting. This should result in a blank page (sign that the reload worked).

It might take few seconds until the RBAC config is push to the controller.