Delegating Administration

4 minute readSecurity

In some medium to large scale organizations, roles and responsibilities in software management and maintenance are distinct and well established. Because of the larger employee base and increased volume of work per area, tasks are separated and delegated to employees with specific expertise and understanding in a single area. For instance, some people may be in charge of the system administration, some of the security configuration, and others of the software configuration. While this separation of duties is necessary for medium to larger organizations to thrive, it can create complications when attempting to assign permissions securely and efficiently.

To reflect the needs of medium to larger organizations, two new permissions have been introduced with Jenkins v2.222 which enable a CloudBees CI administrator to delegate some parts of administration to a user without having to grant them the powerful Overall/Administrator permission.

The two new permissions include:

  • Overall/Manage: safely grant a user the ability to manage a subset of CloudBees CI configuration options.

  • Overall/SystemRead: grant a user the ability to view most of CloudBees CI configuration options, but in read only mode.

These new permissions are currently “Experimental” and disabled by default. When using the Role-based matrix authorization strategy in CloudBees CI, the administrator can grant a user/group the Overall/Manage and/or Overall/SystemRead permission to enable this functionality.


The Overall/Manage permission allows a user to modify non-security related configuration settings. Examples of non-security settings include project naming restrictions, the system message, updating a CasC bundle, and managing nodes/clouds. Security related configuration, which is not accessible to a user with the Overall/Manage permission, includes items such as the script console, changing the security realm, and managing plugins.

Being able to delegate the ability to modify non-security related configuration settings is valuable, for instance in the case of a large enterprise environment where team leads are in charge of their team’s controller, but should not have the same admin access as the overall enterprise admin.

Figure 1. Top-level configuration settings available to a user with Overall/Manage

Overall/System Read

The Overall/System Read permission gives the user the ability to view, but not modify, the configuration of a CloudBees CI instance, including logs and monitoring information. There are a number of situations where being able to view the configuration is very valuable, such as:

  • To allow non-administrator users to see what configuration options are available to a plugin.

    Given the increased use of Configuration as Code (CasC) for Controllers, a lot of CloudBees CI instances are fully managed as code; therefore, changes are not allowed through the UI. In this situation you cannot know when new plugin versions are available, unless you have the Overall/Administer permission.

  • To allow non-administrator users to debug issues with their builds easier.

    In other words, given a CloudBees CI error message in a build the user can check which plugins are installed, and the version of the plugin. This situation allows the user to solve their issue themselves and makes it easier for the user to report an issue with a plugin directly to the maintainers.

A user with the Overall/SystemRead permission will notice some UX abnormalities, such as form fields being shown as disabled. Additionally, some fields will appear to be editable but there are no Save or Apply buttons, which prevent those changes from being persisted.

Enabling the new permissions

The new permissions are not enabled by default and must be manually enabled to use them in your instance.


To enable the Overall/Manage permission, do one of the following:

  • Install the Overall/Manage Permission Enabler plugin, which will enable the new permission by default.

  • Pass the system property when starting CloudBees CI.

    java -jar jenkins.war
  • Use the script console to set the system property.

    This setting will be lost after restarting Jenkins.

Overall/System Read

To enable the Overall/System Read permission, do one of the following:

  • Install the Extended Read Permission plugin, which will enable the new permission by default

  • Pass the system property when starting Jenkins

    java -jar jenkins.war
  • Use the script console to set the system property.

    This setting will be lost after restarting CloudBees CI.

Configuring the new permissions

Once the new permissions are enabled, you can assign them to a user or group when using Role-based matrix authorization as your Global Security Authorization Strategy provided by the CloudBees Role-Based Access Control plugin.

For the Overall/Manage permission to be functional, it must be assigned with the Overall/Read permission as illustrated in the image above.
It is possible to give both Overall/Manage and Overall/System Read permissions to the same user/group, allowing that user to view the CloudBees CI configuration allowed by Overall/System Read, but only persist changes to those things specifically allowed by Overall/Manage. In some cases, there will be form fields that appear editable, but are not currently allowed to be changed by a user with Overall/Manage. Attempts to save such settings will be safely ignored.