Restricting job triggers

Pipeline jobs run as the SYSTEM user by default, which can be problematic when a pipeline is triggered by a specific user. For instance, with SYSTEM user permissions, Pipeline builds can trigger any job in Jenkins, even if the user who triggered the original build does not have access to the downstream (triggered) job (for example, if that job is protected as described in Restricting access and delegating administration with Role-Based Access Control).

The best practice is to restrict job triggers. For more information, refer to Trigger restrictions.

If restricting job triggers is not possible, refer to the knowledge base article Restricting jobs to run as a specific user using Role-Based Access Control and Authorize Project plugin.