Creating secure folders with Role-Based Access Control Auto Configurer

2 minute readSecurityAudit and compliance

The Role-Based Access Control Auto-Configurer plugin extends the Role-Based Access Control plugin. It automatically creates a secure folder per user and a secure folder per group containing that user.

  • Personal folder access is restricted to the owner

  • Group folder access is restricted to group members

Using the Role-Based Access Control Auto Configurer plugin

  • When a user logs in, the Role-Based Access Control Auto Configurer plugin will automatically create:

  • A top level folder named according to the username of the authenticated user

  • A top level folder for each group to which the user belongs to (the groups "authenticated" and "admin" are ignored by default)

Each created folder is secured with groups defined at the folder level so that additional users can be granted access to the created folders:

  • "Folder Administrators":

  • Assigned the role "administer-folder"

  • The authenticated user is added to this group

  • "Folder Developers"

  • Assigned the role "develop"

  • "Folder Browsers"

  • Assigned the role "browse-folder"

The roles "administer-folder", "develop" and "browse-folder" must have been defined before users authenticate to the system. These roles can be automatically created using the "Import Strategy: Initial setup for RBAC Auto Configurer (ignoring existing authorization strategy)" as described below.

Configuring the Role-Based Access Control Auto Configurer plugin

  • Install the Role-Based Access Control plugin and the CloudBees RBAC Auto Configurer plugin

  • Navigate to "Manage Jenkins / Configure Global Security"

  • Select the Authorization "Role-based matrix authorization strategy" Select the "Import Strategy: Initial setup for RBAC Auto Configurer (ignoring existing authorization strategy)"

  • Save

  • Navigate to "Roles" screen and verify that the following roles have been created:

  • administer-folder

  • Name of the role assigned to the group 'Folder Administrators'.

  • browse-folder

  • Name of the role assigned to the group 'Folder Browsers'.

  • develop

  • Name of the role assigned to the group 'Folder Developers'.

  • Logout and login with a new user (e.g. "john", member of the "api" group) , the top level folders will be created (for example "john" and "api").

Advanced configuration of the Role-Based Access Control Auto Configurer plugin

The roles can be manually configured instead of relying on the "Import Strategy: Initial setup for RBAC Auto Configurer (ignoring existing authorization strategy)".

  • administer-folder

  • Name of the role assigned to the group 'Folder Administrators'.

  • browse-folder

  • Name of the role assigned to the group 'Folder Browsers'.

  • develop

  • Name of the role assigned to the group 'Folder Developers'.