Sunday, September 16, 2018

Jenkins - How To Configure Role-Based Security Model

Jenkins Configuration and OS:
OS: CentOS 7.2
Version: v2.121.3

I was trying to follow the Jenkins "Role Strategy Plugin" documentation (https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin) to set up folder-level access control for our Jenkins instance, but the instructions weren't very clear and it took me a while to figure out. So I've decided to write a better guide with up-to-date screenshots.

Purpose
Isolate folders from certain groups of users and only allow users to access folders that they own in Jenkins.

Environment
Role-Based Strategy Plugin (https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin)
Folder plugin or Folder Plus Plugin

The "Role-Based Strategy Plugin" combines with the "Folder Plugin" to give a powerful solution for managing a Jenkins instance shared by multiple teams of users. The Jenkins administrator can create folders for each of the teams and then create groups in those folders for each of the roles that team members can have. By delegating the management of the group membership (but not the management of the roles assigned to groups) to the team leaders, the Jenkins administrator can empower the team leads to manage the permissions of their team while reducing their own administrative overhead.

Scenario
Let's say we have three different user groups in Jenkins:
• admin (group) → lxu1 (user)
• team-a (group) → usera (user)
• team-b (group) → userb (user)
Users in the "admin" group will be allowed to access everything. Users who belong to the "teama" group will only have access to the folder "teama", and users who belong to "teamb" will only have access to the folder "teamb".

Configuration Steps:
1. Configure "Active Directory" in "Manage Jenkins" → "Configure Global Security"

2. Enable "Role-Based Strategy"

3. Define and assign roles by using the "Manage and Assign Roles" item, which appears in the Manage Jenkins screen:

4. Define Global Roles:

5. Define Project Roles:
Notes:
The only tricky field is the Pattern one. This field is a regular expression that is matched against the full name (including the folder name, if you are using the CloudBees Folders Plugin) of the jobs the role will apply to. For example, if you set the field to "Roger-.*", the role will match all jobs whose name starts with "Roger-". Note that the pattern is case-sensitive. To perform a case-insensitive match, use the (?i) notation: upper, "Roger-.*"; lower, "roger-.*"; case-insensitive, "(?i)roger-.*" (this does not work at the job level, however; for example, "ROGER-A/roger-a-job1" will not be displayed). If you have a nested folder structure where you want to grant particular access to the second folder (or deeper), consider a two-level security structure as well. Say you want to give exclusive write/modify access to foo/bar and not to everything else under "foo": first, assign that user/group read/discover permissions with the pattern "^foo.*", then assign the same user/group the more specific permissions with the pattern "^foo/bar.*", similar to what you would do in a Unix/Linux environment.

6. Go to Assign Roles:

7. Assign the following roles:

Note: You should add "usera" and "userb" to "overall-read" and to the corresponding team Item Roles.

8. Create two folders, "teama" and "teamb", and define two arbitrary jobs inside each folder.

9. Now log into the Jenkins instance as "usera" and "userb". After login, "usera" can only see the folder "teama" and the jobs defined inside "teama", and "userb" can only see the folder "teamb" and the jobs inside it.
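As an added illustration (not part of the original post and not the plugin's own code), the following Python model shows how the Pattern field from step 5 decides what "usera", "userb" and a constructed "contractor" user can see and do, including the two-level "^foo.*" / "^foo/bar.*" structure from the Notes. The "contractor" user, the "foo" items and the exact permission strings are constructed; the model assumes the pattern is matched against the item's full name and that Overall/Read is already granted through a global role.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class ItemRole:
    """A Role Strategy 'Item Role': a name, a pattern and the permissions it grants."""
    name: str
    pattern: str                      # regex matched against the item's full name
    permissions: set[str]
    members: set[str] = field(default_factory=set)   # users/groups assigned the role


def role_matches(role: ItemRole, full_name: str) -> bool:
    # The pattern must match the whole full name ("folder/job"), so "^teama.*"
    # covers both the folder "teama" and every job beneath it; a pattern like
    # "Roger-.*" is case-sensitive unless prefixed with (?i).
    return re.fullmatch(role.pattern, full_name) is not None


def effective_permissions(user: str, full_name: str, roles: list[ItemRole]) -> set[str]:
    """Union of the permissions from every assigned role whose pattern matches the item."""
    granted: set[str] = set()
    for role in roles:
        if user in role.members and role_matches(role, full_name):
            granted |= role.permissions
    return granted


def visible_items(user: str, items: list[str], roles: list[ItemRole]) -> list[str]:
    """Items the user can see: anything granting Job/Read (Overall/Read assumed from a global role)."""
    return [item for item in items if "Job/Read" in effective_permissions(user, item, roles)]


# Constructed roles: the post's team folders plus the two-level "foo" / "foo/bar" layout.
TEAM_PERMS = {"Job/Read", "Job/Build", "Job/Configure"}
ROLES = [
    ItemRole("teama", r"^teama.*", TEAM_PERMS, {"usera"}),
    ItemRole("teamb", r"^teamb.*", TEAM_PERMS, {"userb"}),
    ItemRole("foo-read", r"^foo.*", {"Job/Read", "Job/Discover"}, {"contractor"}),
    ItemRole("foo-bar-write", r"^foo/bar.*", {"Job/Build", "Job/Configure"}, {"contractor"}),
]
# Constructed item full names, as the folder plugin would report them.
ITEMS = ["teama", "teama/job1", "teamb", "teamb/job1", "foo", "foo/other", "foo/bar", "foo/bar/build"]

if __name__ == "__main__":
    for user in ("usera", "userb", "contractor"):
        print(user, "sees:", visible_items(user, ITEMS, ROLES))
```

Running it reproduces the check in step 9: "usera" sees only "teama" and its job, while "contractor" can read everything under "foo" but only build or configure items under "foo/bar".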
