- When I use a Pipeline Input Step, I can define the users that can submit the “Proceed” message, but any user can abort the pipeline by clicking on “Abort” Button.
- Is there an option or a way to prevent selected users from cancelling these jobs?
- CloudBees Jenkins Enterprise
- CloudBees Role Based Access Control (RBAC)
- Pipeline: Input Step
There is a simple way to prevent that from happening, and that is by removing the Cancel permission for a user or a group of users from a given Job.
Nevertheless, we will detail some steps that you can use to have more control on the way that this “removal” takes place.
In an Input Step once that the buttons appears and can be clicked, the only way to prevent that any user can cancel the job is by removing the permission for those users on that job or within that folder.
In order to have that done, there is a basic approach which consists on creating two roles for the users.
- An Executor role, which holds the main permissions related to a job.
- Another role that we have called users that will only had permissions on Job Read, Overall Read, Job Discovery and Job/Workspace.
- Once that you have done that, you can set a group of users or a user to belong to both roles. This way the user will have all the required permissions over jobs.
The key point here is that, in order to prevent a user to be able to abort the input step, we can filter for that job the Executor role. This will leave users without the required permission to be able to abort the job, the Job/Cancel permission.
This way even if the user is able to access to the input link, if the user tries to abort the build:
Will get the error below:
You can filter the role even at job level, if you need to restrict the permissions with the maximum granularity.