How do I limit users access to the folders to which they belong to?

Issue

  • I only want certain group of users to have access to the folders to which they belong.
  • How to isolate folder from certain group of users?

Environment

  • CloudBees Jenkins Enterprise (CJE) or CloudBees Jenkins Operations Centre (CJOC)
  • Role-Based Access Control Plugin (RBAC)
  • Folder plugin or Folder Plus Plugin

Resolution

The Role-Based Access Control plugin combines with the Folders plugin to give a powerful solution for managing a Jenkins which is shared by multiple teams of users. The Jenkins administrator can create folders for each of the teams and then create groups in those folders for each of the roles that team members can have. By delegating the management of the group membership (but not the management of the roles assigned to groups) to the team leaders, the Jenkins administrator can empower the team leads to manage the permissions of their team while reducing their own administrative overhead.

We are resolving this issue by the following scenario:

Scenario

Let’s say we have three different user’s groups in Jenkins:

  • admin (group) -> admin (user)
  • Team-A (group) -> user1 (user)
  • Team-B (group) -> user2 (user)

Then:

  • admin users will be allowed to access everywhere but…
  • Users which belong to Team-A group will only have access to folder-team-a, and users which belongs to Team-B group will only have access to folder-team-b.

Resolution

1 .- Just for this Prove of Concept, we are using the Mock Security Plugin as Authorization Strategy. However, for real environment other Authorization Strategy plugin should be configured, for instance Active Directory, LDAP o SAML

rbac-dashboard.png

2 .- Rol Definition: Roles for each of these groups are created

rbac-roles.png

3 .- Group Definition: Group Team-A (role teamA) at folder level [older-team-a] and group Team-B (role teamB) at folder level [older-team-b]. So, going inside a folder and clicking on Groups, it can been seen:

rbac-folder-groups.png

So, if you click on the folder->Groups->Name of your Group [configure], it can be seen teamA role granted at current level with the propagation option.

rbac-folder-roles.png

So now, logging in as user1, it only has access to ** folder-team-a** .

user1-dashboard.png

Reference

Have more questions? Submit a request

1 Comments

  • 0
    Avatar
    Andrew Ross

    All the images 404 and they're needed to follow the document :(

Please sign in to leave a comment.