How to Grant Folder Access to Group Intersections with RBAC?

Issue

I want to restrict access to a folder for GroupA and for GroupB, but I want to give access to users that are in GroupA AND in GroupB.

Environment

  • CloudBees Jenkins Enterprise
  • CloudBees Jenkins Operations Center
  • Role-Based Access Control Plugin (RBAC)

Resolution

To have a full understanding of the concepts applied in the article, please have a look at the documentation of the RBAC Plugin.

Scenario

I have:

  • GroupA is a group that contains A users
  • GroupB is a group that contains B users
  • A Roles are roles assigned to GroupA
  • B Roles are roles assigned to GroupB
  • FolderAB is the folder for which we want to restrict access to users of GroupA that are also in GroupB
  • GroupA and GroupB are defined above FolderAB in the Folder Hierarchy


Solutions

In the following solutions:

  • GroupAB is a group that contains users of GroupA that are also users of GroupB
  • AB Role is a role that combines the permissions of A Roles and B Roles

1. Solution

In the documentation of RBAC about Roles filter, there is an important concept: When a role is filtered, then the role is not available on that object to users unless there is a group defined within that object which the user is a member of and which has been assigned that role.

This is exactly what needs to be done to achieve our goal here: We need to restrict a folder and create a Group in that restricted folder to grant access to users that are in GroupA AND in GroupB. Hence we need to create a GroupAB containing users of GroupA that are also users of GroupB.

This solution is directly related to this concept: we filter A Roles and B Roles for FolderAB, and we create GroupAB on that folder, which joins A Roles and B Roles and contains the users that are in GroupA as well as in GroupB:

In FolderAB:

  • Filter the A roles and the B roles
  • Create the group GroupAB that should:
    • Contain users of GroupA that are also users of Group B
    • Be configured with A roles and B roles


Note: RBAC groups can be added to a Group just like normal users and therefore:

  • If the requirement is for several folders, you can create GroupAB at the root level and use that Group within the folders.
  • If the requirement is for only one folder or only a few, I would recommend creating GroupAB within the folder.

2. Solution with a Joined Role

Based on the fact that users that are in GroupA and also in GroupB have the joined set of permissions granted by both groups (A Roles and B Roles), you can create an AB Role that combines these permissions and assign it to a GroupAB that contains the users of GroupA that are also users of GroupB.

At root level (or any level above FolderAB):

  • Create the AB Role, which combines A+B permissions
  • Create a group GroupAB that should:
    • Contain users of GroupA that are also users of GroupB
    • Be configured with AB Role

In FolderAB:

  • Filter A roles and B roles
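
The role-filter rule behind both solutions can be checked with a small model. This is an added example, not code from the RBAC plugin or from CloudBees: the `Node`/`Group` classes, the sample users, and the `membership_drift` check are hypothetical, and the check assumes GroupAB's member list is maintained separately from GroupA and GroupB.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    members: set
    roles: set

@dataclass
class Node:                      # the Jenkins root or a folder
    name: str
    parent: "Node | None" = None
    groups: list = field(default_factory=list)
    filtered: set = field(default_factory=set)   # roles filtered on this object

def effective_roles(user, node):
    """Inherited roles minus roles filtered on this node, plus roles granted
    by groups defined on this node that the user belongs to."""
    inherited = effective_roles(user, node.parent) if node.parent else set()
    local = set()
    for group in node.groups:
        if user in group.members:
            local |= group.roles
    return (inherited - node.filtered) | local

# Constructed sample users: carol is the only member of both groups.
GROUP_A = {"alice", "carol"}
GROUP_B = {"bob", "carol"}

def build(solution):
    """Return FolderAB configured as in solution 1 or solution 2."""
    root = Node("root", groups=[Group("GroupA", GROUP_A, {"A Role"}),
                                Group("GroupB", GROUP_B, {"B Role"})])
    folder = Node("FolderAB", parent=root, filtered={"A Role", "B Role"})
    group_ab_members = GROUP_A & GROUP_B
    if solution == 1:   # GroupAB lives in FolderAB and carries A + B roles
        folder.groups.append(Group("GroupAB", group_ab_members, {"A Role", "B Role"}))
    else:               # GroupAB lives above FolderAB and carries the joined AB Role
        root.groups.append(Group("GroupAB", group_ab_members, {"AB Role"}))
    return folder

def membership_drift(group_ab, group_a, group_b):
    """Users wrongly kept in GroupAB, and users missing from it."""
    expected = group_a & group_b
    return group_ab - expected, expected - group_ab

if __name__ == "__main__":
    for solution in (1, 2):
        folder = build(solution)
        for user in ("alice", "bob", "carol"):
            print(solution, user, sorted(effective_roles(user, folder)))
```

In both configurations only the user in both groups keeps any role on FolderAB. The first set returned by `membership_drift` lists accounts that would retain folder access after leaving GroupA or GroupB.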
