I want to restrict access to a folder for GroupA and for GroupB, but I want to give access to users that are in GroupA AND in GroupB.
- CloudBees Jenkins Enterprise
- CloudBees Jenkins Operations Center
- Role-Based Access Control Plugin (RBAC)
To have a full understanding of the concepts applied in the article, please have a look at the documentation of the RBAC Plugin.
- GroupA is a group that contains A users
- GroupB is a group that contains B users
- A Roles are roles assigned to GroupA
- B Roles are roles assigned to GroupB
- FolderAB is the folder for which we want to restrict access to users of GroupA that are also in GroupB
- GroupA and GroupB are defined above FolderAB in the Folder Hierarchy
In the following solutions:
- GroupAB is a group that contains users of GroupA that are also users of GroupB
- AB Role is a role that combines the permissions of A Roles and B Roles
In the RBAC documentation on role filters, there is an important concept: When a role is filtered, then the role is not available on that object to users unless there is a group defined within that object which the user is a member of and which has been assigned that role.
This is exactly what needs to be done to achieve our goal here: We need to restrict a folder and create a Group in that restricted folder to grant access to users that are in GroupA AND in GroupB. Hence we need to create a GroupAB containing users of GroupA that are also users of GroupB.
This solution is directly related to this concept: we filter A Roles and B Roles for FolderAB, and we create GroupAB on that folder, which joins A Roles and B Roles and contains the users that are in GroupA as well as in GroupB:
- Filter the A roles and the B roles
- Create the group GroupAB that should:
  - Contain users of GroupA that are also users of GroupB
  - Be configured with A roles and B roles
Note: RBAC groups can be added to a Group just like normal users and therefore:
- If the requirement is for several folders, you can create GroupAB at the root level and use that Group within each folder.
- If the requirement is for only one folder or only a few, I would recommend creating GroupAB within the folder.
Based on the fact that users that are in GroupA and also in GroupB have the joined set of permissions granted by both groups (A Roles and B Roles), you can create an AB Role that combines these permissions and assign it to a GroupAB that contains the users of GroupA that are also users of GroupB.
At root level (or any level above FolderAB):
- Create the AB Role, which combines the A+B permissions
- Create a group GroupAB that should:
  - Contain users of GroupA that are also users of GroupB
  - Be configured with AB Role
- Filter A roles and B roles
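The filter rule quoted above and both solutions can be checked against a small model before touching a production hierarchy. This is an added example, not CloudBees code or the RBAC plugin's implementation: the `Group`, `Folder` and `effective_roles` names, the user names and the simplified inheritance model are assumptions, and in the second solution the filter is assumed to be applied on FolderAB.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    members: set            # user names
    roles: set              # role names granted to members

@dataclass
class Folder:
    parent: "Folder | None" = None
    groups: list = field(default_factory=list)    # groups defined on this object
    filtered: set = field(default_factory=set)    # roles filtered on this object

def effective_roles(user, folder):
    """Roles the user holds on `folder` under the simplified filter rule."""
    chain = []
    while folder is not None:          # collect folder, parent, ..., root
        chain.append(folder)
        folder = folder.parent
    roles = set()
    for node in reversed(chain):       # walk from root down to the folder
        roles -= node.filtered         # a filter drops roles inherited from above
        for group in node.groups:      # groups defined within the object still grant
            if user in group.members:
                roles |= group.roles
    return roles

# Constructed sample data: alice is only in GroupA, bob only in GroupB, carol in both.
A_USERS, B_USERS = {"alice", "carol"}, {"bob", "carol"}
AB_USERS = A_USERS & B_USERS           # GroupAB: users in both groups

def solution_1():
    """GroupAB defined inside FolderAB, carrying the A and B roles directly."""
    root = Folder(groups=[Group(A_USERS, {"A Role"}), Group(B_USERS, {"B Role"})])
    return Folder(parent=root, filtered={"A Role", "B Role"},
                  groups=[Group(AB_USERS, {"A Role", "B Role"})])

def solution_2():
    """GroupAB and an unfiltered AB Role defined above FolderAB."""
    root = Folder(groups=[Group(A_USERS, {"A Role"}), Group(B_USERS, {"B Role"}),
                          Group(AB_USERS, {"AB Role"})])
    return Folder(parent=root, filtered={"A Role", "B Role"})

if __name__ == "__main__":
    for build in (solution_1, solution_2):
        folder_ab = build()
        for user in ("alice", "bob", "carol"):
            print(build.__name__, user, sorted(effective_roles(user, folder_ab)))
```

In both layouts, a user in only one of the two groups ends up with no roles on FolderAB, which is the property to verify after any change to the filters or to GroupAB membership.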