I want to restrict access to a folder for GroupA and for GroupB, but I want to give access to users that are in GroupA AND in GroupB.
- CloudBees Jenkins Enterprise
- CloudBees Jenkins Operations Center
- Role-Based Access Control Plugin (RBAC)
For a full understanding of the concepts applied in this article, please have a look at the documentation of the RBAC Plugin.
- GroupA is a group that contains A users
- GroupB is a group that contains B users
- A Roles are roles assigned to GroupA
- B Roles are roles assigned to GroupB
- FolderAB is the folder for which we want to restrict access to users of GroupA that are also in GroupB
- GroupA and GroupB are defined above FolderAB in the Folder Hierarchy
In the following solutions:
- GroupAB is a group that contains users of GroupA that are also users of GroupB
- AB Role is a role that combines the permissions of A Roles and B Roles
In the documentation of RBAC about Roles filter, there is an important concept: When a role is filtered, then the role is not available on that object to users unless there is a group defined within that object which the user is a member of and which has been assigned that role.
This is exactly what needs to be done to achieve our goal here: We need to restrict a folder and create a Group in that restricted folder to grant access to users that are in GroupA AND in GroupB. Hence we need to create a GroupAB containing users of GroupA that are also users of GroupB.
This solution is directly related to this concept: we filter A Roles and B Roles for FolderAB, and we create GroupAB on that folder, which joins A Roles and B Roles and contains users that are in GroupA as well as in GroupB:
- Filter the A roles and the B roles
- Create the group GroupAB that should:
  - Contain users of GroupA that are also users of GroupB
  - Be configured with A roles and B roles
Note: RBAC groups can be added to a Group just like normal users and therefore:
- If the requirement is for several folders, you can create GroupAB at the root level and use that Group within the folder.
- If the requirement is for only one folder or only a few, I would recommend creating GroupAB within the folder.
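The role-filter rule quoted above, applied to this first solution, can be checked with a simplified model. This is an added example, not CloudBees code and not the RBAC plugin's API; the user names, role names and the `effective_roles` and `audit` functions are hypothetical, and group membership is modelled as plain sets.

```python
# Simplified model of RBAC role filtering; not the plugin's API.
# All user, role and function names are constructed for illustration.

GROUP_A = {"alice", "bob"}          # constructed sample membership
GROUP_B = {"bob", "carol"}
GROUP_AB = GROUP_A & GROUP_B        # users in GroupA AND in GroupB

A_ROLES = {"a-read", "a-build"}
B_ROLES = {"b-configure"}

# Each level of the hierarchy, root first: the roles filtered at that level
# and the groups defined there as (members, roles granted) pairs.
HIERARCHY = [
    {"name": "root", "filtered": set(),
     "groups": [(GROUP_A, A_ROLES), (GROUP_B, B_ROLES)]},
    {"name": "FolderAB", "filtered": A_ROLES | B_ROLES,
     "groups": [(GROUP_AB, A_ROLES | B_ROLES)]},
]

def effective_roles(user, hierarchy):
    """Return the roles `user` holds on the last object in `hierarchy`."""
    roles = set()
    for level in hierarchy:
        # A filtered role inherited from above is dropped at this level...
        roles -= level["filtered"]
        # ...unless a group defined on this object grants it to the user.
        for members, granted in level["groups"]:
            if user in members:
                roles |= granted
    return roles

def audit(hierarchy, users):
    """Map each user to their effective roles; an empty set means no access."""
    return {u: effective_roles(u, hierarchy) for u in sorted(users)}

if __name__ == "__main__":
    for user, roles in audit(HIERARCHY, GROUP_A | GROUP_B).items():
        print(f"{user:6} -> {sorted(roles) or 'no access to FolderAB'}")
```

Running the same audit with the FolderAB filter left empty shows why the filter step matters: users in only one of the two groups keep their inherited roles on the folder.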
2. Solution with a Joined Role
Because users that are in GroupA and also in GroupB have the joined set of permissions granted by both groups (A Roles and B Roles), you can create an AB Role that combines these permissions and assign it to a GroupAB that contains the users of GroupA that are also users of GroupB.
At root level (or any level above FolderAB):
- Create the AB Role, which combines A+B permissions
- Create a group GroupAB that should:
  - Contain users of GroupA that are also users of GroupB
  - Be configured with AB Role
- Filter A roles and B roles