Role-Based Authorization Strategy: Limit folder access

Issue

  • We want to restrict the user access to specific jobs under sub-folder level.

Environment

Resolution

One of the most important things to keep in mind in this type of scenario is to create roles that are as granular as possible. As an example of restricting user access to specific jobs at the folder and sub-folder level, we have created a main folder Folder1 that contains two sub-folders, Folder1/FolderA and Folder1/FolderB, along with two Freestyle projects called job1 and job2, located at Folder1/FolderA/job1 and Folder1/FolderB/job2.

  • Main folder Name: Folder1
  • Sub-folder Names: Folder1/FolderA and Folder1/FolderB

Ideally, after completing the configuration steps, we want one of our users to have access to Folder1/FolderA/job1 and the other to Folder1/FolderB/job2.

The following table summarizes the role settings used in this example:

  | User                 | Roles             | Patterns          |
  | ---                  |---                |---                |
  | admin                | admin             |                   |
  | Folder1View_user     | Folder1View       | Folder1           |
  | Folder1_FolderA_user | Folder1FolderA    | Folder1/FolderA.* |
  | Folder1_FolderB_user | Folder1FolderB    | Folder1/FolderB.* |

1. Manage Roles

First of all, we must create new roles. To do so, navigate to Jenkins->Manage Jenkins->Manage and Assign Roles->Manage Roles from the root Jenkins dashboard. Create an admin role with the Overall/Administer permission. Click Save.

Furthermore, create three new Project Roles, namely Folder1View, Folder1FolderA and Folder1FolderB. The first role, Folder1View, grants Read access only to Folder1, while Folder1FolderA and Folder1FolderB grant both Read and Build permissions to Folder1/FolderA and Folder1/FolderB respectively. For project and agent roles you can set a regular expression pattern for matching items. The regular expression is matched against the full item name, so a pattern of Folder1 matches the folder itself but not the items inside it. In this particular case, since we want our users to have access to all jobs within the sub-folder Folder1/FolderA, we use the regular expression Folder1/FolderA.* as the pattern. Click Save.

ManageRoles1.png

2. Assign Roles

To assign roles, navigate to Jenkins->Manage Jenkins->Manage and Assign Roles->Assign Roles.

During the assign role process, keep in mind that:

  • User groups represent authorities provided by the Security Realm (e.g. LDAP plugin can provide groups)
  • There are also two built-in groups: authenticated (users who logged in) and anonymous (any users, including ones who have not logged in)

First of all, we must make sure all users have Overall/Read selected as a global role. This allows every user to see the contents of the top-level folder when they log in to Jenkins.

Finally, define the item roles as shown in the picture. As mentioned before, the key is to create roles as granular as possible, and this is reflected in the picture below under item roles. As you can see, Folder1_FolderA_user needs not only the Folder1FolderA item role but also Folder1View; without the latter, that user would not be able to navigate into FolderA.

Your Assign Roles screen should now look like this:

AssignRoles.png
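To check the resulting access matrix before touching a live instance, the following added example (not code from the plugin or from this article) models the two rules described above: a project-role pattern is matched against the full item name, and a user can only navigate to an item if Read is granted on it and on every parent folder. The role table, assignments and item names are constructed from this article's example; the global Overall/Read role is assumed to be granted to everyone and is not modelled.

```python
import re

# Constructed from the article's Manage Roles step: role -> (pattern, permissions).
# Patterns are matched against the full item name (re.fullmatch), so "Folder1"
# matches the folder itself but not Folder1/FolderA or the jobs below it.
PROJECT_ROLES = {
    "Folder1View":    (r"Folder1",           {"Read"}),
    "Folder1FolderA": (r"Folder1/FolderA.*", {"Read", "Build"}),
    "Folder1FolderB": (r"Folder1/FolderB.*", {"Read", "Build"}),
}

# Constructed from the article's Assign Roles step: user -> item roles.
ASSIGNMENTS = {
    "Folder1View_user":     {"Folder1View"},
    "Folder1_FolderA_user": {"Folder1View", "Folder1FolderA"},
    "Folder1_FolderB_user": {"Folder1View", "Folder1FolderB"},
}

# Full names of the items in the example instance.
ITEMS = ["Folder1", "Folder1/FolderA", "Folder1/FolderA/job1",
         "Folder1/FolderB", "Folder1/FolderB/job2"]


def item_permissions(user, item, assignments=ASSIGNMENTS, roles=PROJECT_ROLES):
    """Union of the permissions every assigned role grants on one item."""
    granted = set()
    for role in assignments.get(user, ()):
        pattern, perms = roles[role]
        if re.fullmatch(pattern, item):
            granted |= perms
    return granted


def can_navigate_to(user, item, assignments=ASSIGNMENTS, roles=PROJECT_ROLES):
    """True only if Read is granted on the item and on each ancestor folder."""
    parts = item.split("/")
    ancestors = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return all("Read" in item_permissions(user, a, assignments, roles)
               for a in ancestors)


def access_matrix(assignments=ASSIGNMENTS, roles=PROJECT_ROLES, items=ITEMS):
    """Reachable items per user; useful as a least-privilege review table."""
    return {user: [i for i in items if can_navigate_to(user, i, assignments, roles)]
            for user in assignments}
```

Dropping Folder1View from a user's assignment makes can_navigate_to() return False for every job under Folder1, even though item_permissions() still reports Read and Build on the job itself, which is exactly the navigation failure described above.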

References

Role Strategy Plugin
