Sunday, August 27, 2017

Jenkins – Role based Strategy

Jenkins provides its own user database for login, but it does not have a facility to create groups/roles for users.
If we want groups in Jenkins, we have a few options:
1.    Use OpenLDAP with Jenkins
2.    Use Active Directory with Jenkins
3.    Use the Role-based Authorization Strategy plugin in Jenkins
The default behavior (i.e. groups can't be created) is because Jenkins uses its own user database as the security realm.

To verify this, log in to Jenkins as admin, go to “Manage Jenkins”, click on “Configure Global Security”, and under the “Access Control” section check the “Security Realm”. If “Jenkins’ own user database” is selected, then you can only create users, and not groups.

There are 2 ways by which we can implement project-based authorization:
1.    Project-based Matrix Authorization Strategy
2.    Role-based Strategy
"Project-based Matrix Authorization Strategy" is pre-installed and easier to use for individual projects. "Role-based Strategy" is preferred when the number of projects in Jenkins is very large. It uses patterns to match project names.

Install the Role based authorization strategy plugin
Log in to Jenkins with your admin account -> Click on “Manage Jenkins” -> Click on “Manage Plugins” -> Click on the “Available” tab -> Search for “role” in the Filter text box.

You’ll see “Role-based Authorization Strategy” in the results. Click on the check-box in front of it to select this item. Click on the “Install without restart” button at the bottom.

Change the Jenkins Authorization method
Once the plugin is installed, the next step is to change the default Jenkins authorization method to use the role-based plugin.

For this, go to “Manage Jenkins”, click on “Configure Global Security”, and under the “Access Control” section, for “Authorization”, select “Role-Based Strategy”.

Manage and Assign Role Options

Now, if we go to “Manage Jenkins”, we will see a “Manage and Assign Roles” option.
Create a new global role
Click on “Manage roles”, from where we can create global roles that will be applicable to objects in Jenkins. The roles can be “admin”, “developer”, “Devops”, etc. To add a global role, enter the role name in the “Role to add” text field and add it. Once added, provide the permissions to the role as below. Permissions for agents, jobs and views are also available. Provide the correct permissions for the role, for example to give it full control.
The following are the permissions available to be assigned to your new global role:
Overall – Administer, ConfigureUpdateCenter, Read, RunScripts, UploadPlugins 
Credentials – Create, Delete, ManageDomains, Update, View 
Agent – Build, Configure, Connect, Create, Delete, Disconnect, Provision 
Job – Build, Cancel, Configure, Create, Delete, Discover, Move, Read, Workspace 
Run – Delete, Replay, Update 
View – Configure, Create, Delete, Read
SCM – Tag

Project Roles
Besides global roles, we can also create project roles that will be applied only to certain projects (jobs). For example, we can create a project role “web” which will apply only to projects whose names start with “web”, using the pattern “web.*”. We can create project roles with matching patterns so that we can allow certain users to check the jobs.

Some of the notable points regarding project roles are:
The regular expression “web.*” will match all the Jenkins jobs that start with “web”.
If you want a case-insensitive match, add “(?i)” to the pattern. For example, (?i)web.* will match jobs starting with both “web” and “Web”.
Once the project role is added, select the permissions that you want to assign to the project role.
Below are the permissions available:
Credentials – Create, Delete, ManageDomains, Update, View 
Job – Build, Cancel, Configure, Create, Delete, Discover, Move, Read, Workspace 
Run – Delete, Replay, Update 
SCM – Tag

Assigning Users to the Roles Or Groups
After creating roles with permissions, we need to assign the roles to users. Click “Assign Roles” in the “Manage and Assign Roles” link under “Manage Jenkins”. Assign the users the appropriate roles based on their
In the item roles section, add the users who can access the projects that are covered by the project roles.
Even within those matched projects, users can only perform certain activities based on the permissions that we assigned for that particular project role.
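
The following added example (not code from the original post or from the plugin) shows how a project role pattern decides which jobs a user can touch, and why “web*” and “web.*” cover different jobs. It assumes the plugin tests the whole job name against the pattern; the job names, role names, users and permission labels are constructed sample data.

```python
import re

# Constructed sample data (not from the original post).
JOBS = ["web", "webb", "web-frontend", "Web-api", "mobile-web", "payments"]
PROJECT_ROLES = {               # role name -> (pattern, permissions)
    "web-star": ("web*", {"Job/Read"}),           # "*" repeats only the "b"
    "web": ("web.*", {"Job/Read", "Job/Build"}),
    "web-any-case": ("(?i)web.*", {"Job/Read"}),
}
ITEM_ROLE_ASSIGNMENTS = {       # user -> project roles assigned under "item roles"
    "alice": ["web"],
    "bob": ["web-star"],
    "carol": ["web-any-case"],
}


def jobs_matched(pattern, jobs=JOBS):
    """Jobs whose whole name matches the pattern (assumed plugin behaviour)."""
    rx = re.compile(pattern)
    return [j for j in jobs if rx.fullmatch(j)]


def effective_permissions(user, job):
    """Union of permissions from every assigned project role covering the job."""
    perms = set()
    for role in ITEM_ROLE_ASSIGNMENTS.get(user, []):
        pattern, role_perms = PROJECT_ROLES[role]
        if re.fullmatch(pattern, job):
            perms |= role_perms
    return perms


def audit():
    """Map each role to the jobs it covers, for review before assigning users."""
    return {role: jobs_matched(p) for role, (p, _) in PROJECT_ROLES.items()}


if __name__ == "__main__":
    for role, covered in audit().items():
        print(f"{role:13} {PROJECT_ROLES[role][0]:10} -> {covered}")
    for user in ITEM_ROLE_ASSIGNMENTS:
        print(user, {j: sorted(effective_permissions(user, j)) for j in JOBS})
```

Running the same audit against the real job list before assigning users shows whether a pattern covers more or fewer jobs than intended.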

