Jenkins – Role based Strategy

Jenkins provides its own user database to login but it does not have the facility to create groups/roles for the users.

If we want groups in Jenkins, we have few options

1.    Use Open LDAP with Jenkins

2.    Use Active Directory with Jenkins

3.    Use Role-based authorization strategy plugin in Jenkins

The default behavior (i.e. Can’t create group) is because it uses Jenkins user database for the security realm.

To verify this, login to Jenkins as admin, go to “Manage Jenkins”, click on “Configure Global Security”, and under the “Access Control” section, for the “Security Realm”, if you’ve selected “Jenkins’ own user database”, then you can only create users, and not groups.

There are 2 ways by which we can implement the project based authentication.

1.Project based matrix authorization strategy

2.Role based strategy

Project-based Matrix Authorization Strategy" is pre-installed  and more easy to use for individual projects. "Role-based strategy"  is preferred when number of projects in Jenkins is very large. It uses pattern to match project names.

Install the Role based authorization strategy plugin

Login to Jenkins with your admin account -> Click on “Manage Jenkins” -> Click on “Manage Plugins” -> Click on “Available” tab -> Search for “role” in the Filter text box.

You’ll see “Role-based Authorization Strategy” in the results. Click on the “check-box” infront of it to select this item. Click on “Install without restart” button at the bottom

Change the Jenkins Authorization method

Once the plugin is installed, next step is to change the default Jenkins authorization method to use the role based plugin.

For this, go to “Manage Jenkins”, click on “Configure Global Security”, under the “Access Control” section, for the “Authorization”, click on “Role-Based Strategy”.

Manage and Assign Role Options

Now ,if we go to the “Manage Jenkins”, we will see a “Manage and assign Roles”.

Create a new global role - 

Click on the “Manage roles”, from where we can create global roles that will be applicable to objects in Jenkins. The roles can be “admin”,” developer” and “Devops” etc. To add a global role, enter the role name in the “Role to add” text field and add. Once added provide the permissions to the role as below. The permissions for agents, jobs ,views are also available. Provide the correct permissions to use to give full control

The following are the permissions available to be assigned to your new global role. 

Overall – Administer, ConfigureUpdateCenter, Read, RunScripts, UploadPlugins 

Credentials – Create, Delete, ManageDomains, Update, View 

Agent – Build, Configure, Connect, Create, Delete, Disconnect, Provision 

Job – Build, Cancel, Configure, Create, Delete, Discover, Move, Read, Workspace 

Run – Delete, Replay, Update 

View – Configure, Create, Delete, Read SCM – Tag 

Project Roles Besides roles, we can also create roles for projects that will be applied to certain projects (jobs). For example we can create a project roles “web” which will apply only to all projects that start with the keyword “web*”. We can create project with matching pattern so that we can allow certain users to check the jobs.

Some of the notable points regarding Project roles are The regular expression “web*” will match all the Jenkins jobs that start with “web”. If you want case-insensitive, add “(?i)” to the pattern. For example (?i)web* will match jobs starting with both “web” and “Web”. Once the project role are added, select the permissions that you want to assign for the project role. 
Below are the permissions available 
Credentials – Create, Delete, ManageDomains, Update, View 
Job – Build, Cancel, Configure, Create, Delete, Discover, Move, Read, Workspace 
Run – Delete, Replay, Update 
SCM – Tag

Assigning Users to the Roles Or Groups After creating roles with permissions we need to assign roles to users. Click the “Assign Roles” in “Manage and Assign Roles” link under “Manage Jenkins” Assign the users the appropriate roles based on their 

In the item roles section , add the users who can access the projects that are created in the Project roles.

Even within those matched projects, users can only perform certain activities based on the permissions that we assigned for that particular project role.