The goal is to lock this down so that:<\/p>\n
- \n
- Onshore developers can work on all pipelines but can\u2019t delete or create new ones.<\/li>\n
- Offshore developers can only see and work on -dev and -uat pipelines.<\/li>\n
- The DevOps Team can manage everything except jobs ending in -prod.<\/li>\n
- The Support Team can only view and build jobs ending in -helper.<\/li>\n
- Admins have unlimited power.<\/li>\n<\/ul>\n
The Tool for the Job: Role-Based Strategy
\n<\/strong>Jenkins offers a few ways to manage security, but “Matrix-Based Security” can become a huge, unreadable table with many users.<\/p>\nThe Role-Based Authorization Strategy plugin gives us more wiggle room. Its real strength is using name patterns to control who can touch which jobs, like a rule for everything ending in -dev.<\/p>\n
Time to set it all up<\/h2>\n
1. Check and Install the plugin if not done already<\/h3>\n
If you don’t see the “Role-Based Authorization Strategy”\u00a0 under Authorization in Configure Global Security then,<\/p>\n
- \n
- Go to Manage Jenkins > Plugins.<\/li>\n
- Click the Available tab and search for “Role-Based Authorization Strategy”.<\/li>\n<\/ol>\n
Install it and restart Jenkins if it asks.<\/p>\n
2. Next, we enable it in security.<\/h3>\n
Go to Manage Jenkins > Global Security.
\nIn the Authorization section, select Role-Based Strategy and save it<\/p>\nWe are now able to see Manage and Assign Roles under Manage Jenkins.<\/p>\n
Overview of Role management.<\/strong><\/h2>\n
1. Manage Roles : <\/strong><\/h3>\n
You create and manage roles here.<\/p>\n
![\"ManageRoles](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/03\/Manageroles-1024x716.png\")
Manage Roles<\/p><\/div>\n
2. Assign Roles<\/h3>\n
This section is used to assign predefined roles to specific users.<\/p>\n
![\"Assign](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/03\/assign-role-global-view-1-1024x449.png\")
Assign role – global role<\/p><\/div>\n
<\/p>\n
![\"Assign](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/03\/Screenshot-from-2025-03-27-16-00-05-1024x284.png\")
Assign role – Item role<\/p><\/div>\n
Planning, Managing and Assigning Roles<\/h2>\n
1. Planning the Roles<\/h3>\n
Before we start actually doing it, a simple plan can save us a lot of time.<\/p>\n
As you can see we need two kinds of roles:<\/p>\n
- \n
- Global roles<\/strong>: More Broad things and control fall under it. We need to make sure that we only assign the least permission possible in the Global role for any user, then use item roles for the detailed permissions.<\/li>\n
- Item roles<\/strong>: Control access to specific jobs using patterns that match job names, and more fine-tuned permission is assign using Item roles<\/li>\n<\/ol>\n
2. Roles and Permissions for Users<\/h3>\n
Here\u2019s what we are aiming for:<\/p>\n
- \n
- User Category: Onshore Developers<\/strong><\/li>\n<\/ol>\n
- \n
- Global Role: onshore-developer<\/li>\n
- Item Role: None<\/li>\n<\/ul>\n
Key Permissions: Full access to the jobs, but no Create or Delete permission.<\/p>\n
2. User Category: Offshore Developers<\/strong><\/p>\n
- \n
- Global Role: offshore-developer<\/li>\n
- Item Role: offshore-devs<\/li>\n
- Item Role Pattern: .*-(uat | dev)<\/li>\n<\/ul>\n
Key Permissions: Scoped access to matching jobs, no admin stuff.<\/p>\n
3. User Category: DevOps Team<\/strong><\/p>\n
- \n
- Global Role: devops<\/li>\n
- Item Role: devops-team<\/li>\n
- Item Role Pattern: ^(?!.*-prod$).+$<\/li>\n<\/ul>\n
Key Permissions: Full access to everything except -prod jobs.<\/p>\n
4. User Category: Support Team<\/strong><\/p>\n
- \n
- Global Role: support<\/li>\n
- Item Role: support-team<\/li>\n
- Item Role Pattern: .*-helper<\/li>\n<\/ul>\n
Key Permissions: Can only view and build -helper jobs.<\/p>\n
User Category: Admins<\/p>\n
Global Role: admin<\/p>\n
Item Role: (None)<\/p>\n
Key Permissions: Full control over everything.<\/p>\n
Personally, I like to start with the global roles first, then add item roles with a simple pattern, test, and tighten it up if needed. It’s little bit more tedious at first, but it saves time later when someone says, \u201cHey, I can\u2019t see my UAT job,\u201d and you can point to the pattern.<\/p>\n
Overview Table<\/strong><\/h3>\n
\n\n
\n User Category<\/strong><\/span><\/td>\n Global Role<\/strong><\/span><\/td>\n Item Role<\/strong><\/span><\/td>\n Role Pattern<\/strong><\/span><\/td>\n Permissions<\/strong><\/span><\/td>\n<\/tr>\n \n Permissions<\/strong><\/span>
\nOnshore Developers<\/strong><\/span><\/td>\nonshore-developer<\/span><\/td>\n No Item Role<\/span><\/td>\n –<\/span><\/td>\n Full access except delete\/create<\/span><\/td>\n<\/tr>\n \n Offshore Developers<\/strong><\/span><\/td>\n offshore-developer<\/span><\/td>\n offshore-devs<\/span><\/td>\n `.*-(uat|dev)<\/span><\/td>\n Can only see -uat and -dev pipelines<\/span><\/td>\n<\/tr>\n \n DevOps<\/strong><\/span><\/td>\n devops<\/span><\/td>\n devops-team<\/span><\/td>\n ^(?!.*-Prod$).+$<\/span><\/td>\n Full access except -Prod pipelines<\/span><\/td>\n<\/tr>\n \n Support Team<\/strong><\/span><\/td>\n support<\/span><\/td>\n support-team<\/span><\/td>\n .*-helper<\/span><\/td>\n Can only view and build -helper pipelines<\/span><\/td>\n<\/tr>\n \n Admins<\/strong><\/span><\/td>\n admin<\/span><\/td>\n No Item Role<\/span><\/td>\n –<\/span><\/td>\n Full access<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n 3: Creating the Roles<\/h3>\n
Navigate to Manage Jenkins > Manage and Assign Roles.
\nWe will start in the Manage Roles section.<\/p>\nCreate Global Roles<\/strong>
\nUnder Global Roles, we will add a role for each team.<\/p>\n- \n
- In the “Role to add” box, type admin and click Add.
\nCheck the box at the top of the admin column to give this role all permissions.<\/li>\n - Add the other global roles: onshore-developer, offshore-developer, devops, and support.
\nFor these new roles, grant only the Overall\/Read permission.<\/li>\n - For onshore-developer role, grant all Job permissions except for Create and Delete.<\/li>\n<\/ol>\n
Starting with low permissions is a security best practice. It prevents accidentally giving someone too much power.<\/p>\n
Creating Item Roles<\/strong>
\nNext, we\u2019ll create item roles to control access to jobs by name.<\/p>\nScroll down to the Item Roles section.<\/p>\n
- \n
- In the “role to add” box, type offshore-devs and click Add.
\na. In the “Pattern” box for this role, enter .*-(uat|dev).
\nb. Why this pattern? It matches any job name that ends with -uat or -dev.
\nc. Grant the Build, Configure, Read, and Workspace permissions.<\/li>\n - Add the devops role with the pattern ^(?!.*-prod$).+$.
\na. This one matches any job name that does not contain -prod.
\nb. Grant all Job permissions for this role.<\/li>\n - At the end let’s add the support-helpers role with pattern .*-helper.
\na. This matches with any job name that has suffix -helper.
\nb. Grant only the Job\/Read and Job\/Build permissions.<\/li>\n<\/ol>\nOur roles are set, with global roles for basic access and item roles for specific job control.<\/p>\n
![\"Global](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/03\/Manage-role-view-1024x459.png\")
ManageRole View<\/p><\/div>\n
4.\u00a0Assign Roles to Users<\/strong><\/h3>\n
1. Go to Manage Jenkins > Manage and Assign Roles > Assign Roles.
\n2. Under Global Roles, assign each user to their corresponding global role.
\n3. Under Item Roles, assign users to relevant item roles.<\/p>\nHighlights<\/h2>\n
- \n
- You must have noticed that we are providing the minimum required permissions in the global role. This is done so that we can have more control over the user using the Item role.<\/li>\n
- In item roles, we are using patterns. This is a powerful feature that enables us to fine-tune what that role can see and do based on regex patterns.<\/li>\n
- We are not creating item roles for the Onshore team and Admin. This is because we don’t need to exclude or include specific jobs; we just need to manage permissions, and that option is available in global roles.<\/li>\n<\/ul>\n
<\/p>\n
Let’s see with an example<\/strong><\/h3>\n
Let’s assign Role to a member of Devops team.<\/strong><\/p>\n
Focus on the relevant Devops Global Role and Devops-team Item role of this user<\/p>\n
- \n
- Global Role:<\/strong> DevOps (Grants overall read access and agent access to Devops).<\/li>\n<\/ol>\n
![\"Global](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/03\/grole-1024x338.png\")
Global Role for Devops<\/p><\/div>\n
2. Item Role:<\/strong> For example devops-team (Can access all jobs except those ending with -Prod).<\/p>\n
![\"Item](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/03\/Irole-1024x338.png\")
Item role for devops-team<\/p><\/div>\n
Now the devops team user can only access all the jobs except those ending with -Prod.<\/p>\n
Notice we don’t assign item roles to the admin or onshore developer. Their permissions are fully defined by their powerful global roles.<\/p>\n
Key Takeaways<\/h2>\n
1. Global roles provide overall access control.
\n2. Item roles fine-tune permissions using regex patterns.
\n3. Assigning the minimum required permissions in Global Roles helps avoid conflicts.
\n4. Pattern-based control allows flexible and secure access management.<\/p>\nHelpful Resources
\n<\/strong><\/h3>\nRegex for Pattern Matching: https:\/\/regex101.com\/<\/p>\n
Conclusion<\/h2>\n
By implementing Role-Based Authorization Strategy, we achieved better security and organization within Jenkins, ensuring that users had only the access they needed.<\/p>\n
This method is scalable, easy to maintain, and enhances Jenkins security significantly.<\/p>\n
The Role-Based Authorization Strategy plugin is an essential tool for managing access control in Jenkins, especially in environments with multiple users and varying levels of access needs.<\/p>\n
- Global Role:<\/strong> DevOps (Grants overall read access and agent access to Devops).<\/li>\n<\/ol>\n
- In the “role to add” box, type offshore-devs and click Add.
- In the “Role to add” box, type admin and click Add.
- Item roles<\/strong>: Control access to specific jobs using patterns that match job names, and more fine-tuned permission is assign using Item roles<\/li>\n<\/ol>\n
- Global roles<\/strong>: More Broad things and control fall under it. We need to make sure that we only assign the least permission possible in the Global role for any user, then use item roles for the detailed permissions.<\/li>\n