BestHub
Sign in
Operations 9 min read

Jenkins System Permission Management Using Role-based Authorization Strategy

This article explains how to secure Jenkins by installing the Role-based Authorization Strategy plugin, defining global, item, and node roles, assigning users to those roles, handling common issues, and automating permission management with a Groovy pipeline script.

DevOps Cloud Academy
DevOps Cloud Academy
DevOps Cloud Academy
Jenkins System Permission Management Using Role-based Authorization Strategy

After installing Jenkins, the default security setting allows any logged‑in user to perform any action, which poses a security risk.

To address this, install the Role-based Authorization Strategy plugin via the plugin manager and restart Jenkins. The plugin provides two main functions: Manage Roles and Assign Roles .

1.1 Role and Permission Division

1.1.1 Global Roles apply to all Jenkins projects and override any item‑level permissions. For example, granting the Job Read permission in Global Roles allows reading all jobs regardless of item‑level settings. The default admin user has all permissions.

Permissions are grouped as follows:

All: full management and read permissions for all objects.

Credentials: create, delete, manage domains, update, and browse credentials.

Nodes: build, configure, connect, create, delete, and disconnect nodes.

Jobs: build, cancel, configure, create, delete, discover, read, move, and workspace permissions.

Run: delete, replay, and update builds.

Views: configure, create, delete, and read view permissions.

Platform roles can be categorized as Administrator ( admin ), Secondary Administrator ( itemadmin ), and Regular User ( users ).

1.1.2 Item Roles allow permission assignment to jobs matching a regular expression. For example, jobs prefixed with test- (e.g., test-pipeline-service ) can be grouped under an Item Role named test with a pattern test-.* . Permissions such as Job Build/Cancel/Discover/Read/Workspace can then be granted to this role.

1.1.3 Node Roles can also be configured via Item Roles using regular expressions, though in most pipelines node permissions are managed through agent labels.

1.2 Assigning Roles to Users

Create a user and assign global roles (e.g., itemadmin for job administrators). After saving, the user can fully manage jobs but cannot modify system settings or nodes. Reassigning the user to the users role restricts access, and adding an appropriate Item Role restores build permissions for specific project groups.

1.3 FAQ

If a user lacks the Overall/Read permission in Global Roles, they may be unable to log in. In such cases, edit config.xml to set <useSecurity>false</useSecurity> and restart Jenkins.

For large‑scale permission management, use the plugin’s REST API to create and assign roles programmatically. The following Groovy pipeline demonstrates how to wrap HTTP requests and invoke the API to create roles and assign them to users.

def HttpReq(reqType, reqUrl, reqBody) {
    def apiServer = "http://localhost:8080/role-strategy/strategy"
    result = httpRequest authentication: 'jenkins-admin-user',
        httpMode: reqType,
        contentType: "APPLICATION_JSON",
        consoleLogResponseBody: true,
        ignoreSslErrors: true,
        requestBody: reqBody,
        url: "${apiServer}/${reqUrl}"
    return result
}

def CreateRole(roleType, roleName, permissionIds='', overwrite='true', pattern='') {
    if (roleType == "globalRoles") {
        reqUrl = "addRole?type=${roleType}&roleName=${roleName}&permissionIds=${permissionIds}&overwrite=${overwrite}"
    } else {
        reqUrl = "addRole?type=${roleType}&roleName=${roleName}&permissionIds=${permissionIds}&overwrite=${overwrite}&pattern=${pattern}"
    }
    result = HttpReq("POST", reqUrl, '')
    return result
}

def AssignRole(roleType, roleName, username) {
    reqUrl = "assignRole?type=${roleType}&roleName=${roleName}&sid=${username}"
    result = HttpReq("POST", reqUrl, '')
    return result
}

pipeline {
    agent any
    parameters {
        choice choices: ['', 'CreateRole', 'AssignRole'], name: 'runOpts'
        choice choices: ['', 'globalRoles', 'projectRole'], name: 'roleType'
        string name: 'roleName'
        string name: 'userName'
    }
    stages {
        stage('Run') {
            steps {
                script {
                    switch (params.runOpts) {
                        case 'CreateRole':
                            CreateRole(params.roleType, params.roleName, 'hudson.model.Item.Discover,hudson.model.Item.ExtendedRead', true, "${params.roleName}-.*")
                            break
                        case 'AssignRole':
                            AssignRole(params.roleType, params.roleName, params.userName)
                            break
                        default:
                            println('error')
                    }
                }
            }
        }
    }
}

This pipeline can be used to automate role creation and assignment directly from Jenkins.

ci/cddevopsJenkinsPermissionsRole-based Authorization
DevOps Cloud Academy
Written by

DevOps Cloud Academy

Exploring industry DevOps practices and technical expertise.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment