Restricting access in Jenkins

The scenario for this document is to provide 2 users, one in each team with access to an isolated sandbox environment on a Jenkins master.

Do you want to be able to manage granular access to areas in Jenkins that a user has permissions to view. To do this with Jenkins isn't straight forward but we this this pattern works really well.  

• restrict access to credentials
• prevent users from being able to access repositories they don't have access to in your source code manager
• provide adequate privileges for users within their Jenkins folder

The scenario for this document is to provide 2 users, one in each team with access to an isolated sandbox environment in Jenkins. The example we used is one IOS team and one Android team.

We preload the Role Strategy Plugin for you which enables us to implement role-based access controls. This coupled with Folder plugin and the matrix plugin we are able to generate detailed privileges.

Inside your identity manager create a role. 

Stage 2

Next create a group. 

Assign the role to the group.

Create a user and/or assign the user to the Group.

This is the initial stage complete, the next step is to login to Jenkins and setup the necessary permissions there. 

In Jenkins navigate to Manage Jenkins / Manage and Assign Roles.

Click Manage Roles.

Create 2 roles correlating to the roles created in the Identity manager in this case they are android-dev and ios-dev.

In the image we are creating a wanting to isolate the team to the folders called android and ios. When each team logs in they will only see a single folder. We use the Item roles section for this. In the global roles it is safe to exclude any permissions that overlap with Item roles or they override the item role and in a way exclude the whole Item role.

In the Item roles section add the name for the role. You don't need to use a regex but we test to favour this because it enables us more flexibility when naming pipelines and jobs. You can use a regular expression like this ios.* as well to lock the user to any jobs and resources in the ios root folder.

In the last stage we map the role to our users Identity role. Navigate to Manage and Assign Roles / Assign Roles

Assign the Item Roles.

If we login with this user account we get access denied. You need to create the ios or android folder or a series of home directories for the different teams.

With the admin user create a ios and android folder. 

Login with the android user.

Login with the ios user.

Now within the folder we add a credential domain specifically for this folder. In the domain add credentials for your source code repo. 

Click the Folder and the Add Domain. 

Add the Credentials above.

• Credentials in Folders are scoped and they won't be accessible outside the Folders.
• This access control strategy works best when you are consistent about creating this strategy.

More documentation here.

https://support.cloudbees.com/hc/en-us/articles/360036425292-Role-Based-Authorization-Strategy-Limit-folder-access

1. When you log in you see nothing and you have done everything we did here. 

In the global roles it is best to exclude any permissions that overlap with Item roles or they override the item role and exclude the whole Item role. This means a user will login and see no folders.