Jenkins : Matrix-based security

Matrix-based security is one of the authorization strategies available for securing Jenkins.  It allows you to grant specific permissions to users and groups.  The available permissions are listed below with their descriptions, and are also available by hovering over the permission heading in the Jenkins UI.

Note: These are the most common permissions available.  Other plugins may add their own permissions.

Overall

Several of these permissions are at least as powerful as Administer, but for historical reasons are implied by the Administer permission (i.e. everyone with Administer can also perform the actions associated with these other permissions):

  • RunScripts allows executing arbitrary code in the context of any (Jenkins internal) user, including the internal SYSTEM user.
  • UploadPlugins allows uploading plugins, which in turn can execute arbitrary code in the context of any (Jenkins internal) user.
  • ConfigureUpdateCenter can configure proxy settings and thereby control the update site metadata and plugin files downloaded by the Jenkins plugin manager, which in turn can be used to execute arbitrary code.

| Permission | Description |
|---|---|
| Administer | Make system-wide configuration changes.  Perform highly sensitive operations that amount to full local system access (within the scope granted by the underlying OS). |
| Read | View almost all pages within Jenkins. |
| RunScripts | Run Groovy scripts via the Groovy console or groovy CLI command. |
| UploadPlugins | Upload arbitrary plugins. |
| ConfigureUpdateCenter | Configure update sites and proxy settings. |
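The audit below is an added example, not part of the original page or of Jenkins itself: it lists principals that lack Administer but hold one of the three Overall permissions described above as at least as powerful. It assumes the matrix is stored in config.xml as `<permission>ID:principal</permission>` entries with Overall permission IDs prefixed `hudson.model.Hudson.`; the function names, the sample file and its principals are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Overall permissions the page describes as at least as powerful as Administer.
ADMIN_EQUIVALENT = {"RunScripts", "UploadPlugins", "ConfigureUpdateCenter"}
OVERALL_PREFIX = "hudson.model.Hudson."  # assumed ID prefix for Overall permissions

# Constructed sample of the authorization section of a Jenkins config.xml.
SAMPLE_CONFIG = """\
<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.RunScripts:alice</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Hudson.UploadPlugins:build-team</permission>
    <permission>hudson.model.Hudson.Read:build-team</permission>
    <permission>GROUP:hudson.model.Hudson.ConfigureUpdateCenter:ops</permission>
    <permission>hudson.model.Item.Build:carol</permission>
  </authorizationStrategy>
</hudson>
"""

def parse_grants(config_xml):
    """Return {principal: set of Overall permission short names}."""
    grants = {}
    root = ET.fromstring(config_xml)
    for node in root.iter("permission"):
        entry = (node.text or "").strip()
        # Some entries carry a USER:/GROUP: type prefix (assumed format).
        for prefix in ("USER:", "GROUP:"):
            if entry.startswith(prefix):
                entry = entry[len(prefix):]
        perm_id, sep, sid = entry.partition(":")
        if not sep or not perm_id.startswith(OVERALL_PREFIX):
            continue  # malformed entry, or not an Overall permission
        grants.setdefault(sid, set()).add(perm_id[len(OVERALL_PREFIX):])
    return grants

def hidden_admins(config_xml):
    """Principals without Administer that still hold an equivalent grant."""
    findings = {}
    for sid, perms in parse_grants(config_xml).items():
        risky = perms & ADMIN_EQUIVALENT
        if risky and "Administer" not in perms:
            findings[sid] = sorted(risky)
    return findings

if __name__ == "__main__":
    for sid, perms in sorted(hidden_admins(SAMPLE_CONFIG).items()):
        print(f"{sid}: effectively Administer via {', '.join(perms)}")
```

Any principal this reports should be reviewed as if it had been granted Administer.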

Slave

| Permission | Description |
|---|---|
| Configure | Configure existing slaves. |
| Delete | Delete existing slaves. |
| Create | Create new slaves. |
| Disconnect | Disconnect slaves or mark slaves as temporarily offline. |
| Connect | Connect slaves or mark slaves as online. |

Job

| Permission | Description |
|---|---|
| Create | Create a new job. |
| Delete | Delete an existing job. |
| Configure | Update the configuration of an existing job. |
| Read | Grants read-only access to project configurations. |
| Discover | Redirect anonymous users to a login form rather than presenting an error message if they don't have permission to view jobs. |
| Build | Start a new build and cancel a running build. |
| Workspace | Retrieve the contents of a workspace that Jenkins has checked out for performing a build. |
| Cancel | Cancel a running build. |

Run

| Permission | Description |
|---|---|
| Delete | Delete specific builds from a build's history. |
| Update | Update the description and other properties of a build.  (For example, to leave notes about the cause of a build failure.) |

View

| Permission | Description |
|---|---|
| Create | Create new views. |
| Delete | Delete existing views. |
| Configure | Update the configuration of existing views. |
| Read | See any existing views. |

SCM

| Permission | Description |
|---|---|
| Tag | Create a new tag in the source code repository for a given build. |
