Role Strategy Plugin

Skip to end of metadata
Go to start of metadata

Adds a new role-based strategy to manage users' permissions.

Plugin Information

Plugin ID role-strategy Changes In Latest Release
Since Latest Release
Latest Release
Latest Release Date
Required Core
2.2.0 (archives)
Jun 28, 2014
Source Code
Issue Tracking
Pull Requests
Open Issues
Pull Requests
Thomas Maurel (id: tmaurel)
Romain Seguy (id: rseguy)
Oleg Nenashev (id: oleg_nenashev)
Usage Installations 2014-Nov 7481
2014-Dec 7756
2015-Jan 8288
2015-Feb 8569
2015-Mar 9312
2015-Apr 9618
2015-May 9917
2015-Jun 10500
2015-Jul 11080
2015-Aug 11189
2015-Sep 11800
2015-Oct 12189

About this plugin

This plugin adds a new role-based strategy to ease and fasten users management. This strategy allows:

  • Creating global roles, such as admin, job creator, anonymous, etc., allowing to set Overall, Slave, Job, Run, View and SCM permissions on a global basis.
  • Creating project roles, allowing to set only Job and Run permissions on a project basis.
  • Creating slave roles, allowing to set node-related permissions.
  • Assigning these roles to users.

Table of contents

User guide

Getting started

Using the plugin is fairly simple:

  1. Activate the Role-Based Strategy by using the standard Manage Jenkins > Configure System screen:
  2. Define and assign roles by using the Manages Roles item which appears in the Manage Jenkins screen:

    You then get following options:
    #* Manage Roles is the place where to set up roles:

    There's nothing much to say here, this is self-explanatory. The only tricky field is the Pattern one. This field consists in a regular expression aimed at matching the full name (including the folder name, if you're using Cloudbees Folders Plugin) of the jobs which the role will apply to. For example, if you set the field to "Roger-.*", then the role will match all jobs which name starts with "Roger-". Note that the pattern is case-sensitive. To perform a case-insensitive match, use (?i) notation: upper, "Roger-.*" vs. lower, "roger-.*" vs. case-insensitive, "(?i)roger-.*". If you have a nested folder structure where you want to provide the particular access to the second folder (or deeper), consider having a two-level security structure as well (Say you want to provide exclusive write/ modify type access to foo/bar and not everything else under "foo": First, assign that user/ group to read/ discover permissions with pattern " ^foo.* ", then assign that same user/ group to the more particular permissions with pattern " ^foo/bar.* " - Similar to what you'd do in a Unix/ Linux environment.
  1. #* Assign Roles is the place where to assign the defined roles to users:

Global Roles vs. Project Roles

It should be noted that the Global Roles override anything you specify in the Project Roles. That is, when you give a role the right to Job-Read in the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Project Roles.

It may therefore be advisable to leave most (all) options unchecked in Job, Run and SCM in the Global Roles section for normal users.

Built-in Roles

There are two built-in roles:

*Anonymous* — Users who have not logged in

authenticated — Logged in users

Macros support (since 2.1.0)

Macros allow to extend analysis of user's access rights (see @RoleMacroExtension). If user's sid meets criteria in Roles and Assignments, then analysis will be propagated to extension, which makes decisions according to instance and parameters.

Available macros

You can get list of available macros and theirs descriptions at the JENKINS_URL/role-strategy/list-macros page. At the current state, plugin has minimal set of available macros, but they can be added by extensions from plugins.

Known macros:

  • Built-in: @BuildableJob
  • Ownership plugin: Ownership-based roles: @Owner and @CoOwner (will be released in ownership-0.2)

Macro usage

Macros can be used in the following fields:

  • RoleMacros - name of the role
  • UserMacros - Not supported yet
    Macro format: @macroName[:id][(parameter1, parameter2, ...)]>
  • macroName - name of the macro (see available macros in the table below)
  • id - identifier of the macro. Technical parameter, which allows to use same macros for multiple patterns
  • parameter - additional parameters. At the current state, they don't support variables or TokenMacros

Macro string examples:

  • @BuildableJob - Primitive macro invocation. Such invocation can be used only once in each roles category.
  • @BuildableJob:1 - Macro with id
  • @ParameterizedMacro(param1) - Invokes macro with one parameter
  • @ParameterizedMacro:2(param1,param2) - Invokes macro with two parameters. Id prevents naming conflicts

External add-ons

The management interface becomes difficult to use with a large number of users and/or roles. Several Greasemonkey userscripts exist to make the UI easier to use (Jira issue):

Jenkins Role Strategy UI enhancer
This userscript adds a tooltip to the checkboxes indicating the row (e.g. user name) and column (e.g. permission).

Jenkins Role Strategy Role Management Enhancer and Jenkins Role Strategy Role Assignment Enhancer
These userscripts rotate the text in the column title cells on the Role Strategy configuration pages by 90 degrees so they use less horizontal space. Additionally, the first (header) column is repeated at the end of the table.

Version history

Version 2.2.0 (06/29/2014)

  • Support of Create Job permissions since jenkins-1.566 (JENKINS-19934)
    • The permission requires the specific item name validation strategy, which should be selected in Jenkins global configuration
  • Fixed help links in manage-roles pages (JENKINS-15030)
  • Slave permissions: Allow assignment of permissions, which don't belong to "Slave" group (JENKINS-18978)

Version 2.1.0 (07/20/2013)

Version 1.1.3 (07/10/2013)

  • Prevented exceptions in case of missing roles (JENKINS-18648)
  • Prevented exceptions in case of deleted Permissions
  • Support of folders plugin (JENKINS-17482)
  • Upgraded to Jenkins 1.424

Version 1.1.2 (10/14/2011)

  • Implemented JENKINS-9325: Permissions contributed by plugins can now be managed at the project roles level
  • Upgraded to Jenkins 1.409

Version 1.1.1 (09/19/2011)

  • Fixed JENKINS-8058: "<" and ">" characters were not supported in regular expression patterns

Version 1.1 (06/08/2011)

  • SCM permissions (e.g. Tag) can now be handled at the project roles level
  • Improved UI to handle large installations:
    • Deletion buttons are now also displayed on the left of each table
    • When having table with more than 20 entries, a footer is now added which repeats header
    • It is now possible to edit already defined patterns by double-clicking on them in the Project roles table
  • Fixed some typos
  • Fixed some image display issues

Version 1.0 (09/20/2010)

  • Initial release


plugin-user plugin-user Delete
plugin-security plugin-security Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Add Comment