I think it would be helpful for the JEP to have a lot more color in
the Motivation section. From the three short paragraphs given there it
is hard to tell what the real use cases for this change are. You are
saying something about a “large enterprise”, but

· Who typically is going to be granted `CONFIGURE` without
`ADMINISTER`, and who `ADMINISTER`? What would their job roles be
called?
· What are the archetypal things you would want to “configure” that
cannot be accomplished via Pipeline-as-code and which today are
available only with full administer privilege?
· What is the threat model of the “administrator”—intruders?
Disgruntled ex-employees? Accidental system destruction? Lazy
shortcuts by well-meaning developers?

> You can make a fine grained permission into a coarser scheme

You _could_, though for the most part Jenkins does not do so. Setting
aside global-scope permissions, there are a ton of confusing and
overly detailed permissions at other scopes today, all of which are
exposed in the common authorization strategies. This is basically
punting on real product design and just expecting the administrator to
assemble a meaningful high-level role on their own or by copying
examples. Most other systems I have used offer just a very short list
of comprehensible roles (e.g.: owner, writer, reader). Jenkins does
have the `impliedBy` system, so you can at least grant `ADMINISTER`
easily, though the UX is poor.

> you cannot effectively break a coarse permission into finer ones (as the 
> whole RUN_SCRIPTS / Administer shows)

Indeed you cannot, though `RUN_SCRIPTS` vs. `ADMINISTER` was not a
good example of this—rather it was a case of the `impliedBy`
relationship between these two permissions being nonsensical.
