These permissions have been effectively hidden (unless specifically enabled) since 2017-4-10 see -> SECURITY-410 <https://jenkins.io/security/advisory/2017-04-10/#matrix-authorization-strategy-plugin-allowed-configuring-dangerous-permissions>). Work is underway to introduce a more sensible permission segregation that allows the delegation of limited administrative capabilities in a secure manner (see https://github.com/jenkinsci/jep/pull/249), and it seems reasonable to officially begin to phase out the usage of these permissions.
A WIP PR is available for review (https://github.com/jenkinsci/jenkins/pull/4365), as well as an associated issues (https://issues.jenkins-ci.org/browse/JENKINS-60406). If this PR is accepted, I expect to create an additional PR against the matrix-auth plugin that removes support for enabling the legacy behavior described in SECURITY-410 <https://jenkins.io/security/advisory/2017-04-10/#matrix-authorization-strategy-plugin-allowed-configuring-dangerous-permissions> : If you want to retain the old, unsafe behavior, set the system property > hudson.security.GlobalMatrixAuthorizationStrategy.dangerousPermissions to > true. > The plugin retains permissions configured before upgrading, so there > should be no changes in behavior afterwards. > -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/c6fcc542-4300-400d-8516-a97f2a877868%40googlegroups.com.
