Hi Stephen,

Thanks for the reply! I made a lot of progress on this, somehow, where I never was making progress before... since posting to the group. Figures.

It turns out that because the users could see "Credentials" as an option always at left, they were selecting that and blindly choosing the "Global" domain to add their credentials. They could see the "Credentials" item at left because I'd given authenticated users CRUD rights for that under "Manage Roles". Turns out that's a mistake for any Jenkins environment where sensitive information needs to remain protected from other users.

I've directed the ~10 people to move their credentials to their personal credential store. Once everything has been moved, I'll disable the CRUD privileges related to "Credentials" for authenticated users.

The Jenkins permissions matrix in the UI is very vague, to say the least. One is left to guess at what exactly the real-world effect of those checkboxes will be. The simplistic "Credentials" column header in the permissions matrix is very misleading :(

NOW...

> Storing them in the per-user store will likely not be much use to you
> without the Authorize Projects plugin that lets you run builds as a
> user other than ACL.SYSTEM... so this will require some thinking for
> you.
>
> Another option is to use the per-folder credentials store and restrict
> access to folders (of course you might need an auth strategy that was
> designed for use with folders to be able to carve up the permissions
> correctly)

Ugh. I guess I'll start researching that now.

Thank you again.

Jeff
