I'm guessing you use the Role Strategy <https://plugins.jenkins.io/role-strategy> plugin. We use it with the Active Directory <https://plugins.jenkins.io/active-directory> plugin for authentication. To make a long story short I don't think there's a way, at least with Role Strategy, to set up an ACL hierarchy. We have had to set up multiple roles (ACLs) on the folders and then on jobs.
The one labor-saving grace is that via AD groups we've been able to assign roles to groups instead of individual users. Sometimes we do give individual users special privileges and in that sense we get some small bit of hierarchical effect. But by virtue of user membership in AD groups, not via some relationship between the the roles targeting folders and jobs. If you come across a solution I'd be curious to learn of it. Good luck. On Wednesday, January 16, 2019 at 5:33:01 AM UTC-8, [email protected] wrote: > > Hello > any suggestion to move forward on this topic? > Thanks in advance > > On Thursday, 20 December 2018 18:13:18 UTC+1, [email protected] wrote: >> >> Hello >> >> i'm a bit struggling for one use case i have, maybe someone could share >> its experience on such scenario. >> >> *Jobs structure:* >> >> - FolderA >> - SubFolderA >> - jobA1 >> - jobA2 >> - SubFolderB >> - jobB1 >> >> >> *Use caseq:* >> >> 1. user1 has read access to all jobs >> 2. user2 has only read access to jobA2 >> >> >> By default, authorizations are inherited from parent ACL. It is very >> handy to avoid redefining all authorizations for each item level. >> However, i am not able to find a way to keep this inherited behavior >> while granting some authorizations at lower (job) level. >> >> - If i configure user1 authorization at FolderA level, then with >> inheritance it will have access to everything >> - If i configure user2 authorization at jobA2 level, then it cannot >> access jobA2 because upper-level authorizations are not defined (ie. >> user2 >> does not have access to FolderA & SubFolderA) >> >> Is there a way to address those 2 scenarios while still relying on >> inheritance to ease authorization definitions? If not, does it means i have >> to redefine at each level all authorizations (ie. no parent ACL >> inheritance) to achieve that? >> >> What about an implicit "Folder PassThrough" authorization that would be >> automatically granted to all parents items when authorizing a user to >> access a lower-level item? >> In that case, if i configure user2 authorization at jobA2 level, then it >> could "PassThrough" FolderA and SubFolderA and eventually get access to >> jobA2 on the UI. >> >> Not sure if it is clear, anyway any help will be appreciated ;) >> BR >> > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/e1cecde5-ea39-4f9b-99ef-0212488cb20f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
