My tired eyes. I just re-read the subject line mentioning Matrix Auth. I do recommend "upgrading" from Matrix Auth to Role Strategy. That eliminated a lot of pain for us we accumulated more folders, jobs, and users. And that could eliminate at least one bit of complexity in your use case. Though beware, you still need to create read-access roles to the folders and separate roles to the jobs inside the folders.
The advantage is twofold though: 1) You tailor ACLs to roles instead of individual users. 2) The pattern-matching nature of the roles can give you the ability to apply the role to multiple folders and jobs. On Sunday, March 24, 2019 at 9:05:25 AM UTC-7, Brian Ray wrote: > > I'm guessing you use the Role Strategy > <https://plugins.jenkins.io/role-strategy> plugin. We use it with the Active > Directory <https://plugins.jenkins.io/active-directory> plugin for > authentication. To make a long story short I don't think there's a way, at > least with Role Strategy, to set up an ACL hierarchy. We have had to set up > multiple roles (ACLs) on the folders and then on jobs. > > The one labor-saving grace is that via AD groups we've been able to assign > roles to groups instead of individual users. Sometimes we do give > individual users special privileges and in that sense we get some small bit > of hierarchical effect. But by virtue of user membership in AD groups, not > via some relationship between the the roles targeting folders and jobs. > > If you come across a solution I'd be curious to learn of it. > > Good luck. > > On Wednesday, January 16, 2019 at 5:33:01 AM UTC-8, [email protected] > wrote: >> >> Hello >> any suggestion to move forward on this topic? >> Thanks in advance >> >> On Thursday, 20 December 2018 18:13:18 UTC+1, [email protected] >> wrote: >>> >>> Hello >>> >>> i'm a bit struggling for one use case i have, maybe someone could share >>> its experience on such scenario. >>> >>> *Jobs structure:* >>> >>> - FolderA >>> - SubFolderA >>> - jobA1 >>> - jobA2 >>> - SubFolderB >>> - jobB1 >>> >>> >>> *Use caseq:* >>> >>> 1. user1 has read access to all jobs >>> 2. user2 has only read access to jobA2 >>> >>> >>> By default, authorizations are inherited from parent ACL. It is very >>> handy to avoid redefining all authorizations for each item level. >>> However, i am not able to find a way to keep this inherited behavior >>> while granting some authorizations at lower (job) level. >>> >>> - If i configure user1 authorization at FolderA level, then with >>> inheritance it will have access to everything >>> - If i configure user2 authorization at jobA2 level, then it cannot >>> access jobA2 because upper-level authorizations are not defined (ie. >>> user2 >>> does not have access to FolderA & SubFolderA) >>> >>> Is there a way to address those 2 scenarios while still relying on >>> inheritance to ease authorization definitions? If not, does it means i have >>> to redefine at each level all authorizations (ie. no parent ACL >>> inheritance) to achieve that? >>> >>> What about an implicit "Folder PassThrough" authorization that would be >>> automatically granted to all parents items when authorizing a user to >>> access a lower-level item? >>> In that case, if i configure user2 authorization at jobA2 level, then it >>> could "PassThrough" FolderA and SubFolderA and eventually get access to >>> jobA2 on the UI. >>> >>> Not sure if it is clear, anyway any help will be appreciated ;) >>> BR >>> >> -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/466345a9-886c-4aab-9e8e-cfb8c5c1ca99%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
