Hi James,

Thanks for the help, it is much appreciated. Based on what you've said and on what else I've read, I think we're probably going to move away from Jenkins for at least part of our CI/CD process. We have to have tighter control of permissions. I'll take a look at CloudBees Core, but in other jobs I've used Azure DevOps and I think we might go that route. Kind of hate to say that.

Thanks,
Nick

On Friday, December 13, 2019 at 6:43:25 AM UTC-5, James Nord wrote:
>
> Hi Nick,
>
> it's not currently possible with Jenkins. (But even if you could, the users
> can still do anything, including changing security permissions, by running a
> script in the console or uploading a plugin.)
>
> Part of what you are asking will be addressed by
> https://github.com/jenkinsci/jep/pull/249 /
> https://github.com/jenkinsci/jenkins/pull/4374 (and a likely follow-up to
> allow installations of plugins without CONFIG or ADMINISTER).
>
> The second part, "adding plugins", is always dangerous, given an installed
> plugin has unlimited access inside Jenkins (and we allow anyone to host a
> plugin on request). If you do not lock down your update center then those
> users would again be able to run arbitrary code by installing an evil plugin
> that they maintain - thus even if a new permission existed you would also
> need to have a curated UpdateCenter to only allow those users the ability
> to install plugins (and versions) that you have deemed safe/secure if you
> want a desire system.
>
> Finally, with regards to editing security of Jobs, I am not sure about
> Project-based Matrix Authorization Strategy, or the other open source
> alternatives (but I would guess there is a way); if not, I know CloudBees
> Core <https://www.cloudbees.com/products/core/overview> can provide this
> last piece of the puzzle (disclaimer: as you can tell from my email I work
> for CloudBees).
>
> Regards
>
> /James
>
>
> On Friday, December 13, 2019 at 9:37:41 AM UTC, Nick Howard wrote:
>>
>> Right now I'm the only developer at the company I work for and I have
>> unrestricted access to Jenkins, but we need to tighten down permissions. Is
>> there a way to set up a new user that would be able to maintain the users
>> and user permissions? That user would then remove my ability to make
>> changes in the "Configure Global Security" screen. But I still need other
>> admin ability, like adding plugins, or configuring the system.
>>
>> I suppose I shouldn't be able to edit the project based security settings
>> in the job either, but I'm almost certain that isn't possible.
>>
>> Right now we're using Project-based Matrix Authorization Strategy, if
>> that matters.
>>
>> Is that possible? From what I've tested I don't think it is, but I
>> haven't done a ton with Jenkins.
>>
>> Thanks,
>> Nick
>>
>

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/6605e63d-0412-4cf5-9dd2-eafe819e3fa9%40googlegroups.com.
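
An added example, not part of the thread and not Jenkins project code: one way to check that a controller only runs plugins (and versions) from a curated list, as James's reply recommends. It assumes the plugin inventory has the shape returned by `/pluginManager/api/json?depth=1` (fields `shortName`, `version`, `enabled`); the inventory, the version numbers and the `APPROVED` allowlist are constructed for illustration.

```python
import json

# Constructed sample, shaped like the /pluginManager/api/json?depth=1
# response (only the fields used here; versions are made up).
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.0.0", "enabled": True},
        {"shortName": "matrix-auth", "version": "2.5", "enabled": True},
        {"shortName": "internal-helper", "version": "0.1", "enabled": True},
        {"shortName": "old-tool", "version": "1.2", "enabled": False},
    ]
})

# Hypothetical allowlist: plugin short name -> set of approved versions.
APPROVED = {
    "git": {"4.0.0"},
    "matrix-auth": {"2.6"},
    "old-tool": {"1.2"},
}


def audit_plugins(inventory_json, approved):
    """Return findings for installed plugins outside the curated list."""
    findings = []
    for plugin in json.loads(inventory_json).get("plugins", []):
        name = plugin.get("shortName")
        version = plugin.get("version")
        if name not in approved:
            reason = "plugin not on allowlist"
        elif version not in approved[name]:
            reason = "version not approved"
        else:
            continue  # approved plugin at an approved version
        findings.append({
            "plugin": name,
            "version": version,
            "enabled": bool(plugin.get("enabled")),
            "reason": reason,
        })
    # Disabled plugins are still reported when unapproved: they remain installed.
    return sorted(findings, key=lambda f: f["plugin"])


if __name__ == "__main__":
    for f in audit_plugins(SAMPLE_INVENTORY, APPROVED):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['plugin']} {f['version']} ({state}): {f['reason']}")
```

Run on a schedule from outside the controller, this reports drift from the curated list; it does not replace restricting the update center itself.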
