DEV Community

Wycliffe A. Onyango

100 Days of DevOps: Day 76

Jenkins Security Configuration: Project-Based Authorization

Project Summary

This article documents the configuration process to grant fine-grained, job-specific permissions to new developers, sam and rohan, on the Packages job within the xFusionCorp Industries Jenkins instance. The task utilized the Project-based Matrix Authorization Strategy to ensure the Principle of Least Privilege.

Prerequisites

  • Users: admin, sam, rohan exist in the Jenkins Security Realm.
  • Job: Packages job exists.
  • Plugin: Matrix Authorization Strategy Plugin installed and Jenkins restarted.

Stage 1: Global Security Configuration (The Parent ACL)

The initial attempt failed because the users lacked the fundamental global permission to view the Jenkins UI. This step rectifies that to ensure successful login.

1.1 Activate Authorization Strategy

  1. Log in as admin (Adm!n321).
  2. Navigate to Manage Jenkins then Configure Global Security.
  3. Under the Authorization section, select Project-based Matrix Authorization Strategy.

1.2 Grant Global Read Access

The Overall/Read permission is the minimum requirement for any user to successfully log in and see the Jenkins dashboard.

  1. In the Global permission matrix, add user sam and add user rohan.
  2. For both sam and rohan, check only the box for Overall then Read.
  3. Click Save.

This configuration ensures the users can log in, thus resolving the "missing the Overall/Read permission" error.

Stage 2: Packages Job Configuration (The Child ACL)

This stage applies the specific job-level permissions as required by the development team.

  1. Navigate to the Jenkins dashboard and open the Packages job.
  2. Click Configure in the left sidebar.
  3. Scroll to the Authorization section and check the box for "Enable project-based security."

2.1 Configure Inheritance Strategy (Requirement A)

Under the Authorization settings, the required inheritance rule was applied:

Select Inheritance Strategy then Inherit permissions from parent ACL.

  • This setting correctly combines the global Overall/Read permission with the project-specific permissions defined below.

2.2 Grant Specific Job Permissions (Requirements B & C)

The final, specific permissions were granted in the project-level matrix:

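| User | Requirement | Job/Read | Job/Build | Job/Configure | Job/Cancel | Job/Update | SCM/Tag |
|---|---|---|---|---|---|---|---|
| sam | Build, Configure, Read | ✓ | ✓ | ✓ | | | |
| rohan | Build, Cancel, Configure, Read, Update, Tag | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |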

  4. Click Save to apply the configuration to the Packages job.
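
An added example, not part of the original post: a Python check that reads a job's config.xml and reports any deviation from the job-level grants listed above. The XML is a constructed sample; the permission IDs, the `USER:`/`GROUP:` entry prefix, and the mapping of the page's "Update" column to `hudson.model.Run.Update` are assumptions about how the Matrix Authorization Strategy plugin serializes this setup.

```python
import xml.etree.ElementTree as ET

PROP_TAG = "hudson.security.AuthorizationMatrixProperty"
INHERIT = "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
ITEM, RUN, SCM = "hudson.model.Item.", "hudson.model.Run.", "hudson.scm.SCM."

# Expected grants for the Packages job. Assumption: the page's "Update"
# column corresponds to the permission ID hudson.model.Run.Update.
EXPECTED = {
    "sam": {ITEM + "Build", ITEM + "Configure", ITEM + "Read"},
    "rohan": {ITEM + "Build", ITEM + "Cancel", ITEM + "Configure", ITEM + "Read",
              RUN + "Update", SCM + "Tag"},
}

def sample_config(grants, strategy=INHERIT):
    """Build a constructed config.xml for testing (not exported from a real job)."""
    perms = "".join(f"<permission>USER:{p}:{u}</permission>"
                    for u, ps in grants.items() for p in sorted(ps))
    return (f"<project><properties><{PROP_TAG}>"
            f'<inheritanceStrategy class="{strategy}"/>{perms}'
            f"</{PROP_TAG}></properties></project>")

def parse_entry(text):
    """Split 'USER:perm:sid' (prefixed format) or 'perm:sid' (legacy format)."""
    head, _, rest = text.strip().partition(":")
    if head in ("USER", "GROUP"):
        perm, _, sid = rest.partition(":")
        return perm, sid
    return head, rest

def audit(xml_text, expected=EXPECTED):
    """Return a list of deviations from the expected least-privilege grants."""
    prop = next(ET.fromstring(xml_text).iter(PROP_TAG), None)
    if prop is None:
        return ["project-based security is not enabled on this job"]
    findings, granted = [], {}
    strat = prop.find("inheritanceStrategy")
    if strat is None or strat.get("class") != INHERIT:
        findings.append("inheritance strategy is not InheritParentStrategy")
    for el in prop.findall("permission"):
        perm, sid = parse_entry(el.text or "")
        granted.setdefault(sid, set()).add(perm)
    for sid in sorted(set(granted) | set(expected)):
        have, want = granted.get(sid, set()), expected.get(sid, set())
        findings += [f"{sid}: excess {p}" for p in sorted(have - want)]
        findings += [f"{sid}: missing {p}" for p in sorted(want - have)]
    return findings
```

An empty list from `audit()` means the job matches the intended matrix; any `excess` line is a grant beyond what was requested and is the one to review first.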

Verification and Conclusion

The configuration is now complete and verified:

  • sam can log in and perform read, build, and configure actions on the Packages job.

  • rohan can log in and holds every permission granted in the Packages job matrix, including the ability to cancel builds and tag SCM revisions.

  • Neither user has global administrative access, adhering to security best practices.

The successful implementation demonstrates the correct application of the Project-based Matrix Authorization Strategy for granular access control in the Jenkins environment.
