Home/ Questions/Q 8727639
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T08:28:23+00:00

I am writing a plugin for an external app authentication with jenkins. I want

  • 0

I am writing a plugin for an external app authentication with jenkins. I want to delegate authorization logic to the external app. The external app has NONE, VIEW, EDIT and ALL permission for a user.

NONE is straightforward – just allow nothing

ALL is straightforward – allow everything

For EDIT and VIEW, I want these permissions:

VIEW should be able to view all jobs and views, but no configuration and can not change anything

EDIT should be able to view all jobs and views, create new views, create new jobs, edit jobs, but not access jenkins system configuration.

I can see these permissions in jenkins:

[ 0] Permission[class hudson.model.Hudson,Administer]
[ 1] Permission[class hudson.security.Permission,FullControl]
[ 2] Permission[class hudson.security.Permission,GenericRead]
[ 3] Permission[class hudson.security.Permission,GenericWrite]
[ 4] Permission[class hudson.security.Permission,GenericCreate]
[ 5] Permission[class hudson.security.Permission,GenericUpdate]
[ 6] Permission[class hudson.security.Permission,GenericDelete]
[ 7] Permission[class hudson.security.Permission,GenericConfigure]
[ 8] Permission[class hudson.model.Hudson,Read]
[ 9] Permission[class hudson.model.Hudson,RunScripts]
[10] Permission[interface hudson.model.Item,Create]
[11] Permission[interface hudson.model.Item,Delete]
[12] Permission[interface hudson.model.Item,Configure]
[13] Permission[interface hudson.model.Item,Read]
[14] Permission[interface hudson.model.Item,ExtendedRead]
[15] Permission[interface hudson.model.Item,Build]
[16] Permission[interface hudson.model.Item,Workspace]
[17] Permission[interface hudson.model.Item,WipeOut]
[18] Permission[class hudson.model.View,Create]
[19] Permission[class hudson.model.View,Delete]
[20] Permission[class hudson.model.View,Configure]

Which Jenkins permissions from above list should I use for EDIT and VIEW?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Start with conservative rights:

    • no hudson.security.Permission,Generic* for either VIEW or EDIT, also no RunScripts (add for EDIT only if you notice it is needed),
    • other hudson.model.* permissions for EDIT (maybe not deletes, question does not specify),
    • only basic read permissions for VIEW, add ExtendedRead for VIEW only if you don’t get to view all you need without it (that is probably for viewing job configurations, I guess, but try without it first).

    For authoritative answer, check Jenkins source, but trial and error starting from the conservative side should give you optimal answer with just a few iterations.

    I guess you’d like a full list of correct permissions as an answer, but that would really require testing before answering, or careful inspection of source to see where these are checked, and then you would have to test yourself anyway to be safe (since this is security related question on an anonymous forum).

    Related (and only one I know of) link to Jenkins documentation, about actually using permissions, which may help in grepping the source code: https://wiki.jenkins-ci.org/display/JENKINS/Making+your+plugin+behave+in+secured+Jenkins

    • 0