Configuring Jenkins User Access with Project-Based Matrix Authorizatio

Welcome back! 👋 Day 70 of the 100 Days Cloud DevOps Challenge, and today we're implementing Jenkins Role-Based Access Control! This is security best practice - controlling who can access what in your CI/CD platform with granular permissions. Let's secure! 🎯

🎯 The Mission - Configure User Access Control

📋 TASK TICKET #DEV-8070 - Jenkins RBAC Implementation
Priority: HIGH | Type: Security Configuration
Server: Jenkins | Access: Web UI

REQUIREMENT:
- Configure user access for development team
- Implement role-based permissions
- Remove anonymous access
- Secure existing jobs

IMPLEMENTATION:
1. Login to Jenkins
   - Username: admin
   - Password: Adm!n321

2. Create User:
   - Username: javed
   - Password: BruCStnMT5
   - Full Name: Javed

3. Configure Authorization:
   - Strategy: Project-based Matrix Authorization
   - javed: Overall Read permission
   - Anonymous: Remove all permissions
   - admin: Retain Overall Administer

4. Job Permissions:
   - javed: Read permission only
   - No other permissions (Agent, SCM, etc.)

SUCCESS CRITERIA:
- User created successfully
- Matrix authorization configured
- Anonymous access removed
- Job permissions set correctly

This is enterprise security implementation! 🔒

🛠️ Complete Implementation

Step 1: Access Jenkins UI

1. Click "Jenkins" button on top bar

2. Login page appears

3. Enter credentials:
   Username: admin
   Password: Adm!n321

4. Click "Sign in"

Logged in successfully! ✅

Step 2: Create New User

Navigate to User Management:

1. From Dashboard, click "Manage Jenkins" (left sidebar)

2. Click "Manage Users" (or "Users" section)

3. Click "Create User" button (top left)

4. Fill in the form:

Create User form:

┌─────────────────────────────────────────┐
│  Create User                            │
├─────────────────────────────────────────┤
│  Username:    [javed]                   │
│  Password:    [BruCStnMT5]              │
│  Confirm:     [BruCStnMT5]              │
│  Full name:   [Javed]                   │
│  E-mail:      [javed@example.com]       │
│               (optional)                │
│                                         │
│  [Create User]                          │
└─────────────────────────────────────────┘

Enter exactly:

Username: javed
Password: BruCStnMT5
Confirm password: BruCStnMT5
Full name: Javed
E-mail: (can leave blank or add email)

Click "Create User" ✅

User created successfully! You'll see javed in the user list.

Step 3: Install Matrix Authorization Plugin

Before configuring authorization, need to install plugin:

1. Go to "Manage Jenkins"

2. Click "Manage Plugins" (or "Plugins")

3. Click "Available plugins" tab

4. Search for: "Matrix Authorization Strategy Plugin"

5. Check the checkbox: ☑ Matrix Authorization Strategy Plugin

6. Click "Install" button

7. On installation page, check:
   ☑ Restart Jenkins when installation is complete 
      and no jobs are running

8. Wait for installation to complete

9. Jenkins will automatically restart

Plugin installation progress:

┌─────────────────────────────────────────┐
│  Installing Plugins/Upgrades            │
├─────────────────────────────────────────┤
│  ✓ Matrix Authorization Strategy Plugin │
│    installed successfully               │
│                                         │
│  ☑ Restart Jenkins when installation   │
│     is complete and no jobs are running │
│                                         │
│  Status: Restarting Jenkins...          │
└─────────────────────────────────────────┘

Wait for restart (30-60 seconds)

IMPORTANT: Wait for login page to reappear. Don't click "Finish" immediately!

After Jenkins restarts:

1. Login page reappears

2. Login again:
   Username: admin
   Password: Adm!n321

3. Back to Dashboard

Step 5: Configure Global Security Settings

Navigate to Security Configuration:

1. Click "Manage Jenkins"

2. Click "Configure Global Security" 
   (or "Security" → "Configure Global Security")

3. You'll see Security Realm and Authorization sections

Security Configuration page:

┌─────────────────────────────────────────┐
│  Configure Global Security              │
├─────────────────────────────────────────┤
│  Security Realm:                        │
│  ⦿ Jenkins' own user database           │
│  ☐ Allow users to sign up               │
│                                         │
│  Authorization:                         │
│  ⦿ Project-based Matrix Authorization   │
│     Strategy                            │
│                                         │
│  [Configure permissions below]          │
└─────────────────────────────────────────┘

Step 6: Select Authorization Strategy

In Authorization section:

1. Find "Authorization" dropdown/radio buttons

2. Select "Project-based Matrix Authorization Strategy"
   ⦿ Project-based Matrix Authorization Strategy

3. Matrix permission table will appear below

Note: If you don't see this option, verify Matrix Authorization 
      plugin installed successfully

Why Project-based Matrix?

Options:
- Logged-in users can do anything
  (Too permissive)

- Matrix-based security
  (Global only)

- Project-based Matrix Authorization Strategy ✓
  (Global + per-project permissions)

- Role-Based Strategy
  (Requires additional plugin)

Step 7: Configure Admin Permissions

In the permission matrix:

1. You'll see "User/group to add" field

2. Type: admin

3. Click "Add" button

4. Check ALL permissions for admin user:
   ☑ Overall - Administer (this checks all)

   Or manually check all boxes in admin row

5. This ensures admin retains full access

Permission matrix for admin:

┌────────────────────────────────────────────────────────┐
│  User/group    | Overall | Credentials | Agent | Job   │
├────────────────────────────────────────────────────────┤
│  admin         | ☑ Adm   | ☑ All      | ☑ All | ☑ All │
│                | ☑ Cfg   |            |       |       │
│                | ☑ Read  |            |       |       │
└────────────────────────────────────────────────────────┘

Step 8: Add Javed User with Read Permission

Add javed to permission matrix:

1. In "User/group to add" field, type: javed

2. Click "Add" button

3. javed appears as new row in matrix

4. For javed, check ONLY:
   ☑ Overall - Read

5. Leave all other permissions unchecked for javed

IMPORTANT: Only check "Overall > Read" - nothing else!

Permission matrix with javed:

┌────────────────────────────────────────────────────────┐
│  User/group    | Overall           | Credentials | Job │
├────────────────────────────────────────────────────────┤
│  admin         | ☑ Administer      | ☑ All      | ☑ All│
│                | ☑ Configure       |            |      │
│                | ☑ Read            |            |      │
├────────────────────────────────────────────────────────┤
│  javed         | ☐ Administer      | ☐ All      | ☐ All│
│                | ☐ Configure       |            |      │
│                | ☑ Read            |            |      │
└────────────────────────────────────────────────────────┘

Step 9: Remove Anonymous User Permissions

Check for Anonymous user:

1. Look for "Anonymous" row in permission matrix

2. If exists, uncheck ALL permissions:
   ☐ Overall - Administer
   ☐ Overall - Configure  
   ☐ Overall - Read
   ☐ (Uncheck everything)

3. Or click "Delete" (trash icon) to remove Anonymous entirely

This removes anonymous access completely

No anonymous access:

┌────────────────────────────────────────────────────────┐
│  User/group    | Overall           | Credentials | Job │
├────────────────────────────────────────────────────────┤
│  admin         | ☑ Administer      | ☑ All      | ☑ All│
│  javed         | ☑ Read (only)     | ☐ All      | ☐ All│
│  Anonymous     | ☐ (removed/none)  | ☐ All      | ☐ All│
└────────────────────────────────────────────────────────┘

Click "Save" at bottom of page ✅

Step 10: Configure Job-Specific Permissions

For existing job(s):

1. Go to Jenkins Dashboard

2. Click on the existing job name

3. Click "Configure" (left sidebar)

4. Scroll down to find "Enable project-based security" checkbox

5. Check: ☑ Enable project-based security

6. Permission matrix appears for this job

7. Add javed:
   - In "User/group to add": javed
   - Click "Add"

8. For javed, check ONLY:
   ☑ Job - Read

9. Leave unchecked:
   ☐ Job - Build
   ☐ Job - Cancel
   ☐ Job - Configure
   ☐ Job - Delete
   ☐ Job - Discover
   ☐ Job - Move
   ☐ Job - Workspace
   ☐ SCM - Tag
   ☐ Run - Delete
   ☐ Run - Replay
   ☐ Run - Update

10. Click "Save"

Job-specific permissions:

┌────────────────────────────────────────────────────────┐
│  Enable project-based security                         │
│  ☑ Enable project-based security                       │
│                                                        │
│  User/group    | Job                    | SCM  | Run  │
├────────────────────────────────────────────────────────┤
│  admin         | ☑ All                  | ☑ All| ☑ All│
│  javed         | ☑ Read (only)          | ☐    | ☐    │
│                | ☐ Build, Configure...  |      |      │
└────────────────────────────────────────────────────────┘

Step 11: Test User Access

Test javed user login:

1. Logout from admin account
   - Click "admin" (top right)
   - Click "Log out"

2. Login as javed:
   Username: javed
   Password: BruCStnMT5

3. Verify javed can:
   ✓ See Dashboard (Overall Read)
   ✓ View job list
   ✓ Click on job to view (Job Read)

4. Verify javed CANNOT:
   ✗ Access "Manage Jenkins"
   ✗ Create new jobs
   ✗ Build jobs
   ✗ Configure jobs
   ✗ Delete anything

5. Logout and login back as admin

Javed's view (limited):

┌─────────────────────────────────────────┐
│  Jenkins            [javed ▼]           │
├─────────────────────────────────────────┤
│  (No "Manage Jenkins" link)             │
│                                         │
│  Jobs:                                  │
│  └─ existing-job [view only]            │
│                                         │
│  (No "New Item" button)                 │
└─────────────────────────────────────────┘

Step 12: Complete Verification

# SSH to Jenkins server for CLI verification
ssh root@jenkins

# Create verification script
cat > verify-rbac.sh << 'EOF'
#!/bin/bash
echo "=== Jenkins RBAC Configuration Verification ==="
echo ""
echo "1. Jenkins Users:"
if [ -f /var/lib/jenkins/users/users.xml ]; then
    sudo grep '<string>' /var/lib/jenkins/users/users.xml | sed 's/.*<string>\(.*\)<\/string>.*/\1/'
    echo "   ✓ Users file exists"
else
    echo "   ✗ Users file not found"
fi
echo ""
echo "2. User 'javed' Details:"
if sudo ls /var/lib/jenkins/users/javed* >/dev/null 2>&1; then
    echo "   ✓ User 'javed' exists"
    FULL_NAME=$(sudo grep '<fullName>' /var/lib/jenkins/users/javed*/config.xml | sed 's/.*<fullName>\(.*\)<\/fullName>.*/\1/')
    echo "   Full Name: $FULL_NAME"
else
    echo "   ✗ User 'javed' not found"
fi
echo ""
echo "3. Security Configuration:"
if sudo grep -q "ProjectMatrixAuthorizationStrategy" /var/lib/jenkins/config.xml; then
    echo "   ✓ Project-based Matrix Authorization enabled"
else
    echo "   ✗ Matrix Authorization not configured"
fi
echo ""
echo "4. Global Permissions Check:"
if sudo grep -q '<permission>hudson.model.Hudson.Administer:admin</permission>' /var/lib/jenkins/config.xml; then
    echo "   ✓ admin has Administer permission"
fi
if sudo grep -q '<permission>hudson.model.Hudson.Read:javed</permission>' /var/lib/jenkins/config.xml; then
    echo "   ✓ javed has Read permission"
fi
echo ""
echo "5. Anonymous User Check:"
if sudo grep -q 'anonymous' /var/lib/jenkins/config.xml; then
    echo "   ⚠ Anonymous user may have permissions"
else
    echo "   ✓ No anonymous permissions found"
fi
echo ""
echo "6. Installed Authorization Plugin:"
if [ -d /var/lib/jenkins/plugins/matrix-auth ]; then
    echo "   ✓ Matrix Authorization Strategy Plugin installed"
    PLUGIN_VERSION=$(sudo grep 'Plugin-Version' /var/lib/jenkins/plugins/matrix-auth/META-INF/MANIFEST.MF | cut -d' ' -f2)
    echo "   Version: $PLUGIN_VERSION"
else
    echo "   ✗ Matrix Authorization Plugin not found"
fi
echo ""
echo "7. Security Realm:"
if sudo grep -q 'HudsonPrivateSecurityRealm' /var/lib/jenkins/config.xml; then
    echo "   ✓ Jenkins own user database enabled"
fi
echo ""
echo "8. Job Configuration:"
JOB_COUNT=$(sudo ls -1d /var/lib/jenkins/jobs/*/ 2>/dev/null | wc -l)
echo "   Total jobs: $JOB_COUNT"
if [ $JOB_COUNT -gt 0 ]; then
    for job in /var/lib/jenkins/jobs/*/config.xml; do
        if [ -f "$job" ]; then
            JOB_NAME=$(basename $(dirname "$job"))
            if sudo grep -q "project-based security" "$job" 2>/dev/null; then
                echo "   ✓ $JOB_NAME has project-based security"
            fi
        fi
    done
fi
echo ""
echo "✓ VERIFICATION COMPLETE"
EOF

chmod +x verify-rbac.sh
./verify-rbac.sh

Expected output:

=== Jenkins RBAC Configuration Verification ===

1. Jenkins Users:
admin
javed
   ✓ Users file exists

2. User 'javed' Details:
   ✓ User 'javed' exists
   Full Name: Javed

3. Security Configuration:
   ✓ Project-based Matrix Authorization enabled

4. Global Permissions Check:
   ✓ admin has Administer permission
   ✓ javed has Read permission

5. Anonymous User Check:
   ✓ No anonymous permissions found

6. Installed Authorization Plugin:
   ✓ Matrix Authorization Strategy Plugin installed
   Version: 3.2.1

7. Security Realm:
   ✓ Jenkins own user database enabled

8. Job Configuration:
   Total jobs: 1
   ✓ existing-job has project-based security

✓ VERIFICATION COMPLETE

All RBAC configuration verified! 🎊

🔍 Understanding Jenkins Authorization

Authorization Strategies

1. Anyone can do anything:

❌ No security
❌ Anonymous full access
❌ Not production-safe

Use: Never in production

2. Logged-in users can do anything:

⚠️ Basic authentication required
⚠️ No role separation
⚠️ All users have full access

Use: Small trusted teams only

3. Matrix-based security:

✓ Granular permissions
✓ Per-user control
✗ Only global permissions
✗ No per-job control

Use: Simple environments

4. Project-based Matrix Authorization (Our choice):

✓ Granular permissions
✓ Per-user control
✓ Global permissions
✓ Per-job permissions

Use: Enterprise environments ← Best practice

5. Role-Based Strategy:

✓ Role definitions
✓ User assignment to roles
✓ Reusable permissions
✓ Easier management at scale

Use: Large teams with many users

Permission Types

Overall Permissions:

Administer:
- Full system access
- Manage Jenkins
- Install plugins
- Configure security
- Create/delete jobs

Configure:
- Change system settings
- Manage credentials
- Configure tools

Read:
- View dashboard
- See job list
- Access public pages

Job Permissions:

Read:
- View job configuration
- See build history
- Access workspace

Build:
- Trigger builds
- Build with parameters

Configure:
- Modify job settings
- Change pipeline
- Update SCM

Delete:
- Remove job
- Permanent action

Workspace:
- Browse workspace
- View files

Credentials Permissions:

Create:
- Add new credentials

Delete:
- Remove credentials

Manage Domains:
- Organize credentials

Update:
- Modify existing credentials

View:
- See credential metadata (not secrets)

Matrix Authorization Structure

Permission inheritance:

Global Permissions
├── admin (Administer) ← Full access
├── javed (Read) ← Limited access
└── Anonymous (None) ← No access

Job-Specific Permissions (overrides):
├── Project A
│   ├── admin (All)
│   └── javed (Read)
└── Project B
    ├── admin (All)
    └── javed (Read + Build)

Security Best Practices

User Management:

✓ Principle of least privilege
✓ Separate admin accounts
✓ Unique user credentials
✓ Regular access reviews
✓ Disable unused accounts
✓ Enforce strong passwords

Anonymous Access:

❌ Remove all permissions
❌ Disable anonymous browsing
✓ Require authentication
✓ Force login page

Admin Protection:

✓ Limited admin accounts
✓ Separate admin/user accounts
✓ Admin access logging
✓ 2FA for admins (if available)

💡 Key Takeaways

✨ Project-based Matrix enables granular control
✨ Overall Read gives dashboard access only
✨ Job Read allows viewing without modification
✨ Anonymous removal prevents unauthorized access
✨ Admin Administer maintains full control
✨ Per-job security enables project isolation
✨ Least privilege improves security posture
✨ Matrix plugin required for advanced RBAC

🎓 Quick Interview Questions

Q: What's the difference between Matrix-based and Project-based Matrix Authorization? A: Matrix-based: Global permissions only, applied uniformly across Jenkins. Project-based Matrix: Global permissions PLUS per-project permissions, enabling different access levels for different jobs. Project-based provides more granular control.

Q: Why remove anonymous user permissions? A: Security: Prevents unauthorized access to build information, job configurations, and system settings. Anonymous access can expose: source code, credentials, build logs, pipeline definitions. Production Jenkins should require authentication.

Q: What's the risk of granting "Overall Administer" permission? A: Full system control: install plugins, modify security, delete jobs, access all credentials, execute arbitrary code, shut down Jenkins. Only trusted administrators should have this permission. Use separate admin accounts.

Q: Can a user with only "Overall Read" create jobs? A: No. Overall Read allows: view dashboard, see job list, access Jenkins UI. Cannot: create jobs, build, configure, manage Jenkins. Need "Job Create" permission under Overall category for job creation.

Q: What happens if you give "Job Build" but not "Job Read"? A: User can trigger builds but cannot see job details, configuration, or build history. Unusual configuration. Typically: Read < Build < Configure < Delete (progressive permissions).

Q: How do per-project permissions override global permissions? A: Project permissions ADD to global permissions (don't subtract). If user has global "Overall Read" and project "Job Build", they can read globally AND build that specific project. Cannot restrict below global level.

Q: What's the security implication of "Workspace" permission? A: Allows browsing job workspace, viewing checked-out source code, build artifacts, temporary files. May expose: passwords in scripts, API keys in config files, sensitive data in files. Grant carefully.

Q: How do you handle user offboarding in Jenkins? A: (1) Disable user account (don't delete immediately), (2) Remove from all permission matrices, (3) Audit their job history, (4) Review credentials they created, (5) Update shared credentials, (6) Document access removal, (7) Delete account after retention period.

Q: Can you implement role-based access without plugins? A: Limited. Project-based Matrix provides basic RBAC (assign permissions per user/group). For true roles (define role, assign users to role), need Role-Based Authorization Strategy plugin. Matrix requires managing users individually.

Q: What's the purpose of "Configure" permission vs "Administer"? A: Configure: Modify Jenkins settings (tools, clouds, system properties) but cannot change security settings, install plugins, or manage users. Administer: Full unrestricted access including security. Configure is subset of Administer.

Advanced Questions:

Q: How does Jenkins handle permission precedence with multiple groups? A: Additive: User gets union of all permissions from all groups. If user in Group A (Read) and Group B (Build), they have Read + Build. No permission subtraction - always adding. Most permissive wins.

Q: What are the security risks of "Script Console" access? A: Execute arbitrary Groovy code with Jenkins server privileges: access file system, modify running jobs, read all credentials, install malware, disable security, create backdoors. Only admin should access. Equivalent to server root access.

Q: How do you audit permission changes in Jenkins? A: Enable audit trail plugin, review /var/lib/jenkins/config.xml history (version control), check Jenkins system log, monitor security events. Best practice: store config in Git with approval workflow.

Q: Can you implement LDAP/AD integration with Matrix authorization? A: Yes. Configure Security Realm (LDAP) and Authorization Strategy (Matrix) separately. LDAP authenticates users, Matrix controls permissions. Can reference LDAP groups in permission matrix. Best for enterprise environments.

Q: What's the performance impact of complex permission matrices? A: Each permission check queries matrix. Large matrices (hundreds of users/jobs) can slow Jenkins. Solutions: use groups instead of individual users, cache permissions, use Role-Based plugin for better performance, limit permission inheritance depth.

🎉 Final Thoughts

You've successfully implemented Role-Based Access Control in Jenkins! This is enterprise security standard.

What you accomplished: ✅ Created user account (javed)
✅ Installed Matrix Authorization plugin
✅ Configured Project-based Matrix Authorization
✅ Set Overall Read permission for javed
✅ Removed Anonymous access completely
✅ Retained admin Administer permissions
✅ Configured job-specific Read permission
✅ Tested access control

Security configuration:

Users:
├── admin (Administer - Full access)
├── javed (Read - Limited access)
└── Anonymous (Removed - No access)

Global Permissions:
├── admin: Overall Administer ✓
├── javed: Overall Read ✓
└── Anonymous: None ✓

Job Permissions:
├── admin: All permissions ✓
└── javed: Read only ✓

Real-world impact:

Least privilege (users have minimum needed access)
Audit trail (know who did what)
Compliance (meet security requirements)
Risk reduction (limit blast radius)
Team collaboration (safe delegated access)

Skills acquired:

User management
RBAC implementation
Matrix authorization
Permission configuration
Security best practices
Access control testing

Next steps:

Create more user roles
Implement LDAP integration
Enable audit logging
Setup credential management
Configure folder-level permissions

This is enterprise security excellence! 💪

Day: 70/100
Challenge: KodeKloud Cloud DevOps
Date: January 14, 2026
Topic: Jenkins User Management & Authorization

How do you handle access control in your CI/CD? Share your RBAC strategies! 🔐

Day 70: Jenkins User Management & Authorization - Role-Based Access Control 🔐

🎯 The Mission - Configure User Access Control

🛠️ Complete Implementation

Step 1: Access Jenkins UI

Step 2: Create New User

Step 3: Install Matrix Authorization Plugin

Step 5: Configure Global Security Settings

Step 6: Select Authorization Strategy

Step 7: Configure Admin Permissions

Step 8: Add Javed User with Read Permission

Step 9: Remove Anonymous User Permissions

Step 10: Configure Job-Specific Permissions

Step 11: Test User Access

Step 12: Complete Verification

🔍 Understanding Jenkins Authorization

Authorization Strategies

Permission Types

Matrix Authorization Structure

Security Best Practices

💡 Key Takeaways

🎓 Quick Interview Questions

🎉 Final Thoughts

Comments

More from this blog

Day 73: Jenkins Job for Automated Log Collection - CI/CD Pipeline Basics 🔄

Day 72: Jenkins Multiple Parameter Types - Advanced Parameterized Jobs 🎛️

Day 71: Jenkins Parameterized Jobs - Automated Package Installation 📦

Day 69: Jenkins Plugin Installation - Git & GitLab Integration 🔌

Command Palette

🎯 The Mission - Configure User Access Control

🛠️ Complete Implementation

Step 1: Access Jenkins UI

Step 2: Create New User

Step 3: Install Matrix Authorization Plugin

Step 4: Login After Restart

Step 5: Configure Global Security Settings

Step 6: Select Authorization Strategy

Step 7: Configure Admin Permissions

Step 8: Add Javed User with Read Permission

Step 9: Remove Anonymous User Permissions

Step 10: Configure Job-Specific Permissions

Step 11: Test User Access

Step 12: Complete Verification

🔍 Understanding Jenkins Authorization

Authorization Strategies

Permission Types

Matrix Authorization Structure

Security Best Practices

💡 Key Takeaways

🎓 Quick Interview Questions

🎉 Final Thoughts

Comments

More from this blog