I am new to the group and have been asked as part of our project to add / update the global security settings of a folder using an API Call.
I am able to add, modify, delete using the config.xml for a folder using the following URL via postman : <<jenkins_url>>/job/<>/config.xml
using the permission in the XML file as :
permission USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:User permission
Or, would it be possible to provide the global security settings in the config.xml while creating the folder. I can see in the config.xml the following
globalSettings class=“jenkins.mvn.DefaultGlobalSettingsProvider”
is it possible to provide permissions within this global settings?
globalSettings has nothing to do with permissions. I think this is related to maven global settings.
You can provide permissions also while creating a job/folder by posting the config.xml to .../createItem?name=<name of job/folder>
Yes got it, its for maven global settings and not for permissions.
Have the config.xml and it is used on post for creation and modification of folders.
For clarity, have added the Project based Authorization Matrix Strategy image below and this is available in - (JenkinsbaseURL)/configureSecurity/ and want to provide permissions to users / groups (Active directory) a permission of say Metrics - View, what should be the permission value.
For instance, for Credentials Provider, for create permission, it is set as -
USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:(user or group name)
Similarly for Metrics what should be set
USER:com.cloudbees…Metrics.(User or group name). I need to know the package and class name for Metrics, couldn’t find the correct details for the same.
You can look them up when you check them and save in your JENKINS_HOME/config.xml
The classes for Metrics are jenkins.metrics.api.Metrics.View, jenkins.metrics.api.Metrics.ThreadDump and jenkins.metrics.api.Metrics.HealthCheck.
But these can only be applied globally and not on folder level.
Thanks for the information. I don’t have access, unable to get the config.xml. I use the API’s to get the config.xml.
Relating to this question, you mentioned that “it can only be applied globally” have two questions relating to the above. We are using a functional ID for creating folders and giving permissions to the new user ID’s and groups. This functional ID has only create Job permission
Can this functional ID give permissions to users and groups created by this functional ID, for global permission like Metrics View. I know it will not be possible just a confirmation
To give global permissions it would need administrator access is that correct?
If the functional user has only job create permission it will not be able to modify global permissions. But as folder permissions are managed by the folder config.xml that user can grant any permission that can be managed on folder to any user.
Earlier you mentioned you’re using Active Directory. I would check it it is possible to have a group in AD, that you grant the metrics permissions in Jenkins. Then to grant access to the metrics you just need to add the user to the group in AD.