Adding user into AzureAd Matrix AuthorizationStrategy via jenkins job

Hi Everyone, Trying to add user with permission. Using AzureAD auth strategy. So far used below -

stage('Update Jenkins Security Matrix') {
    steps {
        script {
            def userId = env.userObjectId
            def permission = hudson.model.Hudson.Administer
            def azureStrategy = Jenkins.instance.getAuthorizationStrategy()
            def permissionEntry = new org.jenkinsci.plugins.matrixauth.PermissionEntry(permission, userId)
            azureStrategy.add(permission, permissionEntry)

            Jenkins.instance.save()
        }
    }
}

Getting error :

Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: dafbe164-8fec-45cc-85f3-253d8806485b
14:31:04 groovy.lang.MissingPropertyException: No such field found: field java.lang.Class Administer
14:31:04 	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:402)
14:31:04 	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:386)
14:31:04 	at org.kohsuke.groovy.sandbox.impl.Checker$7.call(Checker.java:375)

There is no hudson.model.Hudson.Administer.
Try something like this:

def userId = env.userObjectId
def permission = jenkins.model.Jenkins.ADMINISTER
def azureStrategy = Jenkins.instance.getAuthorizationStrategy()
def type = com.microsoft.jenkins.azuread.AuthorizationType.USER
def permissionEntry = new com.microsoft.jenkins.azuread.PermissionEntry(type, userId) 
azureStrategy.add(permission, permissionEntry)

Thanks for letting me know. But there is no such class found.

15:28:34  WorkflowScript: 64: unable to resolve class com.microsoft.jenkins.azuread.PermissionEntry 
15:28:34   @ line 64, column 23.
15:28:34     def permissionEntry = new com.microsoft.jenkins.azuread.PermissionEntry(type, userId) 
15:28:34                           ^
15:28:34  
15:28:34  1 error
15:28:34  
15:28:34  	at org.codehaus.groovy.control.ErrorCollector.failIfErrors(ErrorCollector.java:309)

Used plugin version - Microsoft Entra ID (previously Azure AD)
Version 457.vf85d61f83b_26

Ok you wrote you use azureAD so I assumed you use that plugin. Then go back to the original package

...
def type = org.jenkinsci.plugins.matrixauth.AuthorizationType.USER
def permissionEntry = new org.jenkinsci.plugins.matrixauth.PermissionEntry(type, userId)
...

Many thanks. It worked 🙂

What are all the permission sets or paths? jenkins.model.Jenkins.BUILD is not working. Where can I find all the permissions? In my Jenkins config it's like below:

<permission>USER:hudson.model.Item.Build:08dd9e02-3209-4288-8251-44eddd0ef00b</permission>
<permission>USER:hudson.model.Item.Cancel:fb8def53-4f94-42ad-9058-d6bce85b20af</permission>
<permission>USER:hudson.model.Item.Configure:08dd9e02-3209-4288-8251-44edbb0ede00b</permission>
<permission>USER:hudson.model.Item.Create:08dd9e02-3459-4488-8251-42edbb0effe0b</permission>

jenkins.model.Jenkins.BUILD is not a known permission.
The build permission is hudson.model.Item.BUILD
You could grant for an admin all permissions, and then look at the config.xml to get a list of all permissions. From the class name you can usually guess what the permission stands for.

I tried with paths fetched from config.xml (as shared above) and got an error.

13:19:55 Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 954252db-ad0e-496a-b668-094b10ff0496
13:19:55 groovy.lang.MissingPropertyException: No such field found: field java.lang.Class Build
13:19:55 	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:402)

Note: Looking to set permissions according to user role (not all admin); some would have read-only, some with build, etc.

Grant the permissions via the UI, then look at the config.xml and you get a list of all permissions that you have in your Jenkins (plugins can also contribute permissions).
Not sure what you mean with path, permissions are class names the way you want to use them.

By path I mean permission class only. Added user via UI and the below was generated in config.xml. Tried using those permission classes but getting the error as shared above.

<permission>USER:hudson.model.Item.Build:08dd9e02-3209-4288-8251-44eddd0ef00b</permission>
<permission>USER:hudson.model.Item.Cancel:fb8def53-4f94-42ad-9058-d6bce85b20af</permission>
<permission>USER:hudson.model.Item.Configure:08dd9e02-3209-4288-8251-44edbb0ede00b</permission>
<permission>USER:hudson.model.Item.Create:08dd9e02-3459-4488-8251-42edbb0effe0b</permission>

You will need to share the code that you’re running to be able to understand the problem you’re facing.

Probably you need to capitalize the last part
e.g. hudson.model.Item.BUILD in your script
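
An added example (not posted by anyone in this thread, and not the plugin's own code): it resolves the permission IDs exactly as they appear in config.xml with `Permission.fromId`, then grants a per-role set to one user so that not everyone needs Administer. The role table, the `grantRole` helper and the all-zero object ID are hypothetical, and the script assumes a trusted, non-sandboxed context such as the script console, with the matrix-auth `PermissionEntry` class that worked earlier in the thread.

```groovy
import hudson.security.Permission
import jenkins.model.Jenkins
import org.jenkinsci.plugins.matrixauth.AuthorizationType
import org.jenkinsci.plugins.matrixauth.PermissionEntry

// Hypothetical role table: role name -> permission IDs as written in config.xml
def rolePermissions = [
    'read-only': ['hudson.model.Hudson.Read', 'hudson.model.Item.Read'],
    'builder'  : ['hudson.model.Hudson.Read', 'hudson.model.Item.Read',
                  'hudson.model.Item.Build', 'hudson.model.Item.Cancel'],
]

// Hypothetical helper: grants every permission of one role to one user object ID.
def grantRole(strategy, Map roles, String role, String userObjectId) {
    def ids = roles[role]
    if (ids == null) {
        throw new IllegalArgumentException("Unknown role: ${role}")
    }
    // Resolve every ID before changing anything, so a typo cannot leave a partial grant.
    def permissions = ids.collect { id ->
        def p = Permission.fromId(id)   // returns null when the ID is not registered
        if (p == null) {
            throw new IllegalArgumentException("Unknown permission ID: ${id}")
        }
        p
    }
    def entry = new PermissionEntry(AuthorizationType.USER, userObjectId)
    permissions.each { strategy.add(it, entry) }
    return permissions*.id
}

def jenkins = Jenkins.get()
def strategy = jenkins.getAuthorizationStrategy()

// Constructed placeholder; replace with the user's real object ID.
def granted = grantRole(strategy, rolePermissions, 'builder',
                        '00000000-0000-0000-0000-000000000000')
jenkins.save()
println "Granted: ${granted}"
```

`Permission.getAll()` lists every permission registered on the instance, including those contributed by plugins, which gives the same inventory as reading config.xml after granting everything to an admin.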