Changing authorization strategy with JCasC during migrations

We currently have dozens of Jenkins instances that need to be migrated to Kubernetes. We intend to enable SAML authentication and projectMatrix authorization strategy. Some of the current Jenkins instances use globalMatrix, others use projectMatrix. During test-migration of an instance which is running globalMatrix, we ran into the following error:

2022-02-16 13:07:24.818+0000 [id=29]	INFO	jenkins.InitReactorRunner$1#onAttained: System config loaded
2022-02-16 13:07:26.505+0000 [id=29]	SEVERE	jenkins.InitReactorRunner$1#onTaskFailed: Failed ConfigurationAsCode.init
java.lang.IllegalArgumentException: Permission can not be null for sid:Overall/Read:4e0f8217-1c58-41de-9716-60ca76710552

Our JCasC YAML file contains this:

        - GROUP:Overall/Read:4e0f8217-1c58-41de-9716-60ca76710552
        - GROUP:Credentials/Create:4e0f8217-1c58-41de-9716-60ca76710552
        - ...

Looking at the error, it’s clear that GlobalMatrixAuthorizationStrategy is being attempted, while projectMatrix is supplied for JCasC. This is likely because the current authorization strategy is set to globalMatrix, as seen in the config.xml:

<?xml version='1.1' encoding='UTF-8'?>
  <authorizationStrategy class="">

How can we ensure that JCasC erases the existing globalMatrix authorization strategy and forces projectMatrix? Thanks in advance!

Kind regards,

I found it to be related to the GROUP: prefix used. Once removed, the migrated instances started working. It was not related to the switch from globalMatrix → projectMatrix.