Help With Setting Up Access for New Users/Admins

I inherited Jenkins as part of my work as a Linux Engineer at my company. Up until now I haven’t had to really manage it any. Well now it’s being handed to a new team and I have been charged with setting up their access. I know Jenkins is tied into our Active Directory, because I use my AD account to log on to it.

I click on Manage Jenkins → Manage and Assign Roles → Assign Roles. There, under Global Roles are four AD groups used for elevated access (all have the admin role checked), and then 7 named users (most have admin checked, one has builder checked, and Anonymous has read-only checked).

I’ve tried adding the new admins to the proper elevated access group in AD that’s also listed in Global Roles as an admin. I’ve also tried adding the user directly and making them an admin. In both cases, when they log on to Jenkins, they still only have Read-Only access. I feel like I’m missing something but I am not sure what.

Jenkins setup:

Jenkins: 2.265
OS: Linux - 3.10.0-1160.114.2.el7.x86_64
Java: 1.8.0_402 - Red Hat, Inc. (OpenJDK 64-Bit Server VM)

ace-editor:1.1
ant:1.13
antisamy-markup-formatter:1.5
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.25
branch-api:2.6.3
build-monitor-plugin:1.13+build.202111192133
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-credentials:3.3
cloudbees-folder:6.688.vfc7a_a_69059e0
command-launcher:1.6
conditional-buildstep:1.3.6
credentials:2.6.1
credentials-binding:1.27.1
display-url-api:2.3.5
docker-commons:1.19
docker-workflow:1.18
downstream-buildview:1.9
durable-task:1.37
echarts-api:5.2.1-2
email-ext:2.66
envinject-api:1.8
extended-choice-parameter:346.vd87693c5a_86c
external-monitor-job:191.v363d0d1efdf8
font-awesome-api:5.15.4-1
git-client:3.9.0
git-server:1.9
handlebars:3.0.8
jackson2-api:2.13.1-246.va8a9f3eaf46a
javadoc:217.v905b_86277a_2a_
jdk-tool:1.5
jobConfigHistory:2.31-rc1107.2354f08725a_8
jquery:1.12.4-1
jquery-detached:1.2.1
jquery-ui:1.0.2
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
ldap:1.26
lockable-resources:2.14
mailer:1.34.2
mapdb-api:1.0.9.0
matrix-auth:2.6.4
matrix-project:1.18.1
maven-plugin:3.3
momentjs:1.1.1
pam-auth:1.6.1
parameterized-trigger:2.35.2
pipeline-build-step:2.16
pipeline-graph-analysis:1.11
pipeline-input-step:427.va6441fa17010
pipeline-milestone-step:1.3.2
pipeline-model-api:1.3.9
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:1.3.9
pipeline-model-extensions:1.3.9
pipeline-rest-api:2.22
pipeline-stage-step:291.vf0a8a7aeeb50
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.22
plain-credentials:1.8
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
powershell:1.7
role-strategy:2.11
run-condition:1.2
schedule-build:0.5.1
scm-api:2.6.5
script-security:1138.v8e727069a_025
snakeyaml-api:1.29.1
ssh-credentials:1.18.1
ssh-slaves:1.26
structs:308.v852b473a2b8c
subversion:2.15.2
throttle-concurrents:2.0.1
timestamper:1.16
token-macro:2.8
translation:1.16
trilead-api:1.0.13
windows-slaves:1.8
workflow-aggregator:2.5
workflow-api:1138.v619fd5201b_2f
workflow-basic-steps:2.18
workflow-cps:2659.v52d3de6044d0
workflow-cps-global-lib:2.19
workflow-durable-task-step:2.31
workflow-job:1145.v7f2433caa07f
workflow-multibranch:2.24
workflow-scm-step:2.13
workflow-step-api:622.vb_8e7c15b_c95a_
workflow-support:3.8

You’re using a 4-year-old Jenkins version and an even older role strategy version. That version of role strategy is limited as it is case sensitive regarding users and groups.
What the users should do is go to <jenkins>/whoAmI/ and check what is shown as name. This is the username as detected by Jenkins; users should log in exactly like this, and the role must be assigned exactly to this name.
Authorities lists the groups to which the user belongs.
You can also look up this info as an admin for other users under <jenkinsurl>/user/<userid>/

You should definitely consider updating your Jenkins to the latest LTS and updating all plugins. The latest role strategy plugin is no longer case sensitive when the security realm is not case sensitive (e.g. LDAP or AD).
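The case-sensitive matching described in the answer above, as an added diagnostic example that is not part of the thread and not the plugin's own code: it compares the name and authorities shown at /whoAmI/ with the names typed into Assign Roles and lists entries that differ only by letter case. The user, group and role names are constructed sample values, and the function is a simplified model of an exact string comparison, not the plugin's implementation.

```python
# Added example: find role assignments that miss a user only because of letter case.
# All names below are constructed sample data, not values from the thread.

SAMPLE_NAME = "JDoe"                       # "Name" as shown at /whoAmI/
SAMPLE_AUTHORITIES = ["authenticated",     # "Authorities" as shown at /whoAmI/
                      "JENKINS-ADMINS",
                      "build-team"]
SAMPLE_ASSIGNMENTS = {                     # names as typed under Assign Roles
    "Jenkins-Admins": {"admin"},
    "jdoe": {"admin"},
    "build-team": {"builder"},
}


def resolve_roles(name, authorities, assignments):
    """Return (granted, near_misses).

    granted: roles whose assigned name equals the reported user name or one
             of the reported authorities exactly (case-sensitive).
    near_misses: (assigned_name, reported_name, roles) tuples where the two
             names are equal only when letter case is ignored, so an exact
             comparison skips them.
    """
    reported = [name] + list(authorities)
    folded = {}
    for sid in reported:
        folded.setdefault(sid.casefold(), sid)

    granted, near_misses = set(), []
    for sid, roles in assignments.items():
        if sid in reported:
            granted |= set(roles)
        elif sid.casefold() in folded:
            near_misses.append((sid, folded[sid.casefold()], sorted(roles)))
    return granted, sorted(near_misses)


if __name__ == "__main__":
    granted, misses = resolve_roles(SAMPLE_NAME, SAMPLE_AUTHORITIES,
                                    SAMPLE_ASSIGNMENTS)
    print("roles granted by exact match:", sorted(granted))
    for assigned, seen, roles in misses:
        print(f"assigned to {assigned!r} but Jenkins reports {seen!r}: "
              f"{roles} not applied")
```

Each near miss is an entry to re-enter in Assign Roles with the exact spelling Jenkins reports.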

So the only thing I’ve done is add the users to the AD group referenced under global roles. However, when they log in and I do an LDAP test on their user, it doesn’t show any of their AD roles like it does for my account.