Is it possible to configure a job as write protected or even read protected even from the admin user of Jenkins?

The whole question is in the title:

Is it possible to configure a job as write protected or even read protected even from the admin user of Jenkins?

I have configured the job to be read only for other users, but admin can still read it. Is it possible to avoid this? Because I will use passwords in my script…

No.

Admins have access to everything.

Don’t use passwords. Use the credentials system.
Don’t give everyone admin.

1 Like

By default, Jenkins allows the admin user to have full access to all jobs, including read and write access. However, it is possible to restrict access to a job, even from the admin user, by using the Jenkins Role-Based Access Control (RBAC) plugin.

I have not tested it yet, but with the Jenkins RBAC plugin, you can define roles and assign permissions to specific users or groups. For example, you could create a role called “restricted access” and assign it to the job that you want to restrict access to. Then, you could remove the “Overall/Administer” permission from this role, effectively preventing even the admin user from accessing the job.

To set up the Jenkins RBAC plugin and create roles and permissions, you can follow the official documentation here: Role-based Authorization Strategy.

Note that this may impact other jobs and plugins that rely on the admin user having full access, so make sure to test thoroughly before applying this configuration to a production system.

@poddingue If you’re an administrator, you have access to everything no matter what you configure on a job.
In RBAC, global roles always have precedence over item/job roles.
And I think also in Matrix Auth, as admin you have all permissions even when you disable inheritance. On a job or folder, the Overall/Administer permission can’t be configured at all.

@iostrym
If you use passwords in your scripts and you don’t want other admins to see them, I wonder why you need this. Is it maybe a personal password? If yes, you’re doing something wrong. Consider using a technical user where it is OK for other admins to see the password.

1 Like
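
The replies above recommend the credentials system and a technical user instead of a password written into the job script. One way that can look in a Pipeline job, as an added example that is not code from any poster in this thread: it assumes the Credentials Binding plugin is installed, and the credentials ID `deploy-technical-user`, the variable names and the script `deploy.sh` are hypothetical.

```groovy
// Jenkinsfile (declarative Pipeline), added example.
// Before: the pattern from the question, a password typed into the script.
// Anyone who can read or configure the job sees it in plain text:
//
//     sh 'DEPLOY_USER=svc-deploy DEPLOY_PASS=S3cret! ./deploy.sh'
//
// After: the secret lives in the Jenkins credentials store as a
// "Username with password" entry for a technical (service) account.
// The job only references it by ID.
pipeline {
    agent any
    stages {
        stage('Deploy') {
            steps {
                withCredentials([usernamePassword(
                        credentialsId: 'deploy-technical-user', // hypothetical ID
                        usernameVariable: 'DEPLOY_USER',
                        passwordVariable: 'DEPLOY_PASS')]) {
                    // The values exist only as environment variables inside
                    // this block, and Jenkins masks them in the console log.
                    //
                    // Keep the single quotes: the shell expands the variables
                    // at run time. With a double-quoted Groovy string and
                    // ${DEPLOY_PASS}, the secret would be interpolated into
                    // the command line before the shell starts, where
                    // masking no longer protects it.
                    sh '''
                        set +x        # do not echo commands while the secret is in scope
                        ./deploy.sh   # hypothetical script; reads DEPLOY_USER / DEPLOY_PASS from the environment
                    '''
                }
            }
        }
    }
}
```

This keeps the password out of the job definition and out of the build log for users who can only read or configure the job; as the replies note, administrators still have access to everything, which is why the account behind the credential should be a technical user rather than a personal one.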