Restrict credentials access using credentials domains in Jenkins

Hi all,
I have teams (eng & prod) that share the same folder in Jenkins. They are using the same pipeline, which takes some credentials as a param (credID= variable_${env}, where env can be prod or eng). I have created two credential domains inside the folder, Eng-secrets & Prod-secrets. Knowing that I use role-based access control, is there a way to restrict access to credentials in such a way that the eng team will access only the Eng-secrets credentials domain, and the prod team will access only the Prod-secrets credentials domain?
Thank you.

Jenkins setup:
Jenkins version: 2.426.3
Credentials plugin version: 1319.v7eb_51b_3a_c97b_
Role-based Authorization Strategy plugin version: 689.v731678c3e0eb_

Hello @Bilel and welcome to this community. :wave:

I think you could restrict access to credentials in Jenkins based on the team using the Role-based Authorization Strategy plugin.

To get it to work, I think you could:

  1. Create roles for your teams: In Jenkins, go to “Manage Jenkins > Security > Authentication > Authorization > Role-Based Strategy” and click save.
  2. Go to “Manage Jenkins > Manage and Assign Roles”. Here, you can create roles for your teams (e.g., eng and prod) and assign them the necessary permissions.
  3. Assign roles to your teams: In the “Assign Roles” on the left, you can assign the roles you created to the users or groups that correspond to your teams.
  4. Restrict access to credentials: In the credentials plugin, you can restrict access to credentials based on roles. Go to “Manage Jenkins > Credentials” > “System” > “Global credentials (unrestricted)”. Here, you can create a new domain for each team (e.g., Eng-secrets and Prod-secrets) and restrict access to these domains based on the roles you created.

At least, that’s the way I think it works. :person_shrugging:

Hi Bruno,
Thank you for your reply.
I went under "Global credentials (unrestricted)", and I did not find the option to create a new domain. I’m only able to create a new credential there. Am I missing something?