Hi Nick,

It's not currently possible with Jenkins (but even if you could, the users 
can still do anything, including changing security permissions, by running a 
script in the console or uploading a plugin).

Part of what you are asking will be addressed by 
https://github.com/jenkinsci/jep/pull/249 / 
https://github.com/jenkinsci/jenkins/pull/4374 (and a likely follow-up to 
allow installations of plugins without CONFIG or ADMINISTER). 

The second part, "adding plugins", is always dangerous, given an installed 
plugin has unlimited access inside Jenkins (and we allow anyone to host a 
plugin on request). If you do not lock down your update center, then those 
users would again be able to run arbitrary code by installing an evil plugin 
that they maintain. Thus, even if a new permission existed, you would also 
need to have a curated UpdateCenter to only allow those users the ability 
to install plugins (and versions) that you have deemed safe/secure if you 
want a desire system.

Finally, with regards to editing security of Jobs, I am not sure about 
Project-based Matrix Authorization Strategy or the other open source 
alternatives (but I would guess there is a way); if not, I know CloudBees 
Core <https://www.cloudbees.com/products/core/overview> can provide this 
last piece of the puzzle (disclaimer: as you can tell from my email, I work 
for CloudBees).

Regards

/James


On Friday, December 13, 2019 at 9:37:41 AM UTC, Nick Howard wrote:
>
> Right now I'm the only developer at the company I work for and I have 
> unrestricted access to Jenkins, but we need to tighten down permissions. Is 
> there a way to set up a new user that would be able to maintain the users 
> and user permissions? That user would then remove my ability to make 
> changes in the "Configure Global Security" screen. But I still need other 
> admin ability, like adding plugins, or configuring the system.
>
> I suppose I shouldn't be able to edit the project-based security settings 
> in the job either, but I'm almost certain that isn't possible.
>
> Right now we're using Project-based Matrix Authorization Strategy, if that 
> matters.
>
> Is that possible? From what I've tested I don't think it is, but I haven't 
> done a ton with Jenkins.
>
> Thanks,
> Nick
>
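
Added example (not part of the original email and not Jenkins project code): one way to build the curated update center described in the reply, by filtering parsed update-center metadata down to an allowlist of reviewed plugins and versions. It assumes the metadata has a top-level `plugins` map whose entries carry `version` and `dependencies`; the plugin names, the `APPROVED` allowlist and the function name are hypothetical.

```python
import copy

# Constructed sample in the update-center.json layout (not real plugin data).
SAMPLE = {
    "id": "default",
    "signature": {"note": "constructed placeholder"},
    "plugins": {
        "approved-lib": {"version": "2.6", "dependencies": []},
        "approved-scm": {"version": "4.0", "dependencies": [
            {"name": "approved-lib", "optional": False},
            {"name": "unreviewed-plugin", "optional": True}]},
        "unreviewed-plugin": {"version": "1.0", "dependencies": []},
        "stale-approval": {"version": "2.5", "dependencies": []},
        "needs-unreviewed": {"version": "1.2", "dependencies": [
            {"name": "unreviewed-plugin", "optional": False}]},
    },
}
# Hypothetical allowlist: plugin name -> versions that passed review.
APPROVED = {"approved-lib": {"2.6"}, "approved-scm": {"4.0"},
            "stale-approval": {"2.4"}, "needs-unreviewed": {"1.2"}}


def curate_update_center(metadata, approved):
    """Return (curated metadata, {rejected plugin: reason})."""
    kept, rejected = {}, {}
    for name, entry in metadata.get("plugins", {}).items():
        version = entry.get("version")
        if name not in approved:
            rejected[name] = "plugin not approved"
        elif version not in approved[name]:
            rejected[name] = "version %s not approved" % version
        else:
            kept[name] = copy.deepcopy(entry)
    # A kept plugin is installable only if every mandatory dependency is
    # also kept; repeat until no more plugins fall out.
    changed = True
    while changed:
        changed = False
        for name, entry in list(kept.items()):
            missing = [d["name"] for d in entry.get("dependencies", [])
                       if not d.get("optional") and d["name"] not in kept]
            if missing:
                rejected[name] = "needs unapproved dependency: " + ", ".join(missing)
                del kept[name]
                changed = True
    curated = {k: copy.deepcopy(v) for k, v in metadata.items()
               if k not in ("plugins", "signature")}
    curated["plugins"] = kept
    # The upstream signature no longer matches; re-sign with your own key.
    return curated, rejected
```

Filtering the metadata only limits what the update center offers; it does not cover the console or plugin-upload paths the reply also mentions.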
