How to restrict configuration permissions for templates in Jenkins?

Question

I'm setting up a Jenkins-Server for building Unity-Projects so the required build-jobs are basically allways the same except some parameters like the Unity-Version.

To make it easier to configure new build jobs, I created a job called "TEMPLATE_JOB" so for future jobs I just can select "Copy from Template" while creating a new job.

In a next step I've discovered the Job-Generator PlugIn which basically does the same thing but even a bit more elegant. It basically copies itself replacing required parameters by given values and ofcourse changing the new generated jobs name.

Now my problem is the following:

Both solutions named before have one great issue. Since they are templates which's configurations are copied, I don't want normal users to be able to make any changes to them, but still be able to create new Jobs using them.

So I'm trying to use the Project-based Matrix Authorization Strategy to restrict normal users from configuring the template jobs.

But if I restrict users from beeing able to configure the templates / job generator, then also the permissions and restrictions are copied => users can create a Job but than not reconfigure their own created job anymore.

---

What I want is

• Only the administrator can configure the templates / job-generators.
• All normal users can configure the generated jobs.

Is there any security model in Jenkins which provides the functionality I'm trying to archive?

Answer 1

As far as I'm aware, there's no security model per se that can do this, but you could easily do this with something like the following:

• Do not give normal users the permission to create new jobs.
• Create a template job, and do not give normal users the permission to edit it.
• Create another new job that creates new jobs from the template job. Make it a parameterized job, and use the parameters passed in by the user to configure the new job. Give normal users the permission to run this job.

So now, whenever normal users want to create a new job, they can run this "create a new job" job.

You may also want to look into Jenkinsfiles and shared libraries, which allow more flexible job configuration by writing job definitions as code and putting common code into shared configuration.

If your jobs that you're creating from template happen to be for new Git repositories, you may also want to look into branch source plugins for Bitbucket and GitHub, which automatically create new Jenkins jobs by discovering repositories in Bitbucket or GitHub organizations.