diff --git a/content/doc/book/security/access-control/permissions.adoc b/content/doc/book/security/access-control/permissions.adoc index 061a3fe22ecc..5f6c674edd31 100644 --- a/content/doc/book/security/access-control/permissions.adoc +++ b/content/doc/book/security/access-control/permissions.adoc @@ -5,8 +5,6 @@ layout: documentation :toc: :toclevels: 3 -// TODO add some more permissions - The following sections describe the access granted to users with (or without) the specified permissions. == Default Permissions 
@@ -107,6 +105,118 @@ Anything they cannot accomplish through the existing UI they can do through the An instance on which an untrusted user gained _Overall/Administer_ permission should be considered fully compromised and should be replaced. All secrets (credentials, etc.) stored on that instance should be rotated or revoked and all artifacts created from that point on should be verified. + +=== _Agent_ Permissions + +Agent/Build:: +This permission allows users to run jobs as them on agents. +In default setup where all builds run under SYSTEM user this permission is not relevant, +but if link:/doc/book/security/build-authorization/[build authorization] is active this permission defines which users may run jobs on agents. + +Agent/Configure:: +This permission allows users to configure agents. +Users with this permission can make all jobs run on a computer where they have root access, +gaining access to all information used by the build (content of files, environment variables including credentials). + +Agent/Connect:: +This permission allows users to connect agents or mark agents as online. ++ +This permission is implied by _Agent/Disconnect_. + +Agent/Create:: +This permission allows users to create agents. Security implications are the same as for _Agent/Configure_. + +Agent/Delete:: +This permission allows users to delete existing agents. + +Agent/Disconnect:: +This permission allows users to disconnect agents or mark agents as temporarily offline. + +=== _Job_ Permissions + +Though these permissions use the word "Job" in their name, +they refer to any items you can create using the _New Item_ menu option (freestyle jobs, folders, pipelines, ...) + +Job/Build:: +This permission grants the ability to start a new build. + +Job/Cancel:: +This permission grants the ability to cancel a scheduled, or abort a running, build. + +Job/Configure:: +Change the configuration of a job. + +Job/Create:: +Create a new job. + +Job/Delete:: +Delete a job. 
+ +Job/Discover:: +This permission grants discover access to jobs. +Lower than read permissions, it allows you to redirect anonymous users to the login page when they try to access a job url. +Without it they would get a 404 error and wouldn't be able to discover project names. ++ +This permission is only useful if anonymous users have _Overall/Read_ permission, but not _Job/Read_. +It is implied by _Job/Read_. + +Job/Move:: +Required to move a job from one folder (or Jenkins root) to another. + +Job/Read:: +See a job. (You may deny this permission but allow Discover to force an anonymous user to log in to see the job.) + +Job/Workspace:: +This permission grants the ability to retrieve the contents of a workspace Jenkins checked out for performing builds. +If you don’t want a user to access files in the workspace (e.g. source code checked out from SCM or intermediate build results) through the workspace browser, you can revoke this permission. + +=== _Run_ Permissions + +Run/Delete:: +This permission allows users to manually delete specific builds from the build history. + +Run/Update:: +This permission allows users to update description and other properties of a build, for example to leave notes about the cause of a build failure. + +=== _View_ Permissions + +View/Configure:: +This permission allows users to change the configuration of views. + +View/Create:: +This permission allows users to create new views. + +View/Delete:: +This permission allows users to delete existing views. + +View/Read:: +This permission allows users to see views (implied by generic read access). + +=== _Credentials_ Permissions + +Following permissions are only enabled if the plugin:credentials[Credentials Plugin] is installed + +Credentials/Create:: +The create permission is necessary to add credentials to a credentials provider. + +Credentials/Delete:: +The delete permission is necessary to remove credentials stored in a credentials provider. 
+ +Credentials/ManageDomains:: +The manage domains permission is necessary to add/remove/configure the credential domains of a credentials provider (where the credentials provider supports multiple credential domains). + +Credentials/Update:: +The update permission is necessary to modify credentials in a credentials provider. + +Credentials/View:: +The view permission is necessary to view the credentials stored in a credentials provider. + +=== Pipeline-related Permissions + +Run/Replay:: +Ability to perform a new Pipeline build with an edited script. This permission is implied by Job/Configure. +This permission is enabled by plugin:workflow-cps[Pipeline: Groovy]. + == Optional Permissions These permissions are not enabled by default. @@ -141,7 +251,6 @@ Learn more in jep:223[]. NOTE: This permission was added in Jenkins 2.222. Some features, especially those provided by plugins, may not yet support this permission. - == Obsolete Permissions The following three permissions are obsolete since Jenkins 2.222:
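Review bot: in the second hunk's `_Job_ Permissions` list, the entries `Job/Configure:: Change the configuration of a job.`, `Job/Create:: Create a new job.` and `Job/Delete:: Delete a job.` are bare verb phrases with no security note, whereas `Agent/Configure` and `Agent/Create` in the same hunk spell out that they let a user control where and how builds run; `Job/Configure` deserves the same treatment, since changing a job's configuration means changing what the job executes, and all three should open with "This permission ..." like the surrounding entries. Smaller points in the same hunk: `Agent/Build` should read "In the default setup, where all builds run as the SYSTEM user, this permission is not relevant"; `Job/Discover` reads awkwardly as "Lower than read permissions, it allows you to redirect ..." and should say that it is weaker than `_Job/Read_` and lets Jenkins redirect anonymous users to the login page instead of returning a 404 when they request a job URL; the `_Credentials_ Permissions` intro is missing its article and full stop ("The following permissions are only enabled if the ... Credentials Plugin is installed."); and `Run/Replay` references `Job/Configure` without the `_Job/Configure_` italics used everywhere else, and should also start with "This permission grants the ability to ...". The `Job/Workspace` entry uses a curly apostrophe in "don’t" while the rest of the file uses straight quotes.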