Demo Authorization Matrix Authorization Strategy

Unlock fine-grained access control in Jenkins using the Matrix Authorization Strategy plugin. In this tutorial, you’ll learn to:

  1. Install the plugin
  2. Compare project-based vs global matrix strategies
  3. Configure role-based permissions
  4. Validate access with sample user accounts

Prerequisites

  • A running Jenkins instance
  • Admin credentials (e.g., Barahalikar Siddharth)

1. Install the Matrix Authorization Strategy Plugin

  1. Sign in as admin.
  2. Navigate to Manage Jenkins → Manage Plugins → Available.
  3. Search for Matrix Authorization Strategy and click Install without restart.

This plugin supports both global and project-level access matrices.

The image shows a webpage for the "Matrix Authorization Strategy" plugin for Jenkins, detailing its documentation, version information, and use cases.

2. Project-Based Matrix Authorization

  1. Go to Manage Jenkins → Configure Global Security.
  2. Under Authorization, select Project-based Matrix Authorization Strategy and click Apply.
  3. Open a job (e.g., ascii-deploy-job), choose Configure, then enable Project-based security.
  4. Decide whether to inherit global permissions or define a custom ACL for this job.

The image shows a Jenkins security configuration page with a matrix authorization strategy. It lists users and groups with various permissions settings for different actions.

The image shows a Jenkins configuration screen for a job named "ascii-deploy-job," focusing on project-based security settings and inheritance strategy options. It includes a matrix for setting permissions for different user groups.

Note

If you only need instance-wide controls, return to Configure Global Security and choose Matrix-based Security instead.

3. Global Matrix-Based Security

  1. Open Manage Jenkins → Configure Global Security.
  2. Select Matrix-based Security in the Authorization section.
  3. Strip all permissions from anonymous. Leave authenticated unchecked (we’ll grant Overall Read later).
  4. Click Add user or group, enter each name, and confirm. Jenkins will warn if the user/group doesn’t exist.

The image shows a Jenkins security configuration screen with matrix-based security settings, where user permissions are being managed. A pop-up window is prompting for a user ID input.

3.1 Define Group Permissions

Configure these four groups:

Group      Permissions
admin      Overall → Administer
manager    Overall: Read; Job: Read; View: Read; Metrics: Read
QA         Job: Read, Build
developer  Overall: Read; Credentials: Create, Update, View; Agent: Provision; Job: All except Delete; View: Create, Read, Configure; Metrics: Read

The image shows a Jenkins security configuration screen with a matrix-based authorization strategy, displaying permissions for different user groups like admin, manager, qa, and developer. Various permissions are checked for each user group across categories like Overall, Credentials, Agent, Job, Run, View, SCM, and Metrics.

Once permissions are set, click Save to apply.

The image shows a Jenkins security configuration screen with a matrix-based authorization strategy, displaying user and group permissions for various actions. The interface includes options to add users or groups and save changes.

4. Test Role-Based Access

4.1 Admin: Full Control

As admin, verify you can view, configure, build, and delete the ascii-deploy-job.

The image shows a Jenkins dashboard for a job named "ascii-deploy-job," displaying build history and permalinks for recent builds.

4.2 Tina (QA + Developer)

Log in as Tina:


  • Jobs: Delete is hidden
  • Credentials: Create, View, Update (no delete)
  • Manage Jenkins: Not accessible

4.3 Bob (QA Only)

Initially, Bob is denied access because the QA group has no Overall: Read permission. To fix:

  1. Log in as admin.
  2. Grant authenticated or QA the Overall Read permission.
  3. Re-login as Bob.

Now Bob can view and build jobs but cannot delete or manage credentials.

4.4 Ali (Manager)

Log in as Ali (manager):

  • Overall: Read
  • Job & View: Read
  • Metrics: Read

Ali can open jobs and view logs but cannot build, configure, or delete.
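The checks in section 4 can also be reasoned about offline. The following is an added example, not Jenkins or plugin code: it models the section 3.1 matrix and the section 4 group memberships, then evaluates each user's effective permissions, including Bob's lockout and its fix. The expansion of "Job: All" and the function names are assumptions made for this sketch.

```python
# Added example: a model of the section 3.1 matrix, not Jenkins or plugin code.
# Assumed expansion of "Job: All" (core Job permissions shown in the matrix).
JOB_ALL = {"Build", "Cancel", "Configure", "Create", "Delete",
           "Discover", "Read", "Workspace"}

MATRIX = {
    "admin": {"Overall/Administer"},
    "manager": {"Overall/Read", "Job/Read", "View/Read", "Metrics/Read"},
    "QA": {"Job/Read", "Job/Build"},
    "developer": {"Overall/Read", "Credentials/Create", "Credentials/Update",
                  "Credentials/View", "Agent/Provision", "View/Create",
                  "View/Read", "View/Configure", "Metrics/Read"}
                 | {f"Job/{p}" for p in JOB_ALL - {"Delete"}},
}
# Group memberships from section 4.
MEMBERS = {"Tina": {"QA", "developer"}, "Bob": {"QA"}, "Ali": {"manager"}}


def effective(user, matrix):
    """Union of the grants of every group the user is in (grants only add)."""
    sids = MEMBERS.get(user, set()) | {"authenticated"}  # every logged-in user
    return set().union(*(matrix.get(s, set()) for s in sids))


def allowed(user, perm, matrix):
    perms = effective(user, matrix)
    if "Overall/Administer" in perms:  # Administer implies everything else
        return True
    # Without Overall/Read nothing else is reachable (Bob's initial state).
    return "Overall/Read" in perms and perm in perms


def locked_out(matrix):
    """Users holding grants they cannot use because Overall/Read is missing."""
    return sorted(u for u in MEMBERS if effective(u, matrix)
                  and not {"Overall/Read", "Overall/Administer"} & effective(u, matrix))


def grant(matrix, sid, perm):
    """Return a copy of the matrix with one extra grant."""
    fixed = {s: set(p) for s, p in matrix.items()}
    fixed.setdefault(sid, set()).add(perm)
    return fixed


if __name__ == "__main__":
    print("locked out before fix:", locked_out(MATRIX))
    fixed = grant(MATRIX, "QA", "Overall/Read")
    for user, perm in [("Bob", "Job/Build"), ("Bob", "Job/Delete"),
                       ("Tina", "Job/Delete"), ("Ali", "Job/Build")]:
        print(user, perm, allowed(user, perm, fixed))
```

Granting Overall/Read to authenticated instead of QA also clears Bob's lockout, but it extends that permission to every logged-in account rather than to one group.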


You’ve now secured your Jenkins instance with Matrix Authorization Strategy. Adjust role permissions as your team and security requirements evolve.
