Role Strategy Plugin, Project roles and Job creation

[Martin B.]

Hi all!

I was wondering how others handle rights management with the [Role
Strategy
Plugin](http://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin):

Job creation is handles via the Global Role, which makes sense as
per-project roles are only applicable once a job has been created.

The other job rights (Del, Cfg, Read, Workspace) can be handled via
Project roles.

Now, this means a user that only has the global create right, but not
the global Del/Cfg/Read right, can create jobs he then can neither view
nor edit. This makes little sense obviously(?).

So: If a user has the global Create right, should one always give him
also Global Del/Cfg/Read (at least read, lest he be completely confused)??

Other ideas?

cheers,
Martin

[Roms]

Hi Martin,

We do the following:

- 3 main global roles, admin, job-creator, and anonymous.

- 1 project role per set of jobs to "segregate" from others.

- Users with job-creator role know the pattern of the name of the jobs they can create and are aware that, if they don't comply with it, they will need to ask the admin to rename the job or grant them new rights.

This work fine with a little bit less than 1000 job, "grouped" through around 20 project roles, and accessed by a hundred users. The only real issue here comes from the size of the permissions table.

HTH,

Romain

[Martin B.]

Thanks for sharing!

The job-creator is a good idea. As our server is still small, it's still
the same as the admin role here, but it will hopefully become useful as
soon as we put other projects onto Jenkins.

cheers,
Martin