Scripting RBAC

Sometimes it is useful to perform large-scale operations on a Jenkins server using scripts.

group-membership

Having defined some roles and groups, a common requirement is to change the list of users authorized in a given group. To support this operation from scripts, the group-membership CLI command is available in plugin versions 4.1 and later. The first argument identifies the group container:

  • root for the root of Jenkins
  • jobname or foldername or foldername/jobname for a job, a folder, or any other item in the Jenkins folder hierarchy that can hold groups
  • viewname or foldername/viewname for a view
  • slavename for a slave node

The second argument is the name of an existing group. With no additional arguments, all the members of the group are printed, one per line. (These “members” might be user IDs, or Jenkins or external group names.) If additional arguments are given, the group membership is set to the listed members (replacing any current members).

create-group

Creating a group can be performed via the create-group CLI command, which is available in plugin versions 4.9 and later. The first argument identifies the group container:

  • root for the root of Jenkins
  • jobname or foldername or foldername/jobname for a job, a folder, or any other item in the Jenkins folder hierarchy that can hold groups
  • viewname or foldername/viewname for a view
  • slavename for a slave node

The second argument is the name of the group to create.

delete-group

Deleting a group can be performed via the delete-group CLI command, which is available in plugin versions 4.9 and later. The first argument identifies the group container:

  • root for the root of Jenkins
  • jobname or foldername or foldername/jobname for a job, a folder, or any other item in the Jenkins folder hierarchy that can hold groups
  • viewname or foldername/viewname for a view
  • slavename for a slave node

The second argument is the name of the group to delete.

group-role-assignments

Assigning or listing group roles can be performed via the group-role-assignments CLI command, which is available in plugin versions 4.9 and later. The first argument identifies the group container:

  • root for the root of Jenkins
  • jobname or foldername or foldername/jobname for a job, a folder, or any other item in the Jenkins folder hierarchy that can hold groups
  • viewname or foldername/viewname for a view
  • slavename for a slave node

The second argument is the name of the group.

With no additional arguments, the current group roles will be printed. By default the roles are printed one per line in the format used to assign them. To print them in a more readable format, use the -e (--expanded-display) command line option.

If additional arguments are given, the group roles are set to the listed roles (replacing any current roles).

Each role follows the format ROLE[,GRANTED_AT[,PROPAGATES]], where GRANTED_AT=0|1|2 (0: current level, 1: child level, 2: grandchild level) and PROPAGATES=true|false. For example, developer,0,true will assign the "developer" role at the current level, and the role will be available in child contexts.
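Because both group-membership and group-role-assignments replace the whole current list when extra arguments are given, a script can review the change before making it. The following is an added example, not part of the plugin or its documentation: jenkins_cli, valid_role_spec, plan_change, safe_set and the APPLY variable are hypothetical names, and the java -jar jenkins-cli.jar invocation is an assumption about how the CLI is reached.

```shell
# Added example. Assumption: jenkins_cli wraps your own Jenkins CLI invocation
# (authentication options omitted here).
jenkins_cli() { java -jar jenkins-cli.jar -s "$JENKINS_URL" "$@"; }

# Succeeds if $1 matches ROLE[,GRANTED_AT[,PROPAGATES]].
# Assumption: a role name does not itself contain a comma.
valid_role_spec() {
  printf '%s\n' "$1" | grep -Eq '^[^,]+(,[012](,(true|false))?)?$'
}

# plan_change CURRENT_LISTING DESIRED...
# Prints "- entry" for entries the replace would drop, "+ entry" for ones it would add.
# Entries are compared as exact strings, as printed by the listing form of the command.
plan_change() {
  current=$1; shift
  desired=$(printf '%s\n' "$@")
  printf '%s\n' "$current" | DESIRED=$desired awk '
    BEGIN { n = split(ENVIRON["DESIRED"], d, "\n")
            for (i = 1; i <= n; i++) if (d[i] != "") want[d[i]] = 1 }
    $0 != "" { have[$0] = 1; if (!($0 in want)) print "- " $0 }
    END { for (i = 1; i <= n; i++) if (d[i] != "" && !(d[i] in have)) print "+ " d[i] }'
}

# safe_set COMMAND CONTAINER GROUP ENTRY...
# COMMAND is group-membership or group-role-assignments. Dry run unless APPLY=1.
safe_set() {
  cmd=$1 container=$2 group=$3; shift 3
  # With no entries the CLI lists instead of setting, so refuse rather than guess.
  [ $# -ge 1 ] || { echo "no entries given" >&2; return 2; }
  if [ "$cmd" = group-role-assignments ]; then
    for spec in "$@"; do
      valid_role_spec "$spec" || { echo "invalid role spec: $spec" >&2; return 2; }
    done
  fi
  listing=$(jenkins_cli "$cmd" "$container" "$group") || return 1
  plan=$(plan_change "$listing" "$@")
  [ -n "$plan" ] || return 0            # already matches, nothing to replace
  printf '%s\n' "$plan"
  [ "${APPLY:-0}" = 1 ] || return 0     # show the plan only
  jenkins_cli "$cmd" "$container" "$group" "$@"
}
```

Run safe_set once without APPLY to log the additions and removals, then again with APPLY=1 once the plan has been reviewed.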

list-groups

Listing existing groups can be performed via the list-groups CLI command, which is available in plugin versions 4.11 and later. The argument identifies the group container:

  • root for the root of Jenkins
  • jobname or foldername or foldername/jobname for a job, a folder, or any other item in the Jenkins folder hierarchy that can hold groups
  • viewname or foldername/viewname for a view
  • slavename for a slave node