we have mapped hudson logging to our LDAP. We use matrix [username x permission]
for setting permissions. However, if we set for some user all permission except
"administer" of hudson, such a user is unable to save his/her job. Saving of
job end with Status code 403.

This code seems to be the cause:

public synchronized void doConfigSubmit( StaplerRequest req, StaplerResponse rsp
) throws IOException, ServletException {
try {
checkPermission(ADMINISTER);