
Add support of user groups as owners and co-owners

    • New Feature
    • Resolution: Unresolved
    • Minor
    • ownership-plugin
    • None

        [JENKINS-18741] Add support of user groups as owners and co-owners


        Terje Andersen added a comment - Hello, as there is no status update on this ticket, I take it that this feature is still not implemented?

        Oleg Nenashev added a comment -

        @Terje
        Yes, the feature has not been implemented yet.
        I have it in my wishlist, but unfortunately I cannot provide any ETAs now.

        What are your use-cases for this feature?


        Terje Andersen added a comment - - edited

        @Oleg
        Where I work we have a Jenkins Master, and I was just asked to add a group to the ownership of a job, meaning that the members of a group can change the Job Configuration and run the Job.

        We are using Single Sign-On in front of the Master, where the user identity and groups are fetched via environment variables ( reverse-proxy-auth-plugin ).
        We are also using Role Strategy Plugin ( role-strategy ).

        I managed it now, by:
        1. Setting the @ItemSpecific and @ItemSpecificWithUserId roles in "Manage Jenkins" > "Manage And Assign Roles" > "Manage Roles"
        2. Assigning both roles (@ItemSpecific, @ItemSpecificWithUserId) to the group in question in "Manage Jenkins" > "Manage And Assign Roles" > "Manage Roles"
        3. Going to "<my-job>" > "Manage Ownership" > "Configure specific access rights" and giving full access to the group in question (ticking all checkboxes).

        • What I struggle to understand is why I need to do step 1 and 2, and not only 3 to give the members of a group access to edit the job configuration and run it.
        • The access rights I set in step 3 would indicate that the users of the group could delete the Job, but I guess that's limited to the Project Roles I defined in step 1, correct?

        Maybe this isn't the correct place to ask for this, we can move it to the Jenkins Users Google group? And yes, I am new with Jenkins.


        Oleg Nenashev added a comment - - edited

        The jenkinsci-users group is a useful communication utility, but it's hard to continuously monitor all messages there. In general I would recommend asking such questions using the Jenkins IRC channel or the Ownership Plugin Wiki Page.

        > What I struggle to understand is why I need to do step 1 and 2, and not only 3 to give the members of a group access to edit the job configuration and run it.

        Ownership plugin does not have its own security engine. It depends on Role Strategy Plugin. In Role Strategy, macros are used to register roles with special hooks, which then call routines in Ownership plugin on demand.

        Such an implementation allows keeping both plugins independent, but it requires some configuration (which may be automated BTW).

        > The access rights I set in step 3 would indicate that the users of the group could delete the Job, but I guess that's limited to the Project Roles I defined in step 1, correct?

        Yes, the access will be limited to permissions registered for Ownership macros.

        Currently, there's no filtering of permission tables. I'm not sure if it is possible to add such functionality w/o a full check of roles (multiple expression matches, custom macros, etc.). Created JENKINS-26397 for the case.
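
The three-step setup and the answer above can be pictured with a small model. This is an added example, not part of the thread and not code from either plugin: it assumes a macro role grants a permission only when the role lists that permission (step 1), the role is assigned to the user or group (step 2), and the Ownership hook approves it for the job (step 3). The group `dev-team`, user `alice`, job `my-job` and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Simplified model of the check described in the thread; NOT the plugins' code.
# Permission names and the group "dev-team" are constructed sample values.

@dataclass
class Role:
    name: str            # "@..." marks a macro role
    pattern: str         # project-role job-name regex
    permissions: set     # step 1: the role's permission table
    sids: set = field(default_factory=set)  # step 2: assigned users/groups

def ownership_hook(item_rights, user_sids, perm):
    """Stand-in for the Ownership routine a macro role calls (step 3)."""
    return any(perm in item_rights.get(s, set()) for s in user_sids)

def has_permission(roles, job_name, item_rights, user_sids, perm):
    for role in roles:
        if perm not in role.permissions:               # not registered on role
            continue
        if not re.fullmatch(role.pattern, job_name):   # pattern must match job
            continue
        if not (role.sids & user_sids):                # role not assigned
            continue
        if not role.name.startswith("@"):              # ordinary role
            return True
        if ownership_hook(item_rights, user_sids, perm):
            return True
    return False

ALL = {"Job/Read", "Job/Build", "Job/Configure", "Job/Delete"}
USER = {"alice", "dev-team"}                  # user id plus group membership
RIGHTS = {"dev-team": ALL}                    # step 3: every box ticked

def scenario(role_permissions, assigned=("dev-team",)):
    roles = [Role("@ItemSpecific", ".*", set(role_permissions), set(assigned))]
    return {p: has_permission(roles, "my-job", RIGHTS, USER, p) for p in sorted(ALL)}

if __name__ == "__main__":
    # Steps 1-3 done, role lacks Delete: Delete stays denied despite step 3.
    print(scenario({"Job/Read", "Job/Build", "Job/Configure"}))
    # Empty permission table on the role: nothing is granted.
    print(scenario(set()))
    # Role never assigned to the group (step 2 skipped): nothing is granted.
    print(scenario(ALL, assigned=()))
```

Under this model the role's permission table is the upper bound on what the per-job access rights can grant, so a review of group access has to look at both places.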



        Jonathan David added a comment - This feature would be great to have, especially for those using AD / LDAP.

        Royce Shen added a comment -

        @andersen oleg_nenashev

        I did the same thing as you, trying to give read and write permission to the authenticated group. We are using LDAP as an identification server and also using Role Strategy Plugin.

        I set up two roles in Project Role -->"Manage Jenkins" > "Manage And Assign Roles" > "Manage Roles", but I am not sure which permission I should give to these two roles so I left the permission table empty, only filled pattern with ".*", then assigned both roles (@ItemSpecific, @ItemSpecificWithUserId) to the authenticated group.

        I also gave full access to the authenticated group in "Configure specific access rights", but it turned out a logged-in user still could not read and configure this job.

        I wonder why this does not work for me.


          Unassigned Unassigned
          oleg_nenashev Oleg Nenashev