The role strategy plugin is not documented well enough to explain to me how to meet my requirements.  I will tell you my requirements, what I've tried, and the results which are not what I want.  Perhaps then you can tell me a solution.

Basically, I want to have two classes of users (other than the administrators).  One class, let's call them "senior" needs to have read/write/execute permissions throughtout the instance.  Can view every job, in every folder (we use the Cloudbees Folder Plugin), run jobs, configure jobs, modify jobs, delete jobs, anywhere in the instance.  Another class, let's call them "junior" should have read only access throughout the system, and full read/write/execute access but just to one folder in the instance.

To even let the juniors get into the system, I must give them read access globally.  So then how do I expand their rights to "their" special folder?  I created a "Junior" folder at the top level of the instance.  I added a project based role called "Junior" and gave them full access within their folder.  But whether I define the pattern as

/Junior, 
/Junior/*, 
Junior, or
Junior/*

the expanded rights within the folder do not take effect.

So my first question is, what, really, is the syntax of a pattern expression? How do I say "this project and all its subprojects"?

And the second question is, Can I override the global permission to allow MORE privileges at the project level?

Another option would be to say that "any authenticated user has read access everywhere". Can I do that?

Thank you.