As a Jenkins administrator, I would like for developers to be able to configure jobs, but only have certain users able to build those jobs. Through various means like RBAC and controlled agents, I have given jobs in a certain folder the ability to access agents and secrets. While I trust developers to configure those jobs, I have business requirements to only allow certain users to build those jobs.

However, Jenkins allows users to Replay a build even if they don't have the Run/Replay or Job/Build permissions. This seems to due the fact that Run/Replay is implied by Job/Configure.

Put another way, Job/Build isn't implied by Job/Configure, so why does Job/Configure imply Run/Replay? Instead, it seems like Run/Replay should only be implied if a user has both Job/Build and Job/Configure.