Bug
Resolution: Unresolved
Critical
None
Jenkins 2.164.3
Credentials plugin 2.1.18
Hi, we have our Jenkins configured with Project-based Matrix Authorization Strategy. I recently removed all Credentials permissions for normal users because I don't want them to be able to use the system credentials store. I want them to use the folder credentials store instead. Now users cannot see the credentials option in the main menu, only inside their folders. However, when they need to add some credential to their jobs (i.e. in SCM configuration), they still can select the credentials in the system store. My expectation is that they can only select the credentials in the folder store.
When you say system credentials store, are you referring to the system scope as defined in https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc#credentials-scopes or do you mean the system credential store as defined in https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc#credentials-providers? The system scope is only used by system tasks, while the system credential store is available to anyone with Credentials/View permission. The system credentials store is effectively the root store available to anything in the system which can read credentials and is intended for users who only slightly care about security. If you're isolating credentials to that extent, then you shouldn't bother adding any to the root unless they're meant to be used as such.
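An added example, not part of the original thread or the plugin's own code: a read-only Script Console audit of the root (system) credentials store discussed above, separating entries with System scope from everything else, which items can resolve when they look up credentials. It assumes an administrator runs it on the controller with the Credentials plugin installed; it prints only domain names, credential IDs and types, never secret values.

```groovy
// Added example: run from Manage Jenkins > Script Console as an administrator.
// Lists what is stored in the root (system) credentials store and whether
// each entry is limited to System scope.
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.common.IdCredentials

def store = SystemCredentialsProvider.getInstance()
def systemOnly = []   // System scope: used by system tasks only
def inherited = []    // any other scope: visible to items below the root

store.getDomainCredentialsMap().each { domain, creds ->
    // The global domain has no name
    def domainName = domain.getName() ?: '(global domain)'
    creds.each { c ->
        def id = (c instanceof IdCredentials) ? c.getId() : '(no id)'
        def row = "${domainName}\t${id}\t${c.getClass().getSimpleName()}"
        if (c.getScope() == CredentialsScope.SYSTEM) {
            systemOnly << row
        } else {
            inherited << row
        }
    }
}

println "Root store entries NOT limited to System scope (${inherited.size()}):"
inherited.each { println "  ${it}" }
println ""
println "Root store entries limited to System scope (${systemOnly.size()}):"
systemOnly.each { println "  ${it}" }
```

Entries in the first list are candidates for moving into a folder store or re-scoping to System if jobs should not be able to select them.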