After upgrading to Jenkins LTS 2.222.1 + role-strategy-plugin 2.16, REST API calls have stopped working. On the Log we can see
 

2020-04-02 14:42:46.468+0000 [id=20318] INFO o.e.j.s.h.ContextHandler$Context#log: While serving http://XXXXXXXXXXX/jenkins/job/YYYYYY-pipeline/buildWithParameters: hudson.security.AccessDeniedException2: inetic is missing the Job/Build permission

which is exactly what we get through the REST API

inetic has Admin permissions granted to a role, set throuch role-strategy-plugin and is able to execute any jobs through the UI.

We're using user+token for auth, which should not need Jenkins-Crumb header. Nevertheless, we've also tried user+password+crumb and user+token+crumb and we get the same results. We've also tried setting hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION to either true or false, but again, it makes no difference.

May be the security hardening done on 2.222.1 / 2.204.6 affects the role-strategy-plugin?

Only workaround found so far is to set global Read + Build permissions, however that allows every user to execute everything without being logged which is not so funny.

EDIT: forgot to add, $JENKINS/whoAmI for user yields:

Name:	INETIC
IsAuthenticated?:	true
Authorities:	* "authenticated"