Credentials page is insecure when using anonymous read access


We have a use case wherein we want,

1. a limited number of administrators to have access to configuration
2. build status to be publicly available

As such, under 'Configure Global Security', we have set the following,

• 'Security Realm' is set to 'Jenkins' own user database' with the 'Allow users to sign up' checkbox unchecked
• 'Authorization' is set to 'Logged-in users can do anything' with the 'Allow anonymous read access' checkbox checked

This works well, except that we have just noticed that the credentials page is exposed to non-registered visitors: they cannot modify credentials, but they can view the 'ID' and 'Name' fields for each, which may pose a soft security threat. Additionally, the 'Credentials' link appears in the left sidebar for non-registered visitors.
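The two settings above, written as Jenkins Configuration as Code, beside a matrix-based alternative that grants anonymous visitors only what is needed to see build status. This is an added illustration, not configuration from the report; the top-level keys follow the JCasC plugin's schema, while the "Permission:sid" string form for the matrix strategy is assumed and varies by matrix-auth plugin version.

```yaml
# Reported setup: local user database, sign-up disabled, and the
# "Logged-in users can do anything" strategy with anonymous read on.
# Anonymous read here is all-or-nothing, which is why the credentials
# listing (ID and Name) is visible to unauthenticated visitors.
jenkins:
  securityRealm:
    local:
      allowsSignup: false
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: true
---
# Alternative: matrix-based authorization. Anonymous gets only the
# read permissions needed for public build status; Credentials/View
# is deliberately not granted to anonymous, and only logged-in users
# administer. Permission strings assume the "Permission/Name:sid"
# form accepted by the matrix-auth plugin's JCasC support.
jenkins:
  securityRealm:
    local:
      allowsSignup: false
  authorizationStrategy:
    globalMatrix:
      permissions:
        - "Overall/Administer:authenticated"
        - "Overall/Read:anonymous"
        - "Job/Read:anonymous"
        - "View/Read:anonymous"
```

After applying either configuration, verify it by loading the instance's Credentials page in a private browser window with no session: the expected result under the second configuration is a login prompt or an access-denied response, not the listing.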

Assignee: Unassigned
Reporter: Justin Quinn
Archiver: Jenkins Service Account