Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-66246

Credential handling should be more fine-grained


      We use:

      Jenkins 2.289.2

      Micro Focus Application Automation Plugin 6.9


      after installing your plugin, we are faced with a big security issue.

      in order to use the plugin we are required to enter ALL the users and their password in the Jenkins Configure System screen.


      this causes us:

      1. the need to have jenkins administrative access server to change/add/remove users.
      2. the need to have jenkins administrative access to change a password for a user.
      3. a problem in which any user with access to the jenkins server can choose any pre-defined user to access the ALM server (since it is configured in the server level, and not in the job level) - THIS IS THE SECURITY PROBLEM....

      I would expect you to use the credentials system embedded in the jenkins server in order to be able to receive the credentials on the job/script level (like almost any other plugin).

      this way:

      1. each user can only access the credentials he is allowed.
      2. each user can add/change/remove credentials without jenkins administrative privilege but only with credential privilege.
      3. other users in the system are not exposed to credentials they are not allowed to see.


      I'm available to provide any needed information regarding this issue.


            dbogdan7 Dorin Bogdan
            amidar Amit Dar
            0 Vote for this issue
            7 Start watching this issue