Bug
Resolution: Unresolved
Minor
Jenkins 2.379
matrix-auth plugin 3.1.5
Jenkins supports specific permissions for viewing, creating, updating and deleting credentials.
When a user has Credentials.Update permission, but not Item.Configure permission for a specific item, he is able to visit the credentials update page.
But when he saves the dialog (without changing the concealed password), the credential entry is saved with '******' as the password value.
These passwords are obviously rejected by the target systems.
It seems there's a check for Item.Configure permission within the hudson.Functions class which needs to be extended with a Credentials.Update check.
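The round trip described in this report, as an added simplified model that is not Jenkins or plugin code. The function names, the `deploy-key` id and the sample secret are constructed, and the render-time permission check is assumed to behave as the report describes.

```python
# Simplified model of the reported round trip; not Jenkins code.
# All function names and sample values are constructed for illustration.

MASK = "******"  # the value the report says ends up stored

CURRENT_CHECK = frozenset({"Item.Configure"})             # check as described in the report
EXTENDED_CHECK = CURRENT_CHECK | {"Credentials.Update"}   # extension the report proposes


def render_password_field(stored, user_perms, allowed):
    """Value placed in the edit form: the stored (encrypted) secret if the
    user holds any permission in `allowed`, otherwise the mask."""
    return stored if user_perms & allowed else MASK


def save_form(store, cred_id, submitted):
    """Save handler: persists whatever the form posts back, mask included."""
    store[cred_id] = submitted


def round_trip(stored, user_perms, allowed):
    """Open the update page and press Save without touching the field."""
    store = {"deploy-key": stored}
    form_value = render_password_field(stored, user_perms, allowed)
    save_form(store, "deploy-key", form_value)
    return store["deploy-key"]


def demo():
    """Return (stored value under current check, under extended check)."""
    user = frozenset({"Credentials.View", "Credentials.Update"})
    secret = "{constructed-encrypted-secret}"
    return (round_trip(secret, user, CURRENT_CHECK),
            round_trip(secret, user, EXTENDED_CHECK))


if __name__ == "__main__":
    before, after = demo()
    print("current check :", before)
    print("extended check:", after)
```

A user who holds only view permission still receives the mask under the extended check; in this model the save path is what an authorization check would need to block for that user.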