Add more permission descriptions

[zbynek]

The permission descriptions are copied from tooltips in Jenkins global security configuration.

Direct preview link: https://deploy-preview-5534--jenkins-io-site-pr.netlify.app/doc/book/security/access-control/permissions/

[MarkEWaite]

Thanks very much for spending the time to extract those additional definitions. I've made some optional comments. I approve whether you take any action on the optional comments or not.

This will also need review by a member of the security team, since the change is in a section where they are a code owner.

Thanks again for the contribution

[MarkEWaite]

@jenkins-infra/security could one of you review and approve the added role descriptions?

[daniel-beck]

Thanks for your interest in the security docs!

The reason I originally left this as a TODO is that the idea of this page was to go in-depth about permissions; and some of the implications of (lack of) permissions explained here were documented nowhere previously. Permissions are a difficult topic in Jenkins as they're not really well defined in many cases, and used on a best effort basis.

While some (barely above) placeholder-level content copied from Jenkins can be useful when docs are used standalone rather than as an additional tool when using Jenkins, there are problems with this content. These problems apply to Jenkins as well of course.

So I don't reject this documentation, but I also don't think it adds much value. It probably depends on whether you think listing stuff with minimal documentation that's listed elsewhere already is useful to have or not.

If you're willing to spend some more time on this topic I'd be happy to collaborate on a more extensive permission documentation that goes into more detail. Some of that we'd probably be able to adapt directly into Jenkins, and the more surprising aspects might even justify adding more form validation/admin monitors to inform admins what it is they're doing.

[daniel-beck]

Should not be placed here as it's not an optional permission as explained in the introductory paragraph.

Also, while Credentials Plugin is as much of a "core" plugin as is possible, what's the threshold for putting plugin docs here?

[daniel-beck]

Probably makes more sense as a list (e.g. definition list?), given the current lack of details? (Also applies to all other lists at this level.)

[daniel-beck]

This content is actually generated by Matrix Authorization Plugin 😄

[daniel-beck]

Here an explanation could make sense that this permission only makes sense when anonymous users are granted Overall/Read permission.

[daniel-beck]

How sensitive are these permissions? Can this be given to just anyone, or are there security considerations? This doesn't say. (Not that it would inside Jenkins, but I'd expect more from docs that exist. IMO of course.)

[daniel-beck]

This is basically useless unless you already know what it does (it's related to https://www.jenkins.io/doc/book/security/build-authorization/ ).

[daniel-beck]

implied by generic read

That's a permission that exists but hasn't been shown on the UI pretty much ever, so it's not particularly helpful.

[kmartens27]

suggestions appear to be updated, thanks so much @zbynek!

@daniel-beck when you have a moment, would you be able to review the updates here and let us know if there's anything else that needs to be cleared up? Thanks!

[daniel-beck]

Besides two minor formatting issues that have had suggested changes applied, my feedback remains unaddressed (neither acted on, nor explicitly rejected).

[zbynek]

@daniel-beck I went through your review notes and extended some paragraphs a bit.

I also don't think it adds much value

Agreed. My goal was mostly to put the information somewhere where it's accessible and searchable. If you have some more pointers how to make this useful, please let me know.

[daniel-beck]

If you have some more pointers how to make this useful, please let me know.

I don't think useful docs exist yet, therefore my offer to collaborate on creating that.

[kmartens27]

Hi @daniel-beck, when you have a moment, would you be able to confirm and review the changes on this PR? Thanks!

[zbynek]

@daniel-beck I know this is still pretty minimal, but do you think it's already worth merging?