Jenkins CasC role strategy can't get permissions working correctly

Question

I want to setup a role (based on ldap security group) that ONLY has access to folders based on a pattern.

Jenkins version: Version 2.426.3
role-strategy: 689.v731678c3e0eb_
configuration-as-code: 1775.v810dc950b_514

Let's say I have these folders set up:

Folder1/app1/deploy
Folder1/app1/build
Folder1/app2/deploy
Folder1/app2/build
...

I want all users in the app1_build_team to be able to access all jobs defined under Folder1/app1/.* hence the pattern.

My issues:

1. if I don't define "build_execute" in Global the user gets access denied on main dashboard after login.

2. If I do add "build_execute" to global part of the config the user in that group can see all folders, all jobs but can only run what is defined in the pattern line.

We will be host a wide variety of folders/jobs for a large user base and need to have only the folders and jobs visible and accessible to specific teams.

I am populating all the permissions using CasC. I got as far as it mostly working with #2 above. User can run jobs assigned to their group but can see EVERYTHING once logged in.

I have tried so many permutations of configs below, that I do not want to paste here as it will just make this post messy.

How can I write the config for user of below group to only see folders as per the defined pattern?

I have gone into th manage roles and assign roles in the GUI configured to how I think it should be, exported the casc config but as I said either the user gets access denied to all or can see all folders/jobs based on if I use "Job/Read" is global configs.

Here is a chunk of my configuration with "Job/Read" not defined in a global scope.

authorizationStrategy:
  roleBased:
    permissionTemplates:
    - name: "build_execute_perm_template"
      permissions:
      - "Job/Cancel"
      - "Run/Delete"
      - "Job/Build"
      - "Run/Update"
      - "Job/Discover"
      - "Job/Read"
      - "View/Read"
      - "Run/Replay"
      - "Folder/Read"
    roles:
      global:
      - entries:
        - group: "devops_team"
        name: "admin"
        pattern: ".*"
        permissions:
        - "Overall/Administer"
      items:
      - entries:
        - group: "app1_build_team"
        name: "build_execute"
        pattern: "Folder1/app1/.*"
        templateName: "build_execute_perm_template"
      - entries:
        - group: "app2_build_team"
        name: "build_execute"
        pattern: "Folder1/app2/.*"
        templateName: "build_execute_perm_template"

Answer 1

Assuming you're using the Role Strategy plugin, here's how you can separate teams into roles with different folder access (I will be using the GUI for simplicity reasons).

1. Start with the Manage Roles menu, where you can create some roles. Here, I've created admins, which can see everything, and readers, that can only see what's available to them. Next, headover to the Item roles, where you can define what your teams can see. In your case, the patterns would be Folder1(/app1.*)? and Folder2(/app2.*)?.

Global roles

Item roles

2. You can then enter the Assign Roles menu, and check that the roles/teams you defined previously, can be found here. For instance, to say every authenticated user is a reader, use the Global roles.

3. Finally, you'll be able to separate users into different teams using Item roles, which will make them see different things upon login.