From 957913fcc7f2d02af2d574f519bbd09b4107c7cd Mon Sep 17 00:00:00 2001
From: Oleg Nenashev
Date: Wed, 27 May 2020 15:08:09 +0200
Subject: [PATCH 1/2] JEP-224, JEP-223 - Add users with System Read and Manage permissions

---
 .../src/main/groovy/scripts/Auth.groovy | 8 +++++---
 jenkins.yaml | 18 ++++++++++++++++--
 plugins.txt | 2 ++
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/init_scripts/src/main/groovy/scripts/Auth.groovy b/init_scripts/src/main/groovy/scripts/Auth.groovy
index 82b5bf6..cca96eb 100644
--- a/init_scripts/src/main/groovy/scripts/Auth.groovy
+++ b/init_scripts/src/main/groovy/scripts/Auth.groovy
@@ -9,11 +9,13 @@ boolean createAdmin = Boolean.getBoolean("io.jenkins.dev.security.createAdmin")
 
 println("=== Configuring users")
 def securityRealm = Jenkins.instance.getSecurityRealm()
-User user = securityRealm.createAccount("user", "user")
-user.setFullName("User")
+securityRealm.createAccount("user", "user").setFullName("User")
+securityRealm.createAccount("readonly", "readonly").setFullName("Read-only Admin")
+securityRealm.createAccount("manager", "manager").setFullName("Admin (Manage)")
+
 if (createAdmin) {
     User admin = securityRealm.createAccount("admin", "admin")
-    admin.setFullName("Admin")
+    admin.setFullName("Admin (Full Permissions)")
 }
 
 println("=== Configure Authorize Project")
diff --git a/jenkins.yaml b/jenkins.yaml
index 484db23..a276bf6 100644
--- a/jenkins.yaml
+++ b/jenkins.yaml
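Review bot: The new `readonly` and `manager` accounts are created unconditionally in this hunk while `admin` stays behind the `io.jenkins.dev.security.createAdmin` flag, even though the same patch grants `manager` Overall/Manage in jenkins.yaml and both new accounts use the user name as their password. If the flag exists so that instances which do not opt in get no well-known privileged credentials, the two new `createAccount` lines belong inside the `if (createAdmin) {` block as well. If always creating them is the intent, a comment next to them should record why, e.g. `// readonly/manager are always created: they hold SystemRead/Manage only, never Administer`.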
@@ -42,12 +42,26 @@ jenkins:
       roles:
         global:
           - name: "admin"
-            description: "Jenkins administrators"
+            description: "Jenkins administrators with full permissions"
             permissions:
               - "Overall/Administer"
             assignments:
               - "admin"
-          - name: "readonly"
+          - name: "manager"
+            description: "Jenkins managers with limited admin permissions"
+            permissions:
+              - "Overall/Manage"
+            assignments:
+              - "manager"
+          - name: "readonly-admin"
+            description: "Jenkins read-only administrators"
+            permissions:
+              - "Overall/SystemRead"
+              - "Job/Read"
+              - "Agent/Read"
+            assignments:
+              - "readonly"
+          - name: "readonly-user"
             description: "Read-only users"
             permissions:
               - "Overall/Read"
diff --git a/plugins.txt b/plugins.txt
index 5579d93..7023856 100644
--- a/plugins.txt
+++ b/plugins.txt
@@ -9,6 +9,7 @@ configuration-as-code:1.41
 docker-commons:1.16
 docker-workflow:1.23
 email-ext:2.69
+extended-read-permission:3.2
 favorite:2.3.2
 filesystem_scm:2.1
 git-client:3.2.1
@@ -26,6 +27,7 @@ junit:1.27
 locale:1.4
 lockable-resources:2.8
 mailer:1.32
+manage-permission:1.0
 matrix-auth:2.6.1
 maven-plugin:3.6
 momentjs:1.1.1
From ce452e349af147129995b94f1cc045acd7a7bd17 Mon Sep 17 00:00:00 2001
From: Oleg Nenashev
Date: Wed, 27 May 2020 15:20:57 +0200
Subject: [PATCH 2/2] Document new users

---
 README.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index d8a117f..7ea6601 100644
--- a/README.md
+++ b/README.md
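Review bot: The `readonly-admin` role grants `Overall/SystemRead`, `Job/Read` and `Agent/Read` but not `Job/ExtendedRead`, although the same patch adds `extended-read-permission:3.2` to plugins.txt; if that plugin is being pulled in for this role, `- "Job/ExtendedRead"` appears to be missing from its permission list, and if not, the plugin addition is not used by anything in this configuration. A short comment above the two new roles naming where the new permission ids come from would also help a reader, e.g. `# Overall/Manage comes from JEP-223, Overall/SystemRead from JEP-224; both must be defined by the running core`. The `readonly-user` role's assignment list continues past the end of the hunk, so whether it still references the old `readonly` name is not visible here.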
@@ -18,8 +18,14 @@ Prototyping is in progress, compatibility of the scripts and Dockerfiles is **NO
 
 Jenkins container starts with the following contents:
 
-* Authentication: Internal database with two users: `admin` and `user`
-  * Passwords are same as user names
+* Authentication: Internal database with four users. Passwords are same as user names
+  * `admin` - Admin with full access
+  * `manager` - User with `Jenkins/Manage` permissions
+    ([JEP-223](https://github.com/jenkinsci/jep/tree/master/jep/223))
+  * `readonly` - User with `Jenkins/SystemRead` and read-only permissions
+    ([JEP-224](https://github.com/jenkinsci/jep/tree/master/jep/224)) -
+    [announcement](https://www.jenkins.io/blog/2020/05/25/read-only-jenkins-announcement/)
+  * `user` - User with ability to run jobs
 * Authorization:
   * [Ownership-Based Security](https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md), powered by [Role Strategy](https://plugins.jenkins.io/role-strategy)