Getting RBAC permissions for user and item with groups path #243

Merged: duemir merged 3 commits into cloudbees:master from ironcerocloudbees:GettingRBACpermissions on Nov 10, 2025

@ironcerocloudbees
Contributor

We developed a Groovy script to extract the Permissions and the roles for a specific user (username, line 10) and an item (like a folder, line 11), including in the report the Role and the group from which we granted the permission.

For example:

```
Gathering RBAC roles for user 'user1' in item 'folder1' and all inherited scopes...

RBAC Role & Permission Summary for 'user1' (including inherited scopes):

🔹 Role: administrator
   • From Group: folder1group2
   • Group Path: folder1group2 → folder1group1
   • Context: folder1
   • Permissions:
       - Alerts / Mute
       - Alerts / View
       - ...
```
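
A minimal model of the resolution that report describes, as an added example that is not part of this PR or of the CloudBees script: it walks from an item up through its parent scopes and records which group grants each role and through which nested-group chain the user is reached. The `Item` and `Group` classes, the per-role propagation flag, the sample data, and the reading of "Group Path" as granting group first are all assumptions made for illustration; nothing here calls the CloudBees RBAC plugin API.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    members: set   # user ids and names of nested groups
    roles: dict    # role name -> True if the grant propagates to child items

@dataclass
class Item:
    name: str
    parent: "Item | None" = None
    groups: dict = field(default_factory=dict)

def membership_path(item, group, user, seen=()):
    """Chain of group names from `group` down to the group that lists `user`, else None."""
    if user in group.members:
        return [group.name]
    for member in group.members:
        nested = item.groups.get(member)
        if nested is not None and member not in seen:  # `seen` breaks membership cycles
            tail = membership_path(item, nested, user, seen + (group.name,))
            if tail:
                return [group.name] + tail
    return None

def effective_roles(item, user, role_perms):
    """Walk from `item` up to the root and collect every role grant that reaches `user`."""
    grants, scope = [], item
    while scope is not None:
        for group in scope.groups.values():
            path = membership_path(scope, group, user)
            for role, propagates in (group.roles.items() if path else ()):
                if scope is item or propagates:  # non-propagating grants stay local
                    grants.append({"role": role, "from_group": group.name,
                                   "group_path": " → ".join(path), "context": scope.name,
                                   "permissions": sorted(role_perms[role])})
        scope = scope.parent
    return grants

# Constructed sample data mirroring the report above (not a real instance).
ROLE_PERMS = {"administrator": {"Alerts / Mute", "Alerts / View"},
              "developer": {"Job / Read"}, "operator": {"Job / Build"}}
root = Item("root", groups={
    "devs": Group("devs", {"user1"}, {"developer": True}),
    "local-ops": Group("local-ops", {"user1"}, {"operator": False})})
folder1 = Item("folder1", parent=root, groups={
    "folder1group1": Group("folder1group1", {"user1"}, {}),
    "folder1group2": Group("folder1group2", {"folder1group1"}, {"administrator": True})})
```

Calling `effective_roles(folder1, "user1", ROLE_PERMS)` returns the `administrator` grant from `folder1` plus the inherited `developer` grant from `root`; the non-propagating `operator` grant only appears when the query targets `root` itself.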

@duemir
Member

duemir commented Oct 31, 2025

Doesn't the Roles page kind of answer the same question? The roles are defined in a single place, but every item has Roles and "Roles / Who Am I?" pages.
The "Has role in" column, if not mistaken, shows which groups grant the role and if it propagates further. Group links lead to the page where the group is defined.
e.g. https://gauntlet-3.cloudbees.com/elroy/job/playground/job/ddigtiar/job/20250404-gh-auth-3-to-1-line/roles/
There is no impersonation, so admins cannot check this page for other users. There is also the question of permission. "Role/View" is needed for the Roles page, if not mistaken. The "Who Am I?" page might be available to anybody with "Overall / Read".

Regarding the script itself: I think we should start all the scripts with a comment that explains the purpose of the script. It doesn't seem to be the rule, but lots of scripts do it.

@ironcerocloudbees
Contributor Author

Hey @duemir, you are right. This "Roles / Who Am I?" page does something similar. However, I'm not sure if the list of permissions inherited from different levels is shown as we can do it here.

Furthermore, the fact that we cannot impersonate could be a problem in some cases (where the administrator is asking for help).

I do believe this script could fill this little gap.

Kind regards,

Member

@duemir duemir left a comment

OK

@duemir duemir merged commit ab7d6fe into cloudbees:master Nov 10, 2025