diff --git a/docs/fflags.adoc b/docs/fflags.adoc index 6ac6e8635..ad73f2531 100644 --- a/docs/fflags.adoc +++ b/docs/fflags.adoc @@ -3,15 +3,21 @@ The following system properties are available for toggling or specifying particular features to turn on or off. Like any system properties, they should be considered experimental and subject to removal without notice. -* `com.cloudbees.plugins.credentials.UseOwnPermission` - Enables the Credentials/UseOwn permission type which allows a -user to provide their own user-scoped credentials to a build. When this feature flag is not specified, this permission -is ignored in favor of Job/Build. When the flag is enabled, Credentials/UseOwn is only implied by Overall/Administer by -default. +* `com.cloudbees.plugins.credentials.UseOwnPermission` + - Setting this property to `true` enables the _Credentials/UseOwn_ permission. + Primarily useful when using project-based security authorization strategies or authenticated builds, this permission allows an immediate action to access user-scoped credentials from the user's private credentials store. + Immediate actions include invoking a build with parameters, tagging a build in SCM, providing credentials to a pipeline input step, and other user interaction. + Using this permission can help limit which users are allowed to provide their own credentials as input to an action which can be particularly handy when combined with the Authorize Project plugin where builds may be run as the user who triggered the build. + This allows separation of the permission to build a job from the permission to provide user-scoped credentials. + When this flag is `false` or unspecified, then _Job/Build_ is used instead for the same purpose. -* `com.cloudbees.plugins.credentials.UseItemPermission` - Enables the Credentials/UseItem permission type which allows a -user to select and use the credentials that the job or item has access to. This permission is implied by -Job/Configure, and when the feature flag is not present, then the permission is ignored in favor of Job/Configure. +* `com.cloudbees.plugins.credentials.UseItemPermission` + - Setting this property to `true` enables the _Credentials/UseItem_ permission. + Primarily useful when using project-based security authorization strategies or authenticated builds, this permission allows an immediate action to access credentials within the scope of the item. + Immediate actions include invoking a build with parameters, tagging a build in SCM, providing credentials to a pipeline input step, and other user interaction. + This allows separation of the permission to configure a job from permission to use credentials that the job would normally have access to. + When this flag is `false` or unspecified, then _Job/Configure_ is used instead for the same purpose. -* `com.cloudbees.plugins.credentials.CredentialsProvider.fingerprintEnabled` - Overrides the default behavior that -credentials tracking is handled by Jenkins fingerprints. This feature flag is enabled by default and can be disabled -by setting the property to `false`. +* `com.cloudbees.plugins.credentials.CredentialsProvider.fingerprintEnabled` + - Overrides the default behavior that credentials tracking is handled by Jenkins fingerprints. + This flag is enabled by default and can be disabled by setting the property to `false`.