In order to allow users to see a specific job but not actually be able to do anything with it I have the following in place in the relevant .aclpolicy file (edited down for brevity):
    context:
      project: '.*'
    for:
      job:
        - deny: [run,create,delete,kill,killAs,runAs,scm_create,scm_delete,scm_update,toggle_execution,toggle_schedule,update,read]
          equals:
            uuid: ee70e193-733c-4cb2-bdf0-0d6672da563f
        - allow: '*'
    by:
      group: [users]
The deny line here is listing all available actions except view. I want my users to have access to all other jobs (in the example above I have '*' for the allowed actions, just by way of example).
What I'm wondering is if there is a way to shorten the deny line to something like - deny: [!view] or something -- basically an "everything except view" shortcut.
While the above works, I'm worried that a future update might add in extra actions, and these will then be available for this job as they are not specifically denied.
By default, Rundeck ACLs deny all actions (it works like a network firewall: it denies everything and you need to open things up step by step). In your case, you can use - allow: [view].
EDIT: Right now, a rule like the one in the question doesn't exist.
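The concern in the question (an action added by a later release slipping past an enumerated deny list) can be checked mechanically. The following is an added example, not part of the original posts and not Rundeck's own evaluator: it assumes a simplified model (default deny, a matching deny overrides any allow), hypothetical function names, and a constructed placeholder action `new_action`.

```python
# Added example: simplified model of job-rule evaluation, not Rundeck's code.
# Assumed semantics: default deny, and a matching deny overrides any allow.

RESTRICTED = "ee70e193-733c-4cb2-bdf0-0d6672da563f"  # uuid from the question
DENIED = ["run", "create", "delete", "kill", "killAs", "runAs", "scm_create",
          "scm_delete", "scm_update", "toggle_execution", "toggle_schedule",
          "update", "read"]

# The question's job rules, written as Python data instead of YAML.
POLICY = [
    {"deny": DENIED, "equals": {"uuid": RESTRICTED}},
    {"allow": "*"},
]


def covers(actions, action):
    """True if a rule's action list (or '*') includes the action."""
    return actions == "*" or action in actions


def matches(rule, job):
    """A rule without 'equals' applies to every job."""
    return all(job.get(k) == v for k, v in rule.get("equals", {}).items())


def authorized(policy, job, action):
    """Default deny; any matching deny beats any matching allow."""
    hits = [r for r in policy if matches(r, job)]
    if any(covers(r.get("deny", []), action) for r in hits):
        return False
    return any(covers(r.get("allow", []), action) for r in hits)


def exposed(policy, job, known_actions, intended=("view",)):
    """Actions the job grants beyond what was intended."""
    return sorted(a for a in known_actions
                  if a not in intended and authorized(policy, job, a))


if __name__ == "__main__":
    job = {"uuid": RESTRICTED}
    today = DENIED + ["view"]
    after_upgrade = today + ["new_action"]  # constructed placeholder action
    print("exposed today:", exposed(POLICY, job, today))
    print("exposed after upgrade:", exposed(POLICY, job, after_upgrade))
```

Feeding `exposed` the job action list of the installed version after each upgrade flags any action that the broad allow rule would hand to the restricted job.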