 You'll see that I've instilled the extended read permission plugin version 3.1, this activates the feature. If I go to configure global security, you'll see I'm using matrix based security, which is the matrix auth plugin. And I've configured it to give my system reader user overall read and overall system read. They need both denotes connected, but in order to log in, you need read. So I'm going to now swap to a different session. And if I go here, system reader, system reader will open Jenkins. He said the rest of the jobs, but he doesn't have access to see them. You probably wouldn't do that in a real world. The system reader probably is allowed to see jobs by just having added the permission. So as you can see here, you can see, actually I might just pop back to the other view so that you can see a total to see everything that an admin currently sees. You see at the top is the admin monitors. That's not implemented yet. It needs some careful work so that the system reader user can't do some of the actions they shouldn't be able to do. So you see here there's three, six, nine, 12, about 20 pages available. So there's a couple of ones that are not planned at all to be implemented. Those are ones that are actions rather than actual pages that are prepared for shutdown as an action, reload configuration from disk, and the script page, which the only thing it does also not this one, the script console. So that just allows you to actually run code, which should never be allowed. So just going back to system read. These are the views that are coming very shortly. I think I forgot to install my last version of the configurations code plugin. Possibly I forgot to restart. I think I forgot to, sorry, I'll just leave that actually. It doesn't really matter. So you see here, global configure global security. You see it's a read only view. So there was an earlier permission implemented back in 2009 extended read that just that gave users access to view job configurations, but didn't actually change the UI. So that was quite confusing to users. So one feature that developed as part of this was adapting the HTML inputs and HTML UI to be clear to users that they can't interact with it. And in the certain cases where they can interact, making it obvious that they can. So the system reader user can hear, see who has access, see who has permission. They can see the security warnings. They're on this instance. And so you need a configuration that's there. One of the very interesting, one of them. So the configure system page is implemented. So you can come down here and they can see all the configuration. You'll see here that some of this doesn't look fully read only. That's because some of the UI is implemented in the plugins. So we've done incrementally. But everything that we have control of in core is being implemented. And you see here it tells you if a field isn't populated, it's not applicable. And it's got some styling on it to show that it's the system read that is changing this. The other thing I wanted to show, but I think I forgot to do a last compile is configuration as code plugin implemented that just in about 15 minutes just changed a little bit of code. And was able to get it. So system read user could go to configuration's code page. They could view the configuration. They could download it. And do the schemas and whatnot. So all the sort of user facing documentation and the currently running configuration. Just going on a chat. Is there anything else just thinking? Yeah, right. So I'll just quickly show a little bit of the developers that might be interested in this. I'm not really sure what the user audience here is. Is it mostly users or developers? So just quickly show a little bit of code for what plugin developers need to change. It's not very much. And most of it doesn't require raising the Jenkins core version. So if if you have a management link, it's probably I might just show matrix or plug in. So this is a very simple plug in which require well very simple to adapt to system read. Why did it change? So there's a control in core code is admin. So anything that you don't want to show on the page, you hide it with admin. So if I go to configure global security, you'll see that this add user or group button has been hidden to read only users. So it's just not there. So that's that's using the jelly tag is admin. There's also features detection. So rather than so this is a plug in need of some JavaScript adaption done. So the submit and apply buttons are hidden on pages where the user is read only. So you don't have to know saver apply button. So in matrix or we detect the button is present by querying for the submit button class. And if it's not present then we disable the checkboxes. Another class of this one. So most of this is driven off the read only mode jelly context variable where the top level page or that to the layout will set whether it's read only mode based on whether it's a minister or not. And if it's read only mode then the jelly tags will adapt the UI. Which in some cases means that you don't need to do any other UI changes at all. I think that's actually a fully read only view. So that's an example of a groovy view setting read only plug in manager. Here's the jelly example. So I was planning on including this in the slide deck but I didn't quite have enough time just to show some very short concrete examples. But this is basically the jelly fragment that gets copied around. J choose which is basically a complicated if else lock. So the permission check and then sets the value true or false depending on what's needed. And the last class of examples that I'll show is a plug in that needs to adapt in these in needs to access the core dependency. So not matrix or they just go to roll strategy plug in. So this plug in needed to add a dependency on the extended read permission plug in. And also needed to bump this call version to two one three four because that's the baseline for the extended read commission. So may require minor bump but it doesn't require going to two to two. So the reason that it needed this bump was it needed. It has its own pages. So it has a management link so it needed to directly reference the commission. Extended read permission. That's a reflection look up depending on your core version. Well, no, she not depending on your core version just tries to look it up. And if it finds that it'll give you system read. If it doesn't find it will give you administer. And that's basically it. That's the main examples. There's also an internal manage. If anyone needs to support the manager and system read permissions which was also introduced recently. But that's all I have. Does anyone have any questions or want to see anything else. So Tim, I did have a question if you're okay with. I'm just barging in and going to ask. So as a plugin developer. I've got a plug in platform label or as an example that has a global configuration page which has checkboxes on it. Are the checkboxes something that I'm going to need to adapt in my plug in or will system read some somehow magically take care of showing the state of those checkboxes for me. So is that on the configure system. Yes, one of its one of its pages is or one of its things is added to the configure system page. So you'll see here that that this page is already marked as read only. So if you don't have permission to configure anything on this page, it will automatically set read only for your configuration page. This page is slightly more complicated because they manage permission as well. So you can be allowed to manage part of this page and also read only part of it. So it basically checks where you have the required permission on each descriptor. And based on that will set read only mode. So these on here is no special changes as long as you're using standard jelly tags. So if checkbox and you're not writing standard HTML. So the problems will happen if people are either making their own jelly tags or writing HTML rather than the jelly tags. But as long as you're not doing that, then no, you shouldn't have to make any changes unless you want to enhance the UI to look a bit nicer. So on quite a few of the management link pages, we have done minor things to hide buttons and whatnot. But I haven't really done any effort and it looks reasonably good. Okay. And so how I could test I can test this by installing the extended read permission. Now do I need to install 2.222 to test this myself. Yeah. So let's have a look at it now. Okay. The platform label. Are you you're really yes platform label or vitally important, many, many, many. Yeah, okay, maybe not vitally important, but yes platform label or no dash. There it is. And so what it will do on the system page on the configure system page is it should add a checkbox that's called automatic platform labels. I did it. Cool. So no change on my part as a platform as a plugin maintainer, and the UI still retains my help and retains the value of the checkboxes that were defined, even though this particular plugin actually does not support configuration as code at all. This, this specific plugin has no support for configuration, it will eventually but it doesn't right now. And yet I get system read. Nice. Very nice. Thank you. Anyone else got any questions or any more questions from Mark. So could you take us back the page just for my reminder it was matrix off was a good example of place where I could see the jelly markup and role strategy those were two. Are you likely to do a blog post or some other play or maybe a web pages to Jenkins.io that we can use to read this to learn how to do it or to use video for now. There is a page in Jenkins.io. The only page in the view section. So this is a documentation here. I should have mentioned it earlier. So this one was slightly aimed towards was it's a mixture of both extended read to this one here is looking for configure not administer this one here is aimed at how making system read and manage work together. And this is this one here is more for tag developers. So if you've got your own tag, then these are some of the changes that you might want to do. And this is how she shouldn't need to do a lot of this, because most of it's handled for you in core. These are kind of some examples of the changes that were done in core to make it easy for a developer to consume them. But yeah, I expect this to be updated a bit as I think this was written pre-merge. It's still accurate, but probably had have some improvements. And yeah, I am planning on doing a blog post. I've just been working on getting this feature more out there just because I think it looks better if the feature is more complete than just two pages. Yeah, that is that is elegant. Thank you. Thanks for showing the demo. Thanks for doing a live demo with a pro plugin you probably never seen before and having it work that's that's impressive beyond impressive well done. I've never seen it before. It's an excellent plugin you would love it you need it. You can see this feature in the weekly release. Yeah. Taking the current discussion the developer might at least looks like it's going to end in the next LCS baseline because we are about choosing two dot two to two and your LCS fingers crossed. Yeah, there is still a lot of changes which need to be done to make it fully complete but hopefully by the next baseline will be able to integrate fully complete user experience for those who want to use. System with commissions. So now Tim I guess one one concern for people running production installations. If I don't install the extended read permission plugin. This is by default off. So I, I, I'm safeguarded from it. I have to install extended read permission plugin do I then have to enable some checkbox which says yes. No, there's two ways of doing it. You can. Well, three ways. You can run some groovy scripts. If you want to to enable or disable it, you can set a system property to enable disable it. And you can install the set of read permission plugin, which will automatically enable it. You can also then set a system property to disable it if you want to and you have the extended read permission plugin installed. You've got many options, but the recommended way is just to install the extended read permission plugin and it will activate it for you. Thank you. Thanks very much. Thank you for an excellent presentation. It was great. Now, like you mentioned about the recording. I actually don't know. I see that the recording says it's running. I make no commitment that it's actually running given how under how the behavior has been, but I propose we call it the meeting done and see if the recording is running. If not, Tim, we beg you to present it again later. Yeah, I'm going to, I'm going to stop the recording now. I have the function do that. And then I will edit this video at some point later today. I'll stop the recording now.