
Restrict user logon in Jenkins


Problem

We have been using a Groovy script to read the build queue state:

def builder = new groovy.json.JsonBuilder()

builder {
  queueItems(Jenkins.instance.queue.items.collect { obj ->
      [
        id: obj.id,
        name: obj.task.name,
        isStuck: obj.stuck,
        isBlocked: obj.blocked,
        isDisabled: obj.task.disabled,
        inQueueSince: obj.inQueueSince,
        why: obj.why,
        causesDescription: obj.causesDescription,
        queueItemUrl: obj.url,
        taskUrl: obj.task.url
      ]
   })
}

println builder.toPrettyString()


Then we added the Azure AD plugin. It requires an account with the hudson.model.Hudson.Administer permission to run a script.

We use a tech account, but the problem is that everyone can log on interactively using this login and become a Jenkins admin.

Is it possible to have this account enabled, but restrict interactive logon to Jenkins?

Solution

If you're running this code today via the script console, you're probably running into a RejectedAccessException from the sandbox, which is why you require admin access to run this, coupled with and/or needing administrator access to use the script console.

If you put this code into a shared library, the code becomes trusted, and you no longer require administrator access to run the code and you no longer need the script console. You just need a job that can call the shared library; if needed, you can restrict access to the folder or job.

Context

StackExchange DevOps Q#8794, answer score: 1
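
The shared-library approach described in the answer, as an added example (not code from the original post): a global variable file that wraps the question's queue script. It assumes the library is registered as a global (trusted) pipeline library, since folder-level libraries still run in the sandbox; the file name vars/queueState.groovy and the library name queue-tools are assumptions.

```groovy
// vars/queueState.groovy (hypothetical file name) in a global shared library.
// Global libraries are trusted: their code runs outside the Groovy sandbox,
// so the calling job needs no Administer permission and no script console.
import groovy.json.JsonOutput
import jenkins.model.Jenkins

// Entry point: a pipeline calls this as queueState()
def call() {
    return collectQueue()
}

// @NonCPS because Queue.Item objects are not Serializable; they must be
// read and reduced to plain maps/strings inside one non-CPS method.
@NonCPS
String collectQueue() {
    def items = Jenkins.instance.queue.items.collect { item ->
        // Same fields as the script in the question
        [
            id               : item.id,
            name             : item.task.name,
            isStuck          : item.stuck,
            isBlocked        : item.blocked,
            isDisabled       : item.task.disabled,
            inQueueSince     : item.inQueueSince,
            why              : item.why,
            causesDescription: item.causesDescription,
            queueItemUrl     : item.url,
            taskUrl          : item.task.url
        ]
    }
    // Only a String leaves this method, which is safe to pass to pipeline steps
    return JsonOutput.prettyPrint(JsonOutput.toJson([queueItems: items]))
}
```

A job in an access-restricted folder can then call it with `@Library('queue-tools') _` followed by `echo queueState()`. Because trusted library code runs outside the sandbox, write access to the library repository should be limited as tightly as admin access itself.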
