I configured global authentication to allow "authenticated" users to have all permissions.

Then, for a specific project, I configured several users to have all permissions, and "authenticated" users to have no permissions.

I expected that these project-level settings for authenticated users would trump global permissions.

Instead, it had no effect. all authenticated users could still perform all operations on this project.

Now, if in global permissions, I removed administer, build, and configure permissions for authenticated users, then the project level permissions worked as expected.

However, there's a serious downside here: by removing those permissions for authenticated users at the global level, I then have to add them for every project, which surely is not the expected behavior.

I'd expect that if authenticated users have all permissions, then all projects by default would inherit those permissions. However, the act of checking off "Enable Project Based Security" on any project should signal to Jenkins that Global permissions do not apply to this project, and that the only permissions that should apply are the ones configured for that project.