- Type: Bug
- Resolution: Unresolved
- Priority: Critical
- None
- Environment: Jenkins 1.581, instant-messaging plugin 1.30
In the global authorization matrix (https://ci.gfi.fr/jenkins/configureSecurity/), the "Authorization" option is "Project-based Matrix Authorization Strategy":
the "jenkins-im" user has all authorizations, and is the one I've mapped to the "Jenkins Username" parameter of the "instant-messaging plugin".
I have a user with no rights at all in Jenkins but who is allowed to connect to the conference used by "jenkins-im".
This user can send any bot commands, and this is really weird. The same is true for a registered Jenkins user having only read/view rights. If he can only see builds using the Web/REST/CLI interfaces, this plugin acts like a "sudo".
The "Jenkins Username" parameter of the "instant-messaging plugin" should be removed or merged with the rights of the connected IM user. The Jenkins user corresponding to the author of the bot command must be used.
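The two behaviours described above, modelled as an added example (this is not the instant-messaging plugin's own code and does not use the Jenkins API): a dispatcher that runs every chat command under one fixed, fully privileged account behaves like sudo for anyone who can reach the conference, while a dispatcher that resolves the IM sender to a Jenkins user and checks that user's own permissions enforces the authorization matrix. The user names, the IM-to-Jenkins mapping, the permission names and the command table are all constructed sample data.

```python
"""Added example: fixed-identity bot dispatch versus sender-based dispatch.

Constructed sample data; not taken from the plugin or from the reporter's
Jenkins instance.
"""

# Constructed authorization matrix: Jenkins user -> granted permissions.
# "anonymous" is the identity used for any IM sender not mapped to a user.
MATRIX = {
    "jenkins-im": {"Overall/Read", "Job/Read", "Job/Build", "Job/Cancel"},
    "alice": {"Overall/Read", "Job/Read"},  # registered user, read/view only
    "anonymous": set(),                      # no rights at all
}

# Hypothetical mapping from IM identity (e.g. conference nickname) to Jenkins user.
IM_TO_JENKINS = {"alice@chat": "alice"}

# Permission each bot command requires (constructed table).
COMMAND_PERMISSIONS = {
    "status": "Job/Read",
    "build": "Job/Build",
    "abort": "Job/Cancel",
}

BOT_USER = "jenkins-im"  # the fixed "Jenkins Username" the bot is configured with


class PermissionDenied(Exception):
    """Raised when the acting identity lacks the permission a command needs."""


def has_permission(user: str, permission: str) -> bool:
    """Look the user up in the constructed matrix; unknown users have nothing."""
    return permission in MATRIX.get(user, set())


def required_permission(command: str) -> str:
    if command not in COMMAND_PERMISSIONS:
        raise ValueError(f"unknown command: {command}")
    return COMMAND_PERMISSIONS[command]


def dispatch_as_bot_user(im_sender: str, command: str) -> str:
    """Vulnerable pattern described in the report: the sender's identity is
    ignored and every command is executed as the configured bot user, so the
    bot account's rights are effectively lent to anyone in the conference."""
    permission = required_permission(command)
    if not has_permission(BOT_USER, permission):
        raise PermissionDenied(f"{BOT_USER} lacks {permission}")
    return f"ran '{command}' as {BOT_USER} (requested by {im_sender})"


def dispatch_as_sender(im_sender: str, command: str) -> str:
    """Hardened pattern: resolve the command author to a Jenkins user and let
    that user's own rights decide; unmapped senders are treated as anonymous."""
    jenkins_user = IM_TO_JENKINS.get(im_sender, "anonymous")
    permission = required_permission(command)
    if not has_permission(jenkins_user, permission):
        raise PermissionDenied(
            f"{im_sender} (Jenkins user {jenkins_user}) lacks {permission}"
        )
    return f"ran '{command}' as {jenkins_user}"


def outcome(dispatcher, im_sender: str, command: str) -> str:
    """Run a dispatcher and report the result as a string, for comparison."""
    try:
        return dispatcher(im_sender, command)
    except PermissionDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    for sender, command in [("stranger@chat", "build"), ("alice@chat", "status"),
                            ("alice@chat", "build")]:
        print("fixed identity :", outcome(dispatch_as_bot_user, sender, command))
        print("sender identity:", outcome(dispatch_as_sender, sender, command))
```

With the fixed-identity dispatcher, a sender who has no Jenkins account at all can trigger a build because only "jenkins-im" is ever checked; with the sender-based dispatcher, the same request is refused, and "alice" can query status but not build, matching her read-only rights. Mapping an IM identity to a Jenkins user is the step the report asks for, and unmapped senders must fall through to an identity with no rights rather than to the bot's.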
- Relates to: JENKINS-58925 Revise interaction with user-based permissions to access (list) jobs, builds, queue items... (Open)