As an admin, I can retrieve the API token of all users with:
user = hudson.model.User.get('userId')
prop = user.getProperty(jenkins.security.ApiTokenProperty.class)
println(prop.getApiTokenInsecure())
and then I can launch a command on their behalf (even on another admin's behalf).
That should not be possible.
A malicious administrator can do whatever he wants; that is not acceptable at an organization level.
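From a defender's side, the practical response to this report is to find out which accounts still carry a legacy (plaintext-recoverable) API token so they can be rotated. The script below is an added example for the Jenkins script console and is not part of the issue report or of Jenkins itself. It assumes a Jenkins core new enough to ship hashed API tokens (2.129 or later), and that `ApiTokenProperty.hasLegacyToken()` and `ApiTokenStore.getTokenListSortedByName()` are available; it only lists token metadata and never reads a token value.

```groovy
// Added example (not from the report): audit which users still hold a legacy API
// token that getApiTokenInsecure() could reveal. Assumes Jenkins >= 2.129 and the
// hasLegacyToken() / getTokenStore() accessors on ApiTokenProperty.
import hudson.model.User
import jenkins.security.ApiTokenProperty

def findings = []

User.getAll().each { user ->
    def prop = user.getProperty(ApiTokenProperty.class)
    if (prop == null) {
        return   // user has never had an API token property
    }
    // true when the old, reversible token is still stored for this user
    boolean legacy = prop.hasLegacyToken()
    // hashed tokens created with the newer mechanism; only names, never secrets
    def hashed = prop.getTokenStore().getTokenListSortedByName()
    if (legacy || !hashed.isEmpty()) {
        findings << [
            id         : user.id,
            legacyToken: legacy,
            tokenCount : hashed.size(),
            tokenNames : hashed.collect { it.name },
        ]
    }
}

findings.each { f ->
    println "${f.id}: legacyToken=${f.legacyToken}, hashedTokens=${f.tokenCount} ${f.tokenNames}"
}

// Return the list of accounts that need their legacy token rotated.
return findings.findAll { it.legacyToken }.collect { it.id }
```

Run it from Manage Jenkins > Script Console as an administrator. Accounts that come back with `legacyToken=true` should generate a fresh hashed token from their own Configure page and then revoke the legacy one; the hashed tokens are stored only as hashes, so the retrieval shown in the report no longer yields a usable secret for them.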