As I struggled for a few hours trying to set up valid ACLs, here is a policy file usable on Rundeck to allow a run-only group of users.
The Rundeck doc on ACLs is... insufficient. And as stated before, I needed to grant execution of jobs to a dedicated group, but without any other rights.
Adding this file to your Rundeck setup will grant all users belonging to the deploy group execution of all jobs in all projects.
```yaml
description: Application access.
context:
  application: rundeck
for:
  project:
    - allow: read
by:
  group: [deploy]
---
description: global project config for running jobs on nodes.
context:
  project: '.*'
for:
  resource:
    - equals:
        kind: 'event'
      allow: read
    - equals:
        kind: 'node'
      allow: [read, refresh, run] # allow refresh node sources (dynamic nodes resources)
  job:
    - allow: [read, run, kill]
  node:
    - allow: [read, run]
by:
  group: [deploy]
```
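The policy above matches every project and every job. The variant below is an added example, not part of the original post: it keeps the same run-only grant but narrows it to one project and one job group. The project name `webapp` and the job group `deploy` are hypothetical; `name` and `group` are the rule properties Rundeck's ACL format defines for project and job resources.

```yaml
# Added example: same run-only grant, scoped to one project and one job group.
# 'webapp' (project) and 'deploy' (job group path) are hypothetical names.
description: Application access, limited to the webapp project.
context:
  application: rundeck
for:
  project:
    - equals:
        name: 'webapp'            # only this project is readable
      allow: read
by:
  group: [deploy]
---
description: Run-only access to jobs under the deploy job group in webapp.
context:
  project: 'webapp'               # regex; was '.*' (all projects)
for:
  resource:
    - equals:
        kind: 'event'
      allow: read
    - equals:
        kind: 'node'
      allow: [read, refresh, run]
  job:
    - match:
        group: 'deploy(/.*)?'     # regex on the job's group path, subgroups included
      allow: [read, run, kill]    # no create, update or delete
  node:
    - allow: [read, run]
by:
  group: [deploy]
```

Jobs outside the `deploy` group, and every other project, match no rule for this group and are therefore not authorized.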