diff --git a/services/jenkins/helmrelease.yaml b/services/jenkins/helmrelease.yaml
index de4bda9..78e9382 100644
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@@ -92,7 +92,7 @@ spec:
 import jenkins.model.Jenkins
 import org.jenkinsci.plugins.oic.OicSecurityRealm
 import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
- import hudson.security.GlobalMatrixAuthorizationStrategy
+ import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
 def env = System.getenv()
 if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
 println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
@@ -126,8 +126,8 @@ spec:
 realm.setSendScopesInTokenRequest(true)
 def j = Jenkins.get()
 j.setSecurityRealm(realm)
- def auth = new GlobalMatrixAuthorizationStrategy()
- auth.add(Jenkins.ADMINISTER, "authenticated")
+ def auth = new FullControlOnceLoggedInAuthorizationStrategy()
+ auth.setAllowAnonymousRead(false)
 j.setAuthorizationStrategy(auth)
 j.save()
 println("Configured OIDC realm from init script (well-known)")
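Review bot: In the second hunk, `def auth = new FullControlOnceLoggedInAuthorizationStrategy()` still makes every account the OIDC provider authenticates a full Jenkins administrator, just as the removed `"authenticated"` matrix entry did. Nothing visible in the hunk narrows that to a group or claim. Administrator rights include the script console and credential management, so the effective access boundary is whoever the IdP lets sign in to this client; the realm setup that would show any group mapping starts above the hunk. If that is intended, record it next to the line, e.g. `// Every OIDC-authenticated user is a Jenkins admin; access is gated only by IdP app assignment.` Otherwise, prefer a strategy that grants `Jenkins.ADMINISTER` to a named IdP group (placeholder `<ADMIN_GROUP>`) and gives other authenticated users read-level permissions only, which presumably needs the realm's groups claim configured. Setting `setAllowAnonymousRead(false)` is worth keeping either way.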