fabric-tna: add read permissions for ProntoAccess

Change-Id: I6232abdfad6145045f9c2706d3f32cf6c806d97f
diff --git a/jjb/onf-macros.yaml b/jjb/onf-macros.yaml
index 38e8972..89ffce8 100644
--- a/jjb/onf-macros.yaml
+++ b/jjb/onf-macros.yaml
@@ -91,6 +91,39 @@
                 <permission>hudson.model.Item.ViewStatus:anonymous</permission>
               </hudson.security.AuthorizationMatrixProperty>
 
+# Sets permissions for job to be visible to ProntoAccess and ONFStaff only.
+- property:
+    name: onf-infra-pronto-private
+    properties:
+      - raw:
+          xml: |
+              <hudson.security.AuthorizationMatrixProperty>
+                <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy"/>
+                <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:JenkinsPowerusers</permission>
+                <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:JenkinsPowerusers</permission>
+                <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:JenkinsPowerusers</permission>
+                <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update:JenkinsPowerusers</permission>
+                <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.Build:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.Cancel:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.Configure:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.Delete:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.Discover:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.ExtendedRead:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.Move:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.Read:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.Workspace:JenkinsPowerusers</permission>
+                <permission>hudson.model.Run.Delete:JenkinsPowerusers</permission>
+                <permission>hudson.model.Run.Replay:JenkinsPowerusers</permission>
+                <permission>hudson.model.Run.Update:JenkinsPowerusers</permission>
+                <permission>hudson.model.Item.Discover:ONFStaff</permission>
+                <permission>hudson.model.Item.Discover:ProntoAccess</permission>
+                <permission>hudson.model.Item.Discover:anonymous</permission>
+                <permission>hudson.model.Item.Read:ONFStaff</permission>
+                <permission>hudson.model.Item.Read:ProntoAccess</permission>
+                <permission>hudson.model.Item.ViewStatus:anonymous</permission>
+              </hudson.security.AuthorizationMatrixProperty>
+
 # trigger on gerrit patchsets and actions
 # docs: https://docs.openstack.org/infra/jenkins-job-builder/triggers.html#triggers.gerrit
 # Uses a regex based project match