diff --git a/README.md b/README.md
index 7247b79a90..20f876a848 100644
--- a/README.md
+++ b/README.md
@@ -98,13 +98,25 @@ cd:
   enabled: true
 ```
 
+For this to work, there needs to be at least one developers listed.
+If the list of developers is empty or missing entirely (e.g., after the last maintainer steps down), no new releases can be published through JEP-229 CD.
+
 **IMPORTANT:**
 When using JEP-229 CD, [every committer to your repository](https://www.jenkins.io/doc/developer/publishing/source-code-hosting/) can create new releases by merging pull requests.
 As a result, the list of maintainer accounts maintained in your plugin's YAML file is no longer the single reference on who can publish new releases.
 Be sure to check [which users have commit access](https://www.jenkins.io/doc/developer/publishing/source-code-hosting/) to your repository and remove any that are unexpected before enabling CD, as well as any unexpected [deploy keys](https://docs.github.com/en/developers/overview/managing-deploy-keys).
 Additionally, the users listed in this repository still serve as the contacts for security issues and plugin/component governance questions.
+For that reason, CD permissions are also only granted to components with at least one maintainer.
 In particular, the Jenkins security team will _not_ make an effort to reach out to GitHub committers when maintainers (and security contacts, see below) are unresponsive before [announcing vulnerabilities without a fix](https://www.jenkins.io/security/plugins/#unresolved).
 
+It is also possible to enable JEP-229 CD exclusively, i.e., the listed users will not be able to create new releases, but remain contacts for security issues and plugin/component governance questions. 
+
+```yaml
+cd:
+  enabled: true
+  exclusive: true
+```
+
 
 Managing Security Process
 -------------------------
diff --git a/permissions/component-core-annotation-processors.yml b/permissions/component-core-annotation-processors.yml
index 12c3ff7f34..da007252a8 100644
--- a/permissions/component-core-annotation-processors.yml
+++ b/permissions/component-core-annotation-processors.yml
@@ -3,6 +3,8 @@ name: "core-annotation-processors"
 github: "jenkinsci/core-annotation-processors"
 cd:
   enabled: true
+  exclusive: true
 paths:
   - "org/jenkins-ci/core-annotation-processors"
-developers: []
+developers:
+  - "@core"
diff --git a/permissions/component-jellydoc-annotations.yml b/permissions/component-jellydoc-annotations.yml
index da49a4d448..e0ead2f81e 100644
--- a/permissions/component-jellydoc-annotations.yml
+++ b/permissions/component-jellydoc-annotations.yml
@@ -6,3 +6,6 @@ paths:
   - "io/jenkins/tools/maven/jellydoc-annotations"
 cd:
   enabled: true
+  exclusive: true
+developers:
+  - "@core"
diff --git a/permissions/component-jellydoc-maven-plugin.yml b/permissions/component-jellydoc-maven-plugin.yml
index b0d3b70754..d5c961cc92 100644
--- a/permissions/component-jellydoc-maven-plugin.yml
+++ b/permissions/component-jellydoc-maven-plugin.yml
@@ -6,3 +6,6 @@ paths:
   - "io/jenkins/tools/maven/jellydoc-maven-plugin"
 cd:
   enabled: true
+  exclusive: true
+developers:
+  - "@core"
diff --git a/permissions/component-license-maven-plugin.yml b/permissions/component-license-maven-plugin.yml
index 9690043164..768f3e9610 100644
--- a/permissions/component-license-maven-plugin.yml
+++ b/permissions/component-license-maven-plugin.yml
@@ -8,3 +8,6 @@ paths:
   - "io/jenkins/tools/maven/license-maven-plugin"
 cd:
   enabled: true
+  exclusive: true
+developers:
+  - "@core"
diff --git a/permissions/component-stapler-maven-plugin.yml b/permissions/component-stapler-maven-plugin.yml
index 995ecd0227..40411a390b 100644
--- a/permissions/component-stapler-maven-plugin.yml
+++ b/permissions/component-stapler-maven-plugin.yml
@@ -7,3 +7,6 @@ paths:
   - "io/jenkins/tools/maven/stapler-maven-plugin"
 cd:
   enabled: true
+  exclusive: true
+developers:
+  - "@core"
diff --git a/permissions/component-stapler.yml b/permissions/component-stapler.yml
index d320330a5c..1293b13306 100644
--- a/permissions/component-stapler.yml
+++ b/permissions/component-stapler.yml
@@ -3,6 +3,8 @@ name: "stapler"
 github: "jenkinsci/stapler"
 cd:
   enabled: true
+  exclusive: true
 paths:
   - "org/kohsuke/stapler/stapler*"
-developers: []
+developers:
+  - "@core"
diff --git a/permissions/component-taglib-xml-writer.yml b/permissions/component-taglib-xml-writer.yml
index 26f7b99d42..664654fd9c 100644
--- a/permissions/component-taglib-xml-writer.yml
+++ b/permissions/component-taglib-xml-writer.yml
@@ -6,3 +6,6 @@ paths:
   - "io/jenkins/tools/maven/taglib-xml-writer"
 cd:
   enabled: true
+  exclusive: true
+developers:
+  - "@core"
diff --git a/permissions/plugin-any-buildstep.yml b/permissions/plugin-any-buildstep.yml
index 57bf417525..b3938dcef0 100644
--- a/permissions/plugin-any-buildstep.yml
+++ b/permissions/plugin-any-buildstep.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/any-buildstep"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-anything-goes-formatter.yml b/permissions/plugin-anything-goes-formatter.yml
index fc93030ed5..4d54f20aca 100644
--- a/permissions/plugin-anything-goes-formatter.yml
+++ b/permissions/plugin-anything-goes-formatter.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/anything-goes-formatter"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-backup-interrupt-plugin.yml b/permissions/plugin-backup-interrupt-plugin.yml
index 7f841b0ad0..e5139d8654 100644
--- a/permissions/plugin-backup-interrupt-plugin.yml
+++ b/permissions/plugin-backup-interrupt-plugin.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "jenkins/ci/plugins/backup/backup-interrupt-plugin"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-build-cause-run-condition.yml b/permissions/plugin-build-cause-run-condition.yml
index 51dbde458c..21385e5591 100644
--- a/permissions/plugin-build-cause-run-condition.yml
+++ b/permissions/plugin-build-cause-run-condition.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/build-cause-run-condition"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-build-keeper-plugin.yml b/permissions/plugin-build-keeper-plugin.yml
index 09dbfc4c04..cc549cbab9 100644
--- a/permissions/plugin-build-keeper-plugin.yml
+++ b/permissions/plugin-build-keeper-plugin.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/build-keeper-plugin"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-console-tail.yml b/permissions/plugin-console-tail.yml
index 6edb9ec360..db6b4f25fc 100644
--- a/permissions/plugin-console-tail.yml
+++ b/permissions/plugin-console-tail.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/console-tail"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-copy-project-link.yml b/permissions/plugin-copy-project-link.yml
index f0269bd12e..2db708af05 100644
--- a/permissions/plugin-copy-project-link.yml
+++ b/permissions/plugin-copy-project-link.yml
@@ -7,6 +7,5 @@ paths:
   - "hudson/plugins/copyProjectLink/copy-project-link"
   - "org/jenkins-ci/plugins/copy-project-link"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-create-fingerprint.yml b/permissions/plugin-create-fingerprint.yml
index f6025c4330..8a912a3ea0 100644
--- a/permissions/plugin-create-fingerprint.yml
+++ b/permissions/plugin-create-fingerprint.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/create-fingerprint"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-downstream-buildview.yml b/permissions/plugin-downstream-buildview.yml
index da89b56bee..7f2356ba2d 100644
--- a/permissions/plugin-downstream-buildview.yml
+++ b/permissions/plugin-downstream-buildview.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jvnet/hudson/plugins/downstream-buildview"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-downstream-ext.yml b/permissions/plugin-downstream-ext.yml
index 6b3fba0dea..8d82d5a3f4 100644
--- a/permissions/plugin-downstream-ext.yml
+++ b/permissions/plugin-downstream-ext.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/downstream-ext"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-envfile.yml b/permissions/plugin-envfile.yml
index dce1ff2fc8..8e3b95ab8d 100644
--- a/permissions/plugin-envfile.yml
+++ b/permissions/plugin-envfile.yml
@@ -7,6 +7,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/envfile"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-fail-the-build-plugin.yml b/permissions/plugin-fail-the-build-plugin.yml
index 1108fc3a79..452a52c398 100644
--- a/permissions/plugin-fail-the-build-plugin.yml
+++ b/permissions/plugin-fail-the-build-plugin.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/fail-the-build-plugin"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-favorite-view.yml b/permissions/plugin-favorite-view.yml
index d75d2ab67f..4cc109fac8 100644
--- a/permissions/plugin-favorite-view.yml
+++ b/permissions/plugin-favorite-view.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/favorite-view"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-groovy-remote.yml b/permissions/plugin-groovy-remote.yml
index 5656b144a4..1854898b5e 100644
--- a/permissions/plugin-groovy-remote.yml
+++ b/permissions/plugin-groovy-remote.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkinsci/plugins/groovy-remote"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-hsts-filter-plugin.yml b/permissions/plugin-hsts-filter-plugin.yml
index 0ae8656d87..892d6c2dae 100644
--- a/permissions/plugin-hsts-filter-plugin.yml
+++ b/permissions/plugin-hsts-filter-plugin.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/hsts-filter-plugin"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-jqs-monitoring.yml b/permissions/plugin-jqs-monitoring.yml
index e614e6e7e1..c8debaad9e 100644
--- a/permissions/plugin-jqs-monitoring.yml
+++ b/permissions/plugin-jqs-monitoring.yml
@@ -7,6 +7,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/jqs-monitoring"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-kpp-management-plugin.yml b/permissions/plugin-kpp-management-plugin.yml
index 161872be9a..d5f7600046 100644
--- a/permissions/plugin-kpp-management-plugin.yml
+++ b/permissions/plugin-kpp-management-plugin.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "sic/software/kpp-management-plugin"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-nant.yml b/permissions/plugin-nant.yml
index cbd3a4bdb6..e6a6c777ac 100644
--- a/permissions/plugin-nant.yml
+++ b/permissions/plugin-nant.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/nant"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-openid4java.yml b/permissions/plugin-openid4java.yml
index 47dc7a66aa..0dedb1938e 100644
--- a/permissions/plugin-openid4java.yml
+++ b/permissions/plugin-openid4java.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/openid4java"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-progress-bar-column-plugin.yml b/permissions/plugin-progress-bar-column-plugin.yml
index 0c4ce71d48..324247b79b 100644
--- a/permissions/plugin-progress-bar-column-plugin.yml
+++ b/permissions/plugin-progress-bar-column-plugin.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/progress-bar-column-plugin"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-project-stats-plugin.yml b/permissions/plugin-project-stats-plugin.yml
index e5c57626e4..ce939fcb1d 100644
--- a/permissions/plugin-project-stats-plugin.yml
+++ b/permissions/plugin-project-stats-plugin.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/project-stats-plugin"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-sbt.yml b/permissions/plugin-sbt.yml
index e1e576a173..d94db8be71 100644
--- a/permissions/plugin-sbt.yml
+++ b/permissions/plugin-sbt.yml
@@ -7,6 +7,5 @@ paths:
   - "org/jenkins-ci/plugins/sbt"
   - "org/jvnet/hudson/plugins/sbt"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-scoring-load-balancer.yml b/permissions/plugin-scoring-load-balancer.yml
index b23fb680ce..335a51b780 100644
--- a/permissions/plugin-scoring-load-balancer.yml
+++ b/permissions/plugin-scoring-load-balancer.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "jp/ikedam/jenkins/plugins/scoring-load-balancer"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-slave-status.yml b/permissions/plugin-slave-status.yml
index dbbce7a781..cc77fbed1e 100644
--- a/permissions/plugin-slave-status.yml
+++ b/permissions/plugin-slave-status.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jvnet/hudson/plugins/slave-status"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-statusmonitor.yml b/permissions/plugin-statusmonitor.yml
index c2e441c34c..08aa1fa15e 100644
--- a/permissions/plugin-statusmonitor.yml
+++ b/permissions/plugin-statusmonitor.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jvnet/hudson/plugins/statusmonitor"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-svn-revert-plugin.yml b/permissions/plugin-svn-revert-plugin.yml
index eeceda9c96..c9e2e6e786 100644
--- a/permissions/plugin-svn-revert-plugin.yml
+++ b/permissions/plugin-svn-revert-plugin.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/svn-revert-plugin"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-svncompat14.yml b/permissions/plugin-svncompat14.yml
index e942433780..3c92912261 100644
--- a/permissions/plugin-svncompat14.yml
+++ b/permissions/plugin-svncompat14.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jvnet/hudson/plugins/svncompat14"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-template-workflows.yml b/permissions/plugin-template-workflows.yml
index 122be25dd9..31a207a4ea 100644
--- a/permissions/plugin-template-workflows.yml
+++ b/permissions/plugin-template-workflows.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins/plugin/templateWorkflows/template-workflows"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-text-finder-run-condition.yml b/permissions/plugin-text-finder-run-condition.yml
index 9369d12a79..3c9f1ef74e 100644
--- a/permissions/plugin-text-finder-run-condition.yml
+++ b/permissions/plugin-text-finder-run-condition.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/text-finder-run-condition"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/plugin-windows-exe-runner.yml b/permissions/plugin-windows-exe-runner.yml
index 507623b778..fbfd8d0007 100644
--- a/permissions/plugin-windows-exe-runner.yml
+++ b/permissions/plugin-windows-exe-runner.yml
@@ -6,6 +6,5 @@ issues:
 paths:
   - "org/jenkins-ci/plugins/windows-exe-runner"
 developers: []
-#CD blocked for lack of maintainers
-#cd:
-#  enabled: true
+cd:
+  enabled: true
diff --git a/permissions/pom-jellydoc.yml b/permissions/pom-jellydoc.yml
index 426c719312..fc0beeaf35 100644
--- a/permissions/pom-jellydoc.yml
+++ b/permissions/pom-jellydoc.yml
@@ -6,3 +6,6 @@ paths:
   - "io/jenkins/tools/maven/jellydoc"
 cd:
   enabled: true
+  exclusive: true
+developers:
+  - "@core"
diff --git a/src/main/groovy/io/jenkins/infra/repository_permissions_updater/ArtifactoryPermissionsUpdater.groovy b/src/main/groovy/io/jenkins/infra/repository_permissions_updater/ArtifactoryPermissionsUpdater.groovy
index 76e6b45e7b..5482c56fa1 100644
--- a/src/main/groovy/io/jenkins/infra/repository_permissions_updater/ArtifactoryPermissionsUpdater.groovy
+++ b/src/main/groovy/io/jenkins/infra/repository_permissions_updater/ArtifactoryPermissionsUpdater.groovy
@@ -152,13 +152,17 @@ class ArtifactoryPermissionsUpdater {
                     if (!definition.github.matches('(jenkinsci)/.+')) {
                         throw new Exception("CD is only supported when the GitHub repository is in @jenkinsci")
                     }
-                    List<Definition> definitions = cdEnabledComponentsByGitHub[definition.github]
-                    if (!definitions) {
-                        definitions = new ArrayList<>()
-                        cdEnabledComponentsByGitHub[definition.github] = definitions
+                    if (definition.developers.length > 0) {
+                        List<Definition> definitions = cdEnabledComponentsByGitHub[definition.github]
+                        if (!definitions) {
+                            definitions = new ArrayList<>()
+                            cdEnabledComponentsByGitHub[definition.github] = definitions
+                        }
+                        LOGGER.log(Level.INFO, "CD-enabled component '${definition.name}' in repository '${definition.github}'")
+                        definitions.add(definition)
+                    } else {
+                        LOGGER.log(Level.INFO, "Skipping CD-enablement for '${definition.name}' in repository '${definition.github}' as it is unmaintained")
                     }
-                    LOGGER.log(Level.INFO, "CD-enabled component '${definition.name}' in repository '${definition.github}'")
-                    definitions.add(definition)
                 }
             } else {
                 if (definition.cd && definition.getCd().enabled) {
@@ -230,56 +234,80 @@ class ArtifactoryPermissionsUpdater {
                 principals {
                     if (definition.developers.length == 0) {
                         users [:]
+                        groups [:]
+                        if (definition.cd?.enabled) {
+                            LOGGER.log(Level.INFO, "Skipping CD group definition for " + definition.name + " as there are no maintainers")
+                        }
                     } else {
-                        users definition.developers.collectEntries { developer ->
-                            def existsInArtifactory = KnownUsers.existsInArtifactory(developer)
-                            def existsInJira = KnownUsers.existsInJira(developer) || JiraAPI.getInstance().isUserPresent(developer)
-
-                            if (!existsInArtifactory && !existsInJira) {
-                                reportChecksApiDetails(developer + " needs to log in to Artifactory and Jira",
-                                """
-                                ${developer} needs to log in to [Artifactory](https://repo.jenkins-ci.org/) and [Jira](https://issues.jenkins.io/).
-
-                                We resync our Artifactory and Jira user list every 2 hours, so you will need to wait some time before rebuilding your pull request.
-                                The easiest way to trigger a rebuild is to close your pull request, wait a few seconds and then reopen it.
-
-                                Alternatively the hosting team can re-trigger it if you post a comment saying you have now logged in.
-                                """.stripIndent())
-                                throw new IllegalStateException("User name not known to Artifactory and Jira: " + developer)
-                            }
-
-                            if (!existsInArtifactory) {
-                                reportChecksApiDetails(developer + " needs to log in to Artifactory",
-                                        """
-                                ${developer} needs to log in to [Artifactory](https://repo.jenkins-ci.org/).
-
-                                We resync our Artifactory user list every 2 hours, so you will need to wait some time before rebuilding your pull request.
-                                The easiest way to trigger a rebuild is to close your pull request, wait a few seconds and then reopen it.
-
-                                Alternatively the hosting team can re-trigger it if you post a comment saying you have now logged in.
-                                """.stripIndent())
-                                throw new IllegalStateException("User name not known to Artifactory: " + developer)
+                        if (!definition.cd?.exclusive) {
+                            users definition.developers.collectEntries { developer ->
+                                def existsInArtifactory = KnownUsers.existsInArtifactory(developer)
+                                def existsInJira = KnownUsers.existsInJira(developer) || JiraAPI.getInstance().isUserPresent(developer)
+
+                                if (!existsInArtifactory && !existsInJira) {
+                                    reportChecksApiDetails(developer + " needs to log in to Artifactory and Jira",
+                                            """
+                                    ${developer} needs to log in to [Artifactory](https://repo.jenkins-ci.org/) and [Jira](https://issues.jenkins.io/).
+
+                                    We resync our Artifactory and Jira user list every 2 hours, so you will need to wait some time before rebuilding your pull request.
+                                    The easiest way to trigger a rebuild is to close your pull request, wait a few seconds and then reopen it.
+
+                                    Alternatively the hosting team can re-trigger it if you post a comment saying you have now logged in.
+                                    """.stripIndent())
+                                    throw new IllegalStateException("User name not known to Artifactory and Jira: " + developer)
+                                }
+
+                                if (!existsInArtifactory) {
+                                    reportChecksApiDetails(developer + " needs to log in to Artifactory",
+                                            """
+                                    ${developer} needs to log in to [Artifactory](https://repo.jenkins-ci.org/).
+
+                                    We resync our Artifactory user list every 2 hours, so you will need to wait some time before rebuilding your pull request.
+                                    The easiest way to trigger a rebuild is to close your pull request, wait a few seconds and then reopen it.
+
+                                    Alternatively the hosting team can re-trigger it if you post a comment saying you have now logged in.
+                                    """.stripIndent())
+                                    throw new IllegalStateException("User name not known to Artifactory: " + developer)
+                                }
+
+                                if (!existsInJira) {
+                                    reportChecksApiDetails(developer + " needs to log in to Jira",
+                                            """
+                                    ${developer} needs to log in to [Jira](https://issues.jenkins.io/)
+
+                                    We resync our Jira user list every 2 hours, so you will need to wait some time before rebuilding your pull request.
+                                    The easiest way to trigger a rebuild is to close your pull request, wait a few seconds and then reopen it.
+
+                                    Alternatively the hosting team can re-trigger it if you post a comment saying you have now logged in.
+                                    """.stripIndent())
+                                    throw new IllegalStateException("User name not known to Jira: " + developer)
+                                }
+                                [(developer.toLowerCase(Locale.US)): ["w", "n"]]
                             }
-
-                            if (!existsInJira) {
-                                reportChecksApiDetails(developer + " needs to log in to Jira",
-                                        """
-                                ${developer} needs to log in to [Jira](https://issues.jenkins.io/)
-
-                                We resync our Jira user list every 2 hours, so you will need to wait some time before rebuilding your pull request.
-                                The easiest way to trigger a rebuild is to close your pull request, wait a few seconds and then reopen it.
-
-                                Alternatively the hosting team can re-trigger it if you post a comment saying you have now logged in.
-                                """.stripIndent())
-                                throw new IllegalStateException("User name not known to Jira: " + developer)
+                        } else {
+                            definition.developers.each { developer ->
+                                def existsInJira = KnownUsers.existsInJira(developer) || JiraAPI.getInstance().isUserPresent(developer)
+
+                                if (!existsInJira) {
+                                    reportChecksApiDetails(developer + " needs to log in to Jira",
+                                            """
+                                    ${developer} needs to log in to [Jira](https://issues.jenkins.io/)
+
+                                    We resync our Jira user list every 2 hours, so you will need to wait some time before rebuilding your pull request.
+                                    The easiest way to trigger a rebuild is to close your pull request, wait a few seconds and then reopen it.
+
+                                    Alternatively the hosting team can re-trigger it if you post a comment saying you have now logged in.
+                                    """.stripIndent())
+                                    throw new IllegalStateException("User name not known to Jira: " + developer)
+                                }
                             }
-                            [(developer.toLowerCase(Locale.US)): ["w", "n"]]
+                            users [:]
+                        }
+                        if (definition.cd?.enabled) {
+                            groups([(ArtifactoryAPI.getInstance().toGeneratedGroupName(definition.github)): ["w", "n"]])
+                        } else {
+                            groups([:])
                         }
-                    }
-                    if (definition.cd?.enabled) {
-                        groups([(ArtifactoryAPI.getInstance().toGeneratedGroupName(definition.github)): ["w", "n"]])
-                    } else {
-                        groups([:])
                     }
                 }
             }
diff --git a/src/main/java/io/jenkins/infra/repository_permissions_updater/Definition.java b/src/main/java/io/jenkins/infra/repository_permissions_updater/Definition.java
index 06e860b88f..5f1e2f0ee9 100644
--- a/src/main/java/io/jenkins/infra/repository_permissions_updater/Definition.java
+++ b/src/main/java/io/jenkins/infra/repository_permissions_updater/Definition.java
@@ -10,6 +10,7 @@ public class Definition {
 
     public static class CD {
         public boolean enabled;
+        public boolean exclusive;
     }
 
     public static class Security {