I want to give an AzureDevOps user the privilege to create a pipeline from a repository and run it, without having to give them privilege on all the other pipelines in the project. I can't find a way to do this... it seems you can only give permissions to all or nothing.
Related
When I am running the pipeline there is no error that occurs.
But when another project administrator tries to Run a CI pipeline they get an "Failed to load Azure Repos source specified by this pipeline" Error.
Like below:
I assigned the other users as Project administrators and they too have the same permissions as me. Yet they get this error. How to mitigate this? Is it an organization-related setting or a project-related issue?
The users can still run the CI pipeline by clicking on the run button, just that they cannot select the "branch/tag" and this error keeps popping up.
Failed to load Azure Repos source specified by this pipeline. Please ensure Azure Repos is enabled for this project.
The cause of the issue can be related to the Access Level of the users.
If the access level of the users are Stakeholder, they will have no access to the repos and get the error above even though they are Project admin.
Navigate to Organization Settings -> Users and check the Access Level of the users.
You need to grant Basic Access level to the users and they will have access to see the repo and select the branch when running Pipeline.
Refer to this doc: About access levels in Azure DevOps
The azure-pipeline.yml is placed in the repo, I don't want other users to be able to edit it while running the pipeline.
How can I achieve this from Azure devops.
Locking a branch is available, can I use same for a single file azure-pipeline.yml in my case.
You should go under Project -> Repositories -> Security and restrict access to the particular user or group. This way user could run the pipeline but cannot view the .YAML file or edit it.
You cannot restrict a single file, permissions should be given on the repository.
In Azure devops is it possible to grant access (read-only) to a repo in a project without the user having access to the project containing the repo?
We want to use the repo basically as a file share with clients that shouldn't be able to see all our code/scripts/pipelines etc that exist in the parent project and other repos.
As stakeholder access on the project and Reader rights on the repo they had too much access to the project. Removing them from the project and creating a new group with limited repo rights they got to a forbidden, access denied screen which makes me think they have to have access to the project.
My testing is limited because of corporate environment I am unable to create additional users/emails and don't want to have to keep asking co-workers to test every change I could try.
Azure DevOps is designed to enable all valid users to view all objects defined in the system. You can restrict access to specific resources by setting the permission state to Deny.
So not quite sure if this specific requirement is achievable. The closest you could probably get to is this: Assign read-only rights to a single repository in Azure DevOps.
Here is a very similar idea on Developer Community from 2019: Restrict access to dev ops functionality for a guest user. One more resolved post: Restrict access to specific objects in DevOps.
If you think this implementing this suggestion can benefit others in the Community as well, do request it as a new feature on Developer Community for Azure DevOps.
Also go through the elaborate documentation available for configuring ADO granular security controls and check if changing individual permission at the project-level helps.
I am reading through this documentation - https://learn.microsoft.com/en-us/rest/api/azure/devops, I can't see a clear answer on how one can manage permissions to run pipelines and permissions to edit variable groups through the Rest API.
For security management with REST APIs you can refer to Security for details. Some of the REST APIs are not documented, however we can track them by develop tools (the simplest way is pressing F12 in your browser).
In your scenario seems you are trying to manage the permission of the pipelines in a specific project. If so, we can navigate to the Pipeline node -> Manage security -> Select the specific group/user to set the permission accordingly, (Just track the APIs when do the actions).
To run the pipelines, we at least need the View build pipeline , View builds, Queue builds permissions. You can also set other permissions as needed.
For example, just Deny the Queue builds permission for the Contributors group:
POST https://dev.azure.com/{organization}/{Project}/_api/_security/ManagePermissions?api-version=5.1
Sample Request Body:
{"updatePackage":"{\"IsRemovingIdentity\":false,\"TeamFoundationId\":\"24cb2a78-4d79-49d6-b96c-bf0ac65d7032\",\"DescriptorIdentityType\":\"Microsoft.TeamFoundation.Identity\",\"DescriptorIdentifier\":\"S-1-9-1551374245-3809964236-1275365961-2582801090-4223875273-1-492339072-1927234371-3142690236-612141869\",\"PermissionSetId\":\"33344d9c-fc72-4d6f-aba5-fa317101a7e9\",\"PermissionSetToken\":\"cc7017e3-044c-498a-99f2-6ac2fbc338c9\",\"RefreshIdentities\":false,\"Updates\":[{\"PermissionId\":2,\"PermissionBit\":128,\"NamespaceId\":\"33344d9c-fc72-4d6f-aba5-fa317101a7e9\",\"Token\":\"cc7017e3-044c-498a-99f2-6ac2fbc338c9\"}],\"TokenDisplayName\":null}"}
Do the same things to track the APIs to manage the variable groups.
In addition, you can also use the Azure CLI to manage the permissions, refer to az devops security for details.
My company creates a lot of projects in Azure DevOps, and they all have the same structure -- same members, same permissions. Each project has different Git repositories within it, but that's the only thing (other than the name) that differs between them. It would be helpful to have a template so that everything is set up correctly each time we need a new one.
I don't see a way to do this through the web interface. I have the sense that I could probably do it with a script, but I don't know where to begin with that (including which tool to use). Where should I start?
It looks like there is now a way to do this without the Azure DevOps CLI (as long as your project that you want to template is one of the supported types (Agile, Scrum and Basic)). There is a tool available here that will step you through the process.
There is also an excellent blog post here that gives you an overview.
Yes, you can accomplish most of the configuration by script. For the beginning you might take a look at the Azure Devops CLI, which allows you to perform several actions on Azure Devops, like:
Create projects, Users and configure security
Create repositories, pipelines and set branch permissions
Create and manage work items
...