I want to add a group/user to an Azure DevOps project with just access to repositories and pipelines.
If I deny "View project-level information" they don't have access to the project at all.
If I allow the "View project-level information" it gives them a read-only access to the Project Settings including permissions to see users and members of other groups etc.
It seems unbelievable that such a basic security and privacy hole exists.
Am I missing something in the config because I have never seen this in any other application and I find it hard to believe that everyone else using Azure DevOps finds this acceptable.
The easiest equivalent is GitHub (that Microsoft now owns) and you can't see the project settings if you are just a contributor.
How do I give external contractors access to the project to work but prevent them from viewing the Project Settings?
There is no possibility to restrict access to the Team Project - Project Settings page. The only thing that comes close is the feature that is now in preview: Limit user visibility and collaboration to specific projects, which will enable you to restrict access to the Organization Settings. You could suggest this feature in the Microsoft Developer Community.
Related
In Azure devops is it possible to grant access (read-only) to a repo in a project without the user having access to the project containing the repo?
We want to use the repo basically as a file share with clients that shouldn't be able to see all our code/scripts/pipelines etc that exist in the parent project and other repos.
As stakeholder access on the project and Reader rights on the repo they had too much access to the project. Removing them from the project and creating a new group with limited repo rights they got to a forbidden, access denied screen which makes me think they have to have access to the project.
My testing is limited because of corporate environment I am unable to create additional users/emails and don't want to have to keep asking co-workers to test every change I could try.
Azure DevOps is designed to enable all valid users to view all objects defined in the system. You can restrict access to specific resources by setting the permission state to Deny.
So not quite sure if this specific requirement is achievable. The closest you could probably get to is this: Assign read-only rights to a single repository in Azure DevOps.
Here is a very similar idea on Developer Community from 2019: Restrict access to dev ops functionality for a guest user. One more resolved post: Restrict access to specific objects in DevOps.
If you think this implementing this suggestion can benefit others in the Community as well, do request it as a new feature on Developer Community for Azure DevOps.
Also go through the elaborate documentation available for configuring ADO granular security controls and check if changing individual permission at the project-level helps.
I want to change the security settings of my repository project by selecting More options > Security in Azure DevOps web console / browser. But when I do so, I get the below error:
Your administrator has disabled web editing for this repository. You cannot add, delete, rename, or edit files via the web.
I am an administrator myself and not sure what setting I should change and where in Azure DevOps, given that it has varying levels of permissions and that the error message above is more cryptic that I don't see a setting that matches it anywhere.
Note: I am also admin of an external group where access permissions are restricted to many of the projects in this repository. Not sure if this deny is over-riding my permissions and how to go about solving the issue if this is the case.
I really would appreciate your help in fixing this issue
Your administrator has disabled web editing for this repository. You cannot add, delete, rename, or edit files via the web.
As far as I know, this issue should appear in the TFVC repo.
To solve this issue, you need to navigate to Project Settings -> Repositories -> TFVC Repo -> Settings and enable the Web editing option.
I have added multiple team members to two different teams in Azure Devops project. But team members are not able to see organization, project and dashboards when they login to devops account?
team members are not able to see organization, project and dashboards
Users cannot see the organization, you can first check whether these users have been added to the organization in Users of Organization Settings.
Then you can check whether the user has the permission to access the project on the Manage user page.
Regarding that users cannot see the projects, you can check whether the “View project-level information” permission of the team is set to Deny in the Permissions of Projects Settings.
Regarding that the user cannot see the dashboard, there should be no permission to restrict it. All users in the project should be able to see the dashboard. Can you share the screenshots about this issue?
In addition, you can try to let users log in with incognito window to see if the problem exists. Check if your organization is connected to AAD.
This is the answer for my additional questinos.
To get an access to Devops project user must be added in the organization either as stakeholder or owner
Once they are owner or stakeholder they are able to access all the features.
Right now my NuGet restore fails since the project build user doesn't have contributor access to the package feed.
/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Unable to load the service index for source pkgs.dev.azure.com[..]index.json.
/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Response status code does not indicate success: 403 (Forbidden - User 'xxxxxxx' lacks permission to complete this action. You need to have 'ReadPackages'.
The solution is to change the build authorization scope from current project to project collection. This seems very doable as seen here:
https://learn.microsoft.com/en-us/azure/devops/pipelines/build/options?view=azure-devops
But where, in DevOps' myriad menus, can this scope be set?
EDIT 2023: The Artifacts UI in DevOps has changed since this answer and this answer is no longer valid. See J-M's answer on a similar question:
https://stackoverflow.com/a/73136309/5358731
There was a workaround for this 403 error posted a few hours ago: https://developercommunity.visualstudio.com/content/problem/795493/403-error-during-nuget-restore.html
In short, this seems to affect new projects connecting to a private feed. Here's the suggested work around:
Click "Artifacts" in the project with the failing build
Select the feed you were trying to consume in your build and click the cog in the top right corner
Click "Feed Settings"
Go to the Permissions tab
Click the 3 dots [...] that appeared to the right of the tab
Click "Allow project-scoped builds"
This adds the relevant user permissions that the error the OP posted was complaining about. Hopefully Microsoft will make a proper fix for this soon.
Full credit to Tim Lynch from the developer community page.
All answers are valid but it depends.
Take into account that only Contributor and Owner roles are allowed to push packages read the docs here.
Then also remember Scoped build identities .
Azure DevOps uses two built-in identities to execute pipelines.
A collection-scoped identity, which has access to all projects in the collection (or organization for Azure DevOps Services)
A project-scoped identity, which has access to a single project
...
By default, the collection-scoped identity is used, unless the Limit
job authorization scope to current project is set in Project Settings > Settings.
With this in mind follow the next steps:
You need to check which identity is being used for your pipelines:
For me is project-scoped identity
Add/Check the Feed Permissions as it may apply (I'll leave a description below the image)
No. 1 If the identity is collection-scoped
No. 2 If the identity is project-scoped
No. 3 Give your contributors the least privilege principle if it applies. (For me its ok to leave them read the feed, and the pipeline or me are the only ones allowed to push packages)
Remember again you need to use Owner or Contributor roles.
Go to your feed settings:
In the Permissions tab verify that have at least reader permissions to "Project Collection Build Service (username)":
It appears under Organization and Project Settings. Find Pipelines/Settings and there is a toggle option named Limit job authorization scope to current project.
We are planning to use the Visual Studio Team Service for our DevOps process. But the problem is we can not give restriction in repository level. In Visual Studio Team Service , restriction can be implemented in project level, We want to create all repository in one project so that we can easily manage our scrum board. Now how can we give repository level restriction like GitHub or Bitbucket where only assigned team member can only see the repository ?
You can refer to these steps to set permission:
1.Add users to your VSTS (https://XXX.visualstudio.com/_user) (I turn off the feature of Streamlined User Management)
2.Go to your Git team project admin page and select version control (https://XXX.visualstudio.com/[teamproject]/_admin/_versioncontrol)
3.Select a repository
4.In Security page, click Add > Add user to add members
5.Grant these users Contribute and Read permission
Note: View instance-level information (For connection in Visual Studio) and View project-level information are needed too.
More information about permission, you can refer to this article: Permissions and groups defined for Team Services and TFS
You can set permissions at the repository level. Look at the "Version Control" section of the administration area.