Policy report to view summary of all resources an account has access on GCloud - gcloud

In GCloud, I would like to see what resources a service account can access, but the console shows me the message "The Selected project does not have any ancestors to run a policy report over."
Does anyone know what this means and how to fix it?

The Policy Analyzer requires a Google Cloud Organization. You can run the Policy Analyzer at the organization or folder level.
If you have an organization, select the Organization at the top of the Google Cloud Console in the project selector dropdown.
If you do not have an organization, create one and move your project into the organization.
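As an added example (not part of the original answer): a project's own IAM policy can still be inspected directly to see which roles a service account holds on that project. The sketch assumes the JSON shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the sample policy, the service-account name and the function name are constructed for illustration, and the check covers only project-level bindings, not policies set on individual resources.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "etag": "constructed-etag",
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["group:devs@example.com"]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "only-ci-secrets",
                   "expression": "resource.name.startsWith('projects/123/secrets/ci-')"}},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers"]}
  ]
}
""")

# Principals that also match a service account without naming it.
BROAD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def roles_for_member(policy, member):
    """Return sorted (role, condition_title_or_None, via) tuples for `member`.

    Group membership is not resolved here: a role granted to a group that
    contains the service account will not show up.
    """
    found = []
    for binding in policy.get("bindings", []):
        members = set(binding.get("members", []))
        cond = binding.get("condition", {}).get("title")
        if member in members:
            found.append((binding["role"], cond, "direct"))
        for broad in sorted(members & BROAD_MEMBERS):
            found.append((binding["role"], cond, broad))
    return sorted(found, key=lambda row: (row[0], row[2]))


if __name__ == "__main__":
    sa = "serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"
    for role, cond, via in roles_for_member(SAMPLE_POLICY, sa):
        print(f"{role:40} via={via:22} condition={cond}")
```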

Related

"Failed to load Azure Repos source specified by this pipeline" Error When another Project Administrator tries to run the Pipeline

When I am running the pipeline there is no error that occurs.
But when another project administrator tries to run a CI pipeline, they get a "Failed to load Azure Repos source specified by this pipeline" error.
Like below:
I assigned the other users as Project administrators and they too have the same permissions as me. Yet they get this error. How to mitigate this? Is it an organization-related setting or a project-related issue?
The users can still run the CI pipeline by clicking on the run button, just that they cannot select the "branch/tag" and this error keeps popping up.
Failed to load Azure Repos source specified by this pipeline. Please ensure Azure Repos is enabled for this project.
The cause of the issue can be related to the Access Level of the users.
If the access level of the users is Stakeholder, they will have no access to the repos and will get the error above even though they are Project admins.
Navigate to Organization Settings -> Users and check the Access Level of the users.
You need to grant Basic Access level to the users and they will have access to see the repo and select the branch when running Pipeline.
Refer to this doc: About access levels in Azure DevOps

How Do I Restrict Access To Viewing Azure DevOps Project Settings?

I want to add a group/user to an Azure DevOps project with just access to repositories and pipelines.
If I deny "View project-level information" they don't have access to the project at all.
If I allow "View project-level information", it gives them read-only access to the Project Settings, including permissions to see users and members of other groups etc.
It seems unbelievable that such a basic security and privacy hole exists.
Am I missing something in the config because I have never seen this in any other application and I find it hard to believe that everyone else using Azure DevOps finds this acceptable.
The easiest equivalent is GitHub (that Microsoft now owns) and you can't see the project settings if you are just a contributor.
How do I give external contractors access to the project to work but prevent them from viewing the Project Settings?
There is no possibility to restrict access to the Team Project - Project Settings page. The only thing that comes close is the feature that is now in preview: Limit user visibility and collaboration to specific projects, which will enable you to restrict access to the Organization Settings. You could suggest this feature in the Microsoft Developer Community.

User unable to configure taskboard settings on sprint in Azure DevOps

I have a user who is both Project Admin and Team Admin (all teams) within a project in Azure DevOps. They appear to be unrestricted within the project except when they attempt to modify sprint taskboard settings. They are immediately presented with a warning:
'You do not have sufficient permissions to configure cards for this
team. You must either be a team administrator or a project
administrator.'
As the user is both project/team admin and able to modify the project's process, I'm at a loss as to what is missing. Or could this possibly be a bug? This is the only thing within the project that is blocking the user.
The screen is under 'Boards/Sprints/[Sprint Name]/[Cog icon in top right]'
The access level of this user is stakeholder. Please contact members of the Project Collection Administrators group to change the access level of the user to Basic.
Users with Stakeholder access level have partial access to Azure Boards in private projects. You can find more detailed information about access level in this document.

DevOps Organisation Does Not Appear in My Account

My account (AAD) is linked with 2 DevOps organisations (a personal organization and a business organization).
I am unable to view the business organization on my DevOps profile but am able to view the personal organization.
I am able to access both via the URL https://dev.azure.com/xxxCloud/.
I am also unable to connect the DevOps business organisation with Visual Studio.
Please try the following steps:
Please enter aka.ms/vssignout in the browser and log in to aka.ms/vsprofile again to see if the issue still exists.
If your organizations are in different AADs, please select the right directory in the dropdown list.
Please use other PCs to sign in and check if it works.
If you sign in to this organization, can you see the projects in it? Please click specific projects in the Web UI, or add the project name to the organization URL to get access to it.
Please ask your AAD admin to remove your MSA account from Azure Active directory and re-add you again to check if the issue still exists.

How do I set the build authorization scope for my project?

Right now my NuGet restore fails since the project build user doesn't have contributor access to the package feed.
/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Unable to load the service index for source pkgs.dev.azure.com[..]index.json.
/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Response status code does not indicate success: 403 (Forbidden - User 'xxxxxxx' lacks permission to complete this action. You need to have 'ReadPackages'.
The solution is to change the build authorization scope from current project to project collection. This seems very doable as seen here:
https://learn.microsoft.com/en-us/azure/devops/pipelines/build/options?view=azure-devops
But where, in DevOps' myriad menus, can this scope be set?
EDIT 2023: The Artifacts UI in DevOps has changed since this answer and this answer is no longer valid. See J-M's answer on a similar question:
https://stackoverflow.com/a/73136309/5358731
There was a workaround for this 403 error posted a few hours ago: https://developercommunity.visualstudio.com/content/problem/795493/403-error-during-nuget-restore.html
In short, this seems to affect new projects connecting to a private feed. Here's the suggested work around:
Click "Artifacts" in the project with the failing build
Select the feed you were trying to consume in your build and click the cog in the top right corner
Click "Feed Settings"
Go to the Permissions tab
Click the 3 dots [...] that appeared to the right of the tab
Click "Allow project-scoped builds"
This adds the relevant user permissions that the error the OP posted was complaining about. Hopefully Microsoft will make a proper fix for this soon.
Full credit to Tim Lynch from the developer community page.
All answers are valid but it depends.
Take into account that only the Contributor and Owner roles are allowed to push packages; read the docs here.
Then also remember Scoped build identities.
Azure DevOps uses two built-in identities to execute pipelines.
A collection-scoped identity, which has access to all projects in the collection (or organization for Azure DevOps Services)
A project-scoped identity, which has access to a single project
...
By default, the collection-scoped identity is used, unless the Limit
job authorization scope to current project is set in Project Settings > Settings.
With this in mind follow the next steps:
You need to check which identity is being used for your pipelines:
For me it is the project-scoped identity
Add/Check the Feed Permissions as it may apply (I'll leave a description below the image)
No. 1 If the identity is collection-scoped
No. 2 If the identity is project-scoped
No. 3 Give your contributors the least privilege principle if it applies. (For me it's OK to let them read the feed, and the pipeline or me are the only ones allowed to push packages)
Remember again you need to use Owner or Contributor roles.
Go to your feed settings:
In the Permissions tab, verify that at least reader permissions are assigned to "Project Collection Build Service (username)":
It appears under Organization and Project Settings. Find Pipelines/Settings and there is a toggle option named Limit job authorization scope to current project.