I manage an Azure DevOps organization with a couple dozen users, all with either Visual Studio subscriber or Basic user access level on the organization.
When someone creates a new project, which need to be private repos, I want all the organization users to automatically get read access to see the project and clone repos. Is there a way to do that? Everything works great once we grant the access at the project level, but sometimes people create projects and don't grant the access, so I don't know what projects exist. Do we need to rely on people creating the projects to grant read access to the group of users when they create them?
When someone creates a new project, which need to be private repos, I
want all the organization users to automatically get read access to
see the project and clone repos. Is there a way to do that?
This is not supported by design.
To protect private project, Azure Devops doesn't support automatically granting any access of newly created project to those normal Organization-level users unless the users belongs to the PCA (Project Collection Administrators, highest level in whole Org. It shouldn't be granted to normal users).
So we do need to rely on people creating the projects to grant read access to the group of users when they create them. Apart from project creators(people creating the projects), PCA or project administrators can also do this job.
You can create a new organization group which contains the Org users:
Then grant the access to those users by manually adding this group as member of default Project Reader group:
Related
In Azure devops is it possible to grant access (read-only) to a repo in a project without the user having access to the project containing the repo?
We want to use the repo basically as a file share with clients that shouldn't be able to see all our code/scripts/pipelines etc that exist in the parent project and other repos.
As stakeholder access on the project and Reader rights on the repo they had too much access to the project. Removing them from the project and creating a new group with limited repo rights they got to a forbidden, access denied screen which makes me think they have to have access to the project.
My testing is limited because of corporate environment I am unable to create additional users/emails and don't want to have to keep asking co-workers to test every change I could try.
Azure DevOps is designed to enable all valid users to view all objects defined in the system. You can restrict access to specific resources by setting the permission state to Deny.
So not quite sure if this specific requirement is achievable. The closest you could probably get to is this: Assign read-only rights to a single repository in Azure DevOps.
Here is a very similar idea on Developer Community from 2019: Restrict access to dev ops functionality for a guest user. One more resolved post: Restrict access to specific objects in DevOps.
If you think this implementing this suggestion can benefit others in the Community as well, do request it as a new feature on Developer Community for Azure DevOps.
Also go through the elaborate documentation available for configuring ADO granular security controls and check if changing individual permission at the project-level helps.
I have added multiple team members to two different teams in Azure Devops project. But team members are not able to see organization, project and dashboards when they login to devops account?
team members are not able to see organization, project and dashboards
Users cannot see the organization, you can first check whether these users have been added to the organization in Users of Organization Settings.
Then you can check whether the user has the permission to access the project on the Manage user page.
Regarding that users cannot see the projects, you can check whether the “View project-level information” permission of the team is set to Deny in the Permissions of Projects Settings.
Regarding that the user cannot see the dashboard, there should be no permission to restrict it. All users in the project should be able to see the dashboard. Can you share the screenshots about this issue?
In addition, you can try to let users log in with incognito window to see if the problem exists. Check if your organization is connected to AAD.
This is the answer for my additional questinos.
To get an access to Devops project user must be added in the organization either as stakeholder or owner
Once they are owner or stakeholder they are able to access all the features.
We are group of developers who have a joint organisation on GitHub.
When we create a repository for the organisation on GitHub it is only the creator that is made admin and read, write, and maintainance rights are not given to the organisation, nor the organisation team.
We have to go to Settings => Manage Access every time.
Can this somehow be changed?
We have already contact GitHub support but after 3 months and no answer, we believe it is okay to ask the question here.
You can configure it in the organisation settings under Member privileges. The option is named Base permissions.
You can also access it under https://github.com/organizations/<organisation name>/settings/member_privileges.
By default, organisation members have no permissions in repositories created by other organisation members. In this setting, you can configure the permissions every member has in every repository owned by the organisation.
You can also create a team for the developers and give the team the required permission per-repository.
I have in Azure Devops one project with a lot of developer teams. Our Cloud Platform team uses a different project to create artifacts with ARM templates as result of a build pipeline.
How do I grant access to these artifacts for all my developers at group level? At the second project I can create a new group with View project-level information permissions. But I can only add users, not groups from that project.
Anyone any ideas?
When you add other project groups to the newly created group, do you receive the following error message?
If so, we can make clear from the error message that this is by design, auzre devops does not support adding groups of different projects to the group.
If you want to add a group as a member to the group you created, then the added group needs to be organization-level. Only organization-level groups can be added to project-level groups.
I have a setup on Devops where I want to give and external account (not part of the company) access to the repos. I thought that the Stakeholders would have at least read only access there but seems not.
I've invited a new user (external) with Access Level = Stakeholder, given access to the project X and made him a member of Project Contributors for the project.
So the question is, should Stakeholders here have access to the repos? is there a way for me to do this?
If you are using private repos for your project then stakeholders only have access to the following features:
Dashboards, Wiki, Boards, Project and Organization settings - Partial access
Repos, Test Plans - No access
Pipelines, Notifications, Semantic Search - Full access
If you are using public repos for your project then stakeholders only have access to the following features:
Dashboards, Wiki, Boards, Repos, Pipelines, Notifications, Semantic Search - Full access
Test Plans - No access
Project and Organization settings - Partial access
If you want details on Stakeholder access rights for each of the features, go here
I hope that helps.