Azure DevOps - permissions issue with deployment groups - azure-devops

Does anyone know where I can set the permission to manage deployment groups in Azure DevOps?
If I click on "deployment groups" in the menu shown here:
I am receiving this message when I click on a deployment group.
The error message states:
You do not have permissions to register targets. Contact your release
manager to grant permission
I am a member of both project administrators and build administrators groups.

I can reproduce your problem and solve it with the following permission settings.
Click Manage in the Deployment pool
If you get this error, you do not have permission to manage this deployment pool's roles, which prevents you from modifying permissions in Security. You need to be added to the Project Collection Administrators group in the organization settings permissions. If you can't be added to the PCA group, you can ask a user in the PCA group to modify it for you.
Set the user's Role to Administrator in Security, then click Save Changes.
After this setting, you will not receive the error message "You do not have permissions to register targets. Contact your release manager to grant permission" when you enter the Deployment groups.

This access is not required as I was able to fix this without changing org level access to others and indeed such access is not made to share with all.

Related

Custom Role in Azure DevOps to allow Add Users

Is it possible to provide a reduced set of permissions to allow a user permission to add other users to a project without being a full-blown administrator? Adding a user as a Project Admin provides too much access, which is a huge security issue.
You could add the user as a Contributor or to Project Valid Users with limited access. Please see Project-level groups.
Contributors: Has permissions to contribute fully to the project code base and work item tracking. The main permissions they don't have are those that manage or administer resources.
Project Valid Users: Has permissions to access and view project information.
Besides, you could also create a custom group to grant or restrict permissions in project setting >> permission >> new group. Then, change permission for the group.

How to deny Project Admins permission to manage user rights?

How to deny Project Administrators permission to manage user rights?
So that he keeps all the Admin rights in the Project, but can no longer add or delete users in the Project.
In the web portal, all rights of the Project Administrators group are grayed out. Despite the fact that I am Project Collection Admin.
I found a similar question: Prevent project admin from adding new user to project and organization in Azure DevOps?
But that answer only indicates that you should then not make the user a member of the Project Administrators group, but not how to give the user all Project Admin rights except manage user rights.
edit 13-04-2021
According to Hugh Lin - MSFT's answer you cannot take away the right to manage users from the Project Administrators group, you have to create a new group.
But, how can you give that new group the other rights of the Project Administrators (underlined on this picture)?
And you can see that the Project Administrators group is used in many places (at many object-level permissions), how does the new group get the same permissions in all those places?
Project Administrators are granted all project-level permissions, have the highest permission of the project. You can't change the permission settings for the Project Administrators group. This is by design.
This is stated in the official document.
So if you don't want a user in the Project Administrators group to have the right to manage users, you need to remove this user from the Project Administrators group. Add the user to a new project group and grant all permissions, setting all permissions to Allow.
In the newly created custom group, we can only assign the permissions given in the list. Some permissions exclusive to the project administrator group cannot be granted.

Azure DevOps Server 2019 : How to correctly manage user role

I recently installed Azure DevOps Server 2019 on an on-premises server.
However, I am confused: how can I set the security and the user permissions on the server, such as: Deny user to view author project in the same collection, create a custom group that is not one of the Azure DevOps default groups ...
I am asking for ideas on how to implement that.
Thank you
According to the Azure DevOps permission settings, for most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Deny user to view author project in the same collection.
I assume you were talking about a team project. In your scenario, the simplest way is not to add that user to your team project. People without team project collection admin permission will not be able to see projects they have not been added to.
If you have already added users to the team project and want a user not to be able to see some info such as repos/builds/work items in the project:
You need to explicitly deny those users permission to view some project repositories/builds/work items.
As for how to create a group, you can click New Group in the top right corner of the page under Project Settings > Permissions.
For more details about how permissions and groups are defined, I suggest you go through our official doc: About permissions and groups.
Besides, you could also manage user permissions from the command line. The tfssecurity command line tool allows us to manage permissions for Azure DevOps groups and users. We could use it in a PowerShell script to grant access to projects that already exist.
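
The "Deny trumps Allow" rule from the answer above, worked through as an added example (not part of the original answer and not Azure DevOps code): it resolves a user's effective permission across direct and nested group memberships and reports which group's Deny cancels an Allow. The group names, users and data layout are constructed for illustration, and the exceptions the answer alludes to with "most groups" are not modelled.

```python
from collections import deque

# Constructed sample data, not exported from a real server.
# identity or group -> groups it is a direct member of
MEMBER_OF = {
    "alice": ["Contributors", "Restricted Viewers"],
    "bob": ["Contributors"],
    "carol": ["Release Team"],
    "Release Team": ["Contributors"],  # nested group
}
# group -> {permission: "Allow" | "Deny"}; a missing entry means "Not set"
GROUP_PERMISSIONS = {
    "Contributors": {"View builds": "Allow", "Edit build pipeline": "Allow"},
    "Restricted Viewers": {"View builds": "Deny"},
    "Release Team": {"Edit build pipeline": "Deny"},
}

def groups_of(identity):
    """Every group the identity is in, directly or through nested groups."""
    seen, queue = [], deque(MEMBER_OF.get(identity, []))
    while queue:
        group = queue.popleft()
        if group not in seen:
            seen.append(group)
            queue.extend(MEMBER_OF.get(group, []))
    return seen

def effective_permission(identity, permission):
    """Return (state, groups that decided it). Any Deny beats every Allow."""
    by_state = {"Allow": [], "Deny": []}
    for group in groups_of(identity):
        state = GROUP_PERMISSIONS.get(group, {}).get(permission)
        if state in by_state:
            by_state[state].append(group)
    if by_state["Deny"]:
        return "Deny", by_state["Deny"]
    if by_state["Allow"]:
        return "Allow", by_state["Allow"]
    return "Not set", []  # no group grants it, so the user cannot do it

def shadowed_allows(identity):
    """Permissions where one group's Allow is cancelled by another's Deny."""
    groups = groups_of(identity)
    result = {}
    for perm in sorted({p for g in groups for p in GROUP_PERMISSIONS.get(g, {})}):
        states = {g: GROUP_PERMISSIONS.get(g, {}).get(perm) for g in groups}
        if "Allow" in states.values() and "Deny" in states.values():
            result[perm] = [g for g, s in states.items() if s == "Deny"]
    return result
```

Running `shadowed_allows` for a user who unexpectedly lacks access points at the group whose Deny needs to be reviewed, rather than at the group that grants the Allow.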

Access denied. Needs Use permissions for pool Default to perform the action

I get following error when trying to save a release pipeline on Azure dev. What exact permissions do I need to ask from my administrator?
Access denied. <<user id>> needs Use permissions for pool Default to perform the action. For more information, contact the Azure DevOps Server administrator.
I found granting Admin to a pool very confusing (and time-consuming to resolve) but I think I can explain how I got it to work for my org. This is a further explanation, based upon what #Leo Lui-MSFT said, as that was not quite clear enough for me.
My problem: I wanted to give a user access to update a pool that the user had not created (i.e., was not an Owner).
Attempted solution: Making the user Admin on the pool did not let the user do that.
Successful solution: I had to go to https://dev.azure.com/my-org/_settings/agentpools > Security > Add . I then added the user and assigned the Admin role.
This has the side effect of giving the user Admin on every pool in the org (which was not what I wanted to do). If this is not your desire then go into the pool you do not wish to grant Admin access to, set Inheritance off and then remove the user from that pool.
This feels wrong, to me. I should have been able to make a user an Admin of a single pool without granting org-wide Admin over all pools.
Also as all pools seem to be created with Inheritance defaulted to true then to remove that user as an Admin from all other pools could be time-consuming and when more pools are created then I would need to remember to turn inheritance off.
That is my experience. If I have missed something please let me know.
What exact permissions do I need to ask from my administrator?
You need to ask the administrator for the User permissions.
When we go to Project Settings->Agent pools->The Agent Name->Security:
Check the document Security of agent pools for some more details.
Roles are also defined on each organization agent pool, and
memberships in these roles govern what operations you can perform on
an agent pool.
The All agent pools node in the Agent pools tab is used to control the
security of all project agent pools in a project. Role memberships for
individual project agent pools are automatically inherited from those
of the 'All agent pools' node. By default, the following groups are
added to the Administrator role of 'All agent pools': Build
Administrators, Release Administrators, Project Administrators.
So, you should ask User permissions from your administrator, or add your account to one of the groups mentioned above, then try it again.
I used the -e AZP_POOL=XXX parameter with docker run to solve the same issue, even though my account is an administrator.
Check if you are entering the pool name correctly. If you pressed 'Enter' to keep the default name for the pool, it does not work; you need to specify the correct name for the agent pool.
I had similar problem with a Pipeline:
Error: Access Denied: 0000000d-0000-8888-8000-000000000000 needs the following permission(s) on the resource /Organizations to perform this action: Read Organization resources
I created the service connections again and changed this in the pipeline:
I think this user was deleted from Active Directory.
(I realize this question is regarding DevOps but DevOps Server / TFS may have different interface but encounter the same issue)
In TFS or DevOps Server, you have to be added to Team Foundation Administrators group through TFS Admin Console only. To do that:
Access Team Foundation Server Administration Console via Server > Application Tier > Group Membership > Team Foundation Administrators > Properties > Add user.
You should have an organization level access to get rid of the error message you are getting.
If you've created the organization, you will be the owner of the organization and you should have all the admin access to do whatever your pipeline needs.
Otherwise, select the organization -> go to organization settings -> agent pool [left pane] -> security [top right] -> add a new user with your name with the admin role.
Try the same with project level settings.

Make VSTS SPN owner of AAD AppId

I have a scenario that requires a task running in VSTS add a "Reply URL" to an App registered in AAD.
I've added a service connection in VSTS, it created a SPN and made it a contributor of the Azure subscription, additionally I've added the SPN as an owner of the AppID by calling Add-AzureADApplicationOwner
Still the VSTS task can't operate on the AppID, it can't even read it, e.g. running Get-AzureRmADApplication I get:
[error]Insufficient privileges to complete the operation.
Refer to these steps below to grant permission:
1. Log on to the Azure portal
2. Select Azure Active Directory
3. Select App registrations
4. Select the corresponding application
5. Click Settings
6. Click Required permissions
7. Click + Add > Select an API
8. Select Windows Azure Active Directory > Select
9. Check necessary permissions in Select permissions > select.
10. Click Done
11. Click Grant Permissions button
An addition to starian chen-MSFT's answer. I managed to solve the same problem by adding and granting the following permissions on the answer's Step 9:
Read and write directory data
Manage apps that this app creates or owns