I have a setup on Devops where I want to give and external account (not part of the company) access to the repos. I thought that the Stakeholders would have at least read only access there but seems not.
I've invited a new user (external) with Access Level = Stakeholder, given access to the project X and made him a member of Project Contributors for the project.
So the question is, should Stakeholders here have access to the repos? is there a way for me to do this?
If you are using private repos for your project then stakeholders only have access to the following features:
Dashboards, Wiki, Boards, Project and Organization settings - Partial access
Repos, Test Plans - No access
Pipelines, Notifications, Semantic Search - Full access
If you are using public repos for your project then stakeholders only have access to the following features:
Dashboards, Wiki, Boards, Repos, Pipelines, Notifications, Semantic Search - Full access
Test Plans - No access
Project and Organization settings - Partial access
If you want details on Stakeholder access rights for each of the features, go here
I hope that helps.
Related
Similar to Github Cloud is there a way in Azure Devops to create internal repos wherein multiple users can have access to some repos which have certain documents without adding them as users or groups to such repos? If we make RepoA as internal it should be available to all users under an org without specifically adding them.
In Azure DevOps, for public projects, any user can get access your public project and check Git repo without signing in or added as a user in your org. You can also refer to this doc: Make your private project public - Azure DevOps Services Public Project | Microsoft Learn .
If for private projects in Azure DevOps, firstly, users must be granted access to the specified private project also as Basic access level in your org via navigating to Organization Settings -> Users -> Select the specified user -> Manage user to set users' access level.
Users be with Stakeholder access level, they will not be able to use Azure Repos for your private project.
Otherwise, to set permissions for a specific repository or some specific users, navigating to Project Settings -> Repositories -> Security to manage the permissions.
You can also refer to: About access levels - Azure DevOps | Microsoft Learn and Set Git repository permissions - Azure Repos | Microsoft Learn
I want to add a group/user to an Azure DevOps project with just access to repositories and pipelines.
If I deny "View project-level information" they don't have access to the project at all.
If I allow the "View project-level information" it gives them a read-only access to the Project Settings including permissions to see users and members of other groups etc.
It seems unbelievable that such a basic security and privacy hole exists.
Am I missing something in the config because I have never seen this in any other application and I find it hard to believe that everyone else using Azure DevOps finds this acceptable.
The easiest equivalent is GitHub (that Microsoft now owns) and you can't see the project settings if you are just a contributor.
How do I give external contractors access to the project to work but prevent them from viewing the Project Settings?
There is no possibility to restrict access to the Team Project - Project Settings page. The only thing that comes close is the feature that is now in preview: Limit user visibility and collaboration to specific projects, which will enable you to restrict access to the Organization Settings. You could suggest this feature in the Microsoft Developer Community.
In Azure devops is it possible to grant access (read-only) to a repo in a project without the user having access to the project containing the repo?
We want to use the repo basically as a file share with clients that shouldn't be able to see all our code/scripts/pipelines etc that exist in the parent project and other repos.
As stakeholder access on the project and Reader rights on the repo they had too much access to the project. Removing them from the project and creating a new group with limited repo rights they got to a forbidden, access denied screen which makes me think they have to have access to the project.
My testing is limited because of corporate environment I am unable to create additional users/emails and don't want to have to keep asking co-workers to test every change I could try.
Azure DevOps is designed to enable all valid users to view all objects defined in the system. You can restrict access to specific resources by setting the permission state to Deny.
So not quite sure if this specific requirement is achievable. The closest you could probably get to is this: Assign read-only rights to a single repository in Azure DevOps.
Here is a very similar idea on Developer Community from 2019: Restrict access to dev ops functionality for a guest user. One more resolved post: Restrict access to specific objects in DevOps.
If you think this implementing this suggestion can benefit others in the Community as well, do request it as a new feature on Developer Community for Azure DevOps.
Also go through the elaborate documentation available for configuring ADO granular security controls and check if changing individual permission at the project-level helps.
I have added multiple team members to two different teams in Azure Devops project. But team members are not able to see organization, project and dashboards when they login to devops account?
team members are not able to see organization, project and dashboards
Users cannot see the organization, you can first check whether these users have been added to the organization in Users of Organization Settings.
Then you can check whether the user has the permission to access the project on the Manage user page.
Regarding that users cannot see the projects, you can check whether the “View project-level information” permission of the team is set to Deny in the Permissions of Projects Settings.
Regarding that the user cannot see the dashboard, there should be no permission to restrict it. All users in the project should be able to see the dashboard. Can you share the screenshots about this issue?
In addition, you can try to let users log in with incognito window to see if the problem exists. Check if your organization is connected to AAD.
This is the answer for my additional questinos.
To get an access to Devops project user must be added in the organization either as stakeholder or owner
Once they are owner or stakeholder they are able to access all the features.
I manage an Azure DevOps organization with a couple dozen users, all with either Visual Studio subscriber or Basic user access level on the organization.
When someone creates a new project, which need to be private repos, I want all the organization users to automatically get read access to see the project and clone repos. Is there a way to do that? Everything works great once we grant the access at the project level, but sometimes people create projects and don't grant the access, so I don't know what projects exist. Do we need to rely on people creating the projects to grant read access to the group of users when they create them?
When someone creates a new project, which need to be private repos, I
want all the organization users to automatically get read access to
see the project and clone repos. Is there a way to do that?
This is not supported by design.
To protect private project, Azure Devops doesn't support automatically granting any access of newly created project to those normal Organization-level users unless the users belongs to the PCA (Project Collection Administrators, highest level in whole Org. It shouldn't be granted to normal users).
So we do need to rely on people creating the projects to grant read access to the group of users when they create them. Apart from project creators(people creating the projects), PCA or project administrators can also do this job.
You can create a new organization group which contains the Org users:
Then grant the access to those users by manually adding this group as member of default Project Reader group: