I am using Visual Studio Team Services.
Part of Release Management is allowing users to approve a deployment environment or not. I have noticed that the list of approvers can only be of people added to VSTS. Is it possible to have approvers who are not added to VSTS?
I want to have the tracking of their inputs for approving, but they don't have any interest in seeing user stories, source code, etc.
If you don't want people to have access to work items and source code, restrict their access by defining security groups and adding them to these groups.
Yes — they will need at least a basic licence.
You can add the specific approver with a basic licence, then use the security settings to add them to either the approver group or give them specifically approval rights. (More info.)
You can also specify account (user) groups as approvers. When a group is specified as an approver, only one of the users in that group needs to approve in order for the release to move forward. If you are using Visual Studio Team Services, you can use local groups managed in Team Services or Azure Active Directory (AAD) groups if they have been added into Team Services. If you are using Team Foundation Server (TFS), you can use local groups managed in TFS or Active Directory (AD) groups if they have been added into TFS.
In Azure DevOps, is it possible to grant access (read-only) to a repo in a project without the user having access to the project containing the repo?
We want to use the repo basically as a file share with clients that shouldn't be able to see all our code/scripts/pipelines etc that exist in the parent project and other repos.
With Stakeholder access on the project and Reader rights on the repo, they had too much access to the project. After removing them from the project and creating a new group with limited repo rights, they got a forbidden / access denied screen, which makes me think they have to have access to the project.
My testing is limited because of the corporate environment: I am unable to create additional users/emails and don't want to keep asking co-workers to test every change I could try.
Azure DevOps is designed to enable all valid users to view all objects defined in the system. You can restrict access to specific resources by setting the permission state to Deny.
So not quite sure if this specific requirement is achievable. The closest you could probably get to is this: Assign read-only rights to a single repository in Azure DevOps.
Here is a very similar idea on Developer Community from 2019: Restrict access to dev ops functionality for a guest user. One more resolved post: Restrict access to specific objects in DevOps.
If you think implementing this suggestion can benefit others in the Community as well, do request it as a new feature on Developer Community for Azure DevOps.
Also go through the elaborate documentation available for configuring ADO granular security controls and check whether changing individual permissions at the project level helps.
In Azure DevOps I have one project with a lot of developer teams. Our Cloud Platform team uses a different project to create artifacts with ARM templates as the result of a build pipeline.
How do I grant access to these artifacts for all my developers at group level? At the second project I can create a new group with View project-level information permissions. But I can only add users, not groups from that project.
Anyone any ideas?
When you add other project groups to the newly created group, do you receive the following error message?
If so, it is clear from the error message that this is by design: Azure DevOps does not support adding groups from different projects to the group.
If you want to add a group as a member to the group you created, then the added group needs to be organization-level. Only organization-level groups can be added to project-level groups.
I am reading through this documentation (https://learn.microsoft.com/en-us/rest/api/azure/devops), but I can't see a clear answer on how one can manage permissions to run pipelines and permissions to edit variable groups through the REST API.
For security management with REST APIs you can refer to Security for details. Some of the REST APIs are not documented; however, we can track them with the browser's developer tools (the simplest way is pressing F12 in your browser).
In your scenario it seems you are trying to manage the permissions of the pipelines in a specific project. If so, we can navigate to the Pipelines node -> Manage security -> select the specific group/user to set the permissions accordingly (just track the APIs while you do the actions).
To run the pipelines, we need at least the View build pipeline, View builds and Queue builds permissions. You can also set other permissions as needed.
For example, just Deny the Queue builds permission for the Contributors group:
POST https://dev.azure.com/{organization}/{Project}/_api/_security/ManagePermissions?api-version=5.1
Sample Request Body:
{"updatePackage":"{\"IsRemovingIdentity\":false,\"TeamFoundationId\":\"24cb2a78-4d79-49d6-b96c-bf0ac65d7032\",\"DescriptorIdentityType\":\"Microsoft.TeamFoundation.Identity\",\"DescriptorIdentifier\":\"S-1-9-1551374245-3809964236-1275365961-2582801090-4223875273-1-492339072-1927234371-3142690236-612141869\",\"PermissionSetId\":\"33344d9c-fc72-4d6f-aba5-fa317101a7e9\",\"PermissionSetToken\":\"cc7017e3-044c-498a-99f2-6ac2fbc338c9\",\"RefreshIdentities\":false,\"Updates\":[{\"PermissionId\":2,\"PermissionBit\":128,\"NamespaceId\":\"33344d9c-fc72-4d6f-aba5-fa317101a7e9\",\"Token\":\"cc7017e3-044c-498a-99f2-6ac2fbc338c9\"}],\"TokenDisplayName\":null}"}
Do the same to track the APIs that manage the variable groups.
In addition, you can also use the Azure CLI to manage the permissions, refer to az devops security for details.
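As an added illustration (not part of the answer above, and not an official Microsoft sample), here is a small Python script that builds and sends the same ManagePermissions request the answer captured. The namespace GUID (33344d9c-...) and the Queue builds bit (128) come from the answer's sample body; the organisation, project, PermissionSetToken, TeamFoundationId and DescriptorIdentifier values are constructed placeholders that you would replace with the values captured via F12. The point worth seeing in code is that `updatePackage` is a JSON string nested inside the outer JSON object, which is why the captured body is full of escaped quotes.

```python
import base64
import json
from urllib import request

# Values taken from the answer's sample request: the Build security namespace
# GUID and the "Queue builds" permission bit. The answer's Deny sample sends
# PermissionId 2.
BUILD_NAMESPACE_ID = "33344d9c-fc72-4d6f-aba5-fa317101a7e9"
QUEUE_BUILDS_BIT = 128
PERMISSION_ID_DENY = 2

# Constructed placeholders (hypothetical); replace them with the values captured
# in the browser's developer tools (F12) for your own organisation/project/group.
EXAMPLE_ORG = "example-org"
EXAMPLE_PROJECT = "example-project"
EXAMPLE_PROJECT_TOKEN = "00000000-0000-0000-0000-000000000000"   # PermissionSetToken
EXAMPLE_GROUP_TFID = "11111111-1111-1111-1111-111111111111"      # TeamFoundationId
EXAMPLE_GROUP_SID = "S-1-9-0000000000-0000000000-0-0-0-0-0-0-0-0"  # DescriptorIdentifier


def build_update_package(team_foundation_id, descriptor_identifier, token,
                         permission_bit, permission_id,
                         namespace_id=BUILD_NAMESPACE_ID):
    """Build the inner 'updatePackage' object in the shape the captured request used.

    Each entry in 'Updates' changes one permission bit for one identity on one
    token (here: a project-level token in the Build namespace).
    """
    return {
        "IsRemovingIdentity": False,
        "TeamFoundationId": team_foundation_id,
        "DescriptorIdentityType": "Microsoft.TeamFoundation.Identity",
        "DescriptorIdentifier": descriptor_identifier,
        "PermissionSetId": namespace_id,
        "PermissionSetToken": token,
        "RefreshIdentities": False,
        "Updates": [
            {
                "PermissionId": permission_id,
                "PermissionBit": permission_bit,
                "NamespaceId": namespace_id,
                "Token": token,
            }
        ],
        "TokenDisplayName": None,
    }


def build_request_body(package):
    """Serialise the outer body. The endpoint wants the package as a JSON *string*
    inside the outer JSON object, hence the escaped quotes in the captured sample.
    Compact separators reproduce the captured format exactly."""
    inner = json.dumps(package, separators=(",", ":"))
    return json.dumps({"updatePackage": inner}, separators=(",", ":"))


def decode_request_body(body):
    """Inverse of build_request_body: handy for inspecting a captured request."""
    return json.loads(json.loads(body)["updatePackage"])


def manage_permissions_url(organization, project, api_version="5.1"):
    return (f"https://dev.azure.com/{organization}/{project}"
            f"/_api/_security/ManagePermissions?api-version={api_version}")


def basic_auth_header(pat):
    """A personal access token is sent as the password of HTTP Basic auth with an
    empty user name."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def deny_queue_builds_package(group_tfid, group_sid, project_token):
    """The answer's example: Deny 'Queue builds' for one group on the project token."""
    return build_update_package(group_tfid, group_sid, project_token,
                                QUEUE_BUILDS_BIT, PERMISSION_ID_DENY)


def send_manage_permissions(organization, project, pat, package):
    """POST the package. This is the only network call; the offline checks skip it."""
    req = request.Request(
        manage_permissions_url(organization, project),
        data=build_request_body(package).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": basic_auth_header(pat)},
    )
    with request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    pkg = deny_queue_builds_package(EXAMPLE_GROUP_TFID, EXAMPLE_GROUP_SID,
                                    EXAMPLE_PROJECT_TOKEN)
    print(manage_permissions_url(EXAMPLE_ORG, EXAMPLE_PROJECT))
    print(build_request_body(pkg))
```

Run it as-is to print the URL and body it would send; only `send_manage_permissions` talks to Azure DevOps, and it needs a PAT with permission to administer build permissions in that project. Because this endpoint is undocumented, compare the printed body against a fresh F12 capture before relying on it, and prefer the documented Security REST API or `az devops security permission` where they cover your case.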
When I'm working for an external organization that owns an Azure DevOps project, they usually create a new AAD account for me in their organization.
Is it possible to use my Visual Studio (MSDN) Enterprise license with the account as well? (as well as with my own account, since I work on multiple projects)
Background:
In Azure DevOps, there are 5 users for free; additional licenses have to be bought unless the users have an MSDN subscription.
I have MSDN Subscription which shows as a user with Visual Studio Enterprise license in Azure DevOps.
However, when working for customers, I usually have to use a different AAD account, which means they have to pay $5/month even when I have the MSDN.
From your description, you want to use an account that's different from the one your subscription is assigned to. You may go to http://my.visualstudio.com, click on Subscriptions, and then Add Alternate Account to add the new account.
Some Azure DevOps users need to become Basic users instead of VS Enterprise users, because these users got another role in our organisation.
I removed the VS Enterprise subscription from these users in the MS partner portal (partner.microsoft.com). But Azure DevOps still sees the previously assigned VSE subscription for the users. And I cannot change the access level to Basic because Azure DevOps somehow detects the VSE subscription on the user.
How can I change the access level for the affected users?
Thanks for the input.
Currently, Azure DevOps only validates the subscription when the user is added. So removing the user from the organization and then re-adding them after removing the subscription should fix it.
Update to this since Eddie's answer is out of date
As of this date, Azure DevOps will automatically change the access level based on the Visual Studio Subscription (assuming the user is tied to the same email address in AzDO that their VS subscription is tied to). You DO NOT have to remove the user from Azure DevOps and add them back in to get Visual Studio Subscription changes to appear in AzDO.
Scenario I observed 02/03/2021
Existing AzDO user had access level of: Visual Studio Professional subscription. User had license upgraded to Visual Studio Enterprise subscription on 02/02/2021. User logged out and back in on 02/03/2021 and access level updated correctly.