Manage access to specific features

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

Managing access to specific features in Azure DevOps can be crucial for maintaining the right balance of openness and security. Whether you're looking to grant or restrict access to certain functionalities for a group of users, understanding the flexibility beyond the standard permissions provided by built-in security groups is key.

If you're new to the permissions and groups landscape, see Get started with permissions, access, and security groups, which covers the essentials of permission states and how they're inherited.

Tip

The structure of your project in Azure DevOps plays a pivotal role in determining the granularity of permissions at an object level, such as repositories and area paths. This structure is the foundation that allows you to fine-tune access controls, enabling you to specifically delineate which areas are accessible or restricted. For more information, see About projects and scaling your organization.

Use security groups

For optimal maintenance, we suggest using either the default security groups or establish custom security groups to manage permissions. The permission settings for the Project Administrators and Project Collection Administrators groups are fixed by design and can't be altered. But, you have the flexibility to modify permissions for all other groups.

Managing permissions for a small number of users individually might seem feasible, but custom security groups offer a more organized approach to overseeing roles and the permissions associated with those roles, ensuring clarity and ease of management.

Delegate tasks to specific roles

As an administrator or account owner, delegating administrative tasks to team members who oversee specific areas is a strategic approach. The primary built-in roles equipped with predefined permissions and role assignments include:

• Readers: Have read-only access to the project.
• Contributors: Can contribute to the project by adding or modifying content.
• Team Administrator: Manage team-related settings and permissions.
• Project Administrators: Have administrative rights over the project.
• Project Collection Administrators: Oversee the entire project collection and have the highest level of permissions.

These roles facilitate the distribution of responsibilities and streamline the management of project areas.

For for more information, see Default permissions and access and Change project collection-level permissions.

To delegate tasks to other members within your organization, consider creating a custom security group and then granting permissions as indicated in the following table.

Role

Tasks to perform

Permissions to set to Allow

Development lead (Git)

Manage branch policies

Edit policies, Force push, and Manage permissions
See Set branch permissions.

Development lead (TFVC)

Manage repository and branches

Administer labels, Manage branch, and Manage permissions
See Set TFVC repository permissions.

Software architect (Git)

Manage repositories

Create repositories, Force push, and Manage permissions
See Set Git repository permissions

Team administrators

Add area paths for their team
Add shared queries for their team

Create child nodes, Delete this node, Edit this node See Create child nodes, modify work items under an area path
Contribute, Delete, Manage permissions (for a query folder), See Set query permissions.

Contributors

Add shared queries under a query folder, Contribute to dashboards

Contribute, Delete (for a query folder), See Set query permissions
View, Edit, and Manage dashboards, See Set dashboard permissions.

Project or product manager

Add area paths, iteration paths, and shared queries
Delete and restore work items, Move work items out of this project, Permanently delete work items

Edit project-level information, See Change project-level permissions.

Process template manager (Inheritance process model)

Work tracking customization

Administer process permissions, Create new projects, Create process, Delete field from account, Delete process, Delete project, Edit process
See Change project collection-level permissions.

Process template manager (Hosted XML process model)

Work tracking customization

Edit collection-level information, See Change project collection-level permissions.

Project management (On-premises XML process model)

Work tracking customization

Edit project-level information, See Change project-level permissions.

Permissions manager

Manage permissions for a project, account, or collection

For a project, Edit project-level information
For an account or collection, Edit instance-level (or collection-level) information
To understand the scope of these permissions, see Permission lookup guide. To request a change in permissions, See Request an increase in permission levels.

In addition to assigning permissions to individuals, you can manage permissions for various objects within Azure DevOps. These objects include:

• Git repositories
• Git branches
• TFVC repositories
• Build and release pipelines
• Wikis.

These links provide detailed steps and guidelines for setting up and managing permissions effectively for the respective areas in Azure DevOps.

Limit user visibility to organization and project information

Important

• The limited visibility features described in this section apply only to interactions through the web portal. With the REST APIs or azure devops CLI commands, project members can access the restricted data.
• Guest users who are members in the limited group with default access in Microsoft Entra ID, can't search for users with the people picker. When the preview feature's turned off for the organization, or when guest users aren't members of the limited group, guest users can search all Microsoft Entra users, as expected.

By default, when users are added to an organization, they gain visibility into all organizational and project information and settings. To tailor this access, the Limit user visibility and collaboration to specific projects preview feature can be enabled at the organizational level. For more information, see Manage preview features.

Once this feature is activated, users who are part of the Project-Scoped Users group have limited visibility, unable to see most Organization settings. Their access is confined to the projects they have been explicitly added to, ensuring a more controlled and secure environment.

Warning

When the Limit user visibility and collaboration to specific projects preview feature is enabled for the organization, project-scoped users are unable to search for users who were added to the organization through Microsoft Entra group membership, rather than through an explicit user invitation. This is an unexpected behavior and a resolution is being worked on. To self-resolve this issue, disable the Limit user visibility and collaboration to specific projects preview feature for the organization.

Limit people picker to project users and groups

For organizations that integrate with Microsoft Entra ID, the people picker feature allows for a comprehensive search across all users and groups within Microsoft Entra ID, without being confined to a single project.

The people picker supports the following Azure DevOps functionalities:

• Selecting a user identity from work tracking identity fields like Assigned To.
• Using @mention to select a user or group in various discussions and comments, such as work item discussions, pull request discussions, commit comments, or comments on changesets and shelvesets.
• Utilizing @mention to select a user or group from a wiki page.

When using the people picker, as you enter info, it displays matching user names or security groups as illustrated in the following example.

For users and groups within the Project-Scoped Users group, visibility and selection are limited to users and groups within their connected project. To extend the scope of the people picker for all project members, see Manage your organization, Limit identity search and selection.

Restrict access to view or modify objects

Azure DevOps is designed to allow all authorized users to view all defined objects within the system. However, you can tailor access to resources by setting the permission state to Deny. You can set permissions for members who belong to a custom security group or for individual users. For more information, see Request an increase in permission levels.

Area to restrict

Permissions to set to Deny

View or contribute to a repository

View, Contribute
See Set Git repository permissions or Set TFVC repository permissions.

View, create, or modify work items within an area path

Edit work items in this node, View work items in this node
See Set permissions and access for work tracking, Modify work items under an area path.

View or update select build and release pipelines

Edit build pipeline, View build pipeline
Edit release pipeline, View release pipeline
You set these permissions at the object level. See Set build and release permissions.

Edit a dashboard

View dashboards
See Set dashboard permissions.

Restrict modification of work items or select fields

For examples that illustrate how to restrict modification of work items or select fields, see Sample rule scenarios.

Next steps

Remove user accounts

Related articles

• Default permissions and access
• Permission lookup guide
• Get started with permissions, access, and security groups
• Permissions and groups reference
• Change project-level permissions
• Change project collection-level permissions