Manage security in Azure Pipelines

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

Azure Pipelines security controls access to pipelines and their resources through a hierarchy of security groups and users. The same system governs resources such as release pipelines, task groups, agent pools, and service connections, even though they exist outside of pipelines. When they're created, pipelines and resources inherit project-level permissions from predefined security groups and users, and those permissions apply to all pipelines in the project.

Administrators typically have unrestricted access, contributors oversee resources, and readers have view-only permissions, with user roles determining group assignments. For more information, see About pipeline security roles.

Prerequisites

Prerequisites by security area:

Pipelines security
  • To manage project collection groups, you must be a member of the Project Collection Administrators group.
  • To manage project-level users and groups, you must be a member of an administrator group or be allowed Administer build permissions.

Agent pool security
  • To manage agent pool security at the organization, collection, or project level, you must be a member of the Project Collection Administrators group or have the Administrator role for agent pools.
  • To manage agent pool security at the object level, you must have the Administrator role for the agent pool.

Deployment group security
  • To manage project-level deployment group security, you must be a member of an administrator group or be assigned an administrator role.
  • To manage security for individual deployment groups, you must be assigned an administrator role.

Environment security
  • To manage project-level environment security, you must be a member of an administrator group or be assigned an administrator role.
  • To manage object-level security for individual environments, you must be assigned an administrator role.

Library security
  • To manage library security, you must be a member of an administrator group or be assigned an administrator role.
  • To manage security for individual library assets, you must be an administrator or have the appropriate role.

Release pipeline security
  • To manage release pipeline security, you must be a member of an administrator group or be allowed Administer release permissions.
  • A release pipeline must be created.

Service connection security
  • To manage service connection security, you must be a member of the Project Administrators group or have an administrator role.
  • To manage security at the project level, you must be a member of the Project Administrators group or have the Administrator role for service connections.
  • To manage security at the object level, you must have the Administrator role for the service connection.

Task group security
  • To manage task group security, you must be a member of an administrator group or be allowed Administer task group permissions.
  • A task group must exist.

Set pipeline permissions in Azure Pipelines

Pipeline security follows a hierarchical model of user and group permissions. Project-level permissions are inherited at the object level by all pipelines in the project. You can change inherited and default user and group permissions for all pipelines at the project and object levels. You can't change the permissions set by the system.

The following table shows the default security groups for pipelines:

| Group | Description |
|---|---|
| Build Administrators | Administer build permissions and manage pipelines and builds. |
| Contributors | Manage pipelines and builds, but not build queues. This group includes all team members. |
| Project Administrators | Administer build permissions and manage pipelines and builds. |
| Readers | View pipeline and builds. |
| Project Collection Administrators | Administer build permissions and manage pipelines and builds. |
| Project Collection Build Administrators | Administer build permissions and manage pipelines and builds. |
| Project Collection Build Service Accounts | Manage builds. |
| Project Collection Test Service Accounts | View pipelines and builds. |

The system automatically creates the <project name> Build Service (collection name) user, a member of the Project Collection Build Service Accounts group. This user executes build services within the project.

Depending on the resources you use in your pipelines, your pipeline could include other built-in users. For instance, if you're using a GitHub repository for your source code, a GitHub user is included.

The following table shows default permissions for security groups:

Task Readers Contributors Build Admins Project Admins
View builds ✔️ ✔️ ✔️ ✔️
View build pipeline ✔️ ✔️ ✔️ ✔️
Administer build permissions ✔️ ✔️
Delete or edit build pipeline ✔️ ✔️ ✔️
Delete or destroy builds ✔️ ✔️
Edit build quality ✔️ ✔️ ✔️
Manage build qualities ✔️ ✔️
Manage build queue ✔️ ✔️
Override check-in validation by build ✔️
Queue builds ✔️ ✔️ ✔️
Retain indefinitely ✔️ ✔️ ✔️ ✔️
Stop builds ✔️ ✔️
Update build information ✔️

For a description of pipeline permissions, see Pipeline or Build permissions.

Set project-level pipeline permissions

To manage project-level permissions for users and groups across all build pipelines in your project, do the following steps:

  1. From your project, select Pipelines.

    Screenshot showing Pipelines menu selection.

  2. Select More actions and select Manage security.

  3. Select users or groups and set permissions to Allow, Deny, or Not set.

    Screenshot of project-level pipelines security dialog.

  4. Repeat the previous step to change the permissions for more groups and users.

  5. Close the permissions dialog to save the changes.

Add users or groups to the permissions dialog

To add users and groups that aren't listed in the permissions dialog, do the following steps:

  1. Enter the user or group in the search bar, then select the user or group from the search result.
  2. Set the permissions.
  3. Close the dialog.

When you open the security dialog again, the user or group is listed.

Remove users or groups from the permissions dialog

To delete a user from the permissions list, do the following steps:

  1. Select the user or group.

  2. Select Remove and clear explicit permissions.

    Screenshot of remove user or group selection.

  3. When you're done, close the dialog to save your changes.

To manage project-level permissions for users and groups across all build pipelines in your project, do the following steps:

  1. From your project, select Pipelines.

    Screenshot showing Pipelines menu selections.

  2. Select More actions and select Manage security.

  3. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  4. Select a user or group and set the permissions.

    Screenshot showing project-level pipeline security dialog.

  5. Repeat the previous step to change the permissions for more groups and users.

  6. Select Save changes, or select Undo changes to discard them.

  7. To remove a user or group from the list, select the user or group and select Remove.

  8. Select Close.

Your project-level pipelines permissions are set.

To manage project-level permissions for users and groups across all build pipelines in your project, do the following steps:

  1. From your project, select Builds.

  2. Select the folders icon and select the All build pipelines folder.

  3. Select More actions > Security.

    Screenshot showing all pipelines security selections.

  4. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

    Screenshot of pipeline security add user or group selection.

  5. Select a user or group and set the permissions.

    Screenshot of pipeline security dialog.

  6. Select Save changes or Undo changes, if necessary.

  7. Repeat the previous step to change the permissions for more groups and users.

  8. To remove a user or group from the list, select the user or group, and then Remove.

  9. Select Close.

Set object-level pipeline permissions

By default, object-level permissions for individual pipelines are inherited from the project-level permissions. You can override the inherited project-level permissions.

You can set the permissions to Allow, Deny, or to Not set if the permission isn't inherited. If inheritance is enabled you can change an explicitly set permission back to the inherited value.

To manage permissions for a pipeline, do the following steps:

  1. From your project, select Pipelines.

    Screenshot showing Pipelines menu selection.

  2. Select a pipeline, then select More actions and select Manage security.

    Screenshot showing selected security option from a pipeline's more actions menu.

  3. Select a user or group and set the permissions.

    Screenshot of object-level pipeline security dialog.

  4. Repeat the previous step to change the permissions for more groups and users.

  5. When you're finished, close the dialog to save your changes.

Add users or groups to the permissions dialog

To add users and groups that aren't listed in the permissions dialog, do the following steps:

  1. Enter the user or group in the search bar, then select the user or group from the search result.
  2. Set the permissions.
  3. Close the dialog.

When you open the security dialog again, the user or group is listed.

Remove users or groups from the permissions dialog

Inherited users and groups can't be removed unless inheritance is disabled. To remove users or groups from a pipeline's permissions, do the following steps:

  1. Select the user or group.

  2. Select Remove and clear explicit permissions.

    Screenshot of remove user or group selection.

  3. When you're done, close the dialog to save your changes.

By default, object-level permissions for individual pipelines inherit the project-level permissions. You can override the inherited permissions.

You can set the permissions to Allow, Deny, or to Not set if the permission is not inherited. If inheritance is enabled you can change an explicitly set permission back to the inherited value.

To set permissions for an individual pipeline, do the following steps:

  1. From your project, select Pipelines.

    Screenshot showing Pipelines ordered menu selections.

  2. Select a pipeline, then select More actions and select Manage security.

    Screenshot showing selected Manage security option from a pipeline's more actions menu.

  3. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  4. Select users and groups and set the permissions.

  5. Select Save changes or Undo changes, if necessary.

    Screenshot of pipeline security add user or group selection.

  6. To remove a user or group, select the user or group and select Remove. You can't remove inherited users or groups unless inheritance is disabled.

  7. Select Close when you're finished.

When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the permissions for all users and groups revert to their project-level settings.

Object-level permissions for individual pipelines inherit the project-level permissions by default. You can override these inherited permissions for an individual pipeline.

You can set the permissions to Allow, Deny, or to Not set if the permission isn't inherited. If inheritance is enabled you can change an explicitly set permission back to the inherited value.

To set object-level permissions for a pipeline, do the following steps:

  1. From your project, select Builds from the menu.

  2. Select the folders icon and select the All build pipelines folder.

  3. Select More actions > Security.

    Screenshot showing all pipelines security navigation selections.

  4. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

    Screenshot of pipeline security add user or group.

  5. Select a user or group and set the permissions.

  6. You can select more users and groups to change their permissions.

  7. Select Save changes, or select Undo changes to discard them.

  8. To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.

  9. Select Close when you're finished.

When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. When you reenable inheritance, the permissions for all users and groups revert to their project-level settings.
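The inheritance rules above, worked through as an added example (not part of the original page, and not Azure DevOps code or its API): a simplified model that resolves one user's or group's permission on a pipeline from its explicit object-level value, the Inheritance setting, and the project-level value, then flags object-level settings that widen access. The `PipelineAcl` structure, the function names, and the sample data are constructed for illustration, and the model does not combine permissions across group memberships.

```python
from dataclasses import dataclass, field
from enum import Enum


class Perm(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    NOT_SET = "Not set"


@dataclass
class PipelineAcl:
    """Object-level settings for one pipeline (hypothetical structure)."""
    name: str
    inheritance: bool = True                      # the Inheritance setting
    explicit: dict = field(default_factory=dict)  # {(identity, permission): Perm}


def effective(project_acl, pipeline, identity, permission):
    """Resolve one identity's permission on one pipeline; returns (Perm, source)."""
    own = pipeline.explicit.get((identity, permission), Perm.NOT_SET)
    if own is not Perm.NOT_SET:
        return own, "explicit"        # an explicit value overrides the inherited one
    if pipeline.inheritance:
        inherited = project_acl.get((identity, permission), Perm.NOT_SET)
        if inherited is not Perm.NOT_SET:
            return inherited, "inherited"
    return Perm.NOT_SET, "none"       # nothing set, or inheritance is turned off


def clear_explicit(pipeline, identity):
    """Model of 'Clear explicit permissions': drop the identity's explicit entries."""
    for key in [k for k in pipeline.explicit if k[0] == identity]:
        del pipeline.explicit[key]


def audit(project_acl, pipelines):
    """List object-level settings that widen access beyond the project level."""
    findings = []
    for p in pipelines:
        if not p.inheritance:
            # Project-level Deny entries no longer reach this pipeline.
            findings.append((p.name, "*", "*", "inheritance disabled"))
        for (identity, permission), value in sorted(p.explicit.items(),
                                                    key=lambda kv: kv[0]):
            base = project_acl.get((identity, permission), Perm.NOT_SET)
            # An explicit Allow where the project level does not Allow widens access.
            if value is Perm.ALLOW and base is not Perm.ALLOW:
                findings.append((p.name, identity, permission,
                                 f"explicit Allow overrides project-level {base.value}"))
    return findings


# Constructed sample data: project-level settings and two pipelines.
PROJECT = {
    ("Contributors", "Queue builds"): Perm.ALLOW,
    ("Contributors", "Administer build permissions"): Perm.DENY,
    ("Readers", "View builds"): Perm.ALLOW,
    ("Readers", "Queue builds"): Perm.DENY,
}

release_build = PipelineAcl("release-build", explicit={
    ("Contributors", "Administer build permissions"): Perm.ALLOW,  # widens access
    ("Contributors", "Queue builds"): Perm.DENY,                   # narrows access
})
nightly = PipelineAcl("nightly", inheritance=False, explicit={
    ("Readers", "View builds"): Perm.ALLOW,
})

if __name__ == "__main__":
    for finding in audit(PROJECT, [release_build, nightly]):
        print(" | ".join(finding))
    # With inheritance off, the project-level Deny for Readers does not apply.
    print(effective(PROJECT, nightly, "Readers", "Queue builds"))
    # Clearing explicit permissions returns Contributors to the inherited values.
    clear_explicit(release_build, "Contributors")
    print(effective(PROJECT, release_build, "Contributors",
                    "Administer build permissions"))
```

The `nightly` case is the one to review first in a real project: turning off inheritance removes inherited Deny entries as well as inherited Allow entries.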

Set deployment group security in Azure Pipelines

A deployment group is a pool of physical or virtual target machines that have agents installed. Deployment groups are only available with classic release pipelines. You can create deployment groups in the following circumstances:

  • When dependent deployment groups are provisioned for projects from organization deployment pools
  • When a deployment group is created at the project level
  • When a project shares a deployment group, dependent deployment groups are created in the recipient projects

Individual deployment groups inherit the security roles from the project-level assignments. You can override the project-level assignments for a user or group. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

When a deployment group gets shared with another project, a separate deployment group, which inherits its security roles, is created in the other project. If sharing is disabled, the deployment group is removed from the other project.

The following table shows security roles for deployment groups:

| Role | Description |
|---|---|
| Reader | Can only view deployment groups. |
| Creator | Can create deployment groups. This role is a project-level role only. |
| User | Can view and use deployment groups. |
| Service Account | Can view agents, create sessions, and listen for jobs. This role is a collection- or organization-level role only. |
| Administrator | Can administer, manage, view, and use deployment groups. |

The following table shows default user and group role assignments:

| Group | Role |
|---|---|
| [project name]\Contributors | Creator (project-level), Reader (object-level) |
| [project name]\Deployment Group Administrators | Administrator |
| [project name]\Project Administrators | Administrator |
| [project name]\Release Administrators | Administrator |

Set project-level deployment group security roles

Do the following steps to set project-level security roles for all deployment groups:

  1. From your project, select Deployment groups under Pipelines.

  2. Select Security.

    Screenshot of security selection for all deployment groups.

  3. Set roles for users and groups.

    Screenshot of security dialog for all deployment groups.

  4. To remove a user or group, select the user or group and select Delete.

  5. Select Save changes to save your changes or Reset changes to revert unsaved changes.

Do the following steps to add project users or groups that aren't listed in the security dialog:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set object-level deployment group security roles

Do the following steps to set security roles for an individual deployment group:

  1. From your project, select Deployment groups under Pipelines.

  2. Select a deployment group under Groups.

  3. Select Security.

    Screenshot of security selection for an individual deployment group.

  4. Set roles for users and groups. To lower the privilege level of an inherited role, disable inheritance.

    Screenshot of object-level deployment group security dialog.

  5. To remove a user or group, select the user or group and select Delete. Inherited users and groups can't be removed unless inheritance is disabled.

  6. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

Do the following steps to add project users or groups that aren't listed in the security dialog:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set security for environments in Azure Pipelines

Environments bundle deployment targets for YAML pipelines but aren't compatible with classic pipelines. Security roles, assigned at the project level to default users and groups, are inherited by all environments. These security settings can be adjusted at both the project and individual environment levels.

The following table shows security roles for environments:

| Role | Description |
|---|---|
| Creator | Can create environments in the project. It only applies to project-level security. Contributors are automatically assigned this role. |
| Reader | Can view the environment. |
| User | Can use the environment when creating or editing YAML pipelines. |
| Administrator | Can administer permissions, create, manage, view and use environments. The creator of an environment is granted the administrator role for that environment. Administrators can also open access to an environment for all pipelines in the project. |

The following table shows default user and group role assignments:

| Group | Role |
|---|---|
| [project name]\Contributors | Creator (project-level), Reader (object-level) |
| [project name]\Project Administrators | Creator |
| [project name]\Project Valid Users | Reader |

The individual who creates an environment is automatically given the Administrator role for that specific environment. This role assignment is permanent and can't be changed.

Set project-level environment security roles

To set project-level security roles for all environments, do the following steps:

  1. From your project, select Environments under Pipelines.

  2. Select More actions and select Security.

    Screenshot of security selection for all environments.

  3. Set roles for users and groups to Administrator, Creator, User, or Reader.

    Screenshot of project-level environments security dialog.

  4. To remove a user or group, select the user or group and select Delete.

  5. Select Save to save your changes or Undo to revert unsaved changes.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set object-level environment security

By default, object-level security roles inherit from project-level settings. However, you can customize these settings for individual environments, including removing inherited users or groups and adjusting privilege levels, by disabling inheritance. Additionally, you have the option to manage pipeline access for each environment.

Set object-level environment user and group security roles

To set user and group security roles for an environment, do the following steps:

  1. From your project, select Environments under Pipelines.

  2. Select an environment.

  3. Select More actions and select Security.

    Screenshot of security selection for a single environment.

  4. Set roles for users and groups to Administrator, User, or Reader.

    Screenshot of object-level security dialog for environments.

  5. To remove a user or group, select the user or group and select Delete. Inherited users and groups can't be removed unless inheritance is disabled.

  6. Select Save to save your changes or Undo to revert unsaved changes.

Setting a role explicitly for a user or group disables their inheritance. To halt inheritance for everyone, deactivate the Inheritance option. Reactivating inheritance resets all users and groups to their original project-level role assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set pipeline access for an environment

Pipeline permissions can be set to Open access to allow access to all pipelines in a project or restricted access to specific pipelines. Only Project administrators can set pipeline permissions to Open access.

To set open access to all pipelines in a project, do the following steps:

  1. Select More actions and select Open access.

    Screenshot of open access for pipelines in an environment.

  2. Select Open access on the confirmation dialog.

To restrict access and manage pipeline access, do the following steps:

  1. Select Restrict access.

  2. Select Add pipeline and select a pipeline from the dropdown menu.

  3. To remove a pipeline, select the pipeline and select the Revoke access icon.

    Screenshot of revoke pipeline option.

Set library security in Azure Pipelines

The library facilitates asset sharing, like variable groups and secure files, across build and release pipelines. It employs a unified security model, allowing role assignments for asset management, creation, and usage. These roles, once set at the library level, automatically apply to all contained assets but can be individually adjusted.

| Role | Description |
|---|---|
| Administrator | Can edit/delete and manage security for library assets. The creator of an asset is automatically given this role for the asset. |
| Creator | Can create library assets. |
| Reader | Can only read library assets. |
| User | Can consume library assets in pipelines. |

The following table shows default roles:

| Group | Role |
|---|---|
| [project name]\Project Administrators | Administrator |
| [project name]\Build Administrators | Administrator |
| [project name]\Project Valid Users | Reader |
| [project name]\Contributors | Creator (project-level), Reader (object-level) |
| [project name]\Release Administrators | Administrator |
| project name Build Service (collection or organization name) | Reader |

For individual library assets, the creator is automatically assigned the Administrator role.

Set project-level library security roles

To manage access for all library assets, such as variable groups and secure files, do the following steps:

  1. From your project, select Pipelines > Library.

    Screenshot of the Library menu item.

  2. Select Security.

    Screenshot of the library Security button.

  3. Select a user or group and change the role to Reader, User, Creator, or Administrator.

    Screenshot of the library security dialog.

  4. To remove a user or group, select the user or group and select Delete.

  5. Select Save changes to save your changes or Reset changes to revert unsaved changes.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

You can manage access for all library assets, such as variable groups and secure files, from the project-level library security settings.

Set secure file security roles

Security roles for Secure files are inherited from the project-level library role assignments by default. You can override these assignments for an individual file. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

The creator of the secure file is automatically assigned the Administrator role for that file, which can't be changed.

To set permissions for a secure file, do the following steps:

  1. From your project, select Pipelines > Library.
  2. Select Secure files.
  3. Select a file.
  4. Select Security. Screenshot of secure file permission dialog.
  5. Set the desired role for users and groups.
  6. To remove a user or group, select the user or group and select Delete. Inherited users and groups can't be removed unless inheritance is disabled.
  7. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set variable group security roles

Security roles for variable groups are inherited from the project-level library role assignments by default. You can override these assignments for an individual variable group. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

The creator of the variable group is automatically assigned the Administrator role for that group, which can't be changed.

To set access for a variable group, do the following steps:

  1. From your project, select Pipelines > Library.
  2. Select a variable group.
  3. Select Security. Screenshot of variable group permission dialog.
  4. Set the desired role for users and groups.
  5. To remove a user or group, select the user or group and select Delete. Inherited users and groups can't be removed unless inheritance is disabled.
  6. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set release pipeline permissions in Azure Pipelines

Once you create a release pipeline, you can set project-level permissions for all release pipelines and object-level permissions for individual release pipelines and stages. You can also set permissions for release stages, which are a subset of permissions inherited from the object-level release pipeline permissions.

The following list shows the permission hierarchy for release pipelines:

  • Project-level release pipelines permissions
  • Object-level release pipeline permissions
  • Object-level stage permissions

The following table shows default user and group roles:

| Group | Role |
|---|---|
| Contributors | All permissions except Administer release permissions. |
| Project Administrators | All permissions. |
| Readers | Can view pipelines and releases. |
| Release Administrators | All permissions. |
| Project Collection Administrators | All permissions. |
| <project name> Build Service(<organization/collection name>) | Can view pipelines and releases. |
| Project Collection Build Server (<organization/collection name>) | Can view pipelines and releases. |

For permission descriptions, see Permissions and groups.

Set project-level release pipeline permissions

To update permissions for all releases, do the following steps:

  1. From your project, select Pipelines > Releases.

  2. Select the file view icon.

    Screenshot showing selection of the all files view.

  3. Select the All pipelines folder.

    Screenshot showing selection of all release pipelines folder.

  4. Select More actions and select Security.

    Screenshot of all release pipelines security dialog.

  5. Select users and groups and change their permissions.

    Screenshot of all release pipelines security add user or group selection.

  6. When you're done, close the dialog to save your changes.

Add users or groups to the permissions dialog

To add users and groups that aren't listed in the permissions dialog, do the following steps:

  1. Enter the user or group in the search bar, then select the user or group from the search result.
  2. Set the permissions.
  3. Close the dialog.

When you open the security dialog again, the user or group is listed.

Remove users or groups from the permissions dialog

To delete a user from the permissions list, do the following steps:

  1. From your project permissions page, select the user or group.

  2. Select Remove and clear explicit permissions.

    Screenshot of remove user or group selection.

  3. When you're done, close the dialog to save your changes.

To set permissions for all releases, do the following steps:

  1. From your project, select Pipelines > Releases.

  2. Select the file view icon.

    Screenshot showing selection of the all files view.

  3. Select the All pipelines folder.

    Screenshot showing selection of all release pipelines folder.

  4. Select More actions and select Security.

    Screenshot of all release pipelines security dialog.

  5. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  6. Select a user or group and set the permission to Allow, Deny or Not set, then select Save changes or Undo changes.

    Screenshot of all release pipelines security add user or group selection.

  7. Repeat the previous step for each user or group to modify their permissions.

  8. When you're finished, close the dialog.

Set object-level release pipeline permissions

By default, the object-level permissions for individual release pipelines are inherited from the project-level release pipeline permissions. You can override these inherited permissions for a specific release pipeline.

To override permissions for a release, do the following steps:

  1. From your project, select Pipelines > Releases.

  2. Select the file view icon.

  3. Select the release pipeline you want to modify, and then select More actions > Security.

    Screenshot of object-level release pipeline security dialog.

  4. Select users or groups to set their permissions to Allow, Deny or Not set.

    Screenshot of release pipeline security add user or group selection.

  5. When you're finished, close the dialog to save your changes.

When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the permissions for all users and groups revert to their project-level settings.

Add users or groups to the permissions dialog

To add users and groups that aren't listed in the permissions dialog, do the following steps:

  1. Enter the user or group in the search bar, then select the user or group from the search result.
  2. Set the permissions.
  3. Close the dialog.

When you open the security dialog again, the user or group is listed.

Remove users or groups from the permissions dialog

Users and groups can be removed from a release pipeline. Inherited users and groups can't be removed unless inheritance is disabled. To remove release pipeline permissions for users or groups, do the following steps:

  1. Select the user or group.

  2. Select Remove and clear explicit permissions.

    Screenshot of remove user or group selection.

  3. When you're done, close the dialog to save your changes.

You can set the permissions to Allow, Deny, or Not set if the permission isn't inherited. If inheritance is enabled, you can change an explicitly set permission back to the inherited value.

  1. From your project, select Pipelines > Releases.

  2. Select the file view icon.

  3. Select the release pipeline you want to modify, select More actions, and select Security.

    Screenshot of object-level release pipeline security dialog.

  4. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  5. Select a user or group and set the permission to Allow, Deny, Not set, or the inherited value (for example, Allow (inherited)).

    Screenshot of release pipeline security add user or group selection.

  6. Select Save changes or you can select Undo changes to undo the changes. You must save the changes to apply the permissions before selecting another user or group.

  7. To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.

  8. Select OK when you're finished.

When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the permissions for all users and groups revert to their project-level settings.

Set release stage permissions

Stage permissions are a subset of permissions that are inherited from the object-level release pipeline permissions.

To set permissions for a stage, do the following steps:

  1. From your project, select Pipelines > Releases.

  2. Select the file view icon and select All pipelines.

  3. Select the release pipeline you want to modify from All pipelines.

    Screenshot of the release pipeline stage security dialog.

  4. Select the stage you want to modify.

  5. Select the More options icon and select Security.

    Screenshot showing release stage security navigation selections.

  6. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  7. Select users and groups to set their permissions to Allow, Deny or Not set.

    Screenshot of release pipeline stage security dialog.

  8. Select Save changes or you can select Undo changes to undo the changes. You must save the changes to apply the permissions before selecting another user or group.

  9. You can select more users and groups to change their permissions.

  10. To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.

  11. Select OK when you're finished.

When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the permissions for all users and groups revert to their project-level settings.
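The inheritance rules above, modelled as an added example (not code from Azure DevOps or from this page): a resolver for one user or group across project-level defaults, a release pipeline, and a stage. The node, principal, and permission names are sample values, and combining permissions across several group memberships is not modelled.

```python
"""Model of Allow / Deny / Not set inheritance: project -> release pipeline -> stage."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW, DENY, NOT_SET = "Allow", "Deny", "Not set"


@dataclass
class SecurableNode:
    """One level of the hierarchy: project-level defaults, a release pipeline, or a stage."""
    name: str
    parent: Optional["SecurableNode"] = None
    inheritance: bool = True  # the Inheritance setting in the security dialog
    explicit: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def set_permission(self, principal: str, permission: str, value: str) -> None:
        """Allow/Deny stores an explicit entry; Not set removes it so the parent applies."""
        if value == NOT_SET:
            self.explicit.pop((principal, permission), None)
        elif value in (ALLOW, DENY):
            self.explicit[(principal, permission)] = value
        else:
            raise ValueError(f"unknown permission value: {value!r}")

    def clear_explicit(self, principal: str) -> None:
        """'Clear explicit permissions' for one user or group on this node."""
        for key in [k for k in self.explicit if k[0] == principal]:
            del self.explicit[key]

    def resolve(self, principal: str, permission: str) -> Tuple[str, Optional[str]]:
        """Return (value, name of the node that set it); the name is None when unset."""
        key = (principal, permission)
        if key in self.explicit:
            return self.explicit[key], self.name
        if self.inheritance and self.parent is not None:
            return self.parent.resolve(principal, permission)
        return NOT_SET, None

    def display(self, principal: str, permission: str) -> str:
        """Label the value as the dialog does, for example 'Allow (inherited)'."""
        value, source = self.resolve(principal, permission)
        if value != NOT_SET and source != self.name:
            return f"{value} (inherited)"
        return value


def walkthrough() -> List[str]:
    """Apply the documented operations to a constructed hierarchy and record each label."""
    project = SecurableNode("project-level release permissions")
    pipeline = SecurableNode("release pipeline web-api", parent=project)
    stage = SecurableNode("stage Production", parent=pipeline)
    who, perm = "Contributors", "Manage deployments"  # sample principal and permission
    project.set_permission(who, perm, ALLOW)

    seen = [stage.display(who, perm)]          # inherited through two levels
    stage.set_permission(who, perm, DENY)      # explicit override on the stage only
    seen.append(stage.display(who, perm))
    seen.append(pipeline.display(who, perm))   # the pipeline itself is unaffected
    stage.set_permission(who, perm, NOT_SET)   # Not set restores inheritance
    seen.append(stage.display(who, perm))
    stage.inheritance = False                  # Inheritance setting turned off
    seen.append(stage.display(who, perm))
    stage.inheritance = True                   # re-enabled: project-level value applies
    seen.append(stage.display(who, perm))
    return seen


if __name__ == "__main__":
    for label in walkthrough():
        print(label)
```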

Set service connection security in Azure Pipelines

Service connections are used to connect to external and remote services. You can set service connection security for:

  • Projects: Permissions are set at the object level.
  • Pipelines: Permissions are set at the object level.
  • Users and Groups: Security roles are set at the project and object levels.

The following table shows service connection roles:

Role Purpose
Reader Can view service connections.
User Can use service connections in classic and YAML build and release pipelines.
Creator Can create a service connection in the project. This role is a project-level role only.
Administrator Can use the service connection and manage roles for other users and groups.

The following table shows default security roles for service connections:

Group Role
[project name]\Endpoint Administrators Administrator
[project name]\Endpoint Creators Creator

The user who creates the service connection is automatically assigned the Administrator role for that service connection.

  • Pipelines: Permissions are set at the object level.
  • Users and Groups: Security roles are set at the project and object levels.

The following table shows service connection roles:

Role Purpose
User Can use service connections in classic and YAML build and release pipelines.
Administrator Can use the service connection and manage roles for other users and groups.

By default, the [project name]\Endpoint Administrators group is assigned the Administrator role for all service connections in the project. The user who creates the service connection is automatically assigned the Administrator role for that service connection.

For more information, see Service connections.

Set project-level service connection security roles

To manage security roles for all service connections, do the following steps:

  1. From your project, select Project settings.

  2. Select Service connections under Pipelines.

  3. Select More actions and select Security.

    Screenshot of select service connection security option.

  4. To change a role, select a user or group, and select a role from the dropdown menu.

    Screenshot of project-level service connections security dialog.

  5. To remove a user or group, select the user or group and select Delete.

  6. Select Save to save your changes or Undo to revert unsaved changes.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set object-level service connection security

You can set security roles for users and groups, as well as pipeline and project access, for an individual service connection. Individual service connections inherit the project-level role assignments for users and groups by default.

To open the security dialog for an individual service connection, do the following steps:

  1. From your project, select Project settings.
  2. Select Service connections under Pipelines.
  3. Select a service connection.
  4. Select More actions and select Security.

Set service connection security roles for users and groups

You can override the inherited roles for users and groups. Inheritance must be disabled to remove an inherited user or group or to lower the privilege level of an inherited role.

To manage security roles for an individual service connection, do the following steps:

  1. In the User permissions section of the Security dialog, select Project to manage project-level users and groups, or Organization to manage organization- or collection-level users and groups.

    Screenshot of user permissions dialog for individual service connections.

  2. Select users and groups and change their roles. To lower the privilege level of an inherited role, inheritance must be disabled.

  3. To remove a user or group, select the user or group and select Delete. Inherited users and groups can't be removed unless inheritance is disabled.

  4. Select Save to save your changes or Undo to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set service connection pipeline permissions

You can set the pipeline permissions to Open access, allowing all pipelines to use the service connection, or you can restrict access to specific pipelines.

When the pipeline permissions are set to Open access, you can limit access by selecting the Restrict access option.

Screenshot of restrict access option for an individual service connection.

To add pipelines to the restricted service connection, select Add pipeline and select a pipeline from the dropdown menu.

To change a service connection from restricted to open access, select More actions and then Open access.

Screenshot of open access option for an individual service connection.

Set service connection project permissions

Access is restricted to the current project by default. To grant access to other projects in the organization or collection, select Add projects.

Screenshot of project permissions selection for individual service connections.

Set security roles for individual service connections

To set the security role for users and groups for individual connections, do the following steps:

  1. From your project, select Project settings.

  2. Select Service connections under Pipelines.

  3. Select a service connection.

    Screenshot of individual service connection security selection.

  4. Select a user or group and change the role to User or Administrator. To lower the privilege level of an inherited role, inheritance must be disabled for the service connection.

  5. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

To remove a user or group from the list, select the user or group and select Delete. Inherited users and groups can't be removed unless inheritance is disabled.

If you're having trouble with permissions and service connections, see Troubleshoot Azure Resource Manager service connections.

Set task group permissions in Azure Pipelines

The permissions for task groups follow a hierarchical model. By default, all task groups inherit the project-level permissions. Once a task group is created, you can modify the project-level permissions and the object-level permissions for individual task groups.

The following table shows permissions for task groups:

Permission Description
Administer task group permissions Can add and remove users or groups to task group security.
Delete task group Can delete a task group.
Edit task group Can create, modify, or delete a task group.

The following table shows default permissions for security groups:

Task Readers Contributors Build Admins Project Admins Release Admins
Administer task group permissions ✔️ ✔️ ✔️
Delete task group ✔️ ✔️ ✔️
Edit task group ✔️ ✔️ ✔️ ✔️

The creator of a task group has all permissions to the task group.

Note

Task groups aren't supported in YAML pipelines, but templates are. For more information, see YAML schema reference.

Set project-level task group permissions

To set permissions for project-level task groups, do the following steps:

  1. From your project, select Pipelines > Task groups.

    Screenshot of task group menu item.

  2. Select Security.

    Screenshot of task groups security selection.

  3. Select users and groups to set their permissions to Allow, Deny, or Not set.

    Screenshot of task group security dialog.

  4. When you're done, close the dialog to save your changes.

Add users or groups to the permissions dialog

To add users and groups that aren't listed in the permissions dialog, do the following steps:

  1. Enter the user or group in the search bar, then select the user or group from the search result.
  2. Set the permissions.
  3. Close the dialog.

When you open the security dialog again, the user or group is listed.

Remove users or groups from the permissions dialog

To remove a user from the permissions list, do the following steps:

  1. Select the user or group.

  2. Select Remove and clear explicit permissions.

    Screenshot of remove user or group selection.

  3. When you're done, close the dialog to save your changes.

To set permissions for project-level task groups, do the following steps:

  1. From your project, select Pipelines > Task groups.

    Screenshot of task group selection.

  2. Select Security.

    Screenshot of task groups security selection.

  3. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  4. Select a user or group to set the permissions to Allow, Deny or Not set.

    Screenshot of pipeline task groups security dialog.

  5. Select Save changes or you can select Undo changes to undo the changes. You must save the changes to apply the permissions before selecting another user or group.

  6. You can select more users and groups to change their permissions.

  7. Select Close when you're finished.

Set object-level task group permissions

To set permissions for individual task groups, do the following steps:

  1. From your project, select Pipelines > Task groups.

    Screenshot of Task group selection.

  2. Select a task group.

  3. Select More commands and select Security.

  4. Select users and groups to set their permissions to Allow, Deny, or Not set.

    Screenshot of object-level task group security dialog.

  5. When you're done, close the dialog to save your changes.

When a permission for an inherited user or group is explicitly set, inheritance is disabled for that specific permission. Change the permission to Not set to restore inheritance. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the settings for all permissions revert to the project level.

Add users or groups to the permissions dialog

To add users and groups that aren't listed in the permissions dialog, do the following steps:

  1. Enter the user or group in the search bar, then select the user or group from the search result.
  2. Set the permissions.
  3. Close the dialog.

When you open the security dialog again, the user or group is listed.

Remove users or groups from the permissions dialog

Users and groups can be removed from the task group. Inherited users and groups can't be removed unless inheritance is disabled.

  1. Select the user or group.

  2. Select Remove and clear explicit permissions.

    Screenshot of remove user or group selection.

  3. When you're done, close the dialog to save your changes.

You can set the permissions to Allow, Deny, or Not set if the permission isn't inherited. If inheritance is enabled, you can change an explicitly set permission back to the inherited value.

To set permissions for a task group, do the following steps:

  1. From your project, select Pipelines > Task groups.

    Screenshot of task group menu item.

  2. Select a task group.

  3. Select More commands > Security.

  4. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  5. Select users and groups to set their permissions to Allow, Deny or Not set.

    Screenshot of object-level task group security dialog.

  6. Select Save changes or you can select Undo changes to undo the changes. You must save the changes to apply the permissions before selecting another user or group.

  7. You can select more users and groups to change their permissions.

  8. To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.

  9. Select OK when you're finished.

When a permission for an inherited user or group is explicitly set, inheritance is disabled for that specific permission. Change the permission to Not set to restore inheritance. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the settings for all permissions revert to the project level.

Set agent pool security in Azure Pipelines

Agent pools are a collection of agents that you use to run build and release jobs.

You can create agent pools with either organization scope or project scope. Organization-scoped agent pools are accessible to all existing or new projects in the organization, and by default, each organization has two agent pools: Azure Pipelines and Default. These default pools are accessible by all projects in the organization.

Project-scoped agent pools are created at the project level and are accessible only to that project.

From the organization settings, you can manage the organization-level security settings for all agent pools in the organization, and for individual agent pools. Both organization- and project-level security roles can be managed from the project settings.

You can create agent pools with either collection scope or project scope. Collection scoped agent pools are accessible to all existing or new projects in the collection, and by default, each collection has two agent pools: Azure Pipelines and Default. These default pools are accessible by all projects in the collection.

Project-scoped agent pools are created at the project level and are accessible only to that project.

From the collection settings, you can manage the collection-level security settings for all agent pools in the collection, and for individual agent pools. Both collection- and project-level security roles can be managed at the object level from the project settings.

Use predefined security roles to manage security for agent pools.

The following table shows security roles for agent pools:

Role Purpose
Reader Can view agent pools.
User Can use agent pools in classic and YAML build and release pipelines.
Creator Can create agent pools in the project. This role is a project-level role only.
Service Account Can view agents, create sessions, and listen for jobs from the agent pool. This role is set at the organization/collection level only.
Administrator Can manage and use agent pools and manage roles for other users and groups.

The following table shows default project and object security roles for agent pools:

Group Role
[project name]\Project Administrators Administrator
[project name]\Build Administrators Administrator
[project name]\Project Valid Users Reader
[project name]\Release Administrators Administrator
The user who created the agent pool Administrator

Set organization security for agent pools

You can manage organization-level users and groups for all agent pools in the organization or for individual project-scoped agent pools. The security roles for agent pools are Reader, Service Account, and Administrator. The User and Creator roles aren't available at the organization level.

Set organization security for all agent pools

By default, no users or groups have explicit roles for all pools at the organization level. You can add organization-level users and groups and manage security roles for all agent pools in the organization.

To manage security roles for all agent pools in the organization, do the following steps:

  1. Go to Organization settings and select Agent pools.

  2. Select Security.

    Screenshot of organization-level security selection for all agent pools.

  3. To add users and groups:

    1. Select Add

    2. Enter a user or group and select it from the search results.

    3. Repeat the previous step to add more users and groups.

    4. Select a role and select Add

      Screenshot of organization-level add user for all agent pools.

  4. To remove a user or group from the list, select the user or group and select Delete.

  5. To change a security role, select the user or group and select the role from the dropdown list.

  6. Select Save changes to save your changes or Reset changes to revert unsaved changes.

    Screenshot of organization-level security dialog for all agent pools.

  7. Close the dialog.

Set organization security for individual agent pools

Individual agent pools inherit the organization-level security assignments. The Default and Azure Pipelines agent pools include the Project Valid Users group for each project in the organization.

Agent pools created at the project-level are automatically assigned the [<project name>]\Project Valid Users group and the creator of the agent pool. The creator can't be deleted or modified. Any organization-level users and groups that are added from the project settings are listed here.

You can add and remove organization-level users and groups and set security roles for an individual agent pool. The security roles at this level are Reader, Service Account, and Administrator.

To manage security roles for an individual agent pool in the organization, do the following steps:

  1. Go to Organization settings and select Agent pools.
  2. Select an agent pool.
  3. Select Security.
  4. To add users and groups:
    1. Select Add
    2. Enter a user or group and select it from the search results.
    3. Repeat the previous step to add more users and groups.
    4. Select a role and select Add.
      Screenshot of organization-level add user for an agent pool.
  5. To remove a user or group, select the user or group and select Delete.
  6. To change a security role, select the user or group and select the role from the dropdown list.
  7. Select Save changes to save your changes or Reset changes to revert unsaved changes.
      Screenshot of organization-level security dialog for an individual agent pool.
  8. Close the dialog.

Set collection security for agent pools

You can manage collection-level users and groups for all agent pools in the collection or at the object level for project-scoped agent pools. The security roles for agent pools are Reader, Service Account, and Administrator. The User and Creator roles aren't available at the collection level.

Set collection security for all agent pools

By default, no users or groups have explicit roles for all pools in the collection. You can add collection-level users and groups and manage security roles for all agent pools in the collection.

To manage security roles for all agent pools in the collection, do the following steps:

  1. Go to Collection settings and select Agent pools.

  2. Select Security.

    Screenshot of collection-level security selection for all agent pools.

  3. To add users and groups:

    1. Select Add

    2. Enter a user or group and select it from the search results.

    3. Repeat the previous step to add more users and groups.

    4. Select a role and select Add.

      Screenshot of add user dialog for all agent pools.

  4. To remove a user or group from the list, select the user or group and select Delete. Inheritance must be turned off or the user or group must not be inherited from the project-level security settings.

  5. To change a security role, select the user or group and select the role from the dropdown list.

  6. Select Save changes to save your changes or Reset changes to revert unsaved changes.

    Screenshot of collection-level security dialog for all agent pools.

  7. Close the dialog.

Set collection security for individual agent pools

Individual agent pools inherit the collection-level security assignments. The Default and Azure Pipelines agent pools include the Project Valid Users group for each project in the collection.

Agent pools created at the project-level are automatically assigned the [<project name>]\Project Valid Users group and the creator of the agent pool. The creator can't be deleted or modified. Any collection-level users and groups that are added from the project settings are listed here.

You can add and remove collection-level users and groups and set security roles for an individual agent pool. The security roles at this level are Reader, Service Account, and Administrator. To lower the privilege level of an inherited role, inheritance must be disabled.

To manage security roles for an individual agent pool in the collection, do the following steps:

  1. Go to Collection settings and select Agent pools.

  2. Select an agent pool.

  3. Select Security.

  4. To add users and groups:

    1. Select Add

    2. Enter a user or group and select it from the search results.

    3. Repeat the previous step to add more users and groups.

    4. Select a role and select Add.

      Screenshot of collection-level add user dialog.

  5. To remove a user or group, select the user or group and select Delete.

  6. To change a security role, select the user or group and select the role from the dropdown list.

  7. Select Save changes to save your changes or Reset changes to revert unsaved changes.

    Screenshot of collection-level security dialog for an individual agent pool.

  8. Close the dialog.

Set collection security for agent pools

You can manage collection-level users and groups for all agent pools in the collection or at the object level, specifically for project-scoped agent pools. The security roles for agent pools are Reader, Service Account, and Administrator. The User and Creator roles aren't available at the collection level.

Set collection security for all agent pools

By default, no users or groups have explicit roles for all pools in the collection. You can add collection-level users and groups and manage security roles for all agent pools in the collection.

To manage security roles for all agent pools in the collection, do the following steps:

  1. Go to Collection settings and select Agent pools.

  2. Select All agent pools.

  3. To add users and groups:

    1. Select Add

    2. Enter a user or group and select it from the search results.

    3. Repeat the previous step to add more users and groups.

    4. Select a role and select Add.

      Screenshot of collection-level add user dialog.

  4. To remove a user or group from the list, select the user or group and select Delete.

  5. To change a security role, select the user or group and select the role from the dropdown list.

  6. Select Save changes to save your changes or Reset changes to revert unsaved changes.

Set collection security for individual agent pools

Individual agent pools inherit their user and group roles from the collection-level assignments by default.

You can add and remove users and groups and set security roles for an individual agent pool. To remove an inherited user or group, or to lower the privilege level of an inherited role, you must disable inheritance.

The security roles at this level are Reader, Service Account, and Administrator.

To manage security roles for an individual agent pool in the collection, do the following steps:

  1. Go to Collection settings and select Agent pools.

  2. Select an agent pool.

  3. Select the Roles tab.

  4. To add users and groups:

    1. Select Add

    2. Enter a user or group and select it from the search results.

    3. Repeat the previous step to add more users and groups.

    4. Select a role and select Add.

      Screenshot of collection-level add user dialog.

  5. To remove a user or group from the list, select the user or group and select Delete.

  6. To change a security role, select the user or group and select the role from the dropdown list.

  7. Select Save changes to save your changes or Reset changes to revert unsaved changes.

Set project-level agent pool security

To set project-level security roles for all agent pools, do the following steps:

  1. From your project, select Project settings and select Agent pools.

  2. Select Security.

    Screenshot of security selection for all agent pools.

  3. Select a user or group and set the role to Reader, User, Creator, or Administrator.

    Screenshot of security dialog for all agent pools.

  4. To remove a user or group, select the user or group and select Delete.

  5. Select Save changes to save your changes or Reset changes to revert unsaved changes.

To add project users or groups that aren't listed in the security dialog:

  1. Select Add.

  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.

  3. Select the Role.

  4. Select Add to save the changes.

    Screenshot of add user dialog.

Set object-level agent pool security

You can override project-level user and group role assignments and set pipeline permissions for an individual agent pool. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

To open the security dialog:

  1. From your project, select Project settings and select Agent pools.

  2. Select an agent pool.

  3. Select Security.

Set pipeline permissions for an individual agent pool

To set pipeline permissions for an individual agent pool:

  1. Select Restrict permission. This option is only available if the pool isn't restricted to specific pipelines.

    Screenshot of pipeline permissions dialog for an individual agent pool.

  2. Select Add pipeline.

    Screenshot of the button to add a pipeline.

  3. Select the pipeline you want to add to the agent pool from the dropdown menu.

To open access to all pipelines, select More actions, then select Open access.

Screenshot of agent pool open access for all pipelines selection.

Set object-level agent pool user permissions

From the User permissions section of the security dialog:

  1. Select a user or group and set the role to Reader, User, or Administrator.

    Screenshot of user permissions dialog for an individual agent pool.

  2. To remove a user or group, select the user or group and select Delete. Inherited users and groups can't be removed unless inheritance is disabled.

  3. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.

  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.

  3. Select the Role.

  4. Select Add to save the changes.

    Screenshot of add user dialog.
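The following example is added here and is not part of the original article or of Azure DevOps. It models the object-level rules described above as a small audit for reviewing a pool's settings: whether the pool is open to all pipelines, which Administrator roles are inherited, and which explicitly set roles override the project level. The data layout, the field names, the `Build Service` identity, and the rule that only explicitly set roles apply while Inheritance is off are assumptions made for this example.

```python
# Constructed sample data; the field names are assumptions for this example,
# not an Azure DevOps export format.
PROJECT_ROLES = {                      # project-level roles for all agent pools
    "Project Administrators": "Administrator",
    "Contributors": "User",
    "Project Valid Users": "Reader",
}
POOL = {
    "name": "linux-build",
    "inheritance": True,               # the pool's Inheritance setting
    "open_access": True,               # True = not restricted to specific pipelines
    "pipelines": [],                   # pipelines added after Restrict permission
    "roles": {                         # roles explicitly set on this pool
        "Contributors": "Administrator",
        "Build Service": "User",
    },
}


def effective_roles(pool, project_roles):
    """Return identity -> role for one pool.

    An explicitly set role wins for that identity. Other identities keep their
    project-level role only while inheritance is on (assumption of this model).
    """
    roles = dict(project_roles) if pool["inheritance"] else {}
    roles.update(pool["roles"])
    return roles


def audit(pool, project_roles):
    """Return (finding, subject) tuples worth a reviewer's attention."""
    findings = []
    if pool["open_access"]:
        # Every pipeline in the project can use this pool.
        findings.append(("open-access", pool["name"]))
    for who, role in sorted(effective_roles(pool, project_roles).items()):
        inherited = who not in pool["roles"]
        if inherited and role == "Administrator":
            # Can't be removed or lowered unless inheritance is disabled.
            findings.append(("inherited-admin", who))
        base = project_roles.get(who)
        if not inherited and base is not None and base != role:
            # Reverts to the project-level role if inheritance is re-enabled.
            findings.append(("override", who))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(POOL, PROJECT_ROLES):
        print(f"{finding}: {subject}")
```
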

To set pipeline and user security roles and pipeline permissions for an individual agent pool, do the following steps.

  1. Go to your agent pool and select Security.

  2. Use the Grant access permissions to all pipelines switch to enable or disable permissions to all pipelines in the project:

    Screenshot of agent Grant access permissions to all pipelines switch.

To set object-level user and group roles for an agent pool:

  1. Go to the User permissions section of the security dialog.

  2. Select a user or group and set the role to Reader, User, or Administrator.

    Screenshot of object-level user permissions dialog for an agent pool.

  3. To remove a user or group, select the user or group and select Delete. Inherited users and groups can't be removed unless inheritance is disabled.

  4. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.

  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.

  3. Select the Role.

  4. Select Add to save the changes.

    Screenshot of add user dialog.