Configure library security in Azure Pipelines

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

This article describes how to manage security for the project library and its assets in Azure Pipelines. The library can be used to share assets among the build and release pipelines in a project. Assets in the library can include variable groups and secure files.

All assets defined in the library share a common security model. Security roles can be assigned to users and groups to control who can manage, create, and use assets. Security assignments set for the library are inherited by assets in the library. The inherited settings for individual assets can be overridden.

| Role | Description |
| --- | --- |
| Administrator | Can edit/delete and manage security for library assets. The creator of an asset is automatically given this role for the asset. |
| Creator | Can create library assets. |
| Reader | Can only read library assets. |
| User | Can consume library assets in pipelines. |

The default roles are:

| Group | Role |
| --- | --- |
| [project name]\Project Administrators | Administrator |
| [project name]\Build Administrators | Administrator |
| [project name]\Project Valid Users | Reader |
| [project name]\Contributors | Creator (project-level), Reader (object-level) |
| [project name]\Release Administrators | Administrator |
| project name Build Service (collection or organization name) | Reader |

For individual library assets, the creator is automatically assigned the Administrator role.

Prerequisites

  • You must be a member of an administrator group or be assigned an administrator role to manage Library security.
  • You must be an administrator or have the appropriate role to manage permissions for individual library assets.

Set project-level library security roles

Here are the steps to manage access for all library assets, such as variable groups and secure files:

  1. From your project, select Pipelines > Library.

  2. Select Security.

  3. Select a user or group and change the role to Reader, User, Creator, or Administrator.

  4. To remove a user or group, select the user or group and select the delete button.

  5. Select the Save changes button to save your changes or the Reset changes button to revert unsaved changes.

To add project users or groups that aren't listed in the security dialog:

  1. Select the Add button.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

You can manage access for all library assets, such as variable groups and secure files, from the project-level library security settings.

Set secure file security roles

Security roles for Secure files are inherited from the project-level library role assignments by default. You can override these assignments for an individual file. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

The creator of the secure file is automatically assigned the Administrator role for that file, which can't be changed.

To set permissions for a secure file, follow these steps:

  1. From within your project, select Pipelines > Library.

  2. Select Secure files.

  3. Select a file.

  4. Select Security.

  5. Set the desired role for users and groups.

  6. To remove a user or group, select the user or group and select the delete button. Inherited users and groups can't be removed unless inheritance is disabled.

  7. Select the Save changes button to save your changes or the Reset changes button to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog:

  1. Select the Add button.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set variable group security roles

Security roles for variable groups are inherited from the project-level library role assignments by default. You can override these assignments for an individual variable group. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

The creator of the variable group is automatically assigned the Administrator role for that group, which can't be changed.

To set access for a variable group, follow these steps:

  1. From within your project, select Pipelines > Library.

  2. Select a variable group.

  3. Select Security.

  4. Set the desired role for users and groups.

  5. To remove a user or group, select the user or group and select the delete button. Inherited users and groups can't be removed unless inheritance is disabled.

  6. Select the Save changes button to save your changes or the Reset changes button to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog:

  1. Select the Add button.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.
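
The inheritance rules in the secure file and variable group sections can be checked with a small model that resolves each asset's effective roles and flags assets that have drifted from the project-level assignments. This is an added example, not Azure DevOps code: the `Asset` type, the role ordering in `RANK`, the shortened group names, and the sample assets are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed ordering (lowest to highest), used only to compare roles.
RANK = {"Reader": 0, "User": 1, "Creator": 2, "Administrator": 3}

# Object-level defaults from the table on this page (group names shortened).
PROJECT_ROLES = {
    "Project Administrators": "Administrator", "Build Administrators": "Administrator",
    "Release Administrators": "Administrator", "Project Valid Users": "Reader",
    "Contributors": "Reader", "Build Service": "Reader",
}

@dataclass
class Asset:  # hypothetical record for a variable group or secure file
    name: str
    creator: str
    inherit: bool = True                          # the asset's Inheritance setting
    explicit: dict = field(default_factory=dict)  # principal -> role set on the asset

def effective_roles(project_roles, asset):
    """Return {principal: (role, source)} for one asset."""
    roles = {w: (r, "inherited") for w, r in project_roles.items()} if asset.inherit else {}
    for who, role in asset.explicit.items():
        inherited = roles.get(who)
        # Lowering an inherited role only takes effect with inheritance off.
        if inherited and RANK[role] < RANK[inherited[0]]:
            continue
        roles[who] = (role, "explicit")
    roles[asset.creator] = ("Administrator", "creator")  # fixed, can't be changed
    return roles

def audit(project_roles, assets):
    """Flag assets that no longer follow the project-level assignments."""
    findings = []
    for asset in assets:
        if not asset.inherit:
            findings.append((asset.name, "*", "inheritance disabled"))
        for who, (role, source) in effective_roles(project_roles, asset).items():
            base = project_roles.get(who)
            if source != "inherited" and (base is None or RANK[role] > RANK[base]):
                findings.append((asset.name, who, f"{base or 'no role'} -> {role}"))
    return findings

# Constructed sample assets, not taken from a real project.
ASSETS = [
    Asset("prod-secrets", "alice", explicit={"Contributors": "User"}),
    Asset("signing-cert.pfx", "bob", inherit=False, explicit={"Release Administrators": "User"}),
]
```

Calling `audit(PROJECT_ROLES, ASSETS)` reports the elevated Contributors role, both creators' Administrator roles, and the secure file whose inheritance is off, which are the assignments a reviewer would want to confirm by hand in the Security dialog.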