Configure library security in Azure Pipelines
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
This article describes how to manage security for the project library and its assets in Azure Pipelines. The library can be used to share assets among the build and release pipelines in a project. Assets in the library can include variable groups and secure files.
All assets defined in the library share a common security model. Security roles can be assigned to users and groups to control who can manage, create, and use assets. Security assignments set for the library are inherited by assets in the library. The inherited settings for individual assets can be overridden.
Role | Description |
---|---|
Administrator | Can edit/delete and manage security for library assets. The creator of an asset is automatically given this role for the asset. |
Creator | Can create library assets. |
Reader | Can only read library assets. |
User | Can consume library assets in pipelines. |
The default roles are:
Group | Role |
---|---|
[project name]\Project Administrators | Administrator |
[project name]\Build Administrators | Administrator |
[project name]\Project Valid Users | Reader |
[project name]\Contributors | Creator (project-level) Reader (object-level) |
[project name]\Release Administrators | Administrator |
project name Build Service (collection or organization name) | Reader |
For individual library assets, the creator is automatically assigned the Administrator role.
Prerequisites
- You must be a member of an administrator group or be assigned an administrator role to manage Library security.
- You must be an administrator or have the appropriate role to manage permissions for individual library assets.
Set project-level library security roles
Here are the steps to manage access for all library assets, such as variable groups and secure files:
From your project, select Pipelines > Library.
Select Security.
Select a user or group and change the role to Reader, User, Creator, or Administrator.
To remove a user or group, select the user or group and select the delete button
.
Select the Save changes button
to save your changes or the Reset changes button
to revert unsaved changes.
To add project users or groups that aren't listed in the security dialog:
- Select the Add button.
- Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
- Select the Role.
- Select Add to save the changes.
You can manage access for all library assets, such as variable groups and secure files, from the project-level library security settings.
Set secure file security roles
Security roles for Secure files are inherited from the project-level library role assignments by default. You can override these assignments for an individual file. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.
The creator of the secure file is automatically assigned the Administrator role for that file, which can't be changed.
To set permissions for a secure file, follow these steps:
From within your project, select Pipelines > Library.
Select Secure files.
Select a file.
Select Security.
Set the desired role for users and groups.
To remove a user or group, select the user or group and select the delete button
. Inherited users and groups can't be removed unless inheritance is disabled.
Select the Save changes button
to save your changes or the Reset changes button
to revert unsaved changes.
When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.
To add project users or groups that aren't listed in the security dialog:
- Select the Add button.
- Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
- Select the Role.
- Select Add to save the changes.
Set variable group security roles
Security roles for variable groups are inherited from the project-level library role assignments by default. You can override these assignments for an individual variable group. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.
The creator of the variable group is automatically assigned the Administrator role for that group, which can't be changed.
To set access for a variable group, follow these steps:
From within your project, select Pipelines > Library.
Select a variable group.
Select Security.
Set the desired role for users and groups.
To remove a user or group, select the user or group and select the delete button
. Inherited users and groups can't be removed unless inheritance is disabled.
Select the Save changes button
to save your changes or the Reset changes button
to revert unsaved changes.
When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.
To add project users or groups that aren't listed in the security dialog:
- Select the Add button.
- Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
- Select the Role.
- Select Add to save the changes.
Related articles
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for