Help to determine why Azure Devops repository permissions are not showing all groups

Question

Help to determine why Azure Devops repository permissions are not showing all groups

EJ Marmonti 161

We are transitioning to a single Azure Devops project (https://learn.microsoft.com/en-us/azure/devops/organizations/projects/about-projects?view=azure-devops#use-a-single-project), from multiple projects. For the sake of this, let's call the single project 'foobar' The idea here is that not all users should see every repository, so I don't think we can really use the default Contributors group across the project as it's meant to be used, but that's outside of scope with this particular problem I'm reporting. As I move external teams into this foobar single project, I have been essentially performing the following for every project I consolidate (note: for the sake of this ticket, I'm not mentioning anything about how I'm restoring the repos + work items, as that is out of scope with the problem I'm seeing) :

Create the Teams (Team A, B, C, etc), via Project Settings -> Teams -> New Team
For each repo that the team should have access to, I grant the group permission via Project Settings -> Repositories -> repositoryX -> Security -> (select the respectful group here)

The above process worked well for the first 2-3 teams I created. However, now that I have many teams (only 4 or 5 so far), I am running into an issue.
The problem is that when I go to Project Settings -> Repositories -> repositoryD -> Security, I do not see group D in the "Search for users or groups" drop-down, as seen below. Although I can still see groups A, B, and C. I even see some groups that I deleted and no longer show up under Settings/Permissions/Groups, yet they still show up in this drop-down. User's image

Note that I have not even got to the part where I'll need to test modifying the default Contributor access here, so I know that's not related (and that itself could cause me a whole bunch of other permissions problems - but like I mentioned, that's outside the scope of this problem here).
The problem as you can see is that groups I can see under Settings/Permissions/Groups, are not showing up when I try to add them to a specific repository. The search in the drop down is also useless. Anything I search for - I get zero results, even if it's one of the groups that I actually can click on when I otherwise have nothing typed into this search box. For example, when I click on it, I see a group called FOO. I can click on FOO and assign permissions. But if I type FOO, I get zero results. Is there a limit to the number of security groups allowed in Azure Devops? Or is this a bug with Devops? It definitely feels very buggy, especially since the old groups are still showing up in the search bar, and search not working. I even waited overnight and these groups are still not showing up in that drop down. PS - can you please add an 'azure devops' tag in here?

EJ Marmonti 161 Reputation points

2023-04-11T18:01:30.0166667+00:00

~~Please disregard, I think I've figured out the problem. When I created each team (A, B, C, etc), it was by default a member of the Contributor + "A" (group name).~~ Then when I went to repositoryA's security settings, it did not even list group A, because it already had access via the Contributor inherited permission role. As soon as I removed Contributor as a group member of group A, I was then able to back to repositoryA's security settings and add group A directly as a Contributor. Edit: nevermind, it's still happening. I'm not able to search for certain groups or people in that pop-up.
EJ Marmonti 161 Reputation points

2023-04-12T13:21:29.96+00:00

To reiterate a bit more, under https://dev.azure.com/foobar/Technology/_settings/permissions, I have the default Devops groups, and I also have 11 Teams listed. Then when I go Settings -> Repositories -> (select any of the 12+ repos) -> Security, I only see 7/11 of those Teams listed here in the "Search for users and groups" box. Trying to search for the missing groups yields zero results in the search (whatever I search for, I get zero results, even if I can type one of the teams that I actually can see in the list).
Sven Erik Matzen 91 Reputation points

2023-04-21T14:15:42.3166667+00:00

The problem seems to be still there - I can search only for a fraction of my users and teams in that box - when typing "s" I get 2 users in the selection list - when not typing anything (just clicking into that box), I get 5 more starting with "S". The search for that box is very strange. We have a customer that needs access to one of the repos, so I need to change security settings for that customer. Also, funny: I see in the search results groups from other Team Projects (which I think is not ok), but not from the Team Project where the repo is stored.

1 answer

Your answer

EJ Marmonti 161 Reputation points

2023-04-11T18:01:30.0166667+00:00

~~Please disregard, I think I've figured out the problem. When I created each team (A, B, C, etc), it was by default a member of the Contributor + "A" (group name).~~ Then when I went to repositoryA's security settings, it did not even list group A, because it already had access via the Contributor inherited permission role. As soon as I removed Contributor as a group member of group A, I was then able to back to repositoryA's security settings and add group A directly as a Contributor. Edit: nevermind, it's still happening. I'm not able to search for certain groups or people in that pop-up.
EJ Marmonti 161 Reputation points

2023-04-12T13:21:29.96+00:00

To reiterate a bit more, under https://dev.azure.com/foobar/Technology/_settings/permissions, I have the default Devops groups, and I also have 11 Teams listed. Then when I go Settings -> Repositories -> (select any of the 12+ repos) -> Security, I only see 7/11 of those Teams listed here in the "Search for users and groups" box. Trying to search for the missing groups yields zero results in the search (whatever I search for, I get zero results, even if I can type one of the teams that I actually can see in the list).
Sven Erik Matzen 91 Reputation points

2023-04-21T14:15:42.3166667+00:00

The problem seems to be still there - I can search only for a fraction of my users and teams in that box - when typing "s" I get 2 users in the selection list - when not typing anything (just clicking into that box), I get 5 more starting with "S". The search for that box is very strange. We have a customer that needs access to one of the repos, so I need to change security settings for that customer. Also, funny: I see in the search results groups from other Team Projects (which I think is not ok), but not from the Team Project where the repo is stored.

Answer 1

I figured out the problem to my initial issue. Like I mentioned, my goal is to limit access to certain repositories for members of a team. When you create a new team, the default permission is the Contributors group. I don't want to select the Readers group here either, because that still provides access to all of the repositories. What I did was:

create a team, leave permissions as default (Contributors)
Go to Settings -> Permissions -> Select the team I just created -> Member of -> (remove Contributors, add "<TeamName> team").
Go to Settings -> Repositories -> (Select a repo this team should have access to) -> Security -> (type the name of the team you just created) and now it pops up in the quick find and you can add it.

I've found that if you leave only the "Project Valid Users" group as a member of the team you created, this team will NOT show up in the search box. But if you add this team to the default "<TeamName> Team" group (Readers, or Contributors, etc), only then will you actually be able to assign permissions to the team. Somewhat related: If you were to add a new user as a team member, but they are not part of the "<TeamName> Team" (at minimum), that user will not have access to the repositories even though they are on the Team you added them to, which inherently puts them in the Valid Project Users group).

Share via

Help to determine why Azure Devops repository permissions are not showing all groups

1 answer

Your answer