Manage extension permissions

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019 | TFS 2018

Learn how to manage permissions for users or groups, so they can manage extensions.

Prerequisites

  • You must be a member of the Project Collection Administrators group to manage permissions for users or groups. Organization owners are automatically members of this group.
  • Private extensions must be shared with your organization to be installed. Check out the publishing documentation for information on how to share private extensions.
  • You must be a member of the Project Collection Administrators group or have "Edit collection-level information" permissions to manage permissions for users or groups. Organization owners are automatically members of the Project Collection Administrators group.

Manage permissions

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

    Open Organization settings

  3. Select Extensions.

    Extension settings hub

  4. Select Security.

    Extension security page

  5. Add users or update permission settings.

    Extension security permission setting

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Admin settings.

    Open Admin settings

  3. Select Extensions, and then select Security.

    Select Extensions, and then select Security.

  4. Add users or update permission settings.

    Extension security

To grant permissions for publishing or updating to users or groups, use the TFSSecurity command-line tool.

  1. At the server level, create a group, for example, "TFS Extension Publishers".

    tfssecurity /gcg "TFS Extension Publishers" "publishers who can manage extensions for the server" /server:ServerURL
    
  2. Grant access to the "TFS Extension Publishers" group to manage extensions.

    tfssecurity /a+ Publisher "//" CreatePublisher n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    tfssecurity /a+ Publisher "//" PublishExtension n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    tfssecurity /a+ Publisher "//" UpdateExtension n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    tfssecurity /a+ Publisher "//" DeleteExtension n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    
  1. Add existing users and groups to the "TFS Extension Publishers" group.

    tfssecurity /g+ "[TEAM FOUNDATION]\TFS Extension Publishers" n:User /server:ServerURL
    
    
    

You can add users later to "TFS Extension Publishers". This permission is a server-level permission. When you update or delete an extension, it affects all the project collections that use the extension.