Share via

az devops security permission

Note

This reference is part of the azure-devops extension for the Azure CLI (version 2.30.0 or higher). The extension will automatically install the first time you run an az devops security permission command. Learn more about extensions.

Manage security permissions.

Commands

Name Description Type Status
az devops security permission list

List tokens for given user/group and namespace.

 Extension GA
az devops security permission namespace

Manage security namespaces.

 Extension GA
az devops security permission namespace list

List all available namespaces for an organization.

 Extension GA
az devops security permission namespace show

Show details of permissions available in each namespace.

 Extension GA
az devops security permission reset

Reset permission for given permission bit(s).

 Extension GA
az devops security permission reset-all

Clear all permissions of this token for a user/group.

 Extension GA
az devops security permission show

Show permissions for given token, namespace and user/group.

 Extension GA
az devops security permission update

Assign allow or deny permission to given user/group.

 Extension GA

az devops security permission list

List tokens for given user/group and namespace.

az devops security permission list --id --namespace-id
                                   --subject
                                   [--detect {false, true}]
                                   [--org --organization]
                                   [--recurse]
                                   [--token]

Required Parameters

--id --namespace-id

ID of security namespace.

--subject

User Email ID or Group descriptor.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--detect

Automatically detect organization.

Property Value
Accepted values: false, true
--org --organization

Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.

--recurse

If true and this is a hierarchical namespace, return child ACLs of the specified token.

Property Value
Default value: False
--token

Security token.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az devops security permission reset

Reset permission for given permission bit(s).

az devops security permission reset --id --namespace-id
                                    --permission-bit
                                    --subject
                                    --token
                                    [--detect {false, true}]
                                    [--org --organization]

Required Parameters

--id --namespace-id

ID of security namespace.

--permission-bit

Permission bit or addition of permission bits which needs to be reset for given user/group and token.

--subject

User Email ID or Group descriptor.

--token

Security token.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--detect

Automatically detect organization.

Property Value
Accepted values: false, true
--org --organization

Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az devops security permission reset-all

Clear all permissions of this token for a user/group.

az devops security permission reset-all --id --namespace-id
                                        --subject
                                        --token
                                        [--detect {false, true}]
                                        [--org --organization]
                                        [--yes]

Required Parameters

--id --namespace-id

ID of security namespace.

--subject

User Email ID or Group descriptor.

--token

Security token.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--detect

Automatically detect organization.

Property Value
Accepted values: false, true
--org --organization

Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.

--yes -y

Do not prompt for confirmation.

Property Value
Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az devops security permission show

Show permissions for given token, namespace and user/group.

az devops security permission show --id --namespace-id
                                   --subject
                                   --token
                                   [--detect {false, true}]
                                   [--org --organization]

Required Parameters

--id --namespace-id

ID of security namespace.

--subject

User Email ID or Group descriptor.

--token

Security token.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--detect

Automatically detect organization.

Property Value
Accepted values: false, true
--org --organization

Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az devops security permission update

Assign allow or deny permission to given user/group.

Learn more at https://aka.ms/azure-devops-cli-security-permission.

az devops security permission update --id --namespace-id
                                     --subject
                                     --token
                                     [--allow-bit]
                                     [--deny-bit]
                                     [--detect {false, true}]
                                     [--merge {false, true}]
                                     [--org --organization]

Examples

Assign view, edit and delete permission for team projects.

az devops security permission update  --allow-bit 7 --namespace-id            52d39943-cb85-4d7f-8fa8-c6baac873819 --subject user@fabrikam.com            --token "`$PROJECT:vstfs:///Classification/TeamProject/e479xxxx-2be8-xxxx-bb0b-3a0209cxxxx"

You would need to add the bit value of the various permission bits to
simultaneously allow/deny multiple permissions.

Required Parameters

--id --namespace-id

ID of security namespace.

--subject

User Email ID or Group descriptor.

--token

Security token.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--allow-bit

Allow bit or addition of bits. Required if --deny-bit is missing.

Property Value
Default value: 0
--deny-bit

Deny bit or addition of bits. Required if --allow-bit is missing.

Property Value
Default value: 0
--detect

Automatically detect organization.

Property Value
Accepted values: false, true
--merge

If set, the existing ACE has its allow and deny merged with the incoming ACE's allow and deny. If unset, the existing ACE is displaced.

Property Value
Default value: True
Accepted values: false, true
--org --organization

Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False