az devops security permission
Note
This reference is part of the azure-devops extension for the Azure CLI (version 2.30.0 or higher). The extension will automatically install the first time you run an az devops security permission command. Learn more about extensions.
Manage security permissions.
Commands
Name | Description | Type | Status |
---|---|---|---|
az devops security permission list | List tokens for given user/group and namespace. | Extension | GA |
az devops security permission namespace | Manage security namespaces. | Extension | GA |
az devops security permission namespace list | List all available namespaces for an organization. | Extension | GA |
az devops security permission namespace show | Show details of permissions available in each namespace. | Extension | GA |
az devops security permission reset | Reset permission for given permission bit(s). | Extension | GA |
az devops security permission reset-all | Clear all permissions of this token for a user/group. | Extension | GA |
az devops security permission show | Show permissions for given token, namespace and user/group. | Extension | GA |
az devops security permission update | Assign allow or deny permission to given user/group. | Extension | GA |
az devops security permission list
List tokens for given user/group and namespace.
az devops security permission list --id --namespace-id
--subject
[--detect {false, true}]
[--org --organization]
[--recurse]
[--token]
Required Parameters
--id --namespace-id
ID of security namespace.
--subject
User Email ID or Group descriptor.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--detect
Automatically detect organization.
Property | Value |
---|---|
Accepted values: | false, true |
--org --organization
Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.
--recurse
If true and this is a hierarchical namespace, return child ACLs of the specified token.
Property | Value |
---|---|
Default value: | False |
--token
Security token.
Global Parameters
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az devops security permission reset
Reset permission for given permission bit(s).
az devops security permission reset --id --namespace-id
--permission-bit
--subject
--token
[--detect {false, true}]
[--org --organization]
Required Parameters
--id --namespace-id
ID of security namespace.
--permission-bit
Permission bit, or sum of permission bits, to reset for the given user/group and token.
--subject
User Email ID or Group descriptor.
--token
Security token.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--detect
Automatically detect organization.
Property | Value |
---|---|
Accepted values: | false, true |
--org --organization
Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.
Global Parameters
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az devops security permission reset-all
Clear all permissions of this token for a user/group.
az devops security permission reset-all --id --namespace-id
--subject
--token
[--detect {false, true}]
[--org --organization]
[--yes]
Required Parameters
--id --namespace-id
ID of security namespace.
--subject
User Email ID or Group descriptor.
--token
Security token.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--detect
Automatically detect organization.
Property | Value |
---|---|
Accepted values: | false, true |
--org --organization
Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.
--yes
Do not prompt for confirmation.
Property | Value |
---|---|
Default value: | False |
Global Parameters
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az devops security permission show
Show permissions for given token, namespace and user/group.
az devops security permission show --id --namespace-id
--subject
--token
[--detect {false, true}]
[--org --organization]
Required Parameters
--id --namespace-id
ID of security namespace.
--subject
User Email ID or Group descriptor.
--token
Security token.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--detect
Automatically detect organization.
Property | Value |
---|---|
Accepted values: | false, true |
--org --organization
Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.
Global Parameters
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az devops security permission update
Assign allow or deny permission to given user/group.
Learn more at https://aka.ms/azure-devops-cli-security-permission.
az devops security permission update --id --namespace-id
--subject
--token
[--allow-bit]
[--deny-bit]
[--detect {false, true}]
[--merge {false, true}]
[--org --organization]
Examples
Assign view, edit and delete permission for team projects.
az devops security permission update --allow-bit 7 --namespace-id 52d39943-cb85-4d7f-8fa8-c6baac873819 --subject user@fabrikam.com --token "`$PROJECT:vstfs:///Classification/TeamProject/e479xxxx-2be8-xxxx-bb0b-3a0209cxxxx"
To allow or deny multiple permissions at once, add the bit values of the individual permission bits.
Required Parameters
--id --namespace-id
ID of security namespace.
--subject
User Email ID or Group descriptor.
--token
Security token.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--allow-bit
Allow bit or addition of bits. Required if --deny-bit is missing.
Property | Value |
---|---|
Default value: | 0 |
--deny-bit
Deny bit or addition of bits. Required if --allow-bit is missing.
Property | Value |
---|---|
Default value: | 0 |
--detect
Automatically detect organization.
Property | Value |
---|---|
Accepted values: | false, true |
--merge
If set, the existing ACE has its allow and deny merged with the incoming ACE's allow and deny. If unset, the existing ACE is displaced.
Property | Value |
---|---|
Default value: | True |
Accepted values: | false, true |
--org --organization
Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: https://dev.azure.com/MyOrganizationName/.
Global Parameters
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
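The bit addition used for --allow-bit/--deny-bit and the effect of --merge on an existing ACE, as an added Python example (not part of the Azure CLI or of this reference), useful for checking what an update will leave in place before running it. Assumptions: the view, edit and delete bits are 1, 2 and 4 (implied by the sum 7 in the example above; confirm with `namespace show`), "merged" is modelled as a bitwise OR of the old and new masks, and all function names are hypothetical.

```python
# Constructed action table: the page's example uses 7 for view + edit + delete,
# so the three bits are assumed to be 1, 2 and 4.
ACTIONS = {"view": 1, "edit": 2, "delete": 4}


def to_mask(names):
    """Combine named permissions into the value passed to --allow-bit/--deny-bit."""
    mask = 0
    for name in names:
        mask |= ACTIONS[name]  # OR equals addition when every bit is distinct
    return mask


def decode(mask):
    """Split a mask into known permission names plus any unrecognised bits."""
    names = [name for name, bit in ACTIONS.items() if mask & bit]
    unknown = mask & ~to_mask(ACTIONS)
    return names, unknown


def apply_update(existing, allow=0, deny=0, merge=True):
    """Model the ACE left behind by `update`; ACEs are (allow, deny) pairs.

    merge=True  -> old and new masks are combined (assumed: bitwise OR).
    merge=False -> the existing ACE is displaced by the incoming one.
    """
    if allow & deny:
        # Pre-flight sanity check added here, not a documented CLI behaviour.
        raise ValueError("same bit requested in both allow and deny")
    if not merge:
        return (allow, deny)
    return (existing[0] | allow, existing[1] | deny)


def lost_denies(existing, result):
    """Deny bits present before the update that are gone afterwards."""
    return existing[1] & ~result[1]


if __name__ == "__main__":
    existing = (to_mask(["view"]), to_mask(["delete"]))  # view allowed, delete denied
    for merge in (True, False):
        result = apply_update(existing, allow=to_mask(["edit"]), merge=merge)
        dropped = decode(lost_denies(existing, result))[0]
        print(f"merge={merge}: allow={result[0]} deny={result[1]} dropped denies={dropped}")
```

With --merge false the incoming ACE replaces the old one, so an explicit deny that was set earlier disappears unless it is passed again in --deny-bit.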