Security namespace and permission reference for Azure DevOps
Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018 - TFS 2013
Security namespaces are used to store access control lists (ACLs) on tokens. Data stored in security namespaces determines the level of access the following entities have to perform a specific action on a specific resource.
- Azure DevOps user
- Azure DevOps Organization owner
- Member of an Azure DevOps security group
- Azure DevOps service account
- Azure DevOps service principal
Each family of resources, such as work items or Git repositories, is secured through a unique namespace. Each security namespace contains zero or more ACLs. Each ACL contains a token, an inherit flag, and a set of zero or more access control entries (ACEs). Each ACE contains an identity descriptor, an allowed permissions bitmask, and a denied permissions bitmask. Tokens are arbitrary strings representing resources in Azure DevOps.
Note
Namespaces and tokens are valid for all versions of Azure DevOps. Those listed here are valid for Azure DevOps 2019 and later versions. Namespaces are subject to change over time. To get the latest list of namespaces, exercise one of the command line tools or REST API. Some namespaces have been deprecated as listed in the Deprecated and read-only namespaces section later in this article.
Permission management tools
The recommended method for managing permissions is through the web portal. However, if you need to set a permission that isn't surfaced through the web portal or to set more granular permissions, you can use one of the command line tools or REST API.
- For Azure DevOps Server 2020 and Azure DevOps Services, you can use the
az devops security permission
commands. - For on-premises Azure DevOps instances, you can use the TFSSecurity commands.
- For Azure DevOps git repositories,Tf git permission command-line tool
- For Team Foundation Version Control (TFVC) repositories, Tf TFVC permission command-line tool
For all Azure DevOps instances, you can use the Security REST API.
Security namespaces and their IDs
This article describes the valid namespaces, lists the associated permissions, and provides links to more information. Many security namespaces correspond to permissions you set through a Security or Permissions web portal page. Other namespaces or select permissions aren't surface through the web portal. They grant access by default to members of security groups or Azure DevOps service principals. Namespaces have been grouped into the following categories based on how they're managed through the web portal.
- Object-level
- Project-level
- Organization or collection-level
- Server-level (on-premises only)
- Role-based
- Internal only
Hierarchy and tokens
A security namespace can be either hierarchical or flat. Tokens in a hierarchical namespace exist in a hierarchy with effective permissions inherited from parent tokens to child tokens. Tokens in a flat namespace have no concept of a parent-child relationship between any two tokens.
Tokens in a hierarchical namespace either have a fixed length for each path part, or variable length. If the tokens have variable-length path parts, then a separator character is used to distinguish where one path part ends and another begins.
Security tokens are case-insensitive. Token examples for different namespaces are provided in the following sections.
Object-level namespaces and permissions
The following table describes the namespaces that manage object-level permissions. Most of the listed permissions are managed through the web portal page for each object. Permissions are set at the project-level and inherited at the object-level unless changed.
Namespace
Permissions
Description
Build
ViewBuilds
EditBuildQuality
RetainIndefinitely
DeleteBuilds
ManageBuildQualities
DestroyBuilds
UpdateBuildInformation
QueueBuilds
ManageBuildQueue
StopBuilds
ViewBuildDefinition
EditBuildDefinition
DeleteBuildDefinition
OverrideBuildCheckInValidation
AdministerBuildPermissions
Manages build permissions at the project-level and object-level.
Token format for project-level build permissions: PROJECT_ID
If you need to update permissions for a particular build definition ID, for example, 12, security token for that build definition looks as follows:
Token format for project-level, specific build permissions: PROJECT_ID/12
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba/12
ID: 33344d9c-fc72-4d6f-aba5-fa317101a7e9
CSS
GENERIC_READ
GENERIC_WRITE
CREATE_CHILDREN
DELETE
WORK_ITEM_READ
WORK_ITEM_WRITE
MANAGE_TEST_PLANS
MANAGE_TEST_SUITES
Manages area path object-level permissions to create, edit, and delete child nodes and set permissions to view or edit work items in a node. You can manage these permissions through the Set permissions and access for work tracking, Create child nodes, modify work items under an area path.
ID: 83e28ad4-2d72-4ceb-97b0-c7726d5502c3
Administer
GenericRead
GenericContribute
ForcePush
CreateBranch
CreateTag
ManageNote
PolicyExempt
CreateRepository
DeleteRepository
RenameRepository
EditPolicies
RemoveOthersLocks
ManagePermissions
PullRequestContribute
PullRequestBypassPolicy
Manages Git repository permissions at the project-level and object-level. You can manage these permissions through the Project settings, Repositories administrative interface.
Token format for project-level permissions: repoV2/PROJECT_ID
You need to append RepositoryID
to update repository-level permissions.
Token format for repository-specific permissions: repoV2/PROJECT_ID/REPO_ID
ID: 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87
Iteration
GENERIC_READ
GENERIC_WRITE
CREATE_CHILDREN
DELETE
Manages iteration path object-level permissions to create, edit, and delete child nodes and view child node permissions. To manage through the web portal, see Set permissions and access for work tracking, Create child nodes.
Token format: 'vstfs:///Classification/Node/Iteration_Identifier/'
Suppose, you have the following iterations configured for your team.
– ProjectIteration1
TeamIteration1
– TeamIteration1ChildIteration1
– TeamIteration1ChildIteration2
– TeamIteration1ChildIteration3
TeamIteration2
– TeamIteration2ChildIteration1
– TeamIteration2ChildIteration2
To update permissions for ProjectIteration1\TeamIteration1\TeamIteration1ChildIteration1
, the security token looks as follows:
vstfs:///Classification/Node/ProjectIteration1_Identifier:vstfs:///Classification/Node/TeamIteration1_Identifier:vstfs:///Classification/Node/TeamIteration1ChildIteration1_Identifier
ID: bf7bfa03-b2b7-47db-8113-fa2e002cc5b1
MetaTask
Administer
Edit
Delete
Manages task group permissions to edit and delete task groups, and administer task group permissions. To manage through the web portal, see Pipeline permissions and security roles, Task group permissions.
Token format for project-level permissions: PROJECT_ID
Token format for metaTask-level permissions: PROJECT_ID/METATASK_ID
If MetaTask has parentTaskId then the Security token looks as follows:
Token Format: PROJECT_ID/PARENT_TASK_ID/METATASK_ID
ID: f6a4de49-dbe2-4704-86dc-f8ec1a294436
WorkItemQueryFolders
Read
Contribute
Delete
ManagePermissions
FullControl
RecordQueryExecutionInfo
Manages permissions for work item queries and query folders. To manage these through the web portal, see Set permissions and access for work tracking, Set permissions on queries or query folders.
ID: 71356614-aad7-4757-8f2c-0fb3bff6f680
Project-level namespaces and permissions
The following table describes the namespaces that manage project-level permissions. Most of the listed permissions are managed through the web portal admin context. Project Administrators are granted all project-level permissions. Other project-level groups have select permission assignments.
Namespace
Permissions
Description
Project
GENERIC_READ
GENERIC_WRITE
DELETE
PUBLISH_TEST_RESULTS
ADMINISTER_BUILD
START_BUILD
EDIT_BUILD_STATUS
UPDATE_BUILD
DELETE_TEST_RESULTS
VIEW_TEST_RESULTS
MANAGE_TEST_ENVIRONMENTS
MANAGE_TEST_CONFIGURATIONS
WORK_ITEM_DELETE
WORK_ITEM_MOVE
WORK_ITEM_PERMANENTLY_DELETE
RENAME
MANAGE_PROPERTIES
MANAGE_SYSTEM_PROPERTIES
BYPASS_PROPERTY_CACHE
BYPASS_RULES
SUPPRESS_NOTIFICATIONS
UPDATE_VISIBILITY
CHANGE_PROCESS
AGILETOOLS_BACKLOG
AGILETOOLS_PLANS
Manages Project-level permissions.
The AGILETOOLS_BACKLOG
permission manages access to Azure Boards backlogs. This is an internal permission setting and shouldn't be changed.
Root token format: $PROJECT
Token to secure permissions for each project in your organization.
$PROJECT:vstfs:///Classification/TeamProject/PROJECT_ID
.
Assume you have a project named Test Project 1
.
You can get the project ID for this project by using the az devops project show
command.
az devops project show --project "Test Project 1"
The command returns a project-id, for example, xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
.
Therefore, the token to secure project-related permissions for Test Project 1
is:
'$PROJECT:vstfs:///Classification/TeamProject/xxxxxxxx-a1de-4bc8-b751-188eea17c3ba'
ID: 52d39943-cb85-4d7f-8fa8-c6baac873819
Tagging
Enumerate
Create
Update
Delete
Manages permissions to create, delete, enumerate, and use work item tags. You can manage the Create tag definition permission through the Project settings, Permissions administrative interface.
Token format for project-level permissions: /PROJECT_ID
Example: /xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
ID: bb50f182-8e5e-40b8-bc21-e8752a1e7ae2
VersionControlItems
Read
PendChange
Checkin
Label
Lock
ReviseOther
UnlockOther
UndoOther
LabelOther
AdminProjectRights
CheckinOther
Merge
ManageBranch
Manages permissions for a Team Foundation Version Control (TFVC) repository. There is only one TFVC repository for a project. You can manage these permissions through the Project settings, Repositories administrative interface.
ID: a39371cf-0841-4c16-bbd3-276e341bc052
Collection-level namespaces and permissions
The following table describes the namespaces that manage organization-level permissions. Most of the listed permissions are managed through the web portal Collection settings context. Members of the Project Collection Administrators group are granted most of these permissions. To learn more, see Change project collection-level permissions.
Namespace
Permissions
Description
BuildAdministration
ViewBuildResources
ManageBuildResources
UseBuildResources
AdministerBuildResourcePermissions
Manages access to view, manage, use, or administer permissions for build resources.
ID: 302acaca-b667-436d-a946-87133492041c
Collection
GENERIC_READ
GENERIC_WRITE
CREATE_PROJECTS
TRIGGER_EVENT
MANAGE_TEMPLATE
DIAGNOSTIC_TRACE
SYNCHRONIZE_READ
MANAGE_TEST_CONTROLLERS
DELETE_FIELD
MANAGE_ENTERPRISE_POLICIES
Manages permissions at the organization or collection-level.
ID: 3e65f728-f8bc-4ecd-8764-7e378b19bfa7
Workspaces
Read
Use
Checkin
Administer
Manages permissions for administering shelved changes, workspaces, and the ability to create a workspace at the organization or collection level. The Workspaces namespace applies to the TFVC repository.
Root token format: /
Token format for a specific workspace: /{workspace_name};{owner_id}
ID: 93bafc04-9075-403a-9367-b7164eac6b5c
VersionControlPrivileges
CreateWorkspace
AdminWorkspaces
AdminShelvesets
AdminConnections
AdminConfiguration
Manages permissions for Team Foundation Version Control (TFVC) repository.
The
AdminConfiguration
permission grants users the ability to edit server-level permissions for users and groups. TheAdminConnections
permission grants users the ability to read the contents of a file or folder of an on-premises, server-level repository. ID:66312704-deb5-43f9-b51c-ab4ff5e351c3
Server-level namespaces and permissions
The following table describes those security namespaces and permissions defined for on-premises instances of Azure DevOps Server. You can manage these permissions, which are granted to members of the Team Foundation Administrators group, through the Azure DevOps Server administration console. For descriptions of these permissions, see Permissions and groups, Server-level permissions.
Namespace
Permissions
Description
CollectionManagement
CreateCollection
DeleteCollection
Manages permissions set at the server-level to create and delete project collections.
ID: 52d39943-cb85-4d7f-8fa8-c6baac873819
Server
GenericRead
GenericWrite
Impersonate
TriggerEvent
Manages permissions set at the server-level. This includes permissions to edit instance-level information, make requests on behalf of others, and trigger events.
ID: 1f4179b3-6bac-4d01-b421-71ea09171400
Warehouse
Administer
Grants permission to process or change settings for the data warehouse or SQL Server Analysis cube by using the Warehouse Control Web Service.
ID: b8fbab8b-69c8-4cd9-98b5-873656788efb
Role-based namespaces and permissions
The following table describes the security namespaces and permissions used to manage role-based security. You can manage role assignments through the web portal for pipeline resources as described Pipeline permissions and security roles.
Namespace
Permissions
Description
DistributedTask
View
Manage
Listen
AdministerPermissions
Use
Create
Manages permissions to access agent pool resources. By default, the following roles and permissions are assigned at the project level and inherited for each agent pool that is created:
- Reader role (
View
permissions only) to all members of the Project Valid Users group - Administrator role (all permissions) to members of the Build Administrators, Project Administrators, and Release Administrators groups.
- User role (
View
,Use
, andCreate
permissions) to all members of the Contributor group - Creator role (
View
,Use
, andCreate
permissions) to all members of the Contributor group
ID:101eae8c-1709-47f9-b228-0e476c35b3ba
Environment
View
Manage
ManageHistory
Administer
Use
Create
Manages permissions to create and manage Environments. By default, the following permissions are assigned:
- Reader role (
View
permissions only) to all members of the Project Valid Users group - Creator role (
View
,Use
, andCreate
permissions) to all members of the Contributor group - Creator role (
View
,Use
, andCreate
permissions) to all members of the Project Administrators group - Administrator role (all permissions) to the user who created a specific Environment.
ID:83d4c2e6-e57d-4d6e-892b-b87222b7ad20
ExtensionManagement
ViewExtensions
ManageExtensions
ManageSecurity
The Manager role is the only role used to manage the security of Marketplace extensions. Members of the Manager role can install extensions and respond to requests for extensions to be installed. The other permissions are assigned automatically to members of default security groups and service principals. To add users to the Manager role, see Manage extension permissions.
ID: 5d6d7b80-3c63-4ab0-b699-b6a5910f8029
Library
View
Administer
Create
ViewSecrets
Use
Owner
Manages permissions to create and manage library items, which include secure files and variable groups. Role memberships for individual items are automatically inherited from those of the Library node. By default, the following permissions are assigned:
- Reader role (
View
permissions only) to all members of the Project Valid Users group and the Project Collection Build Service account - Creator role (
View
,Use
, andCreate
permissions) to all members of the Contributors group - Creator role (
View
,Use
,Create
, andOwner
permissions) to the member who created the library item - Administrator role (all permissions) to members of the Build Administrators, Project Administrators, and Release Administrators groups.
To learn more, see Library asset security roles.
ID:b7e84409-6553-448a-bbb2-af228e07cbeb
ServiceEndpoints
Use
Administer
Create
ViewAuthorization
ViewEndpoint
Manages permissions to create and manage service connections. Role memberships for individual items are automatically inherited from those defined at the project-level. By default, the following roles are assigned:
- Reader role (
View
permissions only) to all members of the Project Valid Users group and the Project Collection Build Service account - Creator role (
View
,Use
, andCreate
permissions) to to members of the Endpoint Creators service security group. - Administrator role (all permissions) to members of the Endpoint Administrators service security group.
Roles are assigned through Service connection security roles.
ID:49b48001-ca20-4adc-8111-5b60c903a50c
Internal namespaces and permissions
The following table describes the security namespaces and permissions that aren't surfaced through the web portal. They are primarily used to grant access to members of default security groups or to internal resources. We strongly recommend that you don't alter these permission settings in any way.
Namespace
Permissions
Description
AccountAdminSecurity
Read
Create
Modify
Manages permissions to read or modify the organization account owner. These permissions are assigned to the organization owner and members of the Project Collection Administrator group.
ID: 11238e09-49f2-40c7-94d0-8f0307204ce4
BlobStoreBlobPrivileges
Read
Delete
Create
SecurityAdmin
Sets permissions to read, create, and manage the security of the data store. These permissions are assigned to several Azure DevOps service principals.
ID: 11238e09-49f2-40c7-94d0-8f0307204ce4
Boards
View
Create
ChangeMetadata
MoveCard
Delete
Manage
Manages permissions and access to Kanban boards.
ID: 251e12d9-bea3-43a8-bfdb-901b98c0125e
EventPublish
Read
Write
Grants read and write access for notification handler.
ID: 7cd317f2-adc6-4b6c-8d99-6074faeaf173
EventSubscriber
GENERIC_READ
GENERIC_WRITE
Grants read and write access for notification subscribers.
ID: 2bf24a2b-70ba-43d3-ad97-3d9e1f75622f
EventSubscription
GENERIC_READ
GENERIC_WRITE
UNSUBSCRIBE
CREATE_SOAP_SUBSCRIPTION
Manages member permissions to view, edit, and unsubscribe from notifications or create a SOAP subscription.
ID: 58b176e7-3411-457a-89d0-c6d0ccb3c52b
Identity
Read
Write
Delete
ManageMembership
CreateScope
RestoreScope
Manages permissions to read, write, and delete user account identity information; manage group membership and create and restore identity scopes. The ManageMembership
permission is automatically granted to members of the Project Administrators and Project Collection Administrators groups.
Token format for project-level permissions: PROJECT_ID
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
To modify group level permissions for Group Origin ID [2b087996-2e64-4cc1-a1dc-1ccd5e7eb95b]:
Token: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba\2b087996-2e64-4cc1-a1dc-1ccd5e7eb95b
ID: 5a27515b-ccd7-42c9-84f1-54c998f03866
Licensing
Read
Create
Modify
Delete
Assign
Revoke
Manages the ability to view, add, modify, and remove license levels. These permissions are automatically granted to members of the Project Collection Administrators groups.
ID: 453e2db3-2e81-474f-874d-3bf51027f2ee
PermissionLevel
Read
Create
Update
Delete
Manages the ability to create and download permission reports.
ID: 25fb0ed7-eb8f-42b8-9a5e-836a25f67e37
PipelineCachePrivileges
Read
Write
Manages permissions to read and write pipeline cache entries. These permissions are only assigned to internal Azure DevOps service principles.
ID: 62a7ad6b-8b8d-426b-ba10-76a7090e94d5
ReleaseManagement
ViewTaskEditor
ViewCDWorkflowEditor
ExportReleaseDefinition
ViewLegacyUI
DeploymentSummaryAcrossProjects
ViewExternalArtifactCommitsAndWorkItems
Manages access to Release Management user interface elements.
ID: 7c7d32f7-0e86-4cd6-892e-b35dbba870bd
WorkItemTrackingAdministration
ManagePermissions
DestroyAttachments
Manages permissions for administrating work tracking and destroying attachments.
ID: 445d2788-c5fb-4132-bbef-09c4045ad93f
WorkItemTrackingProvision
Administer
ManageLinkTypes
Manages permissions for changing work tracking processes and managing link types. The WorkItemTrackingProvision namespace is an older security namespace that is mostly used for TFS-2018 and earlier versions.
Root token format: /$
Token format for a specific project: $/PROJECT_ID
ID: 5a6cd233-6615-414d-9393-48dbb252bd23
Deprecated and read-only namespaces
The following namespaces are either deprecated or read-only. You shouldn't use them.
CrossProjectWidgetView
DataProvider
Favorites
Graph
Identity2
IdentityPicker
Job
Location
ProjectAnalysisLanguageMetrics
Proxy
Publish
Registry
Security
ServicingOrchestration
SettingEntries
Social
StrongBox
TeamLabSecurity
TestManagement
VersionControlItems2
ViewActivityPaneSecurity
WebPlatform
WorkItemsHub
WorkItemTracking
WorkItemTrackingConfiguration