Default permissions quick reference
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
To use Azure DevOps features, users must be added to a security group with the appropriate permissions and granted access to the web portal. Limitations to select features are based on the access level and security group to which a user is assigned. The Basic access level and higher supports full access to most Azure DevOps services, except for Azure Test Plans. Stakeholder access level provides partial support to Azure Boards and Azure Pipelines. To learn more about access levels, see About access levels and Stakeholder access quick reference.
Assign users to a security group
The most common built-in security groups—Readers, Contributors, and Project Administrators—and team administrator role grant permissions to specific features.
In general, use the following guidance when assigning users to a security group:
- Add to the Contributors security group full-time workers who contribute to the code base or manage projects.
- Add to the Project Administrators security group users tasked with managing project resources.
- Add to the Project Collection Administrators security group users tasked with managing organization or collection resources.
To learn more about administrative tasks see About user, team, project, and organization-level settings. For a complete reference of all built-in groups and permissions, see Permissions and groups. For information about access levels, see About access levels.
In the tables provided in this article, a ✔️ (checkmark) indicates that the corresponding access level or security group has access to a feature by default.
To assign or change an access level, see Add users and assign licenses. If you need to grant specific users select permissions, you can do so.
Azure Boards
You can plan and track work from the web portal Boards hub, and using Visual Studio, Excel, and other clients. For an overview of work tracking features, see About Agile tools. To change permissions, see Set permissions and access for work tracking. In addition to the permissions set at the project level via the built-in groups, you can set permissions for the following objects: area and iteration paths and individual queries and query folders.
Note
Team administrators can configure settings for their team's tools. Organization owners and members of the Project Administrators group can configure settings for all teams. To be added as an administrator, see Add team administrators or Change project-level permissions.
Each user's access level or permission assignment controls access to the following tasks. Members of the Readers, Contributors, or Project Administrators group are assumed to have Basic access or greater.
General work item permissions
You can use work items to track anything you need to track. For more information, see Understand how work items are used to track issues, tasks, and epics.
Note
You can change the work item type or move work items to another project within a project collection. These features require that the data warehouse is disabled. With the data warehouse disabled, you can use the Analytics Service to support your reporting needs. To learn more about disabling the data warehouse, see Disable the data warehouse and cube.
Task or permission
Readers
Contributors
Project admins
View work items in this node (Area Path permission)
✔️
✔️
✔️
Edit work items in this node (Area Path permission)
✔️
✔️
Edit work item comments in this node (Area Path permission)
✔️
✔️
Create tag definition
✔️
✔️
Change work item type (Project-level permission)
✔️
✔️
Move work items out of this project (Project-level permission)
✔️
✔️
Email work items
✔️
✔️
✔️
Apply a work item template
✔️
✔️
Delete and restore work items (Project-level permission) (able to restore from the Recycle bin)
✔️
✔️
Permanently delete work items (Project-level permission)
✔️
Provide feedback (through the Microsoft Feedback client)
✔️
✔️
✔️
✔️
Note
Work items are subject to rules applied to them. Conditional rules based on user or group membership are cached for your web browser. If you find yourself restricted to update a work item, you may have encountered one of these rules. If you believe you've encountered an issue that doesn't apply to you, see Work item form IndexDB caching issues. For more information, see Rules and rule evaluation.
Boards
You use Boards to implement Kanban/Agile methods. Boards present work items as cards and support quick status updates through drag-and-drop.
Task
Readers
Contributors
Team admins
Project admins
View boards and open work items
✔️
✔️
✔️
Add work items to a board; update status through drag-and-drop
✔️
✔️
Reorder work items or reparent child items through drag-and-drop; update a field on a card
✔️
✔️
Add work items to a board; update status, reorder, or reparent child items through drag-and-drop; update a field on a card
✔️
✔️
Add child items to a checklist
✔️
✔️
Assign to a sprint (from card field)
✔️
✔️
Configure board settings
✔️
Backlogs features access
Backlogs display work items as lists. A product backlog represents your project plan and a repository of all the information you need to track and share with your team. Portfolio backlogs allow you to group and organize your backlog into a hierarchy.
Task
Readers
Contributors
Team admins
Project admins
View backlogs and open work items
✔️
✔️
✔️
Add work items to a backlog
✔️
✔️
Use bulk edit features
✔️
✔️
Add child items to a backlog item; prioritize or reorder a backlog; parent items using the Mapping pane; Assign items to a sprint using the Planning pane
✔️
✔️
Configure team settings, backlog levels, show bugs, work days off
✔️
Sprints
You use sprint tools to implement Scrum methods. The Sprints set of tools provide filtered views of work items that a team has assigned to specific iteration paths or sprints.
Task
Readers
Contributors
Team admins Project admins
View sprint backlogs, taskboards, and open work items
✔️
✔️
✔️
Add work items to a sprint backlog or taskboard
✔️
✔️
Prioritize/reorder a sprint backlog or taskboard; add child items to a backlog item; reassign items to a sprint using the Planning pane
✔️
✔️
View team capacity and work details
✔️
✔️
Set team capacity
✔️
Use bulk edit features
✔️
✔️
Define team sprints
✔️
Queries
Queries are filtered lists of work items based on criteria that you define by using a query editor. Adhoc searches are powered by a semantic search engine.
Task
Readers
Contributors
Project admins
View and run managed queries, view query charts
✔️
✔️
✔️
Create and save managed My queries, query charts
✔️
✔️
Create, delete, and save Shared queries, charts, folders
✔️
Delivery plans
Delivery plans display work items as cards against a calendar view. This format can be an effective communication tool with managers, partners, and stakeholders for a team.
Task
Readers
Contributors
Team admins
Project admins
View delivery plans
✔️
✔️
✔️
Create, edit, or delete a delivery plan, Contributors can only edit or delete plans that they create
✔️
✔️
Manage permissions for a delivery plan, Contributors can only manage permissions for plans that they create
✔️
✔️
Azure Repos
You can manage your source code from the web portal Repos hub, or using Xcode, Eclipse, IntelliJ, Android Studio, Visual Studio, or Visual Studio Code.
Stakeholders for private projects have no access to Repos. Stakeholders for public projects have the same access to Repos as Contributors.
Advanced Security
You can use Advanced Security to identify security vulnerabilities in your repository.
Permission
Readers
Contributors
Build Admins
Project Admins
View alerts (ability to view all security alerts under the Advanced Security tab)
✔️
✔️
✔️
Manage and dismiss alerts (ability to dismiss any Advanced Security alert)
✔️
Manage settings (toggle on Advanced Security and/or enable push protection for a repository)
Code: Source control
You can connect to your code from the web portal Code hub, or using Xcode, Eclipse, IntelliJ, Android Studio, Visual Studio, or Visual Studio Code. Stakeholders for private projects have no access to Code.
Git
You can use Git repositories to host and collaborate on your source code. For an overview of code features and functions.
Permission
Readers
Contributors
Build Admins
Project Admins
Read (clone, fetch, and explore the contents of a repository); also, can create, comment on, vote, and Contribute to pull requests
✔️
✔️
✔️
✔️
Contribute, Create branches, Create tags, and Manage notes
✔️
✔️
✔️
Create repository, Delete repository, and Rename repository
✔️
Edit policies, Manage permissions, Remove others' locks
✔️
Bypass policies when completing pull requests, Bypass policies when pushing, Force push (rewrite history, delete branches and tags)
(not set for any security group)
TFVC
Team Foundation Version Control (TFVC) provides a centralized version control system to manage your source control.
Note
Tasks such as create, delete, or rename a TFVC repository are not supported. Once a TFVC repository is created you can't delete it. Also, you can only have one TFVC repository per project. This is different from Git repositories which allow for adding, renaming, and deleting multiple repositories.
Permission
Readers
Contributors
Build Admins
Project Admins
Check in, Label, Lock, Merge, Pend a change in a server workspace, Read
Read only
✔️
✔️
✔️
Administer labels, Manage branches, Manage permissions, Revise other users' changes, Undo other users' changes, Unlock other users' changes
✔️
Azure Pipelines
You can define and manage your builds and releases from the web portal Pipelines hub. For an overview of pipelines features and functions, see Continuous integration on any platform.
Task | Readers | Contributors | Build Admins | Project Admins | Release Admins |
---|---|---|---|---|---|
View release pipelines | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Define builds with continuous integration | ✔️ | ✔️ | ✔️ | ||
Define releases and manage deployments | ✔️ | ✔️ | ✔️ | ||
Approve releases | ✔️ | ✔️ | ✔️ | ✔️ | |
Azure Artifacts (5 users free) | ✔️ | ✔️ | ✔️ | ||
Queue builds, edit build quality | ✔️ | ✔️ | ✔️ | ||
Manage build queues and build qualities | ✔️ | ✔️ | |||
Manage build retention policies, delete and destroy builds | ✔️ | ✔️ | ✔️ | ||
Administer build permissions | ✔️ | ✔️ | |||
Manage release permissions | ✔️ | ✔️ | |||
Create and edit task groups | ✔️ | ✔️ | ✔️ | ✔️ | |
Manage task group permissions | ✔️ | ✔️ | ✔️ | ||
Can view library items such as variable groups | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Use and manage library items such as variable groups | ✔️ | ✔️ | ✔️ |
Build
Task | Readers | Contributors | Build Admins | Project Admins |
---|---|---|---|---|
View builds | ✔️ | ✔️ | ✔️ | ✔️ |
View build pipeline | ✔️ | ✔️ | ✔️ | ✔️ |
Administer build permissions | ✔️ | ✔️ | ||
Create build pipeline | ✔️ | ✔️ | ✔️ | |
Delete or edit build pipeline | ✔️ | ✔️ | ✔️ | |
Delete or destroy builds | ✔️ | ✔️ | ||
Edit build quality | ✔️ | ✔️ | ✔️ | |
Manage build qualities | ✔️ | ✔️ | ||
Manage build queue | ✔️ | ✔️ | ||
Override check-in validation by build | ✔️ | |||
Queue builds | ✔️ | ✔️ | ✔️ | |
Retain indefinitely | ✔️ | ✔️ | ✔️ | ✔️ |
Stop builds | ✔️ | ✔️ | ||
Update build information | ✔️ |
Release
Task | Stakeholders | Readers | Contributors | Project Admins | Release Admins |
---|---|---|---|---|---|
Approve releases | ✔️ | ✔️ | ✔️ | ✔️ | |
View releases | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
View release pipeline | ✔️ | ✔️ | ✔️ | ✔️ | |
Administer release permissions | ✔️ | ✔️ | |||
Delete release pipeline or stage | ✔️ | ✔️ | ✔️ | ||
Delete releases | ✔️ | ✔️ | ✔️ | ||
Edit release pipeline | ✔️ | ✔️ | ✔️ | ||
Edit release stage | ✔️ | ✔️ | ✔️ | ||
Manage deployments | ✔️ | ✔️ | ✔️ | ||
Manage release approvers | ✔️ | ✔️ | ✔️ | ||
Manage releases | ✔️ | ✔️ | ✔️ |
Task groups
You use task groups to encapsulate a sequence of tasks already defined in a build or a release pipeline into a single reusable task. Task group permissions follow a hierarchical model. You can set defaults for all permissions at the project-level and over-write on an individual task group pipeline. You define and manage task groups in the Task groups tab in Azure Pipelines.
Task | Readers | Contributors | Build Admins | Project Admins | Release Admins |
---|---|---|---|---|---|
Administer task group permissions | ✔️ | ✔️ | ✔️ | ||
Delete task group | ✔️ | ✔️ | ✔️ | ||
Edit task group | ✔️ | ✔️ | ✔️ | ✔️ |
Azure Test Plans
Users granted Basic + Test Plans or Visual Studio Enterprise access level can define and manage manual tests from the web portal. For an overview of manual test features and functions, see Testing overview. You set several test permissions at the project level from Project Settings>Permissions.
Permission
Level
Readers
Contributors
Project Admins
View test runs
Project-level
✔️
✔️
✔️
Create test runs
Delete test runs
Project-level
✔️
✔️
Manage test configurations
Manage test environments
Project-level
✔️
✔️
Create tag definition
Delete and restore work items
Project-level
✔️
✔️
Permanently delete work items
Project-level
✔️
View work items in this node
Area Path
✔️
✔️
✔️
Edit work items in this node
Manage test plans
Manage test suites
Area Path
✔️
✔️
Note
The Change work item type permission doesn't apply to test-specific work items. Even if you choose this feature from the work item form, changing the work item type is disallowed.
Azure Artifacts
You can manage feeds from the web portal, Artifacts. Users with Stakeholder or Basic access, or higher can access Azure Artifacts features. To set permissions, see Secure feeds using permissions.
You can manage feeds from the web portal, Artifacts. Users with Basic access or higher can access Azure Artifacts features. Users with Stakeholder access can't. To set permissions, see Secure feeds using permissions.
Feeds have four permission roles: Feed Reader, Feed and Upstream Reader (Collaborator), Feed Publisher (Contributor), and Feed Owner. Feed Owners can add user accounts or security groups to any role.
Permission | Feed Reader | Feed and Upstream Reader (Collaborator) | Feed Publisher (Contributor) | Feed Owner |
---|---|---|---|---|
List packages in the feed | ✔️ | ✔️ | ✔️ | ✔️ |
Download/install/restore packages | ✔️ | ✔️ | ✔️ | ✔️ |
Save packages from upstream sources | ✔️ | ✔️ | ✔️ | |
Publish packages | ✔️ | ✔️ | ||
Promote packages to a view | ✔️ | ✔️ | ||
Deprecate/unlist/yank packages | ✔️ | ✔️ | ||
Delete/unpublish packages | ✔️ | |||
Add/remove upstream sources | ✔️ | |||
Allow external package versions | ✔️ | |||
Edit feed settings and permissions | ✔️ |
By default, the Project Collection Build Service is a Contributor and your project team is a Reader.
Note
In Azure Artifacts, feeds may be scoped to a single project or to the entire organization. To access a project-scoped feed, a user must also have access to the project containing that feed.
Feeds have three permission roles: Readers, Contributors, and Owners. Owners can add user accounts or security groups -to any role.
Permission | Reader | Contributor | Owner |
---|---|---|---|
List and restore/install packages | ✔️ | ✔️ | ✔️ |
Push packages | ✔️ | ✔️ | |
Unlist/deprecate packages | ✔️ | ✔️ | |
Delete/unpublish package | ✔️ | ||
Edit feed permissions | ✔️ | ||
Rename and delete feed | ✔️ |
By default, the Project Collection Build Service is a Contributor and your project team is a Reader.
Note
In Azure Artifacts, feeds may be scoped to a single project or to the entire organization. To access a project-scoped feed, a user must also have access to the project containing that feed.
Notifications, alerts, and team collaboration tools
To manage notifications, see Manage personal notifications and Manage team notifications.
Note
There are no UI permissions associated with managing notifications. Instead, you can manage them using the TFSSecurity command line tool.
Task
Readers
Contributors
Team admins
Project admins Project Collection admins
View the project page, navigate using the project page
✔️
✔️
✔️
✔️
Edit the project page
✔️
Set personal notifications or alerts
✔️
✔️
✔️
Set team notifications or alerts
✔️
✔️
Set project-level notifications or alerts
✔️
View Project READMEs
✔️
✔️
✔️
✔️
View Project wikis or code wikis
✔️
✔️
✔️
✔️
Provision or create a project wiki
✔️
✔️
✔️
Publish code as a wiki
✔️
✔️
✔️
Request feedback
✔️
✔️
✔️
Provide feedback
✔️
✔️
✔️
✔️
Search across projects, organizations, collections
✔️
✔️
✔️
✔️
Dashboards, charts, reports, and widgets
You can define and manage team and project dashboards from the web portal, Dashboards. For an overview of dashboard and chart features, see Dashboards. You can set individual dashboard permissions to grant or restrict the ability to edit or delete dashboards.
Users granted Stakeholder access to private projects can't view or create query charts. Stakeholder access to public projects can view and create query charts.
You can define and manage team dashboards from the web portal, Dashboards. For an overview of dashboard and chart features, see Dashboards. You set dashboard permissions at the team level from the team dashboard page.
Task
Readers
Contributors
Team admins
Project admins
View team and project dashboards
✔️
✔️
✔️
✔️
View team dashboards
✔️
✔️
✔️
Add and configure project dashboards
✔️
✔️
Add and configure team dashboards
✔️
✔️
✔️
Power BI Integration and Analytics views
From the web portal Analytics views, you can create and manage Analytics views. An Analytics view provides a simplified way to specify the filter criteria for a Power BI report based on the Analytics Service data store. The Analytics Service is the reporting platform for Azure DevOps. For more information, see What is the Analytics Service?.
You set permissions for the service at the project level, and for shared Analytics views at the object level. Users with Stakeholder access have no access to view or edit Analytics views.
Task
Readers
Contributors
Project admins
View Analytics
✔️
✔️
✔️
View a shared Analytics view
✔️
✔️
Add a private or shared Analytics view
✔️
✔️
Edit and delete shared Analytics views
✔️