Permissions lookup guide for Azure DevOps
TFS 2017 | TFS 2015 | TFS 2013
Use this index to locate the article on how to manage a specific permission. Most permissions are managed through the user interface for an object, project, or collection. Other permissions are managed by adding users and groups to a role.
Note
You can manage permissions through a command line tool or REST API. Some permissions are only managed through these tools. To learn more, see Security and permission management tools and Security namespace and permission reference.
If you're new to Azure DevOps, review Get started with permissions, access, and security groups and About security roles.
Values in parenthesis indicate what level the permission is managed:
- Object: Permissions are managed at the object-level
- Project: Permissions are managed at the project level
- Collection: Permissions are managed at the account or project collection level
- Role: Permissions are managed through a security role.
- Server: Permissions are managed at the instance level for a server
- Team: Permissions are managed via the team administrator role.
A
- Administer build permissions (Object)
- Administer release permissions (Object)
- Administer task group permissions (Object)
- Administer warehouse (Server)
- Agent queues (Project, Role)
- Agent pools (Collection, Role)
- Alerts (Collection)
- Alerts (Team)
- Area path (Object)
- Azure Artifacts
B
- Branches, Git (Object)
- Branches, TFVC (Object)
- Build pipelines (Object)
- Build quality, manage (Object)
- Build queue, manage (Object)
- Build resources (Collection)
- Build permissions, manage (Object)
- Builds, manage (Object)
- Bypass policies when completing pull requests (Object)
- Bypass policies when pushing (Object)
C
- Check ins, TFVC (Object)
- Collection-level information
- Configure Agile tools (Team)
- Contribute (Git branch, Object)
- Contribute (Query, Object)
- Create project collection (Server)
- Create releases (Object)
D
- Dashboards, manage (Team)
- Delete build pipeline (Object)
- Delete builds (Object)
- Delete field from account
- Delete project collection (Server)
- Delete release pipeline (Object)
- Delete release stage (Object)
- Delete releases (Object)
- Delete task group(Object)
- Delete test artifacts
- Delete work items
- Delivery plans (Object)
- Deployment groups (Object, Role)
- Deployment pools (Collection, Role)
- Destroy builds (Object)
E
- Edit build definition (Object)
- Edit build quality (Object)
- Edit collection-level information (Collection)
- Edit policies (Git branch, Object)
- Edit project-level information (Project)
- Edit release pipeline (Object)
- Edit release state (Object)
- Edit task group (Object)
- Edit work items in this node (Area Path, Object)
- Events (Collection)
- Extensions (Collection, Role)
F-L
M-N
- Make requests on behalf of others (Collection)
- Make requests on behalf of others (Server)
- Manage build resources (Collection)
- Manage build qualities (Object)
- Manage deployments (Object)
- Manage enterprise policies (Collection)
- Manage permissions (Git branch, Object)
- Manage permissions (Query, Object)
- Manage project properties (Project)
- Manage release approvers (Object)
- Manage releases (Object)
- Manage test plans (Area Path, Object)
- Manage test suites (Area Path, Object)
- Manage test configurations (Project)
- Manage test environments (Project)
- Manage test controllers (Collection)
- Marketplace extensions (Collection, Role)
- Merge, TFVC (Object)
- Move work items out of this project (Project)
- Notes, Git (Object)
- Notifications (Collection)
O-P
- Override check-in validation by build (Object)
- Policies, Git branch (Object)
- Policies, Git repository (Object)
- Project collection (Server)
- Project properties (Project)
- Project-level information
Q-R
- Queue builds (Object)
- Query (Object)
- Query folder (Object)
- Read (Query, Object)
- Rename team project (Project)
- Release pipelines (Object)
- Remove other's locks (Git branch, Object)
- Repository, Git (Object)
- Retain (build) indefinitely (Object)
S
- Secure files (Object, Role)
- Service endpoints (Collection, Role)
- Service hooks
- Shelvesets, TFVC (Collection)
- Sprints, define (Object)
- Sprints, select (Team)
- Stop builds (Object)
- Suppress notifications for work item updates (Project)
T
- Tags, Git (Object)
- Tags, work items (Project)
- Task groups (Object)
- Team projects (Collection)
- Test artifacts, delete
- Test configurations (Project)
- Test controllers (Project)
- Test environments (Project)
- Test runs (Project)
- TFVC repositories (Object)
- Trace settings (Collection)
- Trigger events (Collection)
U
- Update build information (Object)
- Update build queue (Object)
- Update tag definition (Project)
- Use full Web Access features (Server)
V
- Update build information (Object)
- Update build queue (Object)
- Use full Web Access features (Server)
- Variable groups (Object, Role)
- View builds (Object)
- View release pipeline (Object)
- View releases (Object)
- View system synchronization information (Collection)
W
Edit project-level information
The Edit project-level information permission is set through the Project settings page. It includes the ability to perform the following tasks for the selected project defined in an organization or collection.
Note
The permission to add or remove project-level security groups and add and manage project-level group membership is assigned to all members of the Project Administrators group. It isn't controlled by a permissions surfaced within the user interface.
Edit instance-level or collection-level information
The Edit instance-level information (formerly Edit collection level information) permission is set through the Organizations settings or Collection settings page. It includes the ability to perform the following tasks for all projects defined in the organization or collection:
- Add and administer teams and all team-related features
- Edit collection-level permissions for users and groups in the collection
- Add or remove collection-level security groups from the collection
- Implicitly allows the user to modify version control permissions
- Edit project level and collection level permission ACLs
- Edit event subscriptions or alerts for teams, projects, or collection level events.