Change permissions at the organization or collection-level

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

Several permissions are set at the organization or collection level. You can grant these permissions by adding a user or group to the Project Collection Administrators group. Or, you can grant specific collection-level permissions to a custom security group or user.

An organization is the container for several projects that share resources. For more information, see Plan your organizational structure.

The following articles provide related information:

• Look up a project collection administrator
• Manage users, groups, and security groups
• Request an increase in permission levels
• Change project-level permissions
• Set object-level permissions
• Employ security best practices

Note

Security groups are managed at the organization level, even if they are used for specific projects. Depending on user permissions, some groups might be hidden in the web portal. To view all group names within an organization, you can use the Azure DevOps CLI tool or our REST APIs. For more information, see Add and manage security groups.

Collection-level permissions

The following table lists the permissions assigned at the organization or collection level. All of these permissions, except for the Make requests on behalf of others permission, are granted to members of the Project Collection Administrators group. For more information, see Permissions and groups reference, Groups.

General

• Alter trace settings
• Create new projects
• Delete team project
• Edit instance-level information
• View instance-level information

Service Account

• Make requests on behalf of others
• Trigger events
• View system synchronization information

Boards

• Administer process permissions
• Create process
• Delete field from organization or account
• Delete process
• Edit process

Repos (TFVC)

• Administer shelved changes
• Administer workspaces
• Create a workspace

Pipelines

• Administer build resource permissions
• Manage build resources
• Manage pipeline policies
• Use build resources
• View build resources

Test Plans

• Manage test controllers

Auditing

• Delete audit streams
• Manage audit streams
• View audit log

Policies

• Manage enterprise policies

Note

Project Collection Administrators have the permission to manage organization or collection-level security groups, group membership, and edit permission ACLs. This permission isn’t controlled through the user interface.

Prerequisites

• To manage permissions or groups at the organization or collection level, you must be a member of the Project Collection Administrators security group. If you created the organization or collection, you're automatically a member of this group. To get added to this group, you need to request permissions from a member of the Project Collection Administrators group.
• Ensure security groups in Microsoft Entra ID or Active Directory are defined before adding them. For more information, see Add Active Directory / Microsoft Entra users or groups to a built-in security group.

Note

Users added to the Project-Scoped Users group can't access most Organization settings pages, including Permissions. For more information, see Manage your organization, Limit user visibility for projects and more.

Users with Stakeholder access can't access specific features even if they have permissions to those features. For more information, see Stakeholder access quick reference.

Add members to the Project Collection Administrators group

You can add users from a project, organization, or collection to the Project Collection Administrators group or any other group at the organization or collection level. To add a custom security group, first create the group.

In the following steps, we show how to add a user to the Project Collection Administrators group at the organization or collection level. The method is similar to adding a Microsoft Entra ID or Active Directory group. You can also add a user to the Project Collection Administrators group at the project level.

Note

To enable the Organization Permissions Settings Page v2 preview page, see Enable preview features.

Preview page

1. Sign in to your organization (https://dev.azure.com/{Your_Organization}).

2. Select Organization settings > Permissions.

   

3. Select Project Administrators group, Members, and then Add.

   

4. Enter the name of the user account or custom security group into the text box and select the matching result. You can enter multiple identities into the Add users and/or groups box, and the system automatically searches for matches. Select the appropriate matches.

   

5. Select Save.

Current page

1. Sign in to your organization (https://dev.azure.com/{Your_Organization}).

2. Select Project Settings and then Security.

   To see the full image, select to expand.

   

3. Select Project Administrators group, Members, and then Add.

   

4. Enter the name of the user account into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Select one or more matches.

   

5. Select Save changes. Select the refresh icon and the additions reflect.

Change permissions for a group

You can change the permissions for any organization or collection-level group, except the Project Collection Administrators group. Adding security groups to a collection is similar to adding them to a project. For more information, see Add or remove users or groups, manage security groupsand About permissions, Permission states.

Note

To enable the Organization Permissions Settings Page v2 preview page, see Enable preview features.

Preview page

1. Go to the Permissions page as described in the previous section, Add a user or group to the Project Administrators group.

   Note

   By design, you can't change the permission settings for the Project Collection Administrators group.

2. Choose the group whose permissions you want to change.

   In the following example, we choose the Stakeholders Limited group, and change several permissions.

   

   Your changes automatically save.

Current page

1. Go to the Security page as described in the previous section, Add a user or group to the Project Collection Administrators group.

2. Choose the group whose permissions you want to change.

   In the following example, we choose the Stakeholders Limited group, and change several permissions.

   

3. Select Save changes.

Change permissions for a user

You can change the collection-level permissions for a specific user. For more information, see About permissions, Permission states.

Note

To enable the Organization Permissions Settings Page v2 preview page, see Enable preview features.

Preview page

1. Go to the Permissions page as described in the previous section, Add a user or group to the Project Administrators group.

2. Select Users, then choose the user whose permissions you want to change.

   

3. Change the assignment for one or more permissions.

   In the following example, we change the Edit project-level information for Christie Church.

   

   Dismiss the dialog and your changes automatically save.

Current page

1. Go to the Security page as described in the previous section, Add a user or group to the Project Administrators group.

2. In the Filter users and groups text box, enter the name of the user whose permissions you want to change.

3. Change the assignment for one or more permissions.

   In the following example, we change the Edit project-level information for Christie Church.

   

4. Select Save changes.

Next steps

Manage projects

Related articles

• Look up a project collection administrator
• Manage users, groups, and security groups
• Request an increase in permission levels
• Change project-level permissions
• Set object-level permissions