Configure pipeline permissions in Azure Pipelines
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
This article explains how to secure your build pipelines by setting user and group permissions to control access to specific functions and tasks.
Pipeline security follows a hierarchical model of user and group permissions. Project-level permissions are inherited at the object level by all pipelines in the project. You can change inherited and default user and group permissions for all pipelines at the project- and object-levels. You can't change permissions set by the system.
The default security groups for pipelines are:
| Group | Description |
|---|---|
| Build Administrators | Administer build permissions and manage pipelines and builds. |
| Contributors | Manage pipelines and builds, but not build queues. This group includes all team members. |
| Project Administrators | Administer build permissions and manage pipelines and builds. |
| Readers | View pipeline and builds. |
| Project Collection Administrators | Administer build permissions and manage pipelines and builds. |
| Project Collection Build Administrators | Administer build permissions and manage pipelines and builds. |
| Project Collection Build Service Accounts | Manage builds. |
| Project Collection Test Service Accounts | View pipelines and builds. |
The system automatically creates the <project name> Build Service (collection name) user, a member of the Project Collection Build Service Accounts group. This user executes build services within the project.
Depending on the resources you use in your pipelines, your pipeline could include other built-in users. For instance, if you're using a GitHub repository for your source code, a GitHub user is included.
The default permissions for security groups are:
| Task | Readers | Contributors | Build Admins | Project Admins |
|---|---|---|---|---|
| View builds | ✔️ | ✔️ | ✔️ | ✔️ |
| View build pipeline | ✔️ | ✔️ | ✔️ | ✔️ |
| Administer build permissions | ✔️ | ✔️ | ||
| Delete or edit build pipeline | ✔️ | ✔️ | ✔️ | |
| Delete or destroy builds | ✔️ | ✔️ | ||
| Edit build quality | ✔️ | ✔️ | ✔️ | |
| Manage build qualities | ✔️ | ✔️ | ||
| Manage build queue | ✔️ | ✔️ | ||
| Override check-in validation by build | ✔️ | |||
| Queue builds | ✔️ | ✔️ | ✔️ | |
| Retain indefinitely | ✔️ | ✔️ | ✔️ | ✔️ |
| Stop builds | ✔️ | ✔️ | ||
| Update build information | ✔️ |
For a description of pipeline permissions, see Pipeline or Build permissions.
Prerequisites
- You must be a member of the Project Collection Administrators group to manage project collection groups.
- You must be a member of an administrator group or be allowed Administer build permissions to manage project level users and groups.
Set project-level pipeline permissions
Follow these steps to configure project-level permissions for users and groups across all build pipelines in your project:
From your project, select Pipelines.
Select More actions
and select Manage security.
Select users or groups and set permissions to Allow, Deny, or Not set.
Repeat the previous step to change the permissions for more groups and users.
Close permissions dialog to save the changes.
Add users or groups to the permissions dialog
To add users and groups that aren't listed in the permissions dialog:
- Enter the user or group in the search bar, then select the user or group from the search result.
- Set the permissions.
- Close the dialog.
When you open the security dialog again, the user or group is listed.
Remove users or groups from the permissions dialog
To delete a user from the permissions list:
Select the user or group.
Select Remove and clear explicit permissions.
When finished, close the dialog to save your changes.
Follow these steps to configure project-level permissions for users and groups across all build pipelines in your project:
From your project, select Pipelines.
Select More actions
and select Manage security.
To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.
Select a user or group and set the permissions.
Repeat the previous step to change the permissions for more groups and users.
Select Save changes or you can select Undo changes to undo the changes.
To remove a user or group from the list, select the user or group and select Remove.
Select Close.
Your project-level pipelines permissions are set.
Follow these steps to configure project-level permissions for users and groups across all build pipelines in your project:
Go to your project, select the Builds from the menu.
Select the folders icon and select the All build pipelines folder.
Select More actions
> Security.
To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.
Select a user or group and set the permissions.
Select Save changes or you can select Undo changes to undo the changes.
Repeat the previous step to change the permissions for more groups and users.
To remove a user or group from the list, select the user or group and select Remove.
Select Close.
Set object-level pipeline permissions
By default, object-level permissions for individual pipelines inherit the project-level permissions. You can override the inherited project-level permissions.
You can set the permissions to Allow, Deny, or to Not set if the permission is not inherited. If inheritance is enabled you can change an explicitly set permission back to the inherited value.
Complete the following steps to configure permissions for a pipeline.
From within your project, select Pipelines .
Select a pipeline, then select More actions
and select Manage security.
Select a user or group and set the permissions.
Repeat the previous step to change the permissions for more groups and users.
When you're finished, close the dialog to save your changes.
Add users or groups to the permissions dialog
To add users and groups that aren't listed in the permissions dialog:
- Enter the user or group in the search bar, then select the user or group from the search result.
- Set the permissions.
- Close the dialog.
When you open the security dialog again, the user or group is listed.
Remove users or groups from the permissions dialog
Users and groups can be removed from the pipeline's permissions. Inherited users and groups can't be removed unless inheritance is disabled.
Select the user or group.
Select Remove and clear explicit permissions.
When finished, close the dialog to save your changes.
By default, object-level permissions for individual pipelines inherit the project-level permissions. You can override the inherited permissions.
You can set the permissions to Allow, Deny, or to Not set if the permission is not inherited. If inheritance is enabled you can change an explicitly set permission back to the inherited value.
Follow these steps to set permissions for an individual pipeline:
From within your project, select Pipelines .
Select a pipeline, then select More actions
and select Manage security.
To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.
Select users and groups and set the permissions.
Select Save changes or you can select Undo changes to undo the changes.
To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.
Select Close when you're finished.
When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the permissions for all users and groups revert to their project-level settings.
Object-level permissions for individual pipelines inherit the project-level permissions by default. You can override these inherited permissions for an individual pipeline.
You can set the permissions to Allow, Deny, or to Not set if the permission is not inherited. If inheritance is enabled you can change an explicitly set permission back to the inherited value.
Follow these steps to set object-level permissions for a pipeline:
Go to your project, select the Builds from the menu.
Select the folders icon and select the All build pipelines folder.
Select More actions
> Security.
To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.
Select a user or group and set the permissions.
You can select more users and groups to change their permissions.
Select Save changes or you can select Undo changes to undo the changes.
To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.
Select Close when you're finished.
When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the permissions for all users and groups revert to their project-level settings.
Related articles
Povratne informacije
Stiže uskoro: Tijekom 2024. postupno ćemo ukinuti servis Problemi sa servisom GitHub kao mehanizam za povratne informacije za sadržaj i zamijeniti ga novim sustavom za povratne informacije. Dodatne informacije potražite u članku: https://aka.ms/ContentUserFeedback.
Pošaljite i pogledajte povratne informacije za