Git permission command
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
Visual Studio 2019 | Visual Studio 2022
The tf git permission command modifies the user access control list (ACL) and displays authorization settings for a Git repository or branch within a Git repository.
Prerequisites
To view permissions, you must be able to view the artifact for the type of information you're requesting: View collection-level information for project collections, View project-level information for projects, and Read for repository and branch if you're viewing branch permissions.
To manage permissions, you must have Manage permissions for the desired artifact.
For more information, see Default Git permissions.
Syntax
tf git permission [/allow:(* |perm1[,perm2,...]]
[/deny:(* |perm1[,perm2,...])]
[/remove:(* |perm1[,perm2,...])]
[/user:username1[,username2,...]]
[/group:groupname1[,groupname2,...]]
/collection:TeamProjectCollectionUrl
[/teamproject:TeamProjectIdentifier]
[/repository:RepositoryIdentifier]
[/branch:BranchName]
[/login:username,[password]]
Parameters
| Parameter | Description |
|---|---|
/allow:(* |<perm1>[,<perm2>,...]) |
The permissions to allow. |
/deny:(* |<perm1>[,<perm2>,...]) |
The permissions to deny. |
/remove:(* |<perm1>[,<perm2>,...]) |
The permissions to remove, sometimes referred to as not set. You can use all three of /allow, /deny, and /remove in the same invocation. For more information on how the allow, deny, and remove settings interact, see Permission settings. |
/user:<username1>[,<username2>,...] |
The user or users for which to allow, deny, or remove permissions. You must specify at least one user or group. |
/group:<groupname1>[,<groupname2>,...] |
The groups or groups for which to allow, deny, or remove permissions. You must specify at least one user or group. Groups and individuals can be used together. |
/collection:<TeamProjectCollectionUrl> |
Specifies the URL of the project collection that contains the permissions to view or modify. For example: http://myserver:8080/tfs/DefaultCollection or https://fabrikam-fiber.visualstudio.com. This parameter is required. |
/teamproject:<TeamProjectIdentifier> |
Specifies the name of the project that contains the permissions to view or modify. |
/repository:<RepositoryIdentifier> |
Specifies the name of the repo that contains the permissions to view or modify. |
/branch:<BranchName> |
Specifies the name of the branch that contains the permissions to view or modify. If you specify /branch, you must also specify /repository. |
/login:<username>[,<password>] |
Specifies the user account to run the command. See Use Team Foundation version control commands. |
See Git repository permission namespaces for a list of the permissions that can be administered by the tf git permission command.
Examples
Note
The following examples are broken into multiple lines for readability. To copy and paste them into the command line and run them, first copy them and paste them into Notepad or another tool and edit them so the commands are contained on a single line.
View collection level permissions
The following example lists the permissions for the fabrikam-fiber collection.
tf git permission /collection:https://dev.azure.com/fabrikam-fiber
/login:FabrikamUser@hotmail.com,FabrikamPassword
View project level permissions
The following example lists the project level permissions for the FabrikamFiber project, which is in the fabrikam-fiber collection.
tf git permission /collection:https://dev.azure.com/fabrikam-fiber
/teamproject:FabrikamFiber
/login:FabrikamUser@hotmail.com,FabrikamPassword
View repository level permissions
The following example lists the project level permissions for the FabrikamFiber repository, which is in the FabrikamFiber project.
tf git permission /collection:https://dev.azure.com/fabrikam-fiber
/teamproject:FabrikamFiber
/repository:FabrikamFiber
/login:FabrikamUser@hotmail.com,FabrikamPassword
Require branch folders commands
The following examples show how to create a branch policy that enforces the following constraints:
- Only
maincan exist at the repository root. - All users will be allowed to create branches under the
features/andusers/folders. - Administrators will be able to create branches under the
releases/folder.
In this example you use the following collection, project, and repository:
/collection: https://fabrikam-fiber.visualstudio.com/teamproject: FabrikamProject/repository FabrikamRepo
First, block the CreateBranch permission at the repository root for the project's contributors.
tf git permission /deny:CreateBranch
/group:[FabrikamProject]\Contributors
/collection:https://dev.azure.com/fabrikam-fiber/
/teamproject:FabrikamProject
/repository:FabrikamRepo
Then, allow contributors to create branches under features and users.
tf git permission /allow:CreateBranch
/group:[FabrikamProject]\Contributors
/collection:https://dev.azure.com/fabrikam-fiber/
/teamproject:FabrikamProject
/repository:FabrikamRepo
/branch:features
tf git permission /allow:CreateBranch
/group:[FabrikamProject]\Contributors
/collection:https://dev.azure.com/fabrikam-fiber/
/teamproject:FabrikamProject
/repository:FabrikamRepo
/branch:users
Allow administrators to create branches under releases.
tf git permission /allow:CreateBranch
/group:"[FabrikamProject]\Project Administrators"
/collection:https://dev.azure.com/fabrikam-fiber/
/teamproject:FabrikamProject
/repository:FabrikamRepo
/branch:releases
Finally, allow administrators to create a branch called main, in case it ever gets deleted accidentally.
tf git permission /allow:CreateBranch
/group:"[FabrikamProject]\Project Administrators"
/collection:https://dev.azure.com/fabrikam-fiber/
/teamproject:FabrikamProject
/repository:FabrikamRepo
/branch:main