Configure permissions
TFS 2017
With Azure Artifacts you can publish, consume, and store different types of packages in your feed. Setting up permissions for your feed allows you to control who can access your packages.
Configure Azure Artifacts settings
Feed owners can specify who can create and administer Artifacts feeds. To access Azure Artifacts settings, select the Azure Artifacts settings icon on the right.
Note
The Azure Artifacts settings icon will not be visible if you don't have the right permissions.
By default, users in an Azure DevOps organization can create new feeds in that organization. A user who creates a feed is both an owner and an administrator of that feed.
Users in this Azure DevOps organization can create new feeds.
Only feed administrators and users or groups specified here are able to create new feeds.
Users or groups added here become administrators of all the feeds in the organization.
Note
It's very important to understand the difference between feeds, project, and project collection administrators.
A Feed Administrator can perform all operations on the feed (edit feed permissions, delete packages, promote packages, etc.).
A Project Administrator on the other hand has permissions to manage all project/team related operations (update project visibility, delete project, manage test environments etc.).
Project Collection Administrators are granted all collection-level permissions to manage resources for projects and project-collections (add/delete projects, trigger events, manage build resources, audit streams etc.).
Configure feed settings
Select the gear icon to navigate to your feed's settings.
Select Permissions.
In the edit feed dialog:
- Choose to make each person or team an Owner, Contributor, Collaborator, or Reader.
- When you're done, select Save.
Permissions table
In Azure Artifacts, feeds can be grouped into two categories: project-scoped and organization-scoped feeds. All feeds created through the web UI are project-scoped feeds. By default, every users in the same organization have the permissions to create a new feed. A user who creates a feed is both an owner and an administrator of that feed. Below are the four different access levels for a feed
| Permission | Reader | Collaborator | Contributor | Owner | Administrator |
|---|---|---|---|---|---|
| List/install/restore packages | ✓ | ✓ | ✓ | ✓ | ✓ |
| Publish packages | ✓ | ✓ | ✓ | ||
| Unlist packages | ✓ | ✓ | ✓ | ||
| Promote packages to a view | ✓ | ✓ | ✓ | ||
| Delete packages | ✓ | ✓ | |||
| Add/remove upstream sources | ✓ | ✓ | |||
| Allow external package versions | ✓ | ✓ | |||
| Save packages from upstream sources | ✓ | ✓ | ✓ | ✓ | |
| Edit feeds settings | ✓ | ✓ |
Note
To access a project-scoped feed, a user must also have access to the project hosting that feed.
Views permissions
Feed views enable users to share certain packages while keeping others private. A common scenario for using a feed view is sharing a package version that has already been tested and validated but keeping packages under development private.
By default, there are three views in a feed: @local, @prerelease, and @release view. The latter two are suggested views that you can rename or delete as desired.
The @local view is the default view and it includes all the packages published to the feed as well as all the packages downloaded from upstream sources.
Important
Users who have access a specific view are able to access and download packages from the feed through that view even if they don't have direct access to that feed. If you want to completely hide your packages, you must restrict access to both feed and views.
To restrict access to your feed, simply select a user or group from the permission table in your Feed Settings and select Delete.
You can restrict access to a view by changing its visibility to specific people as shown below.
After restricting your view's visibility to specific people, the access permissions column should reflect your changes.
Important
Views inherit their permissions from the parent feed. Setting a view's visibility to Specific people without specifying users or groups will default the view's permissions back to its parent's feed permissions.
Pipelines permissions
To access packages from your pipelines, the appropriate build identity must have access to your feed. By default, feeds have the Project Collection Build Service role set to Contributor. If you have changed your pipeline to run at project-scope, you will need to add the project-level build identity as a Reader or Contributor.
The project-level build identity is named as follows: [Project name] Build Service ([Organization name]). Example: FabrikamFiber Build Service (codesharing-demo).
From within your feed, select the gear icon
to navigate to Feed settings.Select the Permissions tab.
Select Add users/groups, and then add your build identity as a Contributor.
Note
If you want to access a feed in a different project from your pipeline, you must set up the other project to grant read/write access to the build service.
Share packages with all users in your organization
If you want to make certain packages in your feed available to all users in your organization, create or select a view that contains the packages you want to share and ensure its visibility is set to People in my organization.