Permissions grant access to perform a specific action on a specific resource as described in Get started with permissions, access, and security groups. You manage most permissions through the web portal. However, you can manage permissions using command line tools or the REST API.
Azure DevOps grants many permissions by default to members of default security groups. You can add and manage permissions at a more granular level with the az devops security permission commands. Use these commands to:
- View the permissions associated with security namespaces
- View details about those permissions
- Update or reset permissions
Note
Namespaces and tokens are valid for all versions of Azure DevOps. Namespaces are subject to change over time. To get the latest list of namespaces, exercise one of the command line tools or REST API. Some namespaces have been deprecated as listed in the Security namespace and permission reference, Deprecated and read-only namespaces.
- Azure DevOps CLI extension.
- Sign in using az login.
- For the examples in this article, set the default organization as follows:
  - Azure DevOps Services: az devops configure --defaults organization=YourOrganizationURL.
  - Azure DevOps Server: az devops configure --defaults organization=https://ServerName/CollectionName
Security permission commands
Enter the following command to list all available commands.
org: Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up via git config. Example: --org https://dev.azure.com/MyOrganizationName/.
az devops security permission namespace list [--local-only]
Parameters
local-only: Optional. If true, retrieve only local security namespaces.
Security namespaces might have their data managed in one microservice, but still be visible in other microservices. If a security namespace's data is managed in microservice X, it's local to that microservice. Otherwise, it's remote.
Enter az devops security permission namespace list to list the namespaces defined for your organization or on-premises server.
subject: Required. The email address or group descriptor of the user.
recurse: Optional. If true, and the namespace is hierarchical, this parameter returns the child ACLs of the tokens.
token: Optional. Specify an individual security token.
Example
The following command lists the tokens in table format for the specified namespace, which corresponds to Analytics, and associated with the user contoso@contoso.com.
az devops security permission namespace show --namespace-id <NAMESPACE_ID>
Parameters
id or namespace-id: Required. ID of security namespace.
Example
The following command shows details of the available permissions for the specified namespace ID and returns the results in table format.
az devops security permission namespace show --namespace-id 58450c49-b02d-465a-ab12-59ae512d6531 --output table

Name                      Permission Description                                    Permission Bit
--------------------------------------------------------------------------------------------------
Read                      View analytics                                            1
Administer                Manage analytics permissions                              2
Stage                     Push the data to staging area                             4
ExecuteUnrestrictedQuery  Execute query without any restrictions on the query form  8
ReadEuii                  Read EUII data                                            16
az devops security permission reset --id --permission-bit --subject --token
Parameters
id or namespace-id: Required. ID of security namespace.
permission-bit: Required. Permission bit, or the sum of the permission bits, to reset for the given user or group and token.
subject: Required. The email address or group descriptor of the user.
token: Required. Individual security token.
Example
The following command resets a token's permission bit 8 for the user contoso@contoso.com in the specified namespace and returns the results in table format.
az devops security permission reset --id 58450c49-b02d-465a-ab12-59ae512d6531 --permission-bit 8 --subject contoso@contoso.com --token 0611925a-b287-4b0b-90a1-90f1a96e9f1f --output table

Name                      Bit  Permission Description                                    Permission Value
---------------------------------------------------------------------------------------------------------
ExecuteUnrestrictedQuery  8    Execute query without any restrictions on the query form  Not set
az devops security permission reset-all --id --subject --token [--yes]
Parameters
id or namespace-id: Required. ID of security namespace.
subject: Required. The email address or group descriptor of the user.
token: Required. Individual security token.
yes: Optional. Don't prompt for confirmation.
Example
The following command clears all permissions for the user contoso@contoso.com in the specified namespace without requiring confirmation. The result is shown in the CLI.
az devops security permission reset-all --id 58450c49-b02d-465a-ab12-59ae512d6531 --subject contoso@contoso.com --token 0611925a-b287-4b0b-90a1-90f1a96e9f1f --yes --output table

Result
--------
True
az devops security permission show --id --subject --token
Parameters
id or namespace-id: Required. ID of security namespace.
subject: Required. The email address or group descriptor of the user.
token: Required. Individual security token.
Example
The following command shows a token's permission details for the user contoso@contoso.com in the specified namespace and returns the results in table format.
az devops security permission show --id 58450c49-b02d-465a-ab12-59ae512d6531 --subject contoso@contoso.com --token 0611925a-b287-4b0b-90a1-90f1a96e9f1f --output table

Name                      Bit  Permission Description                                    Permission Value
---------------------------------------------------------------------------------------------------------
Read                      1    View analytics                                            Not set
Administer                2    Manage analytics permissions                              Allow
Stage                     4    Push the data to staging area                             Not set
ExecuteUnrestrictedQuery  8    Execute query without any restrictions on the query form  Not set
ReadEuii                  16   Read EUII data                                            Deny
az devops security permission update --id --subject --token [--allow-bit] [--deny-bit] [--merge {false, true}]
Parameters
id or namespace-id: Required. The ID of the security namespace.
subject: Required. The email address or group descriptor of the user.
token: Required. An individual security token.
allow-bit: Optional. Specifies the allow bit or adds more bits. Required if deny-bit isn't provided.
deny-bit: Optional. Specifies the deny bit or adds other bits. Required if allow-bit isn't provided.
merge: Optional. Determines whether to merge with existing access control entries (ACE).
If set to true, the existing ACE's allow and deny permissions are merged with those of the incoming ACE.
If set to false or omitted, the existing ACE is replaced.
Accepted values are true or false.
Example
The following command updates the permissions for ExecuteUnrestrictedQuery (bit 8) for the user contoso@contoso.com in the specified namespace, and shows the results in table format.
az devops security permission update --allow-bit 8 --id 58450c49-b02d-465a-ab12-59ae512d6531 --subject contoso@contoso.com --token 56af920d-393b-4236-9a07-24439ccaa85c --output table

Name                      Bit  Permission Description                                    Permission Value
---------------------------------------------------------------------------------------------------------
ExecuteUnrestrictedQuery  8    Execute query without any restrictions on the query form  Allow
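The effect of the merge parameter on an existing ACE, as an added example (not part of the original article and not Microsoft's code). It reuses the Analytics permission bits and the permission show output from this article; the function names are hypothetical, and merge=true is modelled as a bitwise OR of the existing and incoming masks, which is an assumption about how the service combines them.

```shell
#!/bin/sh
# Added example, not Microsoft's code: what --merge does to an existing ACE.

# Sample input: `permission show --output table` rows as printed in this
# article's example for the Analytics namespace (columns re-spaced).
SHOW_OUTPUT='Name Bit Permission Description Permission Value
Read 1 View analytics Not set
Administer 2 Manage analytics permissions Allow
Stage 4 Push the data to staging area Not set
ExecuteUnrestrictedQuery 8 Execute query without any restrictions on the query form Not set
ReadEuii 16 Read EUII data Deny'

# ace_from_table TABLE -> "ALLOW_MASK DENY_MASK" (sums the bits marked Allow / Deny).
ace_from_table() {
  printf '%s\n' "$1" | awk '
    $2 ~ /^[0-9]+$/ { if ($NF == "Allow") a += $2; else if ($NF == "Deny") d += $2 }
    END { printf "%d %d\n", a, d }'
}

# mask_to_names MASK -> comma-separated Analytics permission names, or "none".
mask_to_names() {
  out=""
  for pair in 1:Read 2:Administer 4:Stage 8:ExecuteUnrestrictedQuery 16:ReadEuii; do
    bit=${pair%%:*}
    if [ $(( $1 & $bit )) -ne 0 ]; then out="${out:+$out,}${pair#*:}"; fi
  done
  printf '%s\n' "${out:-none}"
}

# apply_update OLD_ALLOW OLD_DENY NEW_ALLOW NEW_DENY MERGE -> "ALLOW DENY"
# MERGE=false or omitted: the incoming ACE replaces the existing one (per this page).
# MERGE=true: modelled as a bitwise OR of old and new masks. Assumption: a bit
# that would land in both masks is not resolved here.
apply_update() {
  if [ "$5" = "true" ]; then
    echo "$(( $1 | $3 )) $(( $2 | $4 ))"
  else
    echo "$3 $4"
  fi
}

# Compare `update --allow-bit 8` with and without --merge true.
set -- $(ace_from_table "$SHOW_OUTPUT")
old_allow=$1 old_deny=$2
for merge in false true; do
  set -- $(apply_update "$old_allow" "$old_deny" 8 0 "$merge")
  echo "--merge $merge: allow=$(mask_to_names "$1") deny=$(mask_to_names "$2")"
done
```

With merge left at false, the existing Administer Allow and ReadEuii Deny are not carried into the resulting ACE, so compare permission show output before and after an update.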