Rediger

Del via


About pipeline security roles

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

Security for build and release pipelines, and task groups, is managed using task-based permissions. Several pipeline resources use role-based permissions, which can be assigned to users or groups. Each role defines the operations a user can perform.

Role-based permissions apply to all resources of a specific type within a project, organization, or collection. Individual resources inherit permissions from project-level settings, but you can turn off inheritance for specific artifacts if needed.

Default role assignments

By default, all project contributors are members of the User role for each hosted queue. This role allows them to author and run build and release pipelines using hosted queues.

Agent pool security roles, project-level

You can add users to security roles from the project-level admin context on the Agent Pools page. For information on adding and managing agent pools, see Agent pools.

Role (project-level) Description
Reader View the pool. Typically, add operators to this role to monitor build and deployment jobs in the pool.
User View and use the pool when authoring build or release pipelines.
Creator Create and use the pool when authoring build or release pipelines.
Administrator Manage membership for all roles of the pool, and view and use the pools. The user who created a pool is automatically added to the Administrator role for that pool.

Manage the security of all project agent pools from the Security tab. Role memberships for individual project agent pools automatically inherit from these roles.

By default, the following groups are added to the Administrator role of 'All agent pools':

  • Build Administrators
  • Release Administrators
  • Project Administrators.

Manage role settings for a project agent pool on the Project settings > Agent Pools page.

  • To set permissions for all pools within the project, select Security, then add a user and choose their role.
  • To set permissions for a specific pool, select the pool and then Security. Under Pipeline permissions, view which pipelines have access to the pool. Explicitly allow a pipeline using the + button or allow all pipelines using the button. Under User permissions, add a user or group and choose their role.

Agent pool security roles, organization or collection-level

Add users to the following security roles from the Organization settings > Agent Pools page. For information on adding and managing agent pools, see Agent pools.

Role (organization-level) Description
Reader View the pool and agents. Typically, add operators to this role to monitor the agents and their health.
Service Account Use the pool to create an agent in a project. Following the guidelines for creating new pools usually means you don't need to add members to this role.
Administrator Register or unregister agents from the pool, manage membership for all pools, and view and create pools. Use the agent pool when creating an agent in a project. The system automatically adds the user who created the pool to the Administrator role for that pool.

Manage role settings for organization or collection-level agent pools from the Organization settings > Agent Pools page.

  • To set permissions for all pools within the organization or collection, select Security, then add a user or group and choose their role.
  • To set permissions for a specific pool, select the pool and then Security. Add a user or group and choose their role.

Deployment group security roles

Add users to the following roles from the Pipelines or Build and Release page. For information on adding and managing deployment groups, see Deployment groups.

Role Description
Reader View deployment groups.
Creator View and create deployment groups.
User View and use deployment groups, but cannot manage or create them.
Administrator Administer roles, manage, view, and use deployment groups.

Deployment pool security roles

Add users to the following roles from the Deployment Pools page. For information on creating and managing deployment pools, see Deployment groups.

Role Description
Reader View deployment pools.
Service Account View agents, create sessions, and listen for jobs from the agent pool.
User View and use the deployment pool to create deployment groups.
Administrator Administer, manage, view, and use deployment pools.

Library asset security roles: Variable groups and secure files

Add users to a library role from Pipelines or Build and Release. For more information about using these library assets, see Variable groups and Secure files.

Role Description
Administrator Edit, delete, and manage security for library assets. The creator of an asset is automatically assigned this role for the asset.
Creator Create library assets.
Reader Read library assets.
User Consume library assets in pipelines.

Service connection security roles

Add users to the following roles from the Services page. For information about creating and managing these resources, see Service connections for build and release.

Role Description
User Use the endpoint when authoring build or release pipelines.
Administrator Manage membership of all other roles for the service connection and use the endpoint to author build or release pipelines. The system automatically assigns the user who created the service connection to the Administrator role for that pool.