Access Control Entries - Set Access Control Entries
Add or update ACEs in the ACL for the provided token. The request body contains the target token, a list of ACEs and a optional merge parameter. In the case of a collision (by identity descriptor) with an existing ACE in the ACL, the "merge" parameter determines the behavior. If set, the existing ACE has its allow and deny merged with the incoming ACE's allow and deny. If unset, the existing ACE is displaced.
POST https://dev.azure.com/{organization}/_apis/accesscontrolentries/{securityNamespaceId}?api-version=6.0URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
security
|
path | True |
string uuid |
Security namespace identifier. |
|
organization
|
path |
string |
The name of the Azure DevOps organization. |
|
|
api-version
|
query | True |
string |
Version of the API to use. This should be set to '6.0' to use this version of the api. |
Request Body
| Name | Type | Description |
|---|---|---|
| item |
string |
|
| type |
string |
Gets the node type for this JToken. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
successful operation |
Security
oauth2
Type:
oauth2
Flow:
accessCode
Authorization URL:
https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL:
https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
Scopes
| Name | Description |
|---|---|
| vso.security_manage | Grants the ability to read, write, and manage security permissions. |
Examples
| Merge |
| Replace |
Merge
Sample request
POST https://dev.azure.com/fabrikam/_apis/accesscontrolentries/5a27515b-ccd7-42c9-84f1-54c998f03866?api-version=6.0
{
"token": "newToken",
"merge": true,
"accessControlEntries": [
{
"descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-2",
"allow": 8,
"deny": 0,
"extendedinfo": {}
}
]
}
Sample response
{
"count": 1,
"value": [
{
"descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-2",
"allow": 13,
"deny": 0,
"extendedInfo": {}
}
]
}Replace
Sample request
POST https://dev.azure.com/fabrikam/_apis/accesscontrolentries/5a27515b-ccd7-42c9-84f1-54c998f03866?api-version=6.0
{
"token": "newToken",
"merge": false,
"accessControlEntries": [
{
"descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
"allow": 8,
"deny": 0,
"extendedinfo": {}
}
]
}
Sample response
{
"count": 1,
"value": [
{
"descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
"allow": 8,
"deny": 0,
"extendedInfo": {}
}
]
}Definitions
| Name | Description |
|---|---|
|
Access |
Class for encapsulating the allowed and denied permissions for a given IdentityDescriptor. |
|
Ace |
Holds the inherited and effective permission information for a given AccessControlEntry. |
|
Identity |
An Identity descriptor is a wrapper for the identity type (Windows SID, Passport) along with a unique identifier such as the SID or PUID. |
| JObject |
Represents a JSON object. |
AccessControlEntry
Class for encapsulating the allowed and denied permissions for a given IdentityDescriptor.
| Name | Type | Description |
|---|---|---|
| allow |
integer |
The set of permission bits that represent the actions that the associated descriptor is allowed to perform. |
| deny |
integer |
The set of permission bits that represent the actions that the associated descriptor is not allowed to perform. |
| descriptor |
The descriptor for the user this AccessControlEntry applies to. |
|
| extendedInfo |
This value, when set, reports the inherited and effective information for the associated descriptor. This value is only set on AccessControlEntries returned by the QueryAccessControlList(s) call when its includeExtendedInfo parameter is set to true. |
AceExtendedInformation
Holds the inherited and effective permission information for a given AccessControlEntry.
| Name | Type | Description |
|---|---|---|
| effectiveAllow |
integer |
This is the combination of all of the explicit and inherited permissions for this identity on this token. These are the permissions used when determining if a given user has permission to perform an action. |
| effectiveDeny |
integer |
This is the combination of all of the explicit and inherited permissions for this identity on this token. These are the permissions used when determining if a given user has permission to perform an action. |
| inheritedAllow |
integer |
These are the permissions that are inherited for this identity on this token. If the token does not inherit permissions this will be 0. Note that any permissions that have been explicitly set on this token for this identity, or any groups that this identity is a part of, are not included here. |
| inheritedDeny |
integer |
These are the permissions that are inherited for this identity on this token. If the token does not inherit permissions this will be 0. Note that any permissions that have been explicitly set on this token for this identity, or any groups that this identity is a part of, are not included here. |
IdentityDescriptor
An Identity descriptor is a wrapper for the identity type (Windows SID, Passport) along with a unique identifier such as the SID or PUID.
| Name | Type | Description |
|---|---|---|
| identifier |
string |
The unique identifier for this identity, not exceeding 256 chars, which will be persisted. |
| identityType |
string |
Type of descriptor (for example, Windows, Passport, etc.). |
JObject
Represents a JSON object.
| Name | Type | Description |
|---|---|---|
| item |
string |
|
| type |
string |
Gets the node type for this JToken. |