Add users or groups to an access level
TFS 2017 | TFS 2015 | TFS 2013
Users must be added to a group with the appropriate permissions, to connect and use the functions and features that Azure DevOps Server provides. To use select web portal features, they must also belong to the access level that enables access to that feature. For an overview of each access level, see About access levels.
This article applies to managing access levels for project collections defined on an on-premises Azure DevOps. To manage access levels for the Azure DevOps Services (the cloud service), see Add users to your organization or project.
Important
Make sure that you select the correct version of this article for Azure DevOps Services or Azure DevOps Server, renamed from Team Foundation Server (TFS). The version selector is located above the table of contents.
For a simplified overview of the permissions that are assigned to the most common groups—Readers, Contributors, and Project Administrators—and the Stakeholder access group, see Permissions and access.
Note
Even if you set a user or group's access level, you must add them to a project for them to connect to a project and access features available through a supported client or the web portal.
Make sure to set each user's access level based on what you've purchased for that user. Basic access includes all Stakeholder features - Basic + Test Plans, Advanced and Visual Studio Enterprise subscriber access levels include all Basic features. In the images provided below, the circled features indicate the features made available from the previous access level.
Prerequisites
- You must be a member of the Administrators group. If you aren't a member, get added now.
- If you're managing access for a large group of users, it's a best practice to first create either a Windows group, a group in Active Directory, or Azure DevOps security group, and then add individuals to those groups.
Open access levels
You manage access levels for the collections defined on the application tier. The default access level you set applies to all projects defined for all collections. Users or groups that you add to teams, projects, or collections are granted the access level that you set as the default. To change the access level for a specific group or user, add them specifically to a non-default access level.
From the web portal home page for a project (for example,
http://MyServer:8080/tfs/DefaultCollection/MyProject/), open administration settings.
Add a user or group to an access level
Changes you make to the access level settings take affect immediately. You can add or change the access level for a user or group through this interface.
From the Access levels page, select the access level you want to manage. For example, here we add a group to Stakeholder access.
If you don't see Access levels, you aren't an administrator and don't have permission. Learn more about how to get permissions.
Change the access level for a user or group
To change the access level for a user or group, first remove them from their existing access level, and then add them to the access level you want them to have.
Choose the user or group and then select Remove.
Add the user or group to the other access level following the steps provided in the previous section.
Change the default access level
Change the default access level to match the access you have licenses for. If you change the default access level to Stakeholder, all users not explicitly added to the Basic or an advanced level are limited to the features provided through Stakeholder access.
You set an access level from its page. Choose Set as default access level as shown.
Important
Service accounts are added to the default access level. If you set Stakeholder as the default access level, you must add the Azure DevOps service accounts to the Basic or an advanced access level group.
Guide to features and access levels
For details on the features available to each access level, see About access levels.