About pipeline security roles

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

Security for build and release pipelines, and task groups, is managed using task-based permissions. Several pipeline resources use role-based permissions, which can be assigned to users or groups. Each role defines the operations a user can perform.

Role-based permissions apply to all resources of a specific type within a project, organization, or collection. Individual resources inherit permissions from project-level settings, but you can turn off inheritance for specific artifacts if needed.

Default role assignments

By default, all project contributors are members of the User role for each hosted queue. This role allows them to author and run build and release pipelines using hosted queues.

Agent pool security roles, project-level

You can add users to security roles from the project-level admin context on the Agent Pools page. For information on adding and managing agent pools, see Agent pools.

| Role (project-level) | Description |
|---|---|
| Reader | View the pool. Typically, add operators to this role to monitor build and deployment jobs in the pool. |
| User | View and use the pool when authoring build or release pipelines. |
| Creator | Create and use the pool when authoring build or release pipelines. |
| Administrator | Manage membership for all roles of the pool, and view and use the pools. The user who created a pool is automatically added to the Administrator role for that pool. |

Manage the security of all project agent pools from the Security tab. Role memberships for individual project agent pools automatically inherit from these roles.

By default, the following groups are added to the Administrator role of 'All agent pools':

  • Build Administrators
  • Release Administrators
  • Project Administrators

Manage role settings for a project agent pool on the Project settings > Agent Pools page.

  • To set permissions for all pools within the project, select Security, then add a user and choose their role.
  • To set permissions for a specific pool, select the pool and then Security. Under Pipeline permissions, view which pipelines have access to the pool. Explicitly allow a pipeline using the + button or allow all pipelines using the button. Under User permissions, add a user or group and choose their role.
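
The following added example (not part of the original documentation) shows how a reviewer might resolve the effective roles on each project agent pool from the "All agent pools" assignments plus per-pool assignments, then list Administrators other than the three default groups and the pool creator. The pool names, identities, data layout, and the rule that an explicit per-pool assignment replaces the inherited role for the same identity are assumptions made for the illustration.

```python
# Added example: sample data and the merge rule are constructed assumptions.
# Default Administrator groups on 'All agent pools', as listed on this page.
DEFAULT_POOL_ADMINS = {
    "Build Administrators", "Release Administrators", "Project Administrators",
}

# Constructed sample: roles set on 'All agent pools' for the project.
ALL_POOLS = {
    "Build Administrators": "Administrator",
    "Release Administrators": "Administrator",
    "Project Administrators": "Administrator",
    "Contributors": "User",
    "Ops Monitoring": "Reader",
}

# Constructed sample: per-pool inheritance flag, creator, explicit assignments.
POOLS = {
    "linux-build": {"inherit": True, "creator": "alice@example.com",
                    "assigned": {"alice@example.com": "Administrator",
                                 "Contributors": "Administrator"}},
    "prod-deploy": {"inherit": False, "creator": "bob@example.com",
                    "assigned": {"bob@example.com": "Administrator",
                                 "Release Team": "User"}},
}

def effective_roles(pool, all_pools=ALL_POOLS):
    """Return {identity: (role, source)} for one pool."""
    roles = {}
    if pool["inherit"]:
        roles.update({i: (r, "inherited") for i, r in all_pools.items()})
    # Assumption: an explicit assignment replaces the inherited role.
    roles.update({i: (r, "assigned") for i, r in pool["assigned"].items()})
    return roles

def unexpected_admins(pool, all_pools=ALL_POOLS):
    """Administrators other than the default groups and the pool creator."""
    expected = DEFAULT_POOL_ADMINS | {pool["creator"]}
    return sorted(i for i, (r, _) in effective_roles(pool, all_pools).items()
                  if r == "Administrator" and i not in expected)

def audit(pools=POOLS):
    return {name: unexpected_admins(p) for name, p in pools.items()}

if __name__ == "__main__":
    for name, extra in audit().items():
        print(name, "unexpected Administrators:", extra or "none")
```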

Agent pool security roles, organization or collection-level

Add users to the following security roles from the Organization settings > Agent Pools page. For information on adding and managing agent pools, see Agent pools.

| Role (organization-level) | Description |
|---|---|
| Reader | View the pool and agents. Typically, add operators to this role to monitor the agents and their health. |
| Service Account | Use the pool to create an agent in a project. Following the guidelines for creating new pools usually means you don't need to add members to this role. |
| Administrator | Register or unregister agents from the pool, manage membership for all pools, and view and create pools. Use the agent pool when creating an agent in a project. The system automatically adds the user who created the pool to the Administrator role for that pool. |

Manage role settings for organization or collection-level agent pools from the Organization settings > Agent Pools page.

  • To set permissions for all pools within the organization or collection, select Security, then add a user or group and choose their role.
  • To set permissions for a specific pool, select the pool and then Security. Add a user or group and choose their role.

Deployment group security roles

Add users to the following roles from the Pipelines or Build and Release page. For information on adding and managing deployment groups, see Deployment groups.

| Role | Description |
|---|---|
| Reader | View deployment groups. |
| Creator | View and create deployment groups. |
| User | View and use deployment groups, but cannot manage or create them. |
| Administrator | Administer roles, manage, view, and use deployment groups. |

Deployment pool security roles

Add users to the following roles from the Deployment Pools page. For information on creating and managing deployment pools, see Deployment groups.

| Role | Description |
|---|---|
| Reader | View deployment pools. |
| Service Account | View agents, create sessions, and listen for jobs from the agent pool. |
| User | View and use the deployment pool to create deployment groups. |
| Administrator | Administer, manage, view, and use deployment pools. |

Library asset security roles: Variable groups and secure files

Add users to a library role from Pipelines or Build and Release. For more information about using these library assets, see Variable groups and Secure files.

| Role | Description |
|---|---|
| Administrator | Edit, delete, and manage security for library assets. The creator of an asset is automatically assigned this role for the asset. |
| Creator | Create library assets. |
| Reader | Read library assets. |
| User | Consume library assets in pipelines. |

Service connection security roles

Add users to the following roles from the Services page. For information about creating and managing these resources, see Service connections for build and release.

| Role | Description |
|---|---|
| User | Use the endpoint when authoring build or release pipelines. |
| Administrator | Manage membership of all other roles for the service connection and use the endpoint to author build or release pipelines. The system automatically assigns the user who created the service connection to the Administrator role for that service connection. |