Set Git repository permissions
TFS 2017 | TFS 2015 | TFS 2013
You grant or restrict access to repositories to lock down who can contribute to your source code and manage other features. You can set permissions across all Git repositories by making changes to the top-level Git repositories entry. Individual repositories inherit permissions from the top-level Git Repositories entry.
Note
Branches inherit a subset of permissions from assignments made at the repository level. For branch permissions and policies, see Set branch permissions and Improve code quality with branch policies.
For guidance on who to provide greater permission levels, see Grant or restrict access using permissions.
Prerequisites
- You must have a project. If you don't have a project yet, create one in Azure DevOps or set one up in an on-premises Azure DevOps.
- You must be a member of the Project Administrators Group or have your Manage permissions set to Allow for Git repositories.
To contribute to the source code, you must be granted Basic access level or greater. Users granted Stakeholder access have no access to source code. To learn more, see About access levels.
Default repository permissions
By default, members of the project Contributors group have permissions to contribute to a repository. This includes the ability to create branches, create tags, and manage notes. For a description of each security group and permission level, see Permissions and group reference.
By default, the project-level Readers groups have read-only permissions.
Permission
Contributors
Build Admins
Project Admins
Branch Creation: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch.
✔️
✔️
✔️
Contribute: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch.
✔️
✔️
✔️
Note Management: Can push and edit Git notes to the repository. They can also remove notes from items if they have the Force permission.
✔️
✔️
✔️
Tag Creation: Can push tags to the repository, and can also edit or remove tags if they have the Force permission.
✔️
✔️
✔️
Administer: Delete and rename repositories: If assigned to the top-level Git repositories entry, can add additional repositories. At the branch level, users can set permissions for the branch and unlock the branch. The Administer permission set on an individual Git repository does not grant the ability to rename or delete the repository. These tasks require Administer permissions at the Git repositories top-level.
✔️
Rewrite and destroy history (force push): Can force an update to a branch and delete a branch. A force update can overwrite commits added from any user. Users with this permission can modify the commit history of a branch.
✔️
Set permissions for a repository
You can grant or restrict access to a repository by setting the permission state to Allow or Deny for a single user or a security group.
Individual repositories inherit permissions from the top-level Git Repository security settings. Branches inherit permissions from assignments made at the repository level.
Open the web portal and choose the project where you want to add users or groups. To choose another project, see Switch project, repository, team.
Choose the
gear icon to open the administrative context.Choose Version Control.
To set the set the permissions for all Git repositories for a project, (1) choose Git Repositories and then (2) choose the security group whose permissions you want to manage.
Otherwise, choose a specific repository and choose the security group whose permissions you want to manage.
Choose the setting for the permission you want to change.
When done, choose Save changes.