Azure Pipelines security
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
Azure Pipelines security helps you control access to your pipelines and pipeline resources. Access is managed through a hierarchical system of built-in and custom security groups and users.
Pipeline resources are features and objects that are used in pipelines, but exist outside of the pipeline itself. For example, release pipelines, task groups, agent pools, and service connections are all pipeline resources.
Upon the creation of a pipeline or resource, a set of built-in security groups and users are assigned access permissions or roles at the project level. These project-level security settings are then inherited at the object level for individual objects. For instance, when you create a pipeline, a default set of users and groups is assigned permissions at the project level. These security settings are then inherited at the object level for all pipelines within the project.
Commonly, administrator groups are given full access to all pipelines and resources. Contributors are often granted access to manage resources and pipelines, while readers are given view-only access. Users are assigned to security groups based on their role in the project and the permissions they need to perform their tasks.
You can add and delete users and groups and change their permissions and roles at both the project- and object-levels. Object-level inheritance can be enabled and disabled.
You must be a member of the Project Administrators group to manage security settings at the project level and be a member of an administrator group or be assigned an Administrator security role to manage security for object-level pipelines and resources.
Permission and role settings
Pipelines, release pipelines, and task groups use task-based permissions. The permissions for users and groups can be set to:
| Permission | Description |
|---|---|
| Allow | Grants permission for feature or task. |
| Deny | Denies permission for feature or task. |
| Not set | Implicitly denies permission, but allows permission to be inherited from the closest ancestor that has the permission explicitly set. |
For more information, see About permissions and inheritance.
Libraries, agent pools, service connections, deployment groups, and environments use role-based access. The roles for users and groups are:
| Role | Purpose |
|---|---|
| Reader | Can view resource. |
| User | Can use resource. |
| Creator | Can create the resource. This role is a project-level role only. |
| Administrator | Can use and manage the resource and set its security. The creator of a resource is automatically assigned this role. |
| Service Account | Used for agent and deployment pools, can view agents, create sessions, listen for jobs. This role available at the collection- or organization-level only. |
For more information, see About pipeline security roles.
Set permissions for Azure Pipelines and resources
For information about configuring security for pipelines and pipeline resources, see the following articles:
- Pipeline permissions
- Release pipeline permissions
- Task group permissions
- Agent pool security
- Service connection security
- Library security
- Deployment group security
- Environment security
FAQs
See the following frequently asked questions (FAQs) about pipeline permissions.
Q: Why can't I create a new pipeline?
A: You need Edit build pipeline permissions to create a new pipeline. To add permission, open the security settings for all pipelines and verify that Edit build pipeline is set to Allow for your security group.
If you still can't create a pipeline, check to see if your access level is set to Stakeholder. If you have stakeholder access, change your access to Basic.
Q: Why do I see the message that I need to authorize a resource before the run can continue?
A: You need to authorize resources before you can use them. The exception to this rule is when you create a pipeline for the first time and all the resources referenced in the YAML file are automatically authorized. The resources are authorized for the pipeline as long as the user running the pipeline has access to the resource.
To authorize All pipelines to access a resource like an agent pool, follow these steps:
From your project, select Settings
> Pipelines > Agent Pools.Select Security for a specific agent pool, and then update permissions to grant access to all pipelines.
For more information, see Resources in YAML.
Related articles
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for