How to restrict access to Pipelines in Azure DevOps
I need to restrict access so that a user can NOT:
- See or access Pipelines, or any of its sub-features, including Builds, Releases, Library, Task groups, Deployment groups
- Create or edit build pipelines
I followed this:
https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/set-permissions?view=vsts
I set all permissions to Deny. However, the user can still do both (1) and (2) above.
Question: Can I do either (1) or (2)?
azure-devops
add a comment |
I need to restrict access so that a user can NOT:
- See or access Pipelines, or any of its sub-features, including Builds, Releases, Library, Task groups, Deployment groups
- Create or edit build pipelines
I followed this:
https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/set-permissions?view=vsts
I set all permissions to Deny. However, the user can still do both (1) and (2) above.
Question: Can I do either (1) or (2)?
azure-devops
i dont know if those are additive, but you need to make sure user isn't part of some security group that gives him access to do whatever you are trying to prevent him from doing
– 4c74356b41
Nov 24 '18 at 9:21
@4c74356b41 What is the exact Security setting I need to set to restrict access? The Security settings I set following the linked article seem like they are applicable only to Builds. Releases, etc, may very well have their own security settings. I want it so that all Pipeline features are disabled/in-accessible.
– Ash
Nov 24 '18 at 9:29
The user is part of Valid Users/Contributors. I've created a group under this called Developers, and if anything, I've Denied several permissions within these groups. I've not explicitly set anything to 'Allow'.
– Ash
Nov 24 '18 at 9:34
add a comment |
I need to restrict access so that a user can NOT:
- See or access Pipelines, or any of its sub-features, including Builds, Releases, Library, Task groups, Deployment groups
- Create or edit build pipelines
I followed this:
https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/set-permissions?view=vsts
I set all permissions to Deny. However, the user can still do both (1) and (2) above.
Question: Can I do either (1) or (2)?
azure-devops
I need to restrict access so that a user can NOT:
- See or access Pipelines, or any of its sub-features, including Builds, Releases, Library, Task groups, Deployment groups
- Create or edit build pipelines
I followed this:
https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/set-permissions?view=vsts
I set all permissions to Deny. However, the user can still do both (1) and (2) above.
Question: Can I do either (1) or (2)?
azure-devops
azure-devops
edited Nov 24 '18 at 9:21
4c74356b41
25.4k42051
25.4k42051
asked Nov 24 '18 at 9:18
AshAsh
656725
656725
i dont know if those are additive, but you need to make sure user isn't part of some security group that gives him access to do whatever you are trying to prevent him from doing
– 4c74356b41
Nov 24 '18 at 9:21
@4c74356b41 What is the exact Security setting I need to set to restrict access? The Security settings I set following the linked article seem like they are applicable only to Builds. Releases, etc, may very well have their own security settings. I want it so that all Pipeline features are disabled/in-accessible.
– Ash
Nov 24 '18 at 9:29
The user is part of Valid Users/Contributors. I've created a group under this called Developers, and if anything, I've Denied several permissions within these groups. I've not explicitly set anything to 'Allow'.
– Ash
Nov 24 '18 at 9:34
add a comment |
i dont know if those are additive, but you need to make sure user isn't part of some security group that gives him access to do whatever you are trying to prevent him from doing
– 4c74356b41
Nov 24 '18 at 9:21
@4c74356b41 What is the exact Security setting I need to set to restrict access? The Security settings I set following the linked article seem like they are applicable only to Builds. Releases, etc, may very well have their own security settings. I want it so that all Pipeline features are disabled/in-accessible.
– Ash
Nov 24 '18 at 9:29
The user is part of Valid Users/Contributors. I've created a group under this called Developers, and if anything, I've Denied several permissions within these groups. I've not explicitly set anything to 'Allow'.
– Ash
Nov 24 '18 at 9:34
i dont know if those are additive, but you need to make sure user isn't part of some security group that gives him access to do whatever you are trying to prevent him from doing
– 4c74356b41
Nov 24 '18 at 9:21
i dont know if those are additive, but you need to make sure user isn't part of some security group that gives him access to do whatever you are trying to prevent him from doing
– 4c74356b41
Nov 24 '18 at 9:21
@4c74356b41 What is the exact Security setting I need to set to restrict access? The Security settings I set following the linked article seem like they are applicable only to Builds. Releases, etc, may very well have their own security settings. I want it so that all Pipeline features are disabled/in-accessible.
– Ash
Nov 24 '18 at 9:29
@4c74356b41 What is the exact Security setting I need to set to restrict access? The Security settings I set following the linked article seem like they are applicable only to Builds. Releases, etc, may very well have their own security settings. I want it so that all Pipeline features are disabled/in-accessible.
– Ash
Nov 24 '18 at 9:29
The user is part of Valid Users/Contributors. I've created a group under this called Developers, and if anything, I've Denied several permissions within these groups. I've not explicitly set anything to 'Allow'.
– Ash
Nov 24 '18 at 9:34
The user is part of Valid Users/Contributors. I've created a group under this called Developers, and if anything, I've Denied several permissions within these groups. I've not explicitly set anything to 'Allow'.
– Ash
Nov 24 '18 at 9:34
add a comment |
1 Answer
1
active
oldest
votes
In Organization Settings under Security you can set:
- Manage build resources
- Use build resources
- View build resources
I'd say those should be Deny.
I have personally encountered some permission caching issue when testing these things.
Logging out and back in often doesn't change permissions right away.
Update:
Under Pipelines->Release you can click the 3 dots and there is a security subsite there containing these:
Adding the user or group and setting Deny on those settings fixed it for me.
This unfortunatly seems to be on a Release-Pipeline basis.
Update2:
You can go into folder view when looking at releases, you can then create a folder to put all your release-pipelines into, then on a folder basis you can set the security settings to deny for you user or group, that way it will be inherited to every folder.
Developers need to remember to create release pipelines in that folder though.
You need to have pipelines in the root or you wont be able to see the security button. (tested in new and old navigation design)
After a quick test on our system my test user can still see Releases and Deployment groups but not anything build related, i'll check back later to see if thats still the case after possible caches clear.
– Jim Wolff
Nov 26 '18 at 13:03
Thanks Jim. Those were already set to Deny for the user.
– Ash
Nov 26 '18 at 13:12
@Ash I noticed that i could remove the content of Deployment groups by clicking security under the deployment group itself and removing contributors (which i had my test user inside) there isn't a Deny permission anywhere else i can find, and you can still see the menu but not the content.
– Jim Wolff
Nov 26 '18 at 13:19
@Ash see my updated answer, it restricts access also viewing, but you can still see the menu items, which means it looks like you can create release pipelines and deployment groups, they have no create button though, so it's actually not possible.
– Jim Wolff
Nov 26 '18 at 13:41
Thanks Jim. Update2 worked for me. I've tried it for Builds and my test user indeed cannot view or create any pipelines. I will test with Releases, Deployment Groups, etc, and let you know if the same technique works with those as well. On a side note, do you know if there's a way to kind of import these settings for all your projects? 'Cause these particular security settings are per project, and I need these to be organisation wide.
– Ash
Nov 26 '18 at 23:18
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53456787%2fhow-to-restrict-access-to-pipelines-in-azure-devops%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
In Organization Settings under Security you can set:
- Manage build resources
- Use build resources
- View build resources
I'd say those should be Deny.
I have personally encountered some permission caching issue when testing these things.
Logging out and back in often doesn't change permissions right away.
Update:
Under Pipelines->Release you can click the 3 dots and there is a security subsite there containing these:
Adding the user or group and setting Deny on those settings fixed it for me.
This unfortunatly seems to be on a Release-Pipeline basis.
Update2:
You can go into folder view when looking at releases, you can then create a folder to put all your release-pipelines into, then on a folder basis you can set the security settings to deny for you user or group, that way it will be inherited to every folder.
Developers need to remember to create release pipelines in that folder though.
You need to have pipelines in the root or you wont be able to see the security button. (tested in new and old navigation design)
After a quick test on our system my test user can still see Releases and Deployment groups but not anything build related, i'll check back later to see if thats still the case after possible caches clear.
– Jim Wolff
Nov 26 '18 at 13:03
Thanks Jim. Those were already set to Deny for the user.
– Ash
Nov 26 '18 at 13:12
@Ash I noticed that i could remove the content of Deployment groups by clicking security under the deployment group itself and removing contributors (which i had my test user inside) there isn't a Deny permission anywhere else i can find, and you can still see the menu but not the content.
– Jim Wolff
Nov 26 '18 at 13:19
@Ash see my updated answer, it restricts access also viewing, but you can still see the menu items, which means it looks like you can create release pipelines and deployment groups, they have no create button though, so it's actually not possible.
– Jim Wolff
Nov 26 '18 at 13:41
Thanks Jim. Update2 worked for me. I've tried it for Builds and my test user indeed cannot view or create any pipelines. I will test with Releases, Deployment Groups, etc, and let you know if the same technique works with those as well. On a side note, do you know if there's a way to kind of import these settings for all your projects? 'Cause these particular security settings are per project, and I need these to be organisation wide.
– Ash
Nov 26 '18 at 23:18
add a comment |
In Organization Settings under Security you can set:
- Manage build resources
- Use build resources
- View build resources
I'd say those should be Deny.
I have personally encountered some permission caching issue when testing these things.
Logging out and back in often doesn't change permissions right away.
Update:
Under Pipelines->Release you can click the 3 dots and there is a security subsite there containing these:
Adding the user or group and setting Deny on those settings fixed it for me.
This unfortunatly seems to be on a Release-Pipeline basis.
Update2:
You can go into folder view when looking at releases, you can then create a folder to put all your release-pipelines into, then on a folder basis you can set the security settings to deny for you user or group, that way it will be inherited to every folder.
Developers need to remember to create release pipelines in that folder though.
You need to have pipelines in the root or you wont be able to see the security button. (tested in new and old navigation design)
After a quick test on our system my test user can still see Releases and Deployment groups but not anything build related, i'll check back later to see if thats still the case after possible caches clear.
– Jim Wolff
Nov 26 '18 at 13:03
Thanks Jim. Those were already set to Deny for the user.
– Ash
Nov 26 '18 at 13:12
@Ash I noticed that i could remove the content of Deployment groups by clicking security under the deployment group itself and removing contributors (which i had my test user inside) there isn't a Deny permission anywhere else i can find, and you can still see the menu but not the content.
– Jim Wolff
Nov 26 '18 at 13:19
@Ash see my updated answer, it restricts access also viewing, but you can still see the menu items, which means it looks like you can create release pipelines and deployment groups, they have no create button though, so it's actually not possible.
– Jim Wolff
Nov 26 '18 at 13:41
Thanks Jim. Update2 worked for me. I've tried it for Builds and my test user indeed cannot view or create any pipelines. I will test with Releases, Deployment Groups, etc, and let you know if the same technique works with those as well. On a side note, do you know if there's a way to kind of import these settings for all your projects? 'Cause these particular security settings are per project, and I need these to be organisation wide.
– Ash
Nov 26 '18 at 23:18
add a comment |
In Organization Settings under Security you can set:
- Manage build resources
- Use build resources
- View build resources
I'd say those should be Deny.
I have personally encountered some permission caching issue when testing these things.
Logging out and back in often doesn't change permissions right away.
Update:
Under Pipelines->Release you can click the 3 dots and there is a security subsite there containing these:
Adding the user or group and setting Deny on those settings fixed it for me.
This unfortunatly seems to be on a Release-Pipeline basis.
Update2:
You can go into folder view when looking at releases, you can then create a folder to put all your release-pipelines into, then on a folder basis you can set the security settings to deny for you user or group, that way it will be inherited to every folder.
Developers need to remember to create release pipelines in that folder though.
You need to have pipelines in the root or you wont be able to see the security button. (tested in new and old navigation design)
In Organization Settings under Security you can set:
- Manage build resources
- Use build resources
- View build resources
I'd say those should be Deny.
I have personally encountered some permission caching issue when testing these things.
Logging out and back in often doesn't change permissions right away.
Update:
Under Pipelines->Release you can click the 3 dots and there is a security subsite there containing these:
Adding the user or group and setting Deny on those settings fixed it for me.
This unfortunatly seems to be on a Release-Pipeline basis.
Update2:
You can go into folder view when looking at releases, you can then create a folder to put all your release-pipelines into, then on a folder basis you can set the security settings to deny for you user or group, that way it will be inherited to every folder.
Developers need to remember to create release pipelines in that folder though.
You need to have pipelines in the root or you wont be able to see the security button. (tested in new and old navigation design)
edited Nov 26 '18 at 13:39
answered Nov 26 '18 at 13:00
Jim WolffJim Wolff
3,36142136
3,36142136
After a quick test on our system my test user can still see Releases and Deployment groups but not anything build related, i'll check back later to see if thats still the case after possible caches clear.
– Jim Wolff
Nov 26 '18 at 13:03
Thanks Jim. Those were already set to Deny for the user.
– Ash
Nov 26 '18 at 13:12
@Ash I noticed that i could remove the content of Deployment groups by clicking security under the deployment group itself and removing contributors (which i had my test user inside) there isn't a Deny permission anywhere else i can find, and you can still see the menu but not the content.
– Jim Wolff
Nov 26 '18 at 13:19
@Ash see my updated answer, it restricts access also viewing, but you can still see the menu items, which means it looks like you can create release pipelines and deployment groups, they have no create button though, so it's actually not possible.
– Jim Wolff
Nov 26 '18 at 13:41
Thanks Jim. Update2 worked for me. I've tried it for Builds and my test user indeed cannot view or create any pipelines. I will test with Releases, Deployment Groups, etc, and let you know if the same technique works with those as well. On a side note, do you know if there's a way to kind of import these settings for all your projects? 'Cause these particular security settings are per project, and I need these to be organisation wide.
– Ash
Nov 26 '18 at 23:18
add a comment |
After a quick test on our system my test user can still see Releases and Deployment groups but not anything build related, i'll check back later to see if thats still the case after possible caches clear.
– Jim Wolff
Nov 26 '18 at 13:03
Thanks Jim. Those were already set to Deny for the user.
– Ash
Nov 26 '18 at 13:12
@Ash I noticed that i could remove the content of Deployment groups by clicking security under the deployment group itself and removing contributors (which i had my test user inside) there isn't a Deny permission anywhere else i can find, and you can still see the menu but not the content.
– Jim Wolff
Nov 26 '18 at 13:19
@Ash see my updated answer, it restricts access also viewing, but you can still see the menu items, which means it looks like you can create release pipelines and deployment groups, they have no create button though, so it's actually not possible.
– Jim Wolff
Nov 26 '18 at 13:41
Thanks Jim. Update2 worked for me. I've tried it for Builds and my test user indeed cannot view or create any pipelines. I will test with Releases, Deployment Groups, etc, and let you know if the same technique works with those as well. On a side note, do you know if there's a way to kind of import these settings for all your projects? 'Cause these particular security settings are per project, and I need these to be organisation wide.
– Ash
Nov 26 '18 at 23:18
After a quick test on our system my test user can still see Releases and Deployment groups but not anything build related, i'll check back later to see if thats still the case after possible caches clear.
– Jim Wolff
Nov 26 '18 at 13:03
After a quick test on our system my test user can still see Releases and Deployment groups but not anything build related, i'll check back later to see if thats still the case after possible caches clear.
– Jim Wolff
Nov 26 '18 at 13:03
Thanks Jim. Those were already set to Deny for the user.
– Ash
Nov 26 '18 at 13:12
Thanks Jim. Those were already set to Deny for the user.
– Ash
Nov 26 '18 at 13:12
@Ash I noticed that i could remove the content of Deployment groups by clicking security under the deployment group itself and removing contributors (which i had my test user inside) there isn't a Deny permission anywhere else i can find, and you can still see the menu but not the content.
– Jim Wolff
Nov 26 '18 at 13:19
@Ash I noticed that i could remove the content of Deployment groups by clicking security under the deployment group itself and removing contributors (which i had my test user inside) there isn't a Deny permission anywhere else i can find, and you can still see the menu but not the content.
– Jim Wolff
Nov 26 '18 at 13:19
@Ash see my updated answer, it restricts access also viewing, but you can still see the menu items, which means it looks like you can create release pipelines and deployment groups, they have no create button though, so it's actually not possible.
– Jim Wolff
Nov 26 '18 at 13:41
@Ash see my updated answer, it restricts access also viewing, but you can still see the menu items, which means it looks like you can create release pipelines and deployment groups, they have no create button though, so it's actually not possible.
– Jim Wolff
Nov 26 '18 at 13:41
Thanks Jim. Update2 worked for me. I've tried it for Builds and my test user indeed cannot view or create any pipelines. I will test with Releases, Deployment Groups, etc, and let you know if the same technique works with those as well. On a side note, do you know if there's a way to kind of import these settings for all your projects? 'Cause these particular security settings are per project, and I need these to be organisation wide.
– Ash
Nov 26 '18 at 23:18
Thanks Jim. Update2 worked for me. I've tried it for Builds and my test user indeed cannot view or create any pipelines. I will test with Releases, Deployment Groups, etc, and let you know if the same technique works with those as well. On a side note, do you know if there's a way to kind of import these settings for all your projects? 'Cause these particular security settings are per project, and I need these to be organisation wide.
– Ash
Nov 26 '18 at 23:18
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53456787%2fhow-to-restrict-access-to-pipelines-in-azure-devops%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
i dont know if those are additive, but you need to make sure user isn't part of some security group that gives him access to do whatever you are trying to prevent him from doing
– 4c74356b41
Nov 24 '18 at 9:21
@4c74356b41 What is the exact Security setting I need to set to restrict access? The Security settings I set following the linked article seem like they are applicable only to Builds. Releases, etc, may very well have their own security settings. I want it so that all Pipeline features are disabled/in-accessible.
– Ash
Nov 24 '18 at 9:29
The user is part of Valid Users/Contributors. I've created a group under this called Developers, and if anything, I've Denied several permissions within these groups. I've not explicitly set anything to 'Allow'.
– Ash
Nov 24 '18 at 9:34