I recently had a problem assigning the right permissions to a colleague in Azure DevOps. As it turns out, the solution was hidden in a not-so-obvious, almost forgotten corner of the Pipelines interface.
I put together this list of all the places where permissions can be set, so that next time I can walk through it and find the right place to make the change.
For the sake of simplicity, I’m assuming you’re coming to this list as an admin of your Azure DevOps instance. If you’re not, I’d suggest finding someone who is, because you might not be able to make changes or even see all these permissions screens without it.
Let’s start by clicking on Organization Settings at the bottom left of the screen. There are two permissions-related tabs to be aware of.
- Overview tab: the owner of the organization is changed from here. You should very rarely, if ever, need to change this.
- Permissions tab: the project collection permissions, which includes all projects, are configurable from here. I rarely use these groups, preferring to set permissions at the project level.
Next, it’s time to look at project level permissions. Go into any project and click on the bottom left of the screen to go into Project Settings.
- Permissions tab: There are pre-built groups for common roles that are typically needed. Generally, I only need to add and remove users from groups, rather than make permission changes from here.
- Service Connections tab: It’s really easy to miss this one, and it was the root cause of the problem that spawned this article. If you click on the three dots on the top right of the tab, there will be a Security option. From there, you can set who can access and manage service connection.
- Repositories tab: Click on Security to change repository-level permissions for the pre-built groups that come with DevOps for ALL repositories. If you want to make a change for specific projects only, you need to click on the repository first, and then click through to its own security page.
Things start to get interesting from here on out, because you won’t find these permissions in the Project Settings page. Instead, go back into your project, and click on Pipelines. From there, click the three dots on the top right and you’ll be presented with a Manage Security option.
The modal that appears is where you can configure the permissions for the pipelines in your project.
Much like with Pipelines, releases have their own permissions that can be set by clicking Releases in a project, followed by clicking the three dots on the right, and finally clicking Security.
You can configure the Release pipeline permissions from here to your heart’s content.
And finally, there are permissions that can be set for the NuGet, NPM and other feeds that you create from the Artifacts tab.
This time, you need to click the gear icon on the right, and then go to the Permissions tab. You can add users and groups to different roles such as owner, contributor or reader from here.
Nine(?!) Places To Set Permissions
There are lots of places to check and change permissions in Azure Devops, and it’s easy to forgot where you set something if you don’t need to make changes too often.
Hopefully this list helps you to sort your own permissions issue!