I am trying to assign permissions to the "build administrators" group using the CLI.
The specific permission I want to update is the "Delete Team Project" permission.
The documentation is a little difficult to put together since the information is scattered, especially the parts about security tokens and permission bits.
I am using the az devops security command. The part I am struggling with is getting the correct token and setting the correct permission bits.
I know the namespace I want to use. It is the environment namespace. I found this out by first checking all the namespaces and finding the GUID for the environment namespace.
#get list of all namespaces
az devops security permission namespace list -o table
$envnamespace = <guid from above command for the environment namespace>
# first i set my org and token
$orgUrl = "https://dev.azure.com/<MYORG>"
$personalToken = "<MY_PERSONAL_TOKE>"
$projectName = "<my_project>"
# login using PAT
$personalToken | az devops login --organization $orgUrl
# set default organisation
az devops configure --defaults organization=$orgUrl
# get the group descriptor ID for the group "build administrators"
$id = az devops security group list --project $projectName --output json --query "graphGroups[?displayName == '$groupID'].descriptor | [0]" -o tsv --verbose
# now i want to add permissions for the group "build administrators"
# but i am not sure what the token should be and what permission bits to use
I run the following command to list the permissions on the group. It returns some tokens but they don't make sense to me. How am I meant to know which token is for what permissions? For example, how do I know which token is for the "Delete Team Project" permission?
az devops security permission list --namespace-id $envnamespace --subject $id
The aim next is to run the following command to update permissions
az devops security permission update --namespace-id $envnamespace --subject $id --token $token2 --allow-bit 4 --deny-bit 1 --verbose
For --allow-bit and --deny-bit, I'm not sure exactly what they should be to set the permission to deny.
Any advice on the correct way to do this would be appreciated.
how do I know which token is for "Delete Team Project" permission
Run az devops security permission namespace list, the namespaceID of "Delete Team Project" is under the "Project" namespace.
You can get the bit and the namespaceID of the specific Delete Team Project namespace (for reference see screenshot shown below).
How am I meant to know which token is for what permissions
For the tokens, you can refer to Security tokens for permissions management for details; token examples for different namespaces are listed there.
Another example for your reference (reference jessehouwing's blog):
az login
az extension add --name "azure-devops"
# Find the group identifier of the group you want to set permissions for
$org = "gdbc2019-westeurope"
# There is a weird edge case here when an Azure DevOps Organization has a Team Project with the same name as the org.
# In that case you must also add a query to filter on the right domain property `?@.domain == '?'`
$subject = az devops security group list `
    --org "https://dev.azure.com/$org/" `
    --scope organization `
    --subject-types vssgp `
    --query "graphGroups[?@.principalName == '[$org]\Project Collection Administrators'].descriptor | [0]"
$namespaceId = az devops security permission namespace list `
    --org "https://dev.azure.com/$org/" `
    --query "[?@.name == 'Git Repositories'].namespaceId | [0]"
$bit = az devops security permission namespace show `
    --namespace-id $namespaceId `
    --org "https://dev.azure.com/$org/" `
    --query "[0].actions[?@.name == 'PullRequestBypassPolicy'].bit | [0]"
az devops security permission update `
    --id $namespaceId `
    --subject $subject `
    --token "repoV2/" `
    --allow-bit $bit `
    --merge true `
    --org https://dev.azure.com/$org/
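The same pattern applied to the question's case, setting "Delete Team Project" to Deny for the Build Administrators group, as an added example that is not part of the original question or answer. Assumptions: the action in the Project namespace has the display name 'Delete team project', the token follows the `$PROJECT:vstfs:///Classification/TeamProject/<project-id>` format given in Microsoft's security token documentation, and `<MYORG>` and `<my_project>` are placeholders.

```powershell
# Added example. <MYORG> and <my_project> are placeholders to fill in.
$orgUrl      = 'https://dev.azure.com/<MYORG>'
$projectName = '<my_project>'
$groupName   = 'Build Administrators'

# Descriptor of the project-scoped group; this is the --subject value.
$subject = az devops security group list --org $orgUrl --project $projectName `
    --query "graphGroups[?displayName=='$groupName'].descriptor | [0]" -o tsv

# "Delete Team Project" lives in the Project namespace.
$namespaceId = az devops security permission namespace list --org $orgUrl `
    --query "[?name=='Project'].namespaceId | [0]" -o tsv

# Look the bit up instead of hard-coding it.
# Assumption: the action's displayName is 'Delete team project'.
$bit = az devops security permission namespace show --org $orgUrl `
    --namespace-id $namespaceId `
    --query "[0].actions[?displayName=='Delete team project'].bit | [0]" -o tsv

# Project namespace tokens embed the project GUID.
$projectId = az devops project show --org $orgUrl --project $projectName `
    --query id -o tsv

# Single quotes are required: in a double-quoted string PowerShell would
# try to expand $PROJECT: as a variable and silently corrupt the token.
$token = '$PROJECT:vstfs:///Classification/TeamProject/' + $projectId

# Stop before writing an ACE if any lookup came back empty.
if (-not ($subject -and $namespaceId -and $bit -and $projectId)) {
    throw 'A lookup returned nothing; check group, project and action names.'
}

# Deny is set by passing the bit as --deny-bit (no --allow-bit).
# --merge true keeps the other allow/deny bits already on this ACE.
az devops security permission update --org $orgUrl `
    --namespace-id $namespaceId --subject $subject --token $token `
    --deny-bit $bit --merge true

# Read the ACE back to confirm the effective permission.
az devops security permission show --org $orgUrl `
    --namespace-id $namespaceId --subject $subject --token $token -o table
```

Without `--merge true` the update replaces the existing ACE for that subject and token, so any other explicit allow or deny bits on it are lost.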