Tags: azure-devops, azure-devops-rest-api, azure-devops-server-2019

How do I give Permissions using Azure DevOps Server REST API


https://learn.microsoft.com/en-us/rest/api/azure/devops/security/?view=azure-devops-server-rest-5.0

https://learn.microsoft.com/en-us/rest/api/azure/devops/security/access%20control%20entries?view=azure-devops-server-rest-5.0

Hi there, I'm having problems with trying to understand the way to set up permissions using the API in ADO 2019. I can see what the security namespace one API does. I can get bitwise that relates to, for example, git repos. I can't see how to add permissions to a user or group. e.g. I can't see how to get a bitwise that has multiple permissions, do I just add them together? I can see the API that says how to add ACEs but that doesn't actually tell me how to add permissions really. I'll try to explain.

If I run the API for ACL, I get a pile of info back, one of which is token. Okay, so surely if I get the GUID for the git repo using the git API to list them, the GUID will match up with the IDs in the token like the namespaces do. Nope.

The examples don't seem to be actual examples. I'm looking for 'If you have a git repo, here's how you would give someone permissions to it' 'here's an example of getting the existing permissions for a group and adding another'.

Instead it's just 'here's a string of guids getting put into the API' without explaining the pieces or what specifically it was doing. I can't seem to relate what's in the GUI for adding perms, to what the security API is bringing back.

I'm on Azure DevOps on prem so I'm more limited in tool selection. Other people I've asked say they gave up trying to use this. AzureDevops on Twitter says I can connect with the team here. I'm asking how to do things with the security API and then I can go write it up and suggest how to update the docs. I'm clearly too thick to figure it out from what's there and I don't seem to be the only one. Thanks


Solution

  • For Azure DevOps Service, you can manage group membership using Graph API. But this API is not available for Azure DevOps Server.

    In my opinion, for on-premise TFS/Azure DevOps Server, the TFSSecurity command line is easier than the TFS API to add permissions for a user or a group in a server-level, collection-level, or project-level group. You may consider using the TFSSecurity command line:

    https://learn.microsoft.com/en-us/azure/devops/server/command-line/tfssecurity-cmd?view=azure-devops-2019

    You may also check the following code to get the permissions:

        using System;
        using System.Collections.Generic;
        using System.Linq;
        using Microsoft.TeamFoundation.Client;
        using Microsoft.TeamFoundation.Server;
        using Microsoft.TeamFoundation.VersionControl.Client;
        using Microsoft.TeamFoundation.Framework.Client;

        namespace API
        {
            class Program
            {
                static void Main(string[] args)
                {
                    // Collection URL of the on-premises server
                    string project = "http://xxx.xxx.xxx.xxx:8080/tfs";
                    TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(new Uri(project));

                    // Look up the team project; its artifact URI becomes part of the security token
                    var tps = tpc.GetService<VersionControlServer>();
                    var ttt = tps.GetTeamProject("ProjectName");

                    // List every security namespace defined on the collection
                    ISecurityService securityService = tpc.GetService<ISecurityService>();
                    System.Collections.ObjectModel.ReadOnlyCollection<SecurityNamespace> securityNamespaces = securityService.GetSecurityNamespaces();

                    // Resolve the group to its SID. GroupName format: [ProjectName]\\GroupName
                    IGroupSecurityService gss = tpc.GetService<IGroupSecurityService>();
                    Identity SIDS = gss.ReadIdentity(SearchFactor.AccountName, "GroupName", QueryMembership.Expanded);
                    IdentityDescriptor id = new IdentityDescriptor("Microsoft.TeamFoundation.Identity", SIDS.Sid);

                    List<SecurityNamespace> securityList = securityNamespaces.ToList<SecurityNamespace>();
                    string securityToken;
                    foreach (SecurityNamespace sn in securityList)
                    {
                        // Only the "Project" namespace is changed here
                        if (sn.Description.DisplayName == "Project")
                        {
                            securityToken = "$PROJECT:" + ttt.ArtifactUri.AbsoluteUri;
                            // Arguments: token, identity, allow mask (115), deny mask (0),
                            // merge = true (merge with the existing entry instead of replacing it)
                            sn.SetPermissions(securityToken, id, 115, 0, true);
                        }
                    }
                }
            }
        }
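
On the question's "do I just add them together?": the `allow` and `deny` values are bitmasks, so individual permission bits are combined with bitwise OR. The following is an added example, not part of the answer above or of Microsoft's documentation; the action list is a constructed sample, the token and SID are placeholders, and the request body field names are assumed from the linked Access Control Entries reference.

```python
import json

# Constructed sample in the shape of the "actions" array returned by the
# Security Namespaces API. Take real names and bits from your own server.
SAMPLE_ACTIONS = [
    {"bit": 1, "name": "Administer"},
    {"bit": 2, "name": "GenericRead"},
    {"bit": 4, "name": "GenericContribute"},
    {"bit": 8, "name": "ForcePush"},
    {"bit": 16, "name": "CreateBranch"},
]

def mask_for(actions, names):
    """Combine named actions with bitwise OR. Plain addition only matches
    when no bit repeats: 4 + 4 = 8 would silently become another permission."""
    bits = {a["name"]: a["bit"] for a in actions}
    mask = 0
    for name in names:
        mask |= bits[name]  # KeyError if the namespace has no such action
    return mask

def split_bits(mask):
    """Break a mask into its individual power-of-two bits."""
    return [1 << i for i in range(mask.bit_length()) if mask & (1 << i)]

def names_in(actions, mask):
    """Decode a mask into action names plus any bits the list does not cover."""
    by_bit = {a["bit"]: a["name"] for a in actions}
    bits = split_bits(mask)
    return ([by_bit[b] for b in bits if b in by_bit],
            [b for b in bits if b not in by_bit])

def ace_body(token, descriptor, allow, deny=0, merge=True):
    """Request body for setting ACEs (field names assumed from the linked docs)."""
    if allow & deny:
        raise ValueError("refusing a bit that is set in both allow and deny")
    return {"token": token, "merge": merge,
            "accessControlEntries": [
                {"descriptor": descriptor, "allow": allow, "deny": deny}]}

if __name__ == "__main__":
    allow = mask_for(SAMPLE_ACTIONS, ["GenericRead", "GenericContribute", "CreateBranch"])
    print(allow, names_in(SAMPLE_ACTIONS, allow))
    print(split_bits(115))  # the allow value passed to SetPermissions in the answer
    # Placeholders: copy the token from an ACL query and the SID from the group.
    print(json.dumps(ace_body("<token>", "Microsoft.TeamFoundation.Identity;<SID>", allow), indent=2))
```

Decoding a mask before writing it back is a useful review step: any bits that `names_in` cannot name for the target namespace indicate the value was built against a different namespace's action list.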