How to assign organization-level permissions to create repositories across all projects in organization in Azure DevOps?
I am creating automation for Azure DevOps. I want to follow the principle of least privilege. I only need to grant permissions to create repositories across all projects in the organization. I know how to do it at the project level, but for organizations with many projects, assigning permissions at the project level would be time-consuming.
Do you know and can you give me an example of how to grant permissions to create repositories at the level of the entire organization?
you can try to use the Azure DevOps CLI "az devops security permission" to assign the permission:
Go to Organization Settings > Permissions page to create a new group (e.g.,
Create Repos). Once created, open it, you can see the group descriptor (subjectDescriptor) of this group from the address bar of the browser. Copy and remember the value of descriptor (vssgp.xxxx), it will be used in the subsequent Azure DevOps CLI.
Run the command "az devops security permission namespace list" to get the
namespaceIdandbitof the permission item "Create repository". Generally, the value of this two properties are fixed. All the repository related permission items generally have the same namespace, and each item has its owns bit.- namespaceId:
2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 - bit:
256
- namespaceId:
Then you can run the "
az devops security permission update" to globally set the permission item "Create repository" to "Allow" for the group "Create Repos" within the organization.
Below is a sample of the Bash script to call the Azure DevOps CLI.
#!/bin/bash
organization="xxxx"
pat="xxxx"
groupDescriptor="vssgp.xxxx"
namespaceId = "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"
# Login the Azure DevOps organization.
echo $pat | az devops login --org https://dev.azure.com/$organization
# If you do not know the the 'namespaceId' and 'bit' of the permission item, you can run below command, and then check the values in the output json file.
# az devops security permission namespace list > namespaces.json
# Globally set the permission "Create repository" to "Allow" for the group "Create Repos" within the organization.
az devops security permission update --id $namespaceId --subject $groupDescriptor --token "repoV2" --allow-bit 256
With this way:
- The permission "Create repository" will be set to "Allow" for the group "
Create Repos" in all the projects within the organization. - When a new project is created in the organization, this permission will be automatically applied in the new project by default.
- The users added as members in the "
Create Repos" group also will automatically inherit this permission by default.
- Azure yaml trigger pipeline every 14 days on a Saturday
- How can I give a containerRegistry to a DevcontainersCi task in an Azure DevOps YAML Pipeline?
- How to assign organization-level permissions to create repositories across all projects in organization in Azure DevOps?
- Updating Node js on internal windows ADO build agent
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- DotNetCLI@2 pack seems to be ignoring configuration inputs
- Build a pipeline in AzureDevOps for Sql Server on prem to run sql scripts
- How to format Azure DevOps console Logs
- How to follow the entire wiki in Azure DevOps?
- Issue with Azure key vault and Azure storage account deployment
- Publishing external POM Package to Azure Artifacts Feed Error
- lionbridge-connector on Azure Artifacts gives Dependency Error
- How to allow an empty string for a runtime parameter?
- Azure - RBAC to Management Group
- Python (Dash) web app deployment on Azure with pipeline running too long with message Building wheel for pandas still running. How to optimize?
- No 'Import a pipeline' button in Azure DevOps
- ASP.NET Azure Web App Pipeline: No package found with specified pattern: D:\a\1\s\**\*.zip
- Error when creating a pipeline. "You don’t appear to have an active Azure subscription."
- ADO YAML Pipelines | How to get secret variable from a variable group based on the value of another variable
- Azure Devops - Get release definitions by agent pool ID
- Azure Pipelines using YAML for multiple environments (stages) with different variable values but no YAML duplication
- How to specify which version of nuget.exe to use with self-hosted agent in Azure DevOps?
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- Azure DevOps - JFrogNuget Error - Error occurred while executing task: Error: Command failed
- Access Azure DevOps Pipeline Artifacts from different organization
- Initiate Azure DevOps Release Pipeline from Logic App and Retrieve Environment Variable Output from the pipeline
- Is it necessary to switch from the Hosted XML to the Inheritance Process Model after a migration
- Why is Azure Pipelines installing the wrong .NET SDK version (according to global.json)
- Azure pipeline does't allow to git push throwing 'GenericContribute' permission is needed
- Azure Devops - How to START one stage before parallel stages?