
I need to give someone access to create work items ONLY. They are a 'stakeholder' user. Currently I cannot restrict them from seeing Variable groups OR Task Groups. I cannot see any deny permissions and the person is in no other groups. I added them to an organization group with DENY permissions in all 4 Pipelines permissions. Still the user can see them.

PDev
  • There is a similar discussion here: https://stackoverflow.com/questions/57907600/azure-devops-deny-access-to-pipelines – tlatkovich Sep 18 '19 at 14:53
  • FYI - the issue in DevOps that allowed access to variable groups without explicit permissions being granted has been fixed by the DevOps team. – tlatkovich Oct 09 '19 at 13:06

2 Answers


I added them to an organization group with DENY permissions in all 4 Pipelines permissions. Still the user can see them

That's because the permissions listed here are used to restrict the build view, such as build definitions, etc. But variable groups and task groups do not belong to the build; they are just linked/called into the build. Setting View build resources to Deny cannot restrict these objects' permissions. For example, Azure Key Vault's view permission cannot be restricted by denying the build permission. It can only be changed in the Azure portal.

These functions (such as variable group, task group, key vault, etc.) which are linked/called into the build are called objects. To modify an object's permissions, you must go to the object's security page to change them.

Since what you are focusing on is variable groups and task groups, unfortunately, viewing these objects belongs to the basic permissions of Stakeholder and cannot be restricted in the security configuration.


As you can see, there's no permission to restrict View. So restricting stakeholders from viewing them cannot be achieved.

For security, I think you can change their level to Project reader to restrict them from making changes to them.


Mengdi Liang

In my case the issue was that the Project Valid Users group had access by default, and any new group would also be a member of this group. I fixed this by going to Library -> Security -> remove permissions for Project Valid Users.

FFFffff