2

I need to restrict permissions for certain branches across 50 repos for specific user groups in Azure Repos. This is to say, a particular group of users cannot force push to the master branch but can to other branches.

This is easy enough to do in the interface, but requires going to 50+ repos and manually performing this task. I've been reading through the Azure repos API documentation and I'm struggling to see how I go about setting this?

nullabletype
  • See https://stackoverflow.com/questions/56652476/azure-devops-set-git-branch-permission-for-all-repos-in-all-projects – riQQ Oct 17 '19 at 11:59
  • Sorry but that doesn't answer the question. That targets all branches, I know how to do that... I want to target a specific branch in a repo for a specific group and permission. I can do this via the UI, so hoping an API or failing that a tool could do it. – nullabletype Oct 17 '19 at 12:04
  • @nullabletype, do you still have other questions? Did my answer help for your question? – Frank Wang-MSFT Oct 21 '19 at 06:52

2 Answers

1

As explained in the blog post https://jessehouwing.net/azure-devops-git-setting-default-repository-permissions/:

tfssecurity /a+ "Git Repositories" repoV2/<Team Project GUID>/<repository guid>/refs^heads^<branch name>/ "ForcePush" <memberIdentity> DENY /collection:https://dev.azure.com/{organization}

The repository guids can be found out via REST API, where GitRepository.id contains the guid: https://learn.microsoft.com/en-us/rest/api/azure/devops/git/repositories/list?view=azure-devops-rest-5.1#examples

See https://learn.microsoft.com/en-us/azure/devops/server/command-line/tfssecurity-cmd?view=azure-devops for more information about how to specify member identity.

riQQ
  • Thanks for the help. I've been trying out the az method instead as it's the newest supported method, and it all seems to work apart from the branch specification. I sent it out as refs^heads^master but in the response it returns as refsheadsmaster and the permissions are not visible in the UI. Any idea where I may be going wrong? The token for the branch seems to match what the UI uses in the console. – nullabletype Oct 21 '19 at 12:35
0

You can use the REST API below to set branch permissions for a group.

POST https://dev.azure.com/{orgname}/{projectid}/_api/_security/ManagePermissions?__v=5

Here is a sample of request body.

{"updatePackage":
"{\"IsRemovingIdentity\":false,
\"TeamFoundationId\":\"{teamfoundationId}\",
\"DescriptorIdentityType\":\"Microsoft.TeamFoundation.Identity\",
\"DescriptorIdentifier\":\"{DescriptorIdentifier}\",
\"PermissionSetId\":\"2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87\",
\"PermissionSetToken\":\"repoV2/{projectId}/{repoId}/refs^heads^{branchname}/\",
\"RefreshIdentities\":false,
\"Updates\":
[{\"PermissionId\":1,\"PermissionBit\":32768,\"NamespaceId\":\"2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87\",
\"Token\":\"repoV2/{projectId}/{repoId}/refs/heads/{branchId}/\"}],
\"TokenDisplayName\":null}"}

Note

\"PermissionId\":1, means set the permission to Allow, \"PermissionId\":2, means set the permission to Deny, \"PermissionId\":1, means set the permission to Not Set.

\"PermissionBit\":32768 is the Bypass policies when completing pull requests permission. \"PermissionBit\":128 is the Bypass policies when pushing permission.

\"PermissionBit\":4 is the Contribute policies when pushing permission.

\"PermissionBit\":2048 is the Edit policies permission.

\"PermissionBit\":8 is the Force push permission.

\"PermissionBit\":8192 is the Manage permissions permission.

\"PermissionBit\":4096 is the Remove others' locks permission.

Addition

There are too many parameters in the request body; you can get these parameters from the official documentation. Or I recommend getting these parameters by using the Network tool to catch them manually.

Frank Wang-MSFT
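An added example, not part of either answer: it builds the ManagePermissions request body from the second answer once per repository, so the same deny on ForcePush for one branch and one group can be generated for all 50 repos. The `branch_id` value, the `identity` dictionary and the permission labels are assumptions made here; take the real values from a captured UI request as the answer suggests. The script only produces bodies and sends nothing.

```python
import json
import uuid

# Namespace id and field names are copied from the answer's sample body.
GIT_NAMESPACE_ID = "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"
ALLOW, DENY = 1, 2  # PermissionId values given in the answer's note
# Bit values from the answer's note; the dictionary keys are labels chosen here.
PERMISSION_BITS = {
    "Contribute": 4, "ForcePush": 8, "BypassPoliciesOnPush": 128,
    "EditPolicies": 2048, "RemoveOthersLocks": 4096, "ManagePermissions": 8192,
    "BypassPoliciesOnPullRequest": 32768,
}

def build_body(project_id, repo_id, branch_name, branch_id, identity,
               permission, permission_id=DENY):
    """Return the POST body for one repo/branch/group/permission."""
    for guid in (project_id, repo_id):
        uuid.UUID(guid)  # raises ValueError before a malformed token is built
    if permission_id not in (ALLOW, DENY):
        raise ValueError("permission_id must be ALLOW or DENY")
    prefix = f"repoV2/{project_id}/{repo_id}"
    package = {
        "IsRemovingIdentity": False,
        "TeamFoundationId": identity["TeamFoundationId"],
        "DescriptorIdentityType": "Microsoft.TeamFoundation.Identity",
        "DescriptorIdentifier": identity["DescriptorIdentifier"],
        "PermissionSetId": GIT_NAMESPACE_ID,
        "PermissionSetToken": f"{prefix}/refs^heads^{branch_name}/",
        "RefreshIdentities": False,
        "Updates": [{
            "PermissionId": permission_id,
            "PermissionBit": PERMISSION_BITS[permission],  # KeyError if unknown
            "NamespaceId": GIT_NAMESPACE_ID,
            "Token": f"{prefix}/refs/heads/{branch_id}/",
        }],
        "TokenDisplayName": None,
    }
    # updatePackage is a JSON document carried as a string, so encode twice.
    return json.dumps({"updatePackage": json.dumps(package)})

def bodies_for_repos(project_id, repo_ids, branch_name, branch_id, identity,
                     permission="ForcePush"):
    """One deny body per repository id (GitRepository.id from the list API)."""
    return {r: build_body(project_id, r, branch_name, branch_id, identity, permission)
            for r in repo_ids}

if __name__ == "__main__":  # constructed ids, not real ones
    ident = {"TeamFoundationId": str(uuid.uuid4()), "DescriptorIdentifier": "S-1-9-EXAMPLE"}
    print(bodies_for_repos(str(uuid.uuid4()), [str(uuid.uuid4())], "master", "BRANCH_ID", ident))
```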