I've been adding permissions to a custom Azure DevOps Services group through the Azure CLI (az devops version 0.11.0) and I've usually been able to do the following:

  1. az devops security permission namespace list, find namespaceId of specific namespace (like EventSubscription)
  2. Get the Project Admin's descriptor
  3. az devops security permission list --id $namespaceId --subject $projectAdmin.descriptor...
  4. Find an allow bit in the ACES dictionary, find the respective token
  5. az devops security permission update... with the new token

But when I run security permission list for the EventSubscription namespace, it returns with empty JSON for the project admins group so I can't find the token. I've tried "$SUBSCRIPTION" as it looked like what a TFS 2010 user used, but that doesn't work.

Questions:

  1. How can I list tokens on the project admins group for the EventSubscription namespace? I tried to see if tfssecurity would pull anything up, but didn't work. Also tried using Fiddler to see if it would find a token but also nothing. Can't use Fiddler with the UI.

  2. Or what token do I use for Azure DevOps to update the EventSubscription permission for a group?

m00nbeam360.0

1 Answer

I tested with EventSubscription namespace id and project admins group descriptor as subject parameters and got the same result as you.

# PAT read by the az devops extension
$env:AZURE_DEVOPS_EXT_PAT = 'ckdhd6wuma5uw2h35dv37pgdum5eyjviqneineixxxxx'

# List all security namespaces to find the namespaceId
$output = az devops security permission namespace list | ConvertTo-Json -Depth 100

# Get the group descriptors for the project
$output2 = az devops security group list --scope project | ConvertTo-Json -Depth 100

# EventSubscription namespaceId: 58b176e7-3411-457a-89d0-c6xxx / Project namespaceId: 52d39943-cb85-4d7f-8fa8-c6xxx
$output3 = az devops security permission list --namespace-id 58b176e7-3411-457a-89d0-c6xxxx --subject vssgp.Uy0xLTktMTU1MTM3NDI0NS00MjQ3MDQ2OTMyLTI2ODA1Nzg2MjktMjkxMzgyMjE4MC0yNDQ0MjYxxxxx | ConvertTo-Json -Depth 100

Write-Host $output3

But when I tested with Project namespace id and project admins group descriptor, I can get the token normally.

So I think this could be a problem with the association between the EventSubscription namespace and the project admins group descriptor. Can you share the corresponding operation in the UI? This will help me investigate further.

Hugh Lin
  • Thanks for trying this out too - according to the docs, there isn't a way to add notifications through the UI (otherwise I would have tried Fiddler). I think I did try Fiddler with TFSSecurity and that didn't show up with anything. https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&tabs=preview-page#notifications-or-alerts – m00nbeam360.0 Mar 24 '20 at 15:43
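
The five steps from the question, as an added PowerShell example that is not part of the original posts: it resolves the namespace and group by name, lists the group's ACLs, decodes the allow bits against the namespace's actions, and reports the empty-result case described above explicitly. It assumes `az devops configure --defaults` has set the organization and project; the group name 'Project Administrators' and the helper `Get-AzJson` are assumptions.

```powershell
# Added example: read-only audit of one group's ACLs in one security namespace.
$namespaceName = 'EventSubscription'
$groupName     = 'Project Administrators'   # assumed display name of the group

function Get-AzJson {
    # Hypothetical helper: run an az command, fail on a non-zero exit, parse the JSON.
    param([string[]]$AzArgs)
    $text = (& az @AzArgs --output json | Out-String)
    if ($LASTEXITCODE -ne 0) { throw "az $($AzArgs -join ' ') failed" }
    if ([string]::IsNullOrWhiteSpace($text)) { return @() }
    return ($text | ConvertFrom-Json)
}

# Step 1: namespace id and action bits, looked up by name.
$ns = Get-AzJson @('devops','security','permission','namespace','list') |
      Where-Object { $_.name -eq $namespaceName } | Select-Object -First 1
if (-not $ns) { throw "Namespace '$namespaceName' not found" }

# Step 2: descriptor of the group.
$groups = Get-AzJson @('devops','security','group','list','--scope','project')
$group  = $groups.graphGroups | Where-Object { $_.displayName -eq $groupName } |
          Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }

# Step 3: ACLs for that subject in that namespace.
$acls = @(Get-AzJson @('devops','security','permission','list',
                       '--namespace-id', $ns.namespaceId,
                       '--subject', $group.descriptor))

# Step 4: decode each ACE's allow mask, or report that there is nothing to read.
if ($acls.Count -eq 0) {
    # The case from the question: no ACL came back, so no token can be copied from it.
    Write-Warning "No ACL entries for '$groupName' in '$namespaceName'."
    Write-Host 'Actions defined by the namespace:'
    $ns.actions | Select-Object bit, name, displayName | Format-Table
} else {
    foreach ($acl in $acls) {
        foreach ($ace in $acl.acesDictionary.PSObject.Properties.Value) {
            $allowed = $ns.actions | Where-Object { $ace.allow -band $_.bit } |
                       ForEach-Object { $_.name }
            [pscustomobject]@{ Token = $acl.token; Allow = $ace.allow
                               Deny  = $ace.deny;  Allowed = $allowed -join ', ' }
        }
    }
}
# Step 5 (not run here): az devops security permission update
#   --namespace-id <id> --subject <descriptor> --token <token> --allow-bit <bit>
```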