1

I'am recently installed Azure DevOps Server 2019 in on-premises server.

However, i'am so confused : How i can set the security and the user permission in the server, such as : Deny user to view author project in the same collection , create custom group not in the azure devops default groups ...

I ask for idea to implement that

Thank you

Quentin Merlin
  • 664
  • 1
  • 6
  • 31

1 Answers1

1

According to Azure DevOps permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.

Deny user to view author project in the same collection.

Assume you were talking about team project. In your scenario, the simplest way is not add that user to your team project. People without team project collection admin permission will not be able to see those projects which they are not added in.

If you already add users in the team project and want the user not be able to see some info such as repo/build/work items in the project .

You need to evidently deny those users for viewing some project repositories/builds/ work items.

As how to create group, you could directly click New Group in the right top corner of the page from Project Settings-- Permission

enter image description here

More details about how are permissions and groups defined, suggest you go through our official doc here-- About permissions and groups

Besides, you could also manage user permission with the help of command line. The tfssecurity command line tool allows us to manage permissions for Azure DevOps groups and users. We could use it in a PowerShell script to grant access to projects that already exists.

PatrickLu-MSFT
  • 49,478
  • 5
  • 35
  • 62
  • I'am not understand your reply, As a sample case : i create a team, this teams is a member of " Valid project users group " , i deny the action "rename team project" , in the two group , but the member of my team ; still rename the project – Quentin Merlin Apr 30 '20 at 07:55
  • @KivenWanda Did that user also be a member of the Project Administrators Group ? If so, this may override the permission setting. If not, after he rename, have you asked him to save the changes. Were he also able to save the changes? – PatrickLu-MSFT Apr 30 '20 at 08:57
  • @KivenWanda That's wired. I could not reproduce your scenario. The only difference maybe: I have signed out and sign again with the test user. Suggest you also ask him log out ,close the web portal and sign again. Moreover, what if you evidently deny the Rename Project Permission of that user. You could search the user in permission page select user and search user. Also give a try with to narrow down the issue. – PatrickLu-MSFT Apr 30 '20 at 09:59
  • It's look works , only with normal AD Account but i have some issue , a account admin AD have all permissions in the project , even though it's not added in any project – Quentin Merlin Apr 30 '20 at 11:00
  • 1
    Domain Admin Users can see and manage to all project even though it's not added in any project How i can stop them ? – Quentin Merlin Apr 30 '20 at 15:25
  • @KivenWanda Sorry for the later reply during holiday. `Domain Admin Users can see and manage to all project even though it's not added in any project ` These users may auto added as TFS sever Admin group or TFS collection Admin group. As either member of the group, it's able to see and manage to all project . If you not want some user to have this ability. Either move the specific user out of admin group. Or deny corresponding permission for each project which you do not want them to manage. – PatrickLu-MSFT May 05 '20 at 10:04