
I create service connections via the Terraform Azure DevOps module. This works well, but they are mainly accessible by myself, same as those I create manually.

My team members should also have the possibility to access and modify those service connections, and members of a different team should be able to view the service connections. Unfortunately, I have not found a way to assign specific permissions to a service connection via Azure CLI.

What I have done so far: I find it quite hard to understand the documentation (for example https://learn.microsoft.com/en-us/cli/azure/ext/azure-devops/devops/security/permission?view=azure-cli-latest#ext-azure-devops-az-devops-security-permission-update):

  • I have generated the list of "namespaces" with `az devops security permission namespace list --organization=https://dev.azure.com/myname`. This gives me

    ```json
    {
      "actions": [
        {
          "bit": 1,
          "displayName": "Use Service Connection",
          "name": "Use",
          "namespaceId": "x-x-x-x"
        },
        {
          "bit": 2,
          "displayName": "Administer Service Connection",
          "name": "Administer",
          "namespaceId": "x-x-x-x"
        },
        {
          "bit": 4,
          "displayName": "Create Service Connection",
          "name": "Create",
          "namespaceId": "x-x-x-x"
        },
        {
          "bit": 8,
          "displayName": "View Authorization",
          "name": "ViewAuthorization",
          "namespaceId": "x-x-x-x"
        },
        {
          "bit": 16,
          "displayName": "View Service Connection",
          "name": "ViewEndpoint",
          "namespaceId": "x-x-x-x"
        }
      ],
      "dataspaceCategory": "Default",
      "displayName": "ServiceEndpoints",
      "elementLength": -1,
      "extensionType": null,
      "isRemotable": false,
      "name": "ServiceEndpoints",
      "namespaceId": "x-x-x-x",
      "readPermission": 0,
      "separatorValue": "/",
      "structureValue": 1,
      "systemBitMask": 0,
      "useTokenTranslator": true,
      "writePermission": 2
    },
    ```

  • I have created a group with `az devops security group create --name 'Some group name' --description 'Something to describe this group'`; this works, although it is not an AAD group.
  • I have tried to add permissions for my colleague with `az devops security permission update --organization=https://dev.azure.com/myname --id="x-x-x-x" --subject="my.colleague@example.org"`, but it asks me for a token as a parameter. I cannot find anything about how to generate the token in the documentation, and I also do not know if it actually would help or if this command is the right one to reach my goal.

Any hints?

hey



Tokens are arbitrary strings representing resources in Azure DevOps. Token format differs per resource type; however, hierarchy and separator characters are common between all tokens.

For the tokens, you can refer to Security tokens for permissions management for details; it lists token examples for different namespaces.

Another example for your reference (from jessehouwing's blog):

```powershell
az login
az extension add --name "azure-devops"

# Find the group identifier of the group you want to set permissions for

$org = "gdbc2019-westeurope"

# There is a weird edge case here when an Azure DevOps Organization has a Team Project with the same name as the org.
# In that case you must also add a query to filter on the right domain property `?@.domain == '?'`

$subject = az devops security group list `
    --org "https://dev.azure.com/$org/" `
    --scope organization `
    --subject-types vssgp `
    --query "graphGroups[?@.principalName == '[$org]\Project Collection Administrators'].descriptor | [0]"

$namespaceId = az devops security permission namespace list `
    --org "https://dev.azure.com/$org/" `
    --query "[?@.name == 'Git Repositories'].namespaceId | [0]"

$bit = az devops security permission namespace show `
    --namespace-id $namespaceId `
    --org "https://dev.azure.com/$org/" `
    --query "[0].actions[?@.name == 'PullRequestBypassPolicy'].bit | [0]"

az devops security permission update `
    --id $namespaceId `
    --subject $subject `
    --token "repoV2/" `
    --allow-bit $bit `
    --merge true `
    --org https://dev.azure.com/$org/
```

Besides, you could also take a look at the steps in this similar question: Update permissions for Azure DevOps group for EventSubscription through Azure CLI?

PatrickLu-MSFT
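Applying the answer's pattern to the ServiceEndpoints namespace from the question, as an added example that is not part of the question or the answer: one group gets View + Use + Administer on a single service connection, a second group gets View only, with the bits resolved by action name and OR-ed into the one mask that `--allow-bit` expects. The token format `endpoints/<projectId>/<endpointId>`, the project, endpoint and group names are assumptions, not values from this page.

```powershell
az login
az extension add --name "azure-devops"

$org      = "https://dev.azure.com/myname/"
$project  = "MyProject"             # placeholder project name
$endpoint = "my-service-connection" # placeholder service connection name

# IDs needed to build the token: the project GUID and the endpoint GUID.
$projectId  = az devops project show --project $project --org $org --query "id" -o tsv
$endpointId = az devops service-endpoint list --project $project --org $org `
    --query "[?name == '$endpoint'].id | [0]" -o tsv

# Namespace ID of the 'ServiceEndpoints' namespace shown in the question.
$namespaceId = az devops security permission namespace list --org $org `
    --query "[?name == 'ServiceEndpoints'].namespaceId | [0]" -o tsv

# Resolve bits by action name instead of hard-coding 1/2/8/16, then OR them:
# --allow-bit takes one combined mask, not a list of bits.
$actions = az devops security permission namespace show --namespace-id $namespaceId `
    --org $org --query "[0].actions" -o json | ConvertFrom-Json
function Get-Mask([string[]] $names) {
    $mask = 0
    foreach ($a in $actions) { if ($names -contains $a.name) { $mask = $mask -bor [int]$a.bit } }
    return $mask
}
$adminMask = Get-Mask @("ViewEndpoint", "ViewAuthorization", "Use", "Administer")  # 16+8+1+2 = 27
$viewMask  = Get-Mask @("ViewEndpoint")                                           # 16

# Project-scoped group descriptors (group names are placeholders); the query
# shape follows the answer above, with '[Project]\Group' as principalName.
$ownTeam = az devops security group list --org $org --project $project --subject-types vssgp `
    --query "graphGroups[?principalName == '[$project]\Own Team'].descriptor | [0]" -o tsv
$otherTeam = az devops security group list --org $org --project $project --subject-types vssgp `
    --query "graphGroups[?principalName == '[$project]\Other Team'].descriptor | [0]" -o tsv

# Assumed token format for a project-level service connection (verify against
# the security namespace reference for your organisation before relying on it).
$token = "endpoints/$projectId/$endpointId"

az devops security permission update --org $org --id $namespaceId --subject $ownTeam `
    --token $token --allow-bit $adminMask --merge true
az devops security permission update --org $org --id $namespaceId --subject $otherTeam `
    --token $token --allow-bit $viewMask --merge true

# Read back the effective ACE for one group to confirm only the intended bits are allowed.
az devops security permission show --org $org --id $namespaceId --subject $ownTeam --token $token
```

Omit `ViewAuthorization` and `Administer` from the first mask if the team should be able to use but not re-share or edit the connection; `--merge true` keeps any bits already granted, so clear unwanted ones with `--deny-bit` or `az devops security permission reset` rather than expecting an overwrite.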