
https://learn.microsoft.com/en-us/rest/api/azure/devops/security/?view=azure-devops-server-rest-5.0

https://learn.microsoft.com/en-us/rest/api/azure/devops/security/access%20control%20entries?view=azure-devops-server-rest-5.0

Hi there, I'm having problems with trying to understand the way to set up permissions using the API in ADO 2019. I can see what the security namespace one API does. I can get bitwise that relates to, for example, git repos. I can't see how to add permissions to a user or group. e.g. I can't see how to get a bitwise that has multiple permissions, do I just add them together? I can see the API that says how to add ACEs but that doesn't actually tell me how to add permissions really. I'll try to explain.

If I run the API for ACL, I get a pile of info back, one of which is token. Okay, so surely if I get the GUID for the git repo using the git API to list them, the GUID will match up with the IDs in the token like the namespaces do. Nope.

The examples don't seem to be actual examples. I'm looking for 'If you have a git repo, here's how you would give someone permissions to it' 'here's an example of getting the existing permissions for a group and adding another'.

Instead it's just 'here's a string of GUIDs getting put into the API' without explaining the pieces or what specifically it was doing. I can't seem to relate what's in the GUI for adding perms, to what the security API is bringing back.

I'm on Azure DevOps on-prem so I'm more limited in tool selection. Other people I've asked say they gave up trying to use this. AzureDevOps on Twitter says I can connect with the team here. I'm asking how to do things with the security API and then I can go write it up and suggest how to update the docs. I'm clearly too thick to figure it out from what's there and I don't seem to be the only one. Thanks

1 Answer

For Azure DevOps Service, you can manage group membership using the Graph API. But this API is not available for Azure DevOps Server.

In my opinion, for on-premise TFS/Azure DevOps Server, TFSSecurity command line is easier than TFS API to add permissions for a user or a group in a server-level, collection-level, or project-level group. You may consider using TFSSecurity command line:

https://learn.microsoft.com/en-us/azure/devops/server/command-line/tfssecurity-cmd?view=azure-devops-2019

You may also check the following code to get the permissions:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using Microsoft.TeamFoundation.Client;
    using Microsoft.TeamFoundation.Server;
    using Microsoft.TeamFoundation.VersionControl.Client;
    using Microsoft.TeamFoundation.Framework.Client;

    namespace API
    {
        class Program
        {
            static void Main(string[] args)
            {
                // Collection URL of the on-premises server
                string project = "http://xxx.xxx.xxx.xxx:8080/tfs";
                TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(new Uri(project));
                var tps = tpc.GetService<VersionControlServer>();
                var ttt = tps.GetTeamProject("ProjectName");
                // List every security namespace the collection exposes
                ISecurityService securityService = tpc.GetService<ISecurityService>();
                System.Collections.ObjectModel.ReadOnlyCollection<SecurityNamespace> securityNamespaces = securityService.GetSecurityNamespaces();
                // Resolve the group to its SID and build the identity descriptor used in the ACE
                IGroupSecurityService gss = tpc.GetService<IGroupSecurityService>();
                Identity SIDS = gss.ReadIdentity(SearchFactor.AccountName, "GroupName", QueryMembership.Expanded); // Group name format: [ProjectName]\\GroupName
                IdentityDescriptor id = new IdentityDescriptor("Microsoft.TeamFoundation.Identity", SIDS.Sid);
                List<SecurityNamespace> securityList = securityNamespaces.ToList<SecurityNamespace>();
                string securityToken;
                foreach (SecurityNamespace sn in securityList)
                {
                    if (sn.Description.DisplayName == "Project")
                    {
                        // Token for the Project namespace: "$PROJECT:" + the project's artifact URI
                        securityToken = "$PROJECT:" + ttt.ArtifactUri.AbsoluteUri;
                        // Arguments: token, identity, allow bitmask, deny bitmask, merge with the existing ACE
                        sn.SetPermissions(securityToken, id, 115, 0, true);
                    }
                }
            }
        }
    }
Cece Dong - MSFT
  • thank you for that @cece. apologies for slow reply, I had an injury. I assume that's C# above there. I'll have to give it a bash. I have looked at TFSsecurity and I run into the problems where I again don't really understand how to edit specific permissions. Also I don't seem to see all the namespaces that the API is uncovering for me. e.g. Git Repositories. I'm just using the tfssecurity that sits in ADO2019/tools folder – Gabriel McColl Jun 08 '20 at 10:04
  • Also does that do something where it's SetPermissions rather than just bring them back? – Gabriel McColl Jun 08 '20 at 12:30
  • Sorry, I don't quite understand your query, would you mind giving me an example? Regarding the namespace, do you mean this: https://learn.microsoft.com/en-us/azure/devops/server/command-line/tfssecurity-cmd?view=azure-devops-2019#permission-namespaces-and-actions? – Cece Dong - MSFT Jun 09 '20 at 09:44
  • Hey there, thanks again for the reply. I think I've resolved it. You get different behaviour on the TFSSecurity tool when you target collection rather than server. As for the query RE set permissions in the tool snippet above you sent `if (sn.Description.DisplayName == "Project") { securityToken = "$PROJECT:" + ttt.ArtifactUri.AbsoluteUri; sn.SetPermissions(securityToken, id, 115, 0, true);` And it looks like it's setting permissions on things? – Gabriel McColl Jun 12 '20 at 09:16
  • Yes, it's an example of setting the permission "Edit project-level information", check this case: https://stackoverflow.com/questions/34640524/tfs-api-to-create-a-tfs-group-and-set-permissions. If your issue is solved and my reply helps you, you could [Accept it as an Answer](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work), this can be beneficial to other community members reading this thread. – Cece Dong - MSFT Jun 12 '20 at 09:54
  • If my reply helps you, please [Accept it as an Answer](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work), this can be beneficial to other community members reading this thread. – Cece Dong - MSFT Jun 17 '20 at 09:13
  • Heya sorry I thought I’d done this. Is it accepted now? Thanks for the help. Still muddling through the documentation on this. – Gabriel McColl Jun 21 '20 at 16:19
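
The question's two sticking points, combining several permissions into one bitmask and relating a repo GUID to an ACL token, worked through as an added example (not code from the original thread or from Microsoft). The action list is a constructed sample in the shape the security namespaces call returns; the `repoV2/{projectId}/{repoId}` token layout and every GUID/SID placeholder are assumptions to be replaced with values read from your own server.

```python
import json

# Constructed sample shaped like one entry of the security namespaces response.
# Read the real namespaceId and bit values from your own server.
GIT_NAMESPACE = {
    "namespaceId": "<git-repositories-namespace-guid>",  # placeholder
    "actions": [
        {"bit": 1, "name": "Administer"},
        {"bit": 2, "name": "GenericRead"},
        {"bit": 4, "name": "GenericContribute"},
        {"bit": 8, "name": "ForcePush"},
        {"bit": 16, "name": "CreateBranch"},
    ],
}

def mask_for(namespace, names):
    """OR the bits of the named actions. Each action is a distinct bit, so
    OR equals the sum, but OR stays correct if a name is listed twice."""
    bits = {a["name"]: a["bit"] for a in namespace["actions"]}
    missing = [n for n in names if n not in bits]
    if missing:
        raise KeyError(f"not in namespace: {missing}")
    mask = 0
    for n in names:
        mask |= bits[n]
    return mask

def names_for(namespace, mask):
    """Decode a mask (e.g. the allow value of an existing ACE) into names."""
    return [a["name"] for a in namespace["actions"] if mask & a["bit"]]

def git_repo_token(project_id, repo_id=None):
    """Assumed Git token layout: project GUID first, then the repo GUID."""
    return "/".join(p for p in ("repoV2", project_id, repo_id) if p)

def ace_request_body(token, descriptor, allow, deny=0, merge=True):
    """Body for the set-access-control-entries call. merge=True combines the
    masks with the existing ACE; merge=False replaces that ACE."""
    if allow & deny:
        raise ValueError("same bit in allow and deny")
    return {"token": token, "merge": merge,
            "accessControlEntries": [{"descriptor": descriptor, "allow": allow,
                                      "deny": deny, "extendedinfo": {}}]}

if __name__ == "__main__":
    allow = mask_for(GIT_NAMESPACE, ["GenericRead", "GenericContribute", "CreateBranch"])
    body = ace_request_body(git_repo_token("<project-guid>", "<repo-guid>"),
                            "Microsoft.TeamFoundation.Identity;<group-sid>", allow)
    print(json.dumps(body, indent=2))
```

Decoding the `allow` and `deny` values of an existing ACE with `names_for` before posting shows exactly which rights the merged entry will carry, which is the check to make before granting anything on a repository.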