1

On premises AzDevOps Server 2019, version Dev17.M153.5. I have restricted default access rights to agent queues on every single project in every single collection - removed the default set (Release Admins/Build Admins/Project Admins), added some other lines (Server Admins).

Now, every once in a while, intermittently with no pattern that I can see, those three permissions keep coming back automagically. On different projects, through no human actions (all the humans who have the rights for that have been told), those three lines with the Administrator role reappear on the default agent queue ACL.

Is that a known behavior in AzDevOps? Any way to opt out?

EDIT: here's what it looks like. The first three lines don't belong.

Default queue ACL

EDIT: as per the advice, I'd try to track it down using the activity log. I went and made a dummy change to default queue security elsewhere. There was a log record with command SecurityRoleAssignments.SetRoleAssignments. I then filtered the activity log on the collection where the permissions have reverted, and searched for the same command. No instances. The log ends around 7/14, which is likely before the event.

Seva Alekseyev
  • 1
    I don't have an answer for you and not positive this would provide the detail you might need, but the RC for Server 2020 is available and they are adding *some* auditing to the agent pools. Possible it might be able to answer this question if it does capture changes to permissions. https://learn.microsoft.com/en-us/azure/devops/server/release-notes/azuredevops2020?view=azure-devops&branch=releasenotes%2FAzureDevOpsServer2020#builds-and-releases-auditing – Matt Jul 10 '20 at 23:11

2 Answers

0

This should be caused by Inheritance permission. By default, the option Inheritance is turned on and the following groups are added to the Administrator role of 'All agent pools': Build Administrators, Release Administrators, Project Administrators.

If we turn off the option Inheritance, we can remove the default permission groups (Release Admins/Build Admins/Project Admins).

If we turn on the Inheritance, the permission group will be inherited again and the default permission groups will come back. Please check the option and confirm that inheritance is always off. Please also confirm with all the humans who have the rights to update the option.

Update 1

Log in to {Azure DevOps Server URL}/_oi/_diagnostics/activityLog. There we can see the Activity Log and check who added the permission groups. Please check it.

Vito Liu
  • The Inheritance box is disabled on the project level default queue Security window. Also, what would it inherit from? There are no collection level queues (anymore). I think you misunderstood the question. – Seva Alekseyev Jul 14 '20 at 14:15
  • It's not permissions on *specific queues* that keep reverting to the default, it's the **default queue permissions**, the ones that come up when you click "Security" on `tfs.example.com/tfs/Coll/Project/_settings/agentqueues`. – Seva Alekseyev Jul 14 '20 at 14:24
  • Will the default permission group come back in all collections or only one collection? Could you please open one agent pool at the project level and then click the Security tab, then share a screenshot with us? – Vito Liu Jul 17 '20 at 13:39
  • Several collections, I recall 3. I fix those cases as soon as I find them (there's a daily check), so there are currently no queues with the bogus security, so I can't paste a screenshot. Will do if one appears. – Seva Alekseyev Jul 17 '20 at 14:07
  • If these default permission groups come back again, please kindly share a screenshot with us. – Vito Liu Jul 21 '20 at 10:13
  • Nothing in the activity log that would be consistent with a human editing. Like I said, it's something TFS does internally, not a rogue admin. – Seva Alekseyev Jul 23 '20 at 14:35
  • If you add the permission group, it will call the command SecurityRoleAssignment.SetRoleAssignments. Could you please check it and kindly share the result with us? – Vito Liu Jul 24 '20 at 12:15
  • It's not there. I've filtered by the team collection, then used in-page search for "Security". No hits. – Seva Alekseyev Jul 24 '20 at 14:37
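
The daily check mentioned in the comments can also bound when each revert happened, which gives the date range to search in the activity log before it rolls over. This is an added example, not code from the original posts: it assumes each day's default queue ACL has been saved as a list of group/role pairs, and the snapshot format, project names, dates and `[Project]\Group` naming are constructed.

```python
from datetime import date

# The three default groups the question reports reappearing as Administrator.
DEFAULT_GROUPS = ("Build Administrators", "Release Administrators", "Project Administrators")

def unexpected_admins(assignments):
    """Return the default groups holding the Administrator role in one snapshot."""
    hits = []
    for entry in assignments:
        # Assumed display-name form: "[Project]\Build Administrators".
        name = entry["group"].rsplit("\\", 1)[-1]
        if entry["role"] == "Administrator" and name in DEFAULT_GROUPS:
            hits.append(name)
    return sorted(hits)

def drift_windows(snapshots):
    """snapshots: iterable of (day, project, assignments).
    Returns {project: [(last_clean_day, first_bad_day, groups), ...]}, one tuple per
    clean-to-reverted transition. last_clean_day is None if no clean snapshot precedes it."""
    windows, last_clean, was_bad = {}, {}, {}
    for day, project, assignments in sorted(snapshots, key=lambda s: (s[1], s[0])):
        hits = unexpected_admins(assignments)
        if hits and not was_bad.get(project, False):
            windows.setdefault(project, []).append((last_clean.get(project), day, hits))
        if not hits:
            last_clean[project] = day
        was_bad[project] = bool(hits)
    return windows

# Constructed sample data: ProjA reverts once and is fixed by hand, ProjB stays clean.
CLEAN = [{"group": "[Coll]\\Server Admins", "role": "Administrator"}]

def reverted(project):
    return CLEAN + [{"group": f"[{project}]\\{g}", "role": "Administrator"}
                    for g in DEFAULT_GROUPS]

SNAPSHOTS = [
    (date(2020, 8, 1), "ProjA", CLEAN),
    (date(2020, 8, 2), "ProjA", CLEAN),
    (date(2020, 8, 3), "ProjA", reverted("ProjA")),
    (date(2020, 8, 4), "ProjA", CLEAN),
    (date(2020, 8, 3), "ProjB", CLEAN),
    (date(2020, 8, 4), "ProjB", CLEAN),
]

if __name__ == "__main__":
    for project, spans in drift_windows(SNAPSHOTS).items():
        for start, end, groups in spans:
            print(f"{project}: reverted between {start} and {end}: {', '.join(groups)}")
```
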
0

Installed Azure DevOps 2020. A couple of weeks in, no such behavior.

Concluding it was a bug in AzDevOps 2019 all along that they've quietly fixed.

Seva Alekseyev