Is there a report that can provide the security permissions for all users in Azure DevOps Server 2020 (Update 1)?
I see reference to one for Azure DevOps Services, but it doesn't seem to be available for Server (Download permissions report for a repository).
As of this time, however, the permissions report doesn't support any version of Azure DevOps Server.
The REST API Access Control Lists - Query can show all permissions but some extra work is needed.
GET https://dev.azure.com/{organization}/_apis/accesscontrollists/{securityNamespaceId}?api-version=6.0
Use 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 to replace {securityNamespaceId}. This will retrun all Git repository permissions settings in your organization.
You can use token URL parameters to make a more specific query. For exmaple, use token=repoV2/{project id} to retrun all Git repository permissions settings in a project or use token=repoV2/{project id}/{repo id} to retrun permissions settings in a repository. Here is an example:
GET https://dev.azure.com/{organization}/_apis/accesscontrollists/2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87?token=repoV2/{project id}/{repo id}&api-version=6.0
The query does not return inherited permissions. That is, in the web page, if a row show Allow or Deny, it will be returned. If a row shows "Not set" or marked "inherited", it will not be returned.
The query displays the permissions of users or groups as allow and deny permission bits. Here is a list:
| Name | Permission Description | Permission Bit |
|---|---|---|
| Administer | Administer | 1 |
| GenericRead | Read | 2 |
| GenericContribute | Contribute | 4 |
| ForcePush | Force push (rewrite history, delete branches and tags) | 8 |
| CreateBranch | Create branch | 16 |
| CreateTag | Create tag | 32 |
| ManageNote | Manage notes | 64 |
| PolicyExempt | Bypass policies when pushing | 128 |
| CreateRepository | Create repository | 256 |
| DeleteRepository | Delete repository | 512 |
| RenameRepository | Rename repository | 1024 |
| EditPolicies | Edit policies | 2048 |
| RemoveOthersLocks | Remove others' locks | 4096 |
| ManagePermissions | Manage permissions | 8192 |
| PullRequestContribute | Contribute to pull requests | 16384 |
| PullRequestBypassPolicy | Bypass policies when completing pull requests | 32768 |
For example, a user's allow shows 6 means that the user has "Read" and "Contribute" permissions. A user's deny shows 56 means the user isn't allowed to "Force push", "Create branch" and "Create tag".
