Current situation (if I'm not missing anything)
If Project settings -> Repos -> Repositories -> Git Repositories -> "Edit Policies" is allowed, users can edit Cross Repo Policies and add "local" policies to individual repos/branches
If Project settings -> Repos -> Repositories -> Git Repositories -> "Edit Policies" is denied, users can't edit any kind of policies (Cross Repo or "local")
If I want users to be able to edit "local" policies on specific repos/branches but not be able to edit Cross Repo Policies, I have to:
On "Git Repositories", set "Edit Policies" to Denied
On each Repository, set "Edit Policies" to Allowed
Desired behavior
Is there a way to allow users to edit "Local" repository/branch policies without setting permissions on each individual repo?
Basically, I want to enforce the company-wide "Cross Repo Policies" but allow teams to add additional policies on their own repos/branches if necessary.
Thanks
The behavior you described in the current situation above is by design, and it is easy to understand. The permissions you set for Git Repositories are Cross Repo; they apply to all the repos in the project.
So if you allow the Edit Policies permission for a user at the Git Repositories level, he will be able to edit the Cross Repo Policies. If you deny the permission, he will not be able to edit any kind of policy.
When a user is added to a team group of the project, he will inherit the permission settings of this group. So you can set the Edit Policies permission to Not set for a user at the Git Repositories level. He will inherit the permission set for the group which he is a member of.
If you want to enforce the company-wide "Cross Repo Policies" but allow teams to add additional policies on their own repos/branches if necessary, you will need to set the Edit Policies permission to Deny at the Git Repositories level and set the Edit Policies permission to Allow at each repo level for each individual team group.
Check the steps here to add a team in Azure DevOps.
Related
I have created an external user in Azure DevOps (one with #outlook.com email). I have set this user as "Basic" with no access to any of the organization projects and I have also set all permissions to deny. Yet when he signs in, he is able to view organization settings even though he cannot edit them. What am I doing wrong? The user should not be seeing anything.
How can I make this work?
I am configuring a project for a team in Azure DevOps (server).
I would like to allow some members of that team to create/manage their own iterations and areas but I can't seem to do so without granting them permission to the project's security. Even where the permissions are inherited, the user can still add/remove people from the security groups.
Do all three permissions truly come from the "Edit project-level information" setting or is there something else I can do?
Thanks!
I have since learned that being a member of "Project Administrators" is what grants access to manage security, not the "Edit project-level permissions" setting.
We have an issue. User is in the Contributors group of the VSTS project. Able to view dashboard and work items. Unable to view Repos. Need help. Any suggestions?
User needed an MSDN license to use Visual Studio in addition to being in the correct group of the VSTS project. Trial license was not good enough.
According to your description, I highly doubt those users only have Stakeholder access level.
People with Stakeholder access level cannot commit their work on a branch and are unable to view repos.
Assign Stakeholder access to those users who need to enter bugs, view backlogs, boards, charts, and dashboards, but who don't buy basic access. Stakeholders can also view releases and manage release approvals. Stakeholder access is free.
Source Link: About access levels
See Stakeholder access for details of features available to stakeholders.
The user should have either Basic access or a Visual Studio subscription which includes the code feature.
Moreover, if they are still not able to see any other projects after giving them that access, there is another concept called Permissions in Azure DevOps. Double-check the permission for the Contributor group.
Also make sure you have not added them to any other project team group except the Contributors group.
Once the Read permission is denied at the repos level, the user will not be able to see the repos.
Read
Can read the contents of a file or folder. If a user has Read permissions for a folder, the user can see the contents of the folder and the properties of the files in it, even if the user does not have permission to open the files.
I have a custom check-in policy in TFS. I want this policy to be disabled only by Admins and not by Developers. Developers should not be allowed to remove the policy on their machines. How do I do it?
You must have the Edit project-level information permission set to Allow if you want to Enable or Disable Check-In Policies.
You can deny Edit project-level information for Developers, so they won't be able to change the check-in policy.
I was asked to grant permissions to several TFS users.
These users must have access to one branch only. How can I do this?
I'm going to create new TFS user group and deny access to root of Source Control, then allow access to necessary branch. What do you think?
That is the correct approach.
It doesn't work, because the Deny permission has higher priority than Allow, even if the Deny exists on the parent. Deny permissions always override Allow permissions. If you are using TFVC as source control, you could set the permission of the root to "Not Set" and then set "Allow" access to the branch you need.
Remember that in GitVC it's a little different.