I need to add some Check-In policies to a bunch of machines. When I go to Project Settings -> Source Control I can get into the options fine, but I know I have higher permissions than most, but when I try to add them on other developers machines I get an access denied message.
Is there a way that I can roll out check-in policies to all machines and have the client "install" the policy regardless of permissions? I don't want to grant people higher access and then have to take it away.
Also, with access to Source Control settings being denied would this still run the policy as expected?
Edit: I have read that TFS Power Tools has this ability. If people are part of the same team / group, how does it automatically download the files? Or does the developer have to do a Get Latest? Source: http://www.codewrecks.com/blog/index.php/2010/12/04/distributing-visual-studio-addin-for-the-team/
Decided to have a DLL in a single location and roll out the registry keys via a batch file.
Related
I want to give a frontend developer rights only to pull/read from the GitLab container registry. In order to test some things in the frontend he needs also the backend container.
But I dont want to give access to the full gitlab project, so that he can clone the whole repo. I only want to give him access to pull the container from the registry (because how I understand it, he wont have the possibility to access the code then).
Is this even possible with GitLab? Seems like Container Registry access needs whole project access?
If this is not possible with GitLab it should somehow be possible with AWS Registry instead or? (Any suggestions for this usecase I would be very thankfull for.)
While GitLab's user permission scheme lacks some granularity, you might be able to workaround this limitation.
One would be to make the project publicly/internally accessible through its visibility settings. Users only need read ability in order to access the container registry. Obviously, this may not be acceptable if your images are intended to be more private/secret.
One other possible mechanism for granting access to container registry might be to create a project access token with just read_registry scope and distribute that token to your users that need to read the image registry for the project.
The same could be done with group access tokens, too. This may be useful to reduce management overhead if you have many projects with this need.
What are the best practices for accesses permission for programmers working in Azure DevOps? I would like the programmers to be able to use it, by for example having the possibility to create branches.
As far as I can understand by reading documents such as
https://learn.microsoft.com/en-us/azure/devops/organizations/security/set-git-tfvc-repository-permissions?view=azure-devops#git-repository
The only permission needed is a contributor? Is this correct or have I misunderstood the whole thing? The organization I’m working for have for example set the contributor to be a member of :
Build Administrators, Endpoint creators, Release Administrators
Creating users is different thing and assining rights is different thing. Your are looking for something named Policies.
Check for Branching policies in this case.
EDIT:
I was confused with the branching rights, however you can follow the Repository Permissions and Branch permissions to find how you can give permissions on your projects to users
You need to navigate to project settings and then to repositories. there you will find list of repositories and each repo can have certain rights assigned to it. some are inherited, some assigned. You can modify those to fit your likings.
this is the url: https://dev.azure.com/org_name/project_name/_settings/repositories
For more details, follow this link: https://learn.microsoft.com/en-us/azure/devops/organizations/security/set-git-tfvc-repository-permissions?view=azure-devops
thanks for you quick answer. Have digged into the documentation and repository permissions. I gave definitely som insight. My concern is that I want a predefined setting for managing the code repository on a team level, thus would no want to give project permission to the programmers. In my azure devops setup I have only on organization with hundreds of teams.
As I understand it, the permission for the repos are set at the project level. I would like to minimize the project level access since it gives to wide accesses in other cases and other teams. So my hope was that giving programmers contributor access would give the more or less all needed access for the repos out of the box. Such as:
1. Clone, fetch, contribute to pull requests, and explore the contents of a repository
2. Contribute to a repository, create branches, create tags, manage notes
Do not really understand why more access are needed. But could for example give the security control to the build admin role by granting the access to change permission. In this case the ones with build amdnin could adminitrate the security for its own team repos.
Any thoughs on this? Apologize if I have misunderstood you answer...
Azure allows partners to manage customer's resources.
But as startups serving enterprise customers, we might be asked to install our software on customer's Azure Linux server resource and manage it, but we dont want them to access the Linux box via shell or clone it entirely thereby making a copy without our knowledge. How do you solve this?
For the install, I'd write a bash script to install your application by wget'ing the binaries and setting some environment settings. If you want to take it a step further, your client can create an ARM template that spins up the VM and installs your app via custom script extension. When it comes to managing the application, you should be able to view log files in Azure using Application Insights and perform administrative functions using the app. If an issue arises that cannot be diagnosed from the log files and the built-in app diagnostics (e.g. the install failed, app cannot write to log files in local dir), I'd do a screen share with the client and troubleshoot.
You could create a web application that would talk to the OS and perform the administrative tasks you wish. This way, you only need to open one port (possiblity 443 - HTTPS) and share login credentials w/ your partner. This way your OS is protected -- administrative tasks can only be performed through a web UI.
By doing a quick Google search, you can find some open-source options:
http://ajenti.org/
http://www.webmin.com/
https://cockpit-project.org/
You need to ensure you create users for your customer with limited access. Get Webdmin as an example: https://doxfer.webmin.com/Webmin/Webmin_Users
A standard, out-of-the-box Webmin installation has only one user
(called root or admin) who can use every feature of every module. On a
home or office system used by just one person, that is all you need.
Even if your system has multiple users, there may be only one who
needed to perform system administration tasks.
However, there are many situations in which the administrator may want
to give some people access to a subset of Webmin's features. For
example, you may have a person in your organization whose job it is to
create and edit DNS zones and records. On a normal Unix system, this
person would have to be given root access so that he can edit the zone
files and re-start the DNS server when necessary. Unfortunately, once
someone is able to login as root he has full control of the system and
can do whatever he wants.
Webmin solves this kind of problem by allowing you to create
additional users who can login, but only access a few modules. You can
further restrict what the user can do within each module, so that he
cannot abuse its features to perform actions that he is not supposed
to. Because Webmin still runs with full root privileges even when used
by a restricted user, it still has access to all the configuration
files and commands that it needs.
We have customer project files on a network drive. Most users do not have write access privileges within some of the directories. I have been tasked with finding a way to allow them to create directories and files programmatically through a user front end we have developed without allowing them to manually make changes by going to the directory in windows explorer. Most of these users do not have local admin rights, nor would that change their network admin privileges.
This is in a .net programming environment.
I see numerous examples for elevating local rights, but none for elevating network rights.
Some options:
-elevate the privileges within the application.
-run an application on the/a server where the server has the necessary rights and performs the necessary task(s).
-create a windows service application that will run on the server with a listener that will receive requests and perform the necessary task(s).
The second two options would require significant hoops to jump through as my company has a very strict IM security policy. The first option would be ideal, but I am not sure it is possible. I'm not sure the second option is possible either for that matter.
Any thoughts or input would be very much appreciated.
Use Impersonation.
RE: How do you do Impersonation in .NET?
Just make sure the credentials you are using for Impersonation have rights to the folders as necessary. You can use domain or local on the file server credentials as necessary.
We're using Azure to maintain our development and QA servers.
One of the needs we have now, is to provide our QA members access to update web.config file on the server, which can be achieved via Visual Studio Server's Explorer (with the right configuration).
The problem is that you need a user with a subscription as a co-administrator within Azure (at least as far as I managed to understand), but obviously we'd like to allow our QA members only to maintain the files, with limited access via Visual Studio.
Is there any way to do it?
Following Brendan advice, I've granted the QA members FTP access. This should do the job for now, until Microsoft will come up with something better :)
Thanks Brendan!