
Azure DevOps - Decode ACE permission bits


When getting Access Control Lists via the Azure DevOps API it returns a list of Access Control Entities which have fields "Allow" and "Deny".

As far as I understood from the docs, these fields contain some kind of permission bits. They look something like this: "allow": 32630, "deny": 0. Is it possible to somehow decode these values into a human-readable format?


Solution

  • I am afraid that there is no out-of-the-box method that can automatically decode the value into a human-readable format.

    In order to obtain information related to the permission bits, I suggest that you use the Azure DevOps CLI to list all permission bits in the namespace. Refer to this doc: Manage permissions with command line tool

    For example:

    az devops security permission namespace show --namespace-id 58450c49-b02d-465a-ab12-59ae512d6531 --output table 
    

    Then it will return all related information in the namespace:

    Name                      Permission Description                                    Permission Bit
    ------------------------  --------------------------------------------------------  ----------------
    Read                      View analytics                                            1
    Administer                Manage analytics permissions                              2
    Stage                     Push the data to staging area                             4
    ExecuteUnrestrictedQuery  Execute query without any restrictions on the query form  8
    ReadEuii                  Read EUII data                                            16
    

    If you want to allow/deny multiple permissions at the same time, you can add up the permission bit values.

    For example: Allow Read and ReadEuii permission.

    The value 1 + 16 = 17 -> "allow": 17, "deny": 0

    In this case, you can determine the permission bit value associated with 32630.
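
The decoding described in the answer, as an added example that is not part of the original post: it splits an "allow" or "deny" value into its single bits and maps them to names using the namespace table from the CLI output above. The function names are hypothetical, and bits missing from the supplied table are returned separately, which usually means the table is for a different namespace than the ACL.

```python
# Added example, not from the original answer.
# Bit table copied from the CLI output shown above (namespace
# 58450c49-b02d-465a-ab12-59ae512d6531); swap in another namespace's table.
ANALYTICS_BITS = {
    "Read": 1,
    "Administer": 2,
    "Stage": 4,
    "ExecuteUnrestrictedQuery": 8,
    "ReadEuii": 16,
}


def set_bits(mask):
    """Split an integer mask into the individual power-of-two bits it contains."""
    if mask < 0:
        raise ValueError("permission mask must be non-negative")
    return [1 << i for i in range(mask.bit_length()) if mask >> i & 1]


def decode_mask(mask, bit_table):
    """Return (permission names set in mask, bits the table does not define)."""
    by_bit = {bit: name for name, bit in bit_table.items()}
    names, unknown = [], []
    for bit in set_bits(mask):
        if bit in by_bit:
            names.append(by_bit[bit])
        else:
            unknown.append(bit)
    return names, unknown


def decode_ace(ace, bit_table):
    """Decode the "allow" and "deny" fields of one ACE dictionary."""
    return {
        field: decode_mask(int(ace.get(field, 0)), bit_table)
        for field in ("allow", "deny")
    }


if __name__ == "__main__":
    # The ACE value from the answer: Read (1) + ReadEuii (16) = 17.
    print(decode_ace({"allow": 17, "deny": 0}, ANALYTICS_BITS))
    # 32630 from the question, split into single bits to look up in the
    # table of whichever namespace that ACL belongs to.
    print(set_bits(32630))
```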