I am creating automation for Azure DevOps. I want to follow the principle of least privilege. I only need to grant permissions to create repositories across all projects in the organization. I know how to do it at the project level, but for organizations with many projects, assigning permissions at the project level would be time-consuming.
Do you know and can you give me an example of how to grant permissions to create repositories at the level of the entire organization?
You can try to use the Azure DevOps CLI "az devops security permission" to assign the permission:
Go to the Organization Settings > Permissions page to create a new group (e.g., "Create Repos"). Once created, open it, and you can see the group descriptor (subjectDescriptor) of this group in the address bar of the browser. Copy and remember the value of the descriptor (vssgp.xxxx); it will be used in the subsequent Azure DevOps CLI commands.
Run the command "az devops security permission namespace list" to get the namespaceId and bit of the permission item "Create repository". Generally, the values of these two properties are fixed. All the repository-related permission items have the same namespace, and each item has its own bit.
namespaceId: 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87
bit: 256
Then you can run "az devops security permission update" to globally set the permission item "Create repository" to "Allow" for the group "Create Repos" within the organization.
Below is a sample of the Bash script to call the Azure DevOps CLI.
#!/bin/bash
set -euo pipefail
organization="xxxx"
pat="xxxx"
groupDescriptor="vssgp.xxxx"
# No spaces around '=' in a shell assignment; otherwise bash tries to run 'namespaceId' as a command.
namespaceId="2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"
# Log in to the Azure DevOps organization. The PAT is piped on stdin so it does not appear as a command-line argument.
echo "$pat" | az devops login --org "https://dev.azure.com/$organization"
# If you do not know the 'namespaceId' and 'bit' of the permission item, you can run the command below, and then check the values in the output json file.
# az devops security permission namespace list --org "https://dev.azure.com/$organization" > namespaces.json
# Globally set the permission "Create repository" to "Allow" for the group "Create Repos" within the organization.
# The token "repoV2" is the root of the Git Repositories namespace, so the ACE applies to every project rather than a single one.
az devops security permission update --org "https://dev.azure.com/$organization" --id "$namespaceId" --subject "$groupDescriptor" --token "repoV2" --allow-bit 256
With this way:
- The group "Create Repos" has the "Create repository" permission in all the projects within the organization.
- For new projects, the "Create Repos" group also will automatically inherit this permission by default.
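As an added example (it is not part of the answer above, nor an Azure DevOps tool), a small Python helper around the same CLI output: it resolves the namespace id and bit for "Create repository" from a saved "az devops security permission namespace list -o json" file, assembles the update command with shell quoting, and audits an ACE from "az devops security permission show -o json" to confirm the group ended up with exactly bit 256 and nothing more (the least-privilege check a reviewer would want after the script runs). The JSON samples are constructed; the namespace id and bit 256 are the values quoted in the answer, while the other bits, the organization name "contoso", and the assumed shape of the "show" output (a list of ACLs, each with an acesDictionary keyed by descriptor) are assumptions.

```python
"""Offline helpers around Azure DevOps CLI JSON output for the 'Create repository' grant.
Added example: resolve namespace/bit, build the update command, audit the resulting ACE."""
import json
import shlex

GIT_NAMESPACE_ID = "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"  # value quoted in the answer
GROUP_DESCRIPTOR = "vssgp.xxxx"                             # the answer's placeholder descriptor

# Constructed sample in the shape of `az devops security permission namespace list -o json`,
# trimmed to the Git namespace plus a placeholder namespace the lookup must skip.
# Only bit 256 / the namespace id come from the answer; the other bits are illustrative.
NAMESPACES_JSON = """[
  {"namespaceId": "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87", "name": "Git Repositories",
   "actions": [
     {"bit": 2,    "name": "GenericRead",       "displayName": "Read"},
     {"bit": 4,    "name": "GenericContribute", "displayName": "Contribute"},
     {"bit": 8,    "name": "ForcePush",         "displayName": "Force push"},
     {"bit": 256,  "name": "CreateRepository",  "displayName": "Create repository"},
     {"bit": 512,  "name": "DeleteRepository",  "displayName": "Delete or disable repository"},
     {"bit": 8192, "name": "ManagePermissions", "displayName": "Manage permissions"}]},
  {"namespaceId": "00000000-0000-0000-0000-000000000000", "name": "Placeholder namespace",
   "actions": [{"bit": 1, "name": "Administer", "displayName": "Administer"}]}
]"""

# Constructed samples in the assumed shape of `az devops security permission show -o json`.
# The second one is deliberately over-privileged (256 + 512) so the audit has something to flag.
SHOW_GOOD_JSON = """[{"token": "repoV2", "inheritPermissions": true, "acesDictionary": {
  "vssgp.xxxx": {"descriptor": "vssgp.xxxx", "allow": 256, "deny": 0}}}]"""
SHOW_OVER_JSON = """[{"token": "repoV2", "inheritPermissions": true, "acesDictionary": {
  "vssgp.xxxx": {"descriptor": "vssgp.xxxx", "allow": 768, "deny": 0}}}]"""


def find_permission(namespaces, namespace_name, display_name):
    """Return (namespaceId, bit) for the action whose displayName matches exactly.
    Exactly one match is required: a substring match could silently pick a more
    powerful neighbouring permission (e.g. 'Delete or disable repository')."""
    hits = [(ns["namespaceId"], act["bit"])
            for ns in namespaces if ns["name"] == namespace_name
            for act in ns["actions"] if act["displayName"] == display_name]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} actions match {display_name!r} in {namespace_name!r}")
    return hits[0]


def build_update_command(organization, namespace_id, subject, bit, token="repoV2"):
    """Assemble the `az devops security permission update` call from the answer.
    Every value is shell-quoted so a descriptor or organization name read from an
    untrusted source (a ticket, a CSV) cannot inject extra shell commands."""
    org_url = f"https://dev.azure.com/{organization}"
    return " ".join(["az", "devops", "security", "permission", "update",
                     "--organization", shlex.quote(org_url),
                     "--id", shlex.quote(namespace_id),
                     "--subject", shlex.quote(subject),
                     "--token", shlex.quote(token),
                     "--allow-bit", str(int(bit))])


def decode_mask(namespace, mask):
    """Translate an allow/deny bitmask back into the action names it covers."""
    return [act["name"] for act in namespace["actions"] if mask & act["bit"]]


def audit_ace(acls, namespace, subject, token, expected_bit):
    """Check that the ACE for `subject` on `token` allows exactly `expected_bit`.
    Returns (ok, findings); findings is empty when the grant is least-privilege."""
    acl = next((a for a in acls if a.get("token") == token), None)
    if acl is None:
        return False, [f"no ACL for token {token!r}"]
    ace = acl.get("acesDictionary", {}).get(subject)
    if ace is None:
        return False, [f"no ACE for {subject!r} on token {token!r}"]
    allow, deny = int(ace.get("allow", 0)), int(ace.get("deny", 0))
    findings = []
    if not allow & expected_bit:
        findings.append(f"expected bit {expected_bit} is not allowed")
    if deny & expected_bit:
        findings.append(f"expected bit {expected_bit} is denied (deny wins over allow)")
    extra = allow & ~expected_bit
    if extra:
        findings.append("over-privileged: also allows " + ", ".join(decode_mask(namespace, extra)))
    return not findings, findings


if __name__ == "__main__":
    namespaces = json.loads(NAMESPACES_JSON)
    ns_id, bit = find_permission(namespaces, "Git Repositories", "Create repository")
    print(build_update_command("contoso", ns_id, GROUP_DESCRIPTOR, bit))
    git_ns = next(ns for ns in namespaces if ns["namespaceId"] == ns_id)
    for label, raw in (("good", SHOW_GOOD_JSON), ("over", SHOW_OVER_JSON)):
        print(label, audit_ace(json.loads(raw), git_ns, GROUP_DESCRIPTOR, "repoV2", bit))
```

Run it with the real files by replacing the two sample strings with the contents of "namespaces.json" and the output of "az devops security permission show --id <namespaceId> --subject <descriptor> --token repoV2 -o json"; an "over-privileged" finding means the group carries bits beyond 256 and the grant should be narrowed before it is rolled out.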