How to add users to a particular repository using API
I am struggling in going through the API documentation for Azure devops on how to add a user to a particular repo using Rest API with read and write access to a git repository. Please guide me on this.
For Example: There are 3 Repositories. I want to restrict access to other two repositories via API. I fetched the namespaceId and used access control entitlement APIs nothing helped
Solution
Based on the further discussions, the actual requirement is to allow users' access to one single repo in a project and prevent the access to other repos in this project. For this, you may try the sample PowerShell script below, which will Deny All repositories Contribute permission for [PrjectA]\Contributors group and Allow Repo1 Contribute permission for [PrjectA]\Contributors group.
$organization = "YourADOOrgName"
$project = "ProjectA"
$groupName = "Contributors"
$allowRepo = "Repo1"
$MyPat = 'xxxxx'
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
$headers = @{
'Authorization' = 'Basic ' + $B64Pat
'Content-Type' = 'application/json'
}
# Get projects GET https://dev.azure.com/{organization}/_apis/projects?api-version=7.1-preview.4
$projectsURL = "https://dev.azure.com/$organization/_apis/projects?api-version=7.1-preview.4"
$projects = Invoke-RestMethod -Uri $projectsURL -Method Get -Headers $headers
$projectA = $projects.value | Where-Object { $_.name -eq "$project" }
$projectAId = $projectA.id
Write-Host "The id of $project is $projectAId"
# Get repos GET https://dev.azure.com/{organization}/{project}/_apis/git/repositories?api-version=7.1-preview.1
$reposURL = "https://dev.azure.com/$organization/$project/_apis/git/repositories?api-version=7.1-preview.1"
$repos = Invoke-RestMethod -Uri $reposURL -Method Get -Headers $headers
$repo = $repos.value | Where-Object { $_.name -eq "$allowRepo" }
$repoId = $repo.id
Write-Host "The id of $allowRepo is $repoId"
# Get group identity GET https://vssps.dev.azure.com/{organization}/_apis/identities?searchFilter=General&filterValue=Project Collection Valid Users&queryMembership=None&api-version=7.2-preview.1
$groupIdsURL = "https://vssps.dev.azure.com/$organization/_apis/identities?searchFilter=General&filterValue=[$project]\$groupName&queryMembership=None&api-version=7.2-preview.1"
$groupIds = Invoke-RestMethod -Uri $groupIdsURL -Method Get -Headers $headers
$groupId = $groupIds.value | Where-Object { $_.providerDisplayName -eq "[$project]\$groupName" }
$groupDescriptor = $groupId.descriptor
Write-Host "The descriptor for group [$project]\$groupName is $groupDescriptor"
# All security namespaces GET https://dev.azure.com/{organization}/_apis/securitynamespaces?api-version=7.2-preview.1
$namespacesURL = "https://dev.azure.com/$organization/_apis/securitynamespaces?api-version=7.2-preview.1"
$namespaces = Invoke-RestMethod -Uri $namespacesURL -Method Get -Headers $headers
$namespaces | ConvertTo-Json -Depth 100 | Out-File "C:\Users\Alvin\Desktop\namespaces.json"
$namespaceGitRepos = $namespaces.value | Where-Object { $_.displayName -eq "Git Repositories" }
$namespaceIdGitReposContribute = $namespaceGitRepos.actions | Where-Object { $_.displayName -eq "Contribute" }
$namespaceIdGitReposContributeBit = $namespaceIdGitReposContribute.bit
$namespaceIdGitRepos = $namespaceGitRepos.namespaceId
Write-Host "The id for namespace Git Repositories is $namespaceIdGitRepos"
Write-Host "The bit for permission Contribute in namespace Git Repositories is $namespaceIdGitReposContributeBit"
# Access Control Entries - Set Access Control Entries POST https://dev.azure.com/{organization}/_apis/accesscontrolentries/{securityNamespaceId}?api-version=7.2-preview.1
$contributeACEURL = "https://dev.azure.com/$organization/_apis/accesscontrolentries/${namespaceIdGitRepos}?api-version=7.2-preview.1"
# Deny All repositories Contribute permission for [PrjectA]\Contributors group
$contributeDenyACEBody = @{
"token" = "repoV2/$projectAId"
"merge" = $true
"accessControlEntries" = @(
@{
"descriptor" = "$groupDescriptor"
"allow" = 0
"deny" = $namespaceIdGitReposContributeBit
"extendedInfo"= @{
"effectiveAllow" = 0
"effectiveDeny" = $namespaceIdGitReposContributeBit
"inheritedAllow" = 0
"inheritedDeny" = $namespaceIdGitReposContributeBit
}
}
)
} | ConvertTo-Json -Depth 100
Invoke-RestMethod -Uri $contributeACEURL -Method Post -Headers $headers -Body $contributeDenyACEBody
# Allow Repo1 Contribute permission for [PrjectA]\Contributors group
$contributeAllowACEBody = @{
"token" = "repoV2/$projectAId/$repoId"
"merge" = $true
"accessControlEntries" = @(
@{
"descriptor" = "$groupDescriptor"
"allow" = $namespaceIdGitReposContributeBit
"deny" = 0
"extendedInfo"= @{
"effectiveAllow" = $namespaceIdGitReposContributeBit
"effectiveDeny" = 0
"inheritedAllow" = $namespaceIdGitReposContributeBit
"inheritedDeny" = 0
}
}
)
} | ConvertTo-Json -Depth 100
Invoke-RestMethod -Uri $contributeACEURL -Method Post -Headers $headers -Body $contributeAllowACEBody
Once tested working, you may spread to other permissions like Read and set permissions for another group of users like Readers.
- How to Migrate TFVS project to Azure Git Repos from different Organization
- How to branch from non-default branch in Azure DevOps GitHub.com integration?
- Can't provide NuGet package source credentials to Azure Function
- Azure Pipelines: How to make a task dependent on a previous task?
- How to use multiple environments from one Azure pipeline?
- Azure DevOps pipeline continues to run despite removing schedule
- How to prevent creating a new branch of a certain branch
- Azure Active Directory App service Principal create new client secret
- Azure Devops Pipeline - Use Microsoft Visual Studio Installer Projects
- Azure DevOps yaml - Get current date with MMM (month short name)
- Accessing azure custom field using OData query
- build validation and status check policy on branch for Python code
- How to connect to Azure VM Windows Admin Center from Azure DevOps without enabling PSRemoting in VM
- Bash Task in Azure DevOps not able to recognize variable in set in Classic Release pipeline
- Is it possible to have a link to raw content of file in Azure DevOps
- USING RUNTIME VARIABLES IN AZURE YAML CHECKOUT
- How to configure Dependabot on Azure DevOps to create only one PR for minor/patch updates
- Pass an array of string to a powershell script from a yaml template
- Repository permanency between stages in an Azure DevOps pipeline
- Deploying Container App with Arm Template via Azure Devops: UNAUTHORIZED: authentication required
- NU1301: Unable to load the service index for source, even after setting up Personal Access Token
- How to deploy files to a server
- Azure Pipelines: git lfs not known with explicit declaration but UI config
- Comparison of string parameters always return false in Azure DevOps 2022
- Create Azure Devops pipeline without code checkout
- Increment Azure Pipelines version number with commits
- Azure Devops odata query returns UserEmail:Unknown
- In Azure Dev Ops, given a branch name, how I do I get the corresponding Pull Request (if one exists)
- Terraform Initialize Error on Azure Devops release pipeline
- How to use an Azure Devops Release task to execute a Azure Pipeline