How to add users to a particular repository using API
I am struggling in going through the API documentation for Azure devops on how to add a user to a particular repo using Rest API with read and write access to a git repository. Please guide me on this.
For Example: There are 3 Repositories. I want to restrict access to other two repositories via API. I fetched the namespaceId and used access control entitlement APIs nothing helped
Solution
Based on the further discussions, the actual requirement is to allow users' access to one single repo in a project and prevent the access to other repos in this project. For this, you may try the sample PowerShell script below, which will Deny All repositories Contribute permission for [PrjectA]\Contributors group and Allow Repo1 Contribute permission for [PrjectA]\Contributors group.
$organization = "YourADOOrgName"
$project = "ProjectA"
$groupName = "Contributors"
$allowRepo = "Repo1"
$MyPat = 'xxxxx'
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
$headers = @{
'Authorization' = 'Basic ' + $B64Pat
'Content-Type' = 'application/json'
}
# Get projects GET https://dev.azure.com/{organization}/_apis/projects?api-version=7.1-preview.4
$projectsURL = "https://dev.azure.com/$organization/_apis/projects?api-version=7.1-preview.4"
$projects = Invoke-RestMethod -Uri $projectsURL -Method Get -Headers $headers
$projectA = $projects.value | Where-Object { $_.name -eq "$project" }
$projectAId = $projectA.id
Write-Host "The id of $project is $projectAId"
# Get repos GET https://dev.azure.com/{organization}/{project}/_apis/git/repositories?api-version=7.1-preview.1
$reposURL = "https://dev.azure.com/$organization/$project/_apis/git/repositories?api-version=7.1-preview.1"
$repos = Invoke-RestMethod -Uri $reposURL -Method Get -Headers $headers
$repo = $repos.value | Where-Object { $_.name -eq "$allowRepo" }
$repoId = $repo.id
Write-Host "The id of $allowRepo is $repoId"
# Get group identity GET https://vssps.dev.azure.com/{organization}/_apis/identities?searchFilter=General&filterValue=Project Collection Valid Users&queryMembership=None&api-version=7.2-preview.1
$groupIdsURL = "https://vssps.dev.azure.com/$organization/_apis/identities?searchFilter=General&filterValue=[$project]\$groupName&queryMembership=None&api-version=7.2-preview.1"
$groupIds = Invoke-RestMethod -Uri $groupIdsURL -Method Get -Headers $headers
$groupId = $groupIds.value | Where-Object { $_.providerDisplayName -eq "[$project]\$groupName" }
$groupDescriptor = $groupId.descriptor
Write-Host "The descriptor for group [$project]\$groupName is $groupDescriptor"
# All security namespaces GET https://dev.azure.com/{organization}/_apis/securitynamespaces?api-version=7.2-preview.1
$namespacesURL = "https://dev.azure.com/$organization/_apis/securitynamespaces?api-version=7.2-preview.1"
$namespaces = Invoke-RestMethod -Uri $namespacesURL -Method Get -Headers $headers
$namespaces | ConvertTo-Json -Depth 100 | Out-File "C:\Users\Alvin\Desktop\namespaces.json"
$namespaceGitRepos = $namespaces.value | Where-Object { $_.displayName -eq "Git Repositories" }
$namespaceIdGitReposContribute = $namespaceGitRepos.actions | Where-Object { $_.displayName -eq "Contribute" }
$namespaceIdGitReposContributeBit = $namespaceIdGitReposContribute.bit
$namespaceIdGitRepos = $namespaceGitRepos.namespaceId
Write-Host "The id for namespace Git Repositories is $namespaceIdGitRepos"
Write-Host "The bit for permission Contribute in namespace Git Repositories is $namespaceIdGitReposContributeBit"
# Access Control Entries - Set Access Control Entries POST https://dev.azure.com/{organization}/_apis/accesscontrolentries/{securityNamespaceId}?api-version=7.2-preview.1
$contributeACEURL = "https://dev.azure.com/$organization/_apis/accesscontrolentries/${namespaceIdGitRepos}?api-version=7.2-preview.1"
# Deny All repositories Contribute permission for [PrjectA]\Contributors group
$contributeDenyACEBody = @{
"token" = "repoV2/$projectAId"
"merge" = $true
"accessControlEntries" = @(
@{
"descriptor" = "$groupDescriptor"
"allow" = 0
"deny" = $namespaceIdGitReposContributeBit
"extendedInfo"= @{
"effectiveAllow" = 0
"effectiveDeny" = $namespaceIdGitReposContributeBit
"inheritedAllow" = 0
"inheritedDeny" = $namespaceIdGitReposContributeBit
}
}
)
} | ConvertTo-Json -Depth 100
Invoke-RestMethod -Uri $contributeACEURL -Method Post -Headers $headers -Body $contributeDenyACEBody
# Allow Repo1 Contribute permission for [PrjectA]\Contributors group
$contributeAllowACEBody = @{
"token" = "repoV2/$projectAId/$repoId"
"merge" = $true
"accessControlEntries" = @(
@{
"descriptor" = "$groupDescriptor"
"allow" = $namespaceIdGitReposContributeBit
"deny" = 0
"extendedInfo"= @{
"effectiveAllow" = $namespaceIdGitReposContributeBit
"effectiveDeny" = 0
"inheritedAllow" = $namespaceIdGitReposContributeBit
"inheritedDeny" = 0
}
}
)
} | ConvertTo-Json -Depth 100
Invoke-RestMethod -Uri $contributeACEURL -Method Post -Headers $headers -Body $contributeAllowACEBody
Once tested working, you may spread to other permissions like Read and set permissions for another group of users like Readers.
- DevOps deploying Azure Web Apps to wwwroot/Content/D_C/a/1/s/ in Linux container
- Azure DevOps: access secret variable programmatically
- How to install PowerShell module pushed to Azure Artifacts in Pipelines?
- Get all work items from a project azure devops REST API
- Which scope takes precedence in an release pipeline variable?
- In Azure DevOps, need to view and prioritize Features, Product Backlog Items and Bugs in one list in relation to each other
- CICD of data factory
- Can't multi-target projects in azure pipeline build
- Preview state of azure pipeline yaml after supplying it with runtime parameters
- How do I identify the triggering pipeline in the download step when downloading pipeline artifacts in Azure DevOps on-prem?
- JIRA Azure DevOps iteration not showing work item in Azure DevOps
- Azure DevOps build Artifact Error because of Failed to fetch ARM parameters: Error: Input required: AzureResourceManagerConnection
- Issue with Azure DevOps API: Newly Created Area Paths Not Recognized Immediately
- How to add tag to a build from classic release after successful deployment to stage
- I don't see the menu entries for releases
- Azure DevOps Rest API : Object "ID" scope
- Getting "BadRequest" when trying to deploy web app networking settings using Bicep trmplate
- Accessing Azure DevOps Board custom field using OData query
- AzureStaticWebApp@0 push from artifacts
- Azure DevOps - deploy Window Service task
- CICD for Azure Databricks
- Trigger Azure DevOps pipeline only for "main" AND changes in a certain path
- Azure Pipelines - Replace a variable in a yaml file
- Azure dev ops cicd yaml variable for appSettings, multi line causing an error
- .Net Azure Function app publish does not generate a bin folder
- Git cleanup/garbage collection on remote Azure DevOps git repository
- Run build only on approval
- Azure DevOps is not gathering all changes when using schduled cron trigger
- yaml pipeline: How to use a build artifact generated in a previous build
- How to resolve eslint errors due to use of the html() method in jquery libraries when running security scans with Github advanced security?