azureazure-devopsazure-pipelinesazure-devops-rest-apiazure-pipelines-build-task

Azure DevOps REST API: Permissions Not Updating Despite Successful Response

Question:

I am trying to update permissions for a pipeline in Azure DevOps using the REST API, but although I get a 204 No Content response, the permissions are not actually being applied or updated.

What I'm Doing: I'm using the Azure DevOps REST API to update the Access Control Entries (ACL) for a specific pipeline. Below is the POST request payload I am using:

`permissions_payload = {
  "value": [
    {
      "inheritPermissions": False,
      "token": "vstfs:///Classification/TeamProject/{project_id}/{pipeline_id}",
      "acesDictionary": {
        "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1": {
          "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
          "principalName": "[{project_name}]\\Contributors",
          "allow": 0,
          "deny": 1
        }
      }
    }
  ]
}

# POST request
response = requests.post(
    permission_url,
    headers=headers,
    json=permissions_payload,
    verify=False
)

if response.status_code == 200 or response.status_code == 204:
    print("Permissions updated successfully.")
else:
    print(f"Failed to update permissions: {response.status_code}")`

Response: I receive a 204 No Content, indicating the request was successful. However, when I check the pipeline's security settings via the Azure DevOps UI, the permissions are not updated.

Steps I've Tried: Checked the descriptor: I'm using the correct descriptor for the "Contributors" group retrieved from the Graph API. Verified the token: The token I'm using follows the format: vstfs:///Classification/TeamProject/{project_id}/{pipeline_id} Tried both inheritPermissions: True and inheritPermissions: False, but the outcome is the same.

My Goal: I want to deny certain permissions for the "Contributors" group on a specific pipeline, but nothing seems to work despite receiving a successful response from the API.

Solution

  • Based on your description, you need to use Rest API to update the Pipeline permissions.

    To meet your requirement, you can use the Rest API: Access Control Entries - Set Access Control Entries

    Update Pipeline permission SecurityNamespaceId : 33344d9c-fc72-4d6f-aba5-fa317101a7e9

    POST https://dev.azure.com/{organization}/_apis/accesscontrolentries/33344d9c-fc72-4d6f-aba5-fa317101a7e9?api-version=6.0

    Request Body:

    {
    "token":"{ProjectID}/{PipelineID}",
    "merge":true,
    "accessControlEntries":[{
        "descriptor":"Microsoft.TeamFoundation.Identity;S-1-9-1551374245-491114055-2098815309-2189422963-3385397751-1-479303010-554652490-2991085287-3350433821",
        "allow":16384,
        "deny":16
    }]
}

    To get the descriptor ID, you can use the Rest API: Identities - Read Identities

    GET https://vssps.dev.azure.com/fabrikam/_apis/identities?searchFilter=General&filterValue=[{project_name}]\Contributors&queryMembership=None&api-version=7.0

    Python Script sample:

    import requests
import json

url = "https://dev.azure.com/{orgname}/_apis/accesscontrolentries/33344d9c-fc72-4d6f-aba5-fa317101a7e9?api-version=6.0"

payload = json.dumps({
  "token": "{ProjectID}/{PipelineID}",
  "merge": True,
  "accessControlEntries": [
    {
      "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-491114055-2098815309-2189422963-3385397751-1-479303010-554652490-2991085287-3350433821",
      "allow": 16384,
      "deny": 16
    }
  ]
})
headers = {
  'Content-Type': 'application/json',
  'Authorization': 'Basic {Base64PAT}'

}

response = requests.request("POST", url, headers=headers, data=payload)

if response.status_code == 200 or response.status_code == 204:
    print("Permissions updated successfully.")
else:
    print(f"Failed to update permissions: {response.status_code}")

print(response.text)

    Permission value list:

    Administer build permissions: 16384

Delete build pipeline: 4096

Delete builds: 8

Destroy builds: 32

Edit build pipeline: 2048

Edit build quality: 2

Edit queue build configuration: 65536

Manage build qualities: 16

Manage build queue: 256

Override check-in validation by build: 8192

Queue builds: 128

Retain indefinitely: 4

Stop builds: 512

Update build information: 64

View build pipeline: 1024

View builds: 1

    If you need to deny multiple permissions, you can plus related numbers.

    For example: deny View builds and View build pipeline permission: 1 + 1024 = 1025

    {
.....
"accessControlEntries":[{
    "descriptor":"Microsoft.TeamFoundation.Identity;S-1-9-1551374245-491114055-2098815309-2189422963-3385397751-1-479303010-554652490-2991085287-3350433821",
    "allow":0,
    "deny":1025
}]
}

    Result:

    enter image description here

    Update:

    If you need to keep using the Rest API and Request body shared in Question: Access Control Lists - Set Access Control Lists, you need to change the token value:

    From:

    "token": "vstfs:///Classification/TeamProject/{project_id}/{pipeline_id}",

    To:

    "token": "{project_id}/{pipeline_id}",

    In this case, it will work as expected too.