azure-devops

AZDO REST API Setting ACL


I have been reading the docs here: Access Control Lists - Set Access Control Lists

One part bothers me:

All data that currently exists for the ACLs supplied will be overwritten

One ACL can have permissions for many identities (users, groups).

So if I just want to edit the permissions for one identity, can I just submit my payload with that one identity? ...or will that be interpreted as a delete for all the existing identities that I am not including in my payload?

If the latter, then I am thinking one would have to extract the entire ACL with a GET, modify the element requiring change, and resubmit the entire ACL with all identities, whether changed or not.

{
    "inheritPermissions": [true | false],
    "token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx", 
    "acesDictionary": {
        "Microsoft.TeamFoundation.Identity;S-1-1-1111xxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-x-x-x-x-1": {
            "descriptor": "Microsoft.TeamFoundation.Identity;S-1-1-1111.....",  
            "allow": 31,
            "deny": 0
        },
        "Microsoft.TeamFoundation.Identity;S-2-2-2222xxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-x-x-x-x-2": {
            "descriptor": "Microsoft.TeamFoundation.Identity;S-2-2-2222.....",  
            "allow": 31,
            "deny": 0
        }
    }
}

Appreciate any clarifications before I go mess up our system ;)


Solution

  • if I just want to edit the permissions for one identity, can I just submit my payload with that one identity? ...or will that be interpreted as a delete for all the existing identities that I am not including in my payload?

    Your understanding is correct; the latter is the actual situation. When we use the REST API Access Control Lists - Set Access Control Lists to update the permissions, it will remove the permissions of other groups/users if you only provide one identity.

    To update one identity with the Set Access Control Lists REST API, we first need to use the REST API Access Control Lists - Query to get the entire ACL for the security token.

    GET https://dev.azure.com/{organization}/_apis/accesscontrollists/{securityNamespaceId}?token={token}&api-version=7.1
    

    Then you can put the entire ACL into the request body and modify the element to update the permission.

    On the other hand, if you only want to update the permissions of one identity, you can consider using the REST API Access Control Entries - Set Access Control Entries:

    POST https://dev.azure.com/{organization}/_apis/accesscontrolentries/{securityNamespaceId}?api-version=7.1
    

    Request body:

    {
      "token": "newToken",
      "merge": true,
      "accessControlEntries": [
        {
          "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-2",
          "allow": 8,
          "deny": 0,
          "extendedinfo": {}
        }
      ]
    }
    

    In this case, if you only provide one identity, it will not change the permissions of other groups/users.
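The two approaches the answer describes, read-modify-write against Set Access Control Lists and a single-entry Set Access Control Entries call with merge=true, as an added Python example (this is not code from the question, the answer, or Microsoft). The URL shapes follow the GET and POST shown above; the `{"value": [...]}` collection wrapper for the Set ACL body, the PAT sent as HTTP Basic auth with an empty user name, and the "clear a bit from deny when it is granted in allow" rule are my assumptions. The sample ACL is constructed, not fetched from a real organization. The guard in update_one_identity is the check a practitioner wants before overwriting an ACL: it refuses to send a payload that would silently delete ACEs the server currently holds.

```python
"""Change one identity's permissions on an Azure DevOps ACL without dropping the rest.

Added example, not the page's own code. Assumptions: Set ACL takes the ACL
inside a {"value": [...]} wrapper, a PAT is accepted as Basic auth with an
empty user name, and a permission bit should not sit in both allow and deny.
"""
import base64
import copy
import json
import urllib.parse
import urllib.request

API_VERSION = "7.1"


def api_url(org, path, **query):
    """Build a dev.azure.com URL; every query parameter is joined with '&'
    (the answer's GET example is missing that '&' before api-version)."""
    query["api-version"] = API_VERSION
    qs = "&".join(f"{k}={urllib.parse.quote(str(v), safe='')}" for k, v in query.items())
    return f"https://dev.azure.com/{org}/_apis/{path}?{qs}"


def auth_header(pat):
    """PAT as HTTP Basic auth with an empty user name (assumed AZDO convention)."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def call(url, pat, method="GET", body=None):
    """One REST call returning decoded JSON. Network; not exercised offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", auth_header(pat))
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def set_bits(acl, descriptor, allow_bits=0, deny_bits=0):
    """Return a copy of `acl` with `allow_bits` added to the allow mask and
    `deny_bits` added to the deny mask of `descriptor`'s ACE. A bit granted in
    allow is cleared from deny and vice versa (my design choice). Every other
    ACE is carried over untouched, which is the point of read-modify-write."""
    updated = copy.deepcopy(acl)
    aces = updated.setdefault("acesDictionary", {})
    ace = aces.setdefault(descriptor, {"descriptor": descriptor, "allow": 0, "deny": 0})
    ace["allow"] = (ace["allow"] | allow_bits) & ~deny_bits
    ace["deny"] = (ace["deny"] | deny_bits) & ~allow_bits
    return updated


def set_acl_body(acl):
    """Body for Set Access Control Lists: the FULL ACL, since the call overwrites."""
    return {"value": [acl]}


def set_ace_body(token, descriptor, allow, deny):
    """Body for Set Access Control Entries with merge=true: one ACE, others untouched."""
    return {
        "token": token,
        "merge": True,
        "accessControlEntries": [
            {"descriptor": descriptor, "allow": allow, "deny": deny, "extendedinfo": {}}
        ],
    }


def dropped_descriptors(existing_acl, proposed_acl):
    """Descriptors the server has but the proposed Set ACL payload lacks.
    Set ACL replaces the ACL, so each of these would be deleted."""
    return sorted(set(existing_acl["acesDictionary"]) - set(proposed_acl["acesDictionary"]))


def update_one_identity(org, namespace_id, token, pat, descriptor, allow_bits, deny_bits=0):
    """Query the ACL, change one ACE, refuse to send if any ACE would be lost, then Set."""
    current = call(api_url(org, f"accesscontrollists/{namespace_id}", token=token), pat)["value"][0]
    proposed = set_bits(current, descriptor, allow_bits, deny_bits)
    lost = dropped_descriptors(current, proposed)
    if lost:
        raise RuntimeError(f"refusing to overwrite ACL; payload would drop {lost}")
    return call(api_url(org, f"accesscontrollists/{namespace_id}"), pat, "POST", set_acl_body(proposed))


# Constructed sample of what Query might return for one token (not real data).
ID_A = "Microsoft.TeamFoundation.Identity;S-1-9-1-1"
ID_B = "Microsoft.TeamFoundation.Identity;S-1-9-1-2"
SAMPLE_ACL = {
    "inheritPermissions": True,
    "token": "repoV2/proj-guid/repo-guid",
    "acesDictionary": {
        ID_A: {"descriptor": ID_A, "allow": 31, "deny": 0},
        ID_B: {"descriptor": ID_B, "allow": 3, "deny": 8},
    },
}

if __name__ == "__main__":
    # Granting bit 8 to ID_B moves it out of deny and leaves ID_A at 31/0.
    safe = set_bits(SAMPLE_ACL, ID_B, allow_bits=8)
    print(json.dumps(set_acl_body(safe), indent=2))
    # A payload carrying only ID_B would delete ID_A if sent to Set ACL.
    only_b = {"acesDictionary": {ID_B: safe["acesDictionary"][ID_B]}}
    print("would drop:", dropped_descriptors(SAMPLE_ACL, only_b))
```

Use update_one_identity when you need the Set ACL route (for instance to change inheritPermissions at the same time); for a plain single-identity change, set_ace_body with merge=true is the smaller and safer request.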