3
votes

I'm trying to set permissions using ACL with project permission namespace. In the request bodyInfo, I am passing '16' for allow so that I will allow Administer Build (16) permission for the group but nothing happens.

$securityNamespaceId = "52d39943-cb85-4d7f-8fa8-c6baac873819"
$groupDesc = "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-3474010476-3658975049-2966243200-2961816057-1-3769221364-1224424009-2749800435-4143997070"
$projectId = "12313142-eec0-4c3d-b9b5-44d0c3973b3e"
$token = "`$PROJECT:vstfs:///Classification/TeamProject/$($projectId)"
$allowMask = 16
$denyMask = 0

$bodyInfo = @" 
   { 
      "token": "$Token", 
      "merge": false, 
      "accessControlEntries": [ 
         { 
            "descriptor": "$groupDesc", 
            "allow": $AllowMask, 
            "deny": $DenyMask, 
            "extendedinfo": {} 
         } 
      ] 
   } 
"@

$uri = "https://dev.azure.com/{organization}/_apis/accesscontrolentries/52d39943-cb85-4d7f-8fa8-c6baac873819?api-version=5.0"

$result = (Invoke-RestMethod -Method Post -Uri $uri -Body $bodyInfo -Headers $headers -ContentType "application/json") 

count value


1 {@{descriptor=Microsoft.TeamFoundation.Identity;S-1-9-1551374245-3474010476-3658975049-2966243200-2961816057-1-3769221364-1224424009-2749800435-4143997070; allow=16; deny=0}}


     bit name                         displayName                                  namespaceId
     --- ----                         -----------                                  -----------
       1 GENERIC_READ                 View project-level information               52d39943-cb85-4d7f-8fa8-c6baac873819
       2 GENERIC_WRITE                Edit project-level information               52d39943-cb85-4d7f-8fa8-c6baac873819
       4 DELETE                       Delete team project                          52d39943-cb85-4d7f-8fa8-c6baac873819
       8 PUBLISH_TEST_RESULTS         Create test runs                             52d39943-cb85-4d7f-8fa8-c6baac873819
      16 ADMINISTER_BUILD             Administer a build                           52d39943-cb85-4d7f-8fa8-c6baac873819
      32 START_BUILD                  Start a build                                52d39943-cb85-4d7f-8fa8-c6baac873819
      64 EDIT_BUILD_STATUS            Edit build quality                           52d39943-cb85-4d7f-8fa8-c6baac873819
     128 UPDATE_BUILD                 Write to build operational store             52d39943-cb85-4d7f-8fa8-c6baac873819
     256 DELETE_TEST_RESULTS          Delete test runs                             52d39943-cb85-4d7f-8fa8-c6baac873819
     512 VIEW_TEST_RESULTS            View test runs                               52d39943-cb85-4d7f-8fa8-c6baac873819
    2048 MANAGE_TEST_ENVIRONMENTS     Manage test environments                     52d39943-cb85-4d7f-8fa8-c6baac873819
    4096 MANAGE_TEST_CONFIGURATIONS   Manage test configurations                   52d39943-cb85-4d7f-8fa8-c6baac873819
    8192 WORK_ITEM_DELETE             Delete and restore work items                52d39943-cb85-4d7f-8fa8-c6baac873819
   16384 WORK_ITEM_MOVE               Move work items out of this project          52d39943-cb85-4d7f-8fa8-c6baac873819
   32768 WORK_ITEM_PERMANENTLY_DELETE Permanently delete work items                52d39943-cb85-4d7f-8fa8-c6baac873819
   65536 RENAME                       Rename team project                          52d39943-cb85-4d7f-8fa8-c6baac873819
  131072 MANAGE_PROPERTIES            Manage project properties                    52d39943-cb85-4d7f-8fa8-c6baac873819
  262144 MANAGE_SYSTEM_PROPERTIES     Manage system project properties             52d39943-cb85-4d7f-8fa8-c6baac873819
  524288 BYPASS_PROPERTY_CACHE        Bypass project property cache                52d39943-cb85-4d7f-8fa8-c6baac873819
 1048576 BYPASS_RULES                 Bypass rules on work item updates            52d39943-cb85-4d7f-8fa8-c6baac873819
 2097152 SUPPRESS_NOTIFICATIONS       Suppress notifications for work item updates 52d39943-cb85-4d7f-8fa8-c6baac873819
 4194304 UPDATE_VISIBILITY            Update project visibility                    52d39943-cb85-4d7f-8fa8-c6baac873819
 8388608 CHANGE_PROCESS               Change process of team project.              52d39943-cb85-4d7f-8fa8-c6baac873819
16777216 AGILETOOLS_BACKLOG           Agile backlog management.                    52d39943-cb85-4d7f-8fa8-c6baac873819
1
I think "Administer Build" is not in the project-level permissions; it's a build-level permission. - Shayki Abramczyk

1 Answers

1
votes

In your script, you want to use a project-level token to modify the Administer Build permission in build security. I tested it in Postman and found that when using a project-level token to modify the build security permission, the response status was 200, but in the UI the permissions were not actually changed. You can try using a build-level token to make changes to the build security permission.

Hope this helps.
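
One way to act on the answer's suggestion, as an added example that is not code from the question or the answer: it resolves the build security namespace and the permission bit by name, writes the ACE with a build-level token, then reads the ACL back so a 200 response is not taken as proof. The function name, its parameters, the namespace name "Build", the action name "AdministerBuildPermissions" and the token format are assumptions based on Microsoft's security namespace reference, not values from this page.

```powershell
# Added example. Assumed names (not from the post): Grant-BuildPermission, its parameters,
# the namespace name "Build" and the action name "AdministerBuildPermissions".
function Grant-BuildPermission {
    param(
        [Parameter(Mandatory)] [string]    $Organization,
        [Parameter(Mandatory)] [string]    $ProjectId,
        [Parameter(Mandatory)] [string]    $Descriptor,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [string] $ActionName = "AdministerBuildPermissions"
    )
    $base = "https://dev.azure.com/$Organization/_apis"

    # Resolve the namespace id and the permission bit by name instead of hard-coding them.
    $all    = (Invoke-RestMethod -Uri "$base/securitynamespaces?api-version=5.0" -Headers $Headers).value
    $ns     = $all | Where-Object { $_.name -eq "Build" }
    $action = $ns.actions | Where-Object { $_.name -eq $ActionName }
    if (-not $ns -or -not $action) { throw "Namespace 'Build' or action '$ActionName' not found." }

    # Build-namespace tokens: "<projectId>" for all pipelines, "<projectId>/<definitionId>" for one.
    $token = $ProjectId

    $body = @{
        token                = $token
        merge                = $true   # OR the bit into the existing ACE; $false would replace it
        accessControlEntries = @(@{ descriptor = $Descriptor; allow = $action.bit; deny = 0 })
    } | ConvertTo-Json -Depth 5

    $aceUri = "$base/accesscontrolentries/$($ns.namespaceId)?api-version=5.0"
    Invoke-RestMethod -Method Post -Uri $aceUri -Body $body -Headers $Headers -ContentType "application/json" | Out-Null

    # Read the ACL back: a 200 on the POST only proves an ACE was stored somewhere.
    $query = "token=$([uri]::EscapeDataString($token))" +
             "&descriptors=$([uri]::EscapeDataString($Descriptor))&api-version=5.0"
    $acl = (Invoke-RestMethod -Uri "$base/accesscontrollists/$($ns.namespaceId)?$query" -Headers $Headers).value
    $ace = $acl.acesDictionary.$Descriptor

    [pscustomobject]@{
        NamespaceId = $ns.namespaceId
        Token       = $token
        Bit         = $action.bit
        Granted     = [bool]($ace.allow -band $action.bit)
    }
}

# Usage (PAT taken from an environment variable; organization name is a placeholder):
# $headers = @{ Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$env:AZDO_PAT")) }
# Grant-BuildPermission -Organization "my-org" -ProjectId $projectId -Descriptor $groupDesc -Headers $headers
```

Granting a permission-administration bit to a group widens who can change build security, so review the returned object and the group's membership before running this against a production project.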