0
votes

I want to set the ACL of an Azure DevOps Artifact feed via the API,

so I'm following https://docs.microsoft.com/en-us/rest/api/azure/devops/artifacts/feed%20%20management/set%20feed%20permissions?view=azure-devops-rest-5.0

...and my request is:

curl --location --request PATCH 'https://feeds.dev.azure.com/kagarlickij/test/_apis/packaging/Feeds/335ffcb7-d09a-424a-8359-4d912922e422/permissions?api-version=5.0-preview.1' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic O***E=' \
--data-raw '[
    {
        "role": "administrator",
        "identityDescriptor": "Microsoft.IdentityModel.Claims.ClaimsIdentity;[email protected]",
        "displayName": null,
        "isInheritedRole": false
    },
    {
        "role": "administrator",
        "identityDescriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1343567041-101590592-3129239589-3184381367-0-0-0-0-1",
        "displayName": null,
        "isInheritedRole": true
    },
    {
        "role": "contributor",
        "identityDescriptor": "Microsoft.TeamFoundation.ServiceIdentity;7a539633-289b-4efc-ac2e-e475ef28cdc3:Build:c1341550-0e06-4026-ba84-6825bdcdcdb7",
        "displayName": null,
        "isInheritedRole": false
    }
]'

I'm getting the expected response:

{
    "count": 3,
    "value": [
        {
            "role": "administrator",
            "identityDescriptor": "Microsoft.IdentityModel.Claims.ClaimsIdentity;[email protected]",
            "displayName": null,
            "isInheritedRole": false
        },
        {
            "role": "administrator",
            "identityDescriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1343567041-101590592-3129239589-3184381367-0-0-0-0-1",
            "displayName": null,
            "isInheritedRole": false
        },
        {
            "role": "contributor",
            "identityDescriptor": "Microsoft.TeamFoundation.ServiceIdentity;7a539633-289b-4efc-ac2e-e475ef28cdc3:Build:c1341550-0e06-4026-ba84-6825bdcdcdb7",
            "displayName": null,
            "isInheritedRole": false
        }
    ]
}

But when I check the ACL via the Azure DevOps UI or the API, the change is not applied (I still have 4 entities):

curl --location --request GET 'https://feeds.dev.azure.com/kagarlickij/_apis/packaging/Feeds/675fc46d-d757-42a9-b3f2-a12aca38057c/permissions?api-version=5.0-preview.1' \
--header 'Authorization: Basic O***E='
{
    "count": 4,
    "value": [
        {
            "role": "administrator",
            "identityDescriptor": "Microsoft.IdentityModel.Claims.ClaimsIdentity;[email protected]",
            "displayName": null,
            "isInheritedRole": false
        },
        {
            "role": "administrator",
            "identityDescriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1343567041-101590592-3129239589-3184381367-0-0-0-0-1",
            "displayName": null,
            "isInheritedRole": true
        },
        {
            "role": "contributor",
            "identityDescriptor": "Microsoft.TeamFoundation.ServiceIdentity;7a539633-289b-4efc-ac2e-e475ef28cdc3:Build:c1341550-0e06-4026-ba84-6825bdcdcdb7",
            "displayName": null,
            "isInheritedRole": false
        },
        {
            "role": "reader",
            "identityDescriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1343567041-101590592-3129239589-3184381367-0-0-0-0-3",
            "displayName": null,
            "isInheritedRole": true
        }
    ]
}

Any ideas why it fails and how to make it work?


1 Answers

1
votes

You need to set the role to "none" or "1" to remove the permission for an account. Simply not including the account in the request will not remove the permission.

Please check the example below: set the role to "none" to remove its permission.

        {
            "role": "none",
            "identityDescriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1343567041-101590592-3129239589-3184381367-0-0-0-0-3",
            "displayName": null,
            "isInheritedRole": true
        }

Or set the role to "1" to remove its permission.

            {
                "role": "1",
                "identityDescriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1343567041-101590592-3129239589-3184381367-0-0-0-0-3",
                "displayName": null,
                "isInheritedRole": true
            }

Below are the numbers and the permissions they map to:

"1"-->"none"  #remove 
"2"-->"reader"
"3"-->"contributor"
"4"-->"owner"
"5"-->"collaborator"
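An added example, not part of the answer above or of any Microsoft tooling: a small Python helper that builds the PATCH body from the current and desired permission lists, emitting an explicit "none" entry for every identity that should lose access, and a check that compares a fresh GET result with the desired ACL instead of trusting the PATCH response. The function names and the sample identity descriptors are constructed for illustration; the code sends no requests.

```python
import json

def _by_identity(entries):
    """Index permission entries by identityDescriptor, ignoring role 'none'."""
    return {e["identityDescriptor"]: e for e in entries if e["role"] != "none"}

def build_patch_body(current, desired):
    """Return the PATCH body that turns `current` into `desired`.

    Identities present in `current` but absent from `desired` are not
    dropped; they get an explicit role of "none", as the answer describes.
    """
    cur, want = _by_identity(current), _by_identity(desired)
    body = [dict(e) for e in desired]
    for ident, entry in cur.items():
        if ident not in want:
            body.append({**entry, "role": "none"})
    return body

def acl_drift(actual, desired):
    """Compare a fresh GET result with the desired ACL.

    Returns (unexpected, wrong_role, missing): identities that still hold
    a role they should not, hold a different role, or are absent.
    """
    act, want = _by_identity(actual), _by_identity(desired)
    unexpected = sorted(set(act) - set(want))
    missing = sorted(set(want) - set(act))
    wrong_role = sorted(i for i in set(act) & set(want)
                        if act[i]["role"] != want[i]["role"])
    return unexpected, wrong_role, missing

# Constructed sample data shaped like the GET response in the question.
def _entry(role, ident, inherited):
    return {"role": role, "identityDescriptor": ident,
            "displayName": None, "isInheritedRole": inherited}

CURRENT = [
    _entry("administrator", "Example.Identity;user-a", False),
    _entry("administrator", "Example.Identity;group-1", True),
    _entry("contributor", "Example.ServiceIdentity;build-svc", False),
    _entry("reader", "Example.Identity;group-3", True),
]
DESIRED = CURRENT[:3]  # everything except the inherited reader group

if __name__ == "__main__":
    print(json.dumps(build_patch_body(CURRENT, DESIRED), indent=4))
    print(acl_drift(CURRENT, DESIRED))
```

Running `acl_drift` on the GET response after the PATCH, rather than on the PATCH response, is what reveals an entry such as the leftover reader group.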