1
votes

Is it possible through the Azure DevOps API to see what permissions any given user has inside of a DevOps Project?

I've been looking at "https://dev.azure.com/{organization}/_apis/permissions/{securityNamespaceId}/{permissions}?api-version=4.1", but it only works for the caller of the request.

Any thoughts?

Thanks


1 Answer

1
votes

If you're trying to view the permissions on this page (Project settings => Permissions => user)


Then you can use these two workarounds to achieve that:

1. Use the Azure CLI with the devops extension:

Prerequisites: Install the Azure CLI with the azure-devops extension and run az login to log in with your credentials. Here's a quick start.

Then you can use az devops security permission show to list the permissions of a specific user.

Example:

az devops security permission show --id 52d39943-cb85-4d7f-8fa8-c6baac873819 --subject {UserEmail} --token '$PROJECT:vstfs///Classification/TeamProject/{ProjectID}'

Normally the ID of this security namespace is always 52d39943-cb85-4d7f-8fa8-c6baac873819, and the ProjectID is the ID that represents your project. You can easily find it using the Projects - List REST API. The subject could be the email address (email ID) of the specific user.

Advantage of this way:

Since the id and token always have the same values within one project, we only need to change the subject to get a user's permissions.

az devops security permission show --id 52d39943-cb85-4d7f-8fa8-c6baac873819 --subject {User1Email} --token '$PROJECT:vstfs///Classification/TeamProject/{ProjectID}'

az devops security permission show --id 52d39943-cb85-4d7f-8fa8-c6baac873819 --subject {User2Email} --token '$PROJECT:vstfs///Classification/TeamProject/{ProjectID}'

...

The response when you run the above command looks like this:


2. Use an Azure DevOps REST API which is not documented:

https://dev.azure.com/{YourOrgName}/_apis/Contribution/HierarchyQuery?api-version=5.0-preview

We should use the POST method with the application/json Content-Type. The request body would look like this:

{
    "contributionIds": ["ms.vss-admin-web.org-admin-groups-permissions-pivot-data-provider"],
    "dataProviderContext": {"properties": {
        "subjectDescriptor": "msa.xxx",
        "sourcePage": {
            "url": "https://dev.azure.com/{OrgName}/{ProjectName}/_settings/permissions?subjectDescriptor=msa.xxx",
            "routeId": "ms.vss-admin-web.project-admin-hub-route",
            "routeValues": {
                "project": "xxx",
                "adminPivot": "permissions",
                "controller": "ContributedPage",
                "action": "Execute",
                "serviceHost": "xxx (xxx)"
            }
        }
    }}
}

This undocumented REST API could be more complex. I suggest you use F12 to fetch the correct request body yourself. Let's use the Edge browser as an example:


1. Navigate to this page in the web portal and enter F12 mode, then click the clear session button to empty the list.

2. Find the session whose response body would return all permissions related to the user:


In my test the session would receive 1.10kb~1.20kb, so you can easily locate it. Then click the session and go to its response body with pretty print enabled.


You can directly use that body to fetch one user's permissions. If you want to fetch other users, just replace the current user's subjectDescriptor with other users' subjectDescriptors. For what a subjectDescriptor is and how to get one, you can refer to another answer of mine.
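An added example, not part of the original answer: re-targeting a captured HierarchyQuery body at other users for a permissions audit, keeping the descriptor in the properties and in the sourcePage URL in sync. The function names, `ExampleOrg`, `ExampleProject`, the descriptors and the PAT are constructed placeholders, and authenticating with a personal access token over Basic auth is an assumption the answer does not state.

```python
import base64
import copy
import json
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for a body captured from the browser's network tab;
# every value is a placeholder, not real data.
CAPTURED_BODY = {
    "contributionIds": ["ms.vss-admin-web.org-admin-groups-permissions-pivot-data-provider"],
    "dataProviderContext": {"properties": {
        "subjectDescriptor": "msa.captured",
        "sourcePage": {
            "url": "https://dev.azure.com/ExampleOrg/ExampleProject/_settings/permissions?subjectDescriptor=msa.captured",
            "routeId": "ms.vss-admin-web.project-admin-hub-route",
            "routeValues": {"project": "ExampleProject", "adminPivot": "permissions",
                            "controller": "ContributedPage", "action": "Execute",
                            "serviceHost": "xxx (xxx)"},
        },
    }},
}

def body_for_subject(captured, descriptor):
    """Return a copy of the captured body that targets another subject descriptor."""
    body = copy.deepcopy(captured)  # never mutate the captured template
    props = body["dataProviderContext"]["properties"]
    props["subjectDescriptor"] = descriptor
    # The descriptor also appears in the sourcePage URL query string; keep both in sync.
    parts = urlsplit(props["sourcePage"]["url"])
    query = [(k, descriptor if k == "subjectDescriptor" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    props["sourcePage"]["url"] = urlunsplit(parts._replace(query=urlencode(query)))
    return body

def build_request(org, body, pat):
    """Build (but do not send) the POST request; PAT Basic auth is an assumption."""
    url = f"https://dev.azure.com/{org}/_apis/Contribution/HierarchyQuery?api-version=5.0-preview"
    token = base64.b64encode(f":{pat}".encode()).decode()
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})

if __name__ == "__main__":
    for d in ["msa.constructed-1", "aad.constructed-2"]:  # constructed descriptors
        req = build_request("ExampleOrg", body_for_subject(CAPTURED_BODY, d), "PLACEHOLDER_PAT")
        print(req.get_method(), req.full_url, len(req.data), "bytes")
```

Pass each request to `urllib.request.urlopen` to send it; read the PAT from an environment variable or secret store rather than hard-coding it.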