1
votes

On premises AzDevOps Server 2019, version Dev17.M153.5. I have restricted default access rights to agent queues on every single project in every single collection - removed the default set (Release Admins/Build Admins/Project Admins), added some other lines (Server Admins).

Now, ever once in a while, intermittenly with no pattern that I can see, those three permissions keep coming back automagically. On different projects, through no human actions (all the humans who have the rights for that have been told), those three lines with the Administrator role reappear on the default agent queue ACL.

Is that a known behavior in AzDevOps? Any way to opt out?

EDIT: here's what it looks like. The first three lines don't belong.

Default queue ACL

EDIT: as per the advice, I'd try to track it down using the activity log. I went and made a dummy change to default queue security elsewhere. There was a log record with command SecurityRoleAssignments.SetRoleAssignments. I then filtered the activity log on the collection where the permissions have reverted, and searched for the same command. No instances. The log ends around 7/14, which is likely before the event.

2
I don't have an answer for you and not positive this would provide the detail you might need, but the RC for Server 2020 is available and they are adding some auditing to the agent pools. Possible it might be able to answer this question if it does capture changes to permissions. docs.microsoft.com/en-us/azure/devops/server/release-notes/… - Matt

2 Answers

0
votes

This should be caused by Inheritance permission. By default, the option Inheritance is turned on and the following groups are added to the Administrator role of 'All agent pools': Build Administrators, Release Administrators, Project Administrators.

If we turn off the option Inheritance, we can remove the default permission groups (Release Admins/Build Admins/Project Admins).

If we turn on the Inheritance, the permission group will be inherited again and the default permission groups will come back, please check the option and confirm that inheritance is always off. Please also confirm with all the humans who have the rights to update the option.

Uodate1

Login {Azure DevOps Server URL}/_oi/_diagnostics/activityLog, we can see the Activity Log and check who added the permission groups, please check it.

enter image description here

0
votes

Installed Azure DevOps 2020. A couple of weeks in, no such behavior.

Concluding it was a bug in AzDevOps 2019 all along that they've quietly fixed.