0
votes

I'm trying to deny the Edit Policies permission from a subject for the develop branch. I was under the impression this command would work:

$ az devops security permission update --allow-bit 2048 --subject [email protected] --namespace-id ***** --token repoV2/<project id>/<git repo id>/refs^heads^develop/ 

Despite the response

[
  {
    "acesDictionary": {
      "Microsoft.IdentityModel.Claims.ClaimsIdentity;****\\[email protected]": {
        "allow": 2048,
        "deny": 0,
        "descriptor": "Microsoft.IdentityModel.Claims.ClaimsIdentity;****\\[email protected]",
        "extendedInfo": {
          "effectiveAllow": 20342
        },
        "resolvedPermissions": [
          {
            "bit": 2048,
            "displayName": "Edit policies",
            "effectivePermission": "Allow",
            "name": "EditPolicies"
          }
        ]
      }
    },
    "includeExtendedInfo": true,
    "inheritPermissions": true,
    "token": "repoV2/***/***/refs^heads^develop"
  }
]

The permission remains the same.

I think the token and namespace IDs are correct because the command works when using the token repoV2/***/***/.

1
Hi @JG801, is there any update about this ticket? You could check if the answer could give you some help. Feel free to let me know if you have questions. Just a reminder about this. - Kevin Lu-MSFT
So, if I'm not mistaken, the token for a branch named 'develop' should end with '/refs/heads/646576656c6f70/' ? - JG801
develop: refs/heads/64006500760065006c006f007000/. You need to use 00 to connect each alphabet. - Kevin Lu-MSFT
That was it! I hope they'll document this in the reference manual. - JG801

1 Answer

0
votes

Here is the format of the az devops security permission update:

az devops security permission update --id
                                     --subject
                                     --token
                                     [--allow-bit]
                                     [--deny-bit]
                                     [--org]

From your Azure CLI command, the cause of the problem should be the parameters.

You could get these parameters in Browser F12 Network Tool.

Here are the steps:

Step 1: Navigate to the branch permission and press F12 to open the Network tool. Then you could select the network tab.

Step 2: Try to change the permission.

Step 3: You could check the network record and get these parameters.


Here is an example of the Azure CLI command:

az devops security permission update --id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 --subject [email protected] --token repoV2/92c1c5e8-d842-4698-b3f5-45d69e25624c/34439f96-646e-4aa0-a3e5-a55742a9813e/refs/heads/310032003400/ --allow-bit 0 --deny-bit 2048 --org https://dev.azure.com/orgname

Note: the branch parameter in token needs to be the hex id (e.g. refs/heads/310032003400/).

Based on my test, if you use the branch name, it doesn't change the permission.

Here is a ticket about converting a branch name to a hex ID.
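
The encoding rule from the answer and comments above (the branch name written as the hex of its UTF-16LE bytes, which is why each letter is followed by 00), as an added example that is not part of the original answer. The helper names encode_branch, branch_token and decode_branch are hypothetical, and the per-segment handling of branch names containing '/' is an assumption this page does not cover.

```python
PREFIX = "refs/heads/"

def encode_branch(branch: str) -> str:
    """Branch name -> token suffix with the name as UTF-16LE hex."""
    name = branch[len(PREFIX):] if branch.startswith(PREFIX) else branch
    # Assumption (not covered on this page): a name containing '/' is
    # encoded one path segment at a time and the '/' separators are kept.
    segments = [s.encode("utf-16-le").hex() for s in name.split("/")]
    return PREFIX + "/".join(segments) + "/"

def branch_token(project_id: str, repo_id: str, branch: str) -> str:
    """Full repoV2 security token for one branch."""
    return f"repoV2/{project_id}/{repo_id}/{encode_branch(branch)}"

def decode_branch(token: str) -> str:
    """Readable branch name from a token; ValueError if it is not UTF-16LE hex."""
    _, found, tail = token.partition(PREFIX)
    tail = tail.strip("/")
    if not found or not tail:
        raise ValueError("token has no refs/heads/<branch> part")
    parts = []
    for seg in tail.split("/"):
        try:
            raw = bytes.fromhex(seg)
        except ValueError:
            raise ValueError(f"{seg!r} is a plain name, not hex") from None
        if len(raw) % 2:
            # e.g. ASCII hex such as 646576656c6f70 for 'develop'
            raise ValueError(f"{seg!r} is not UTF-16LE (odd byte count)")
        parts.append(raw.decode("utf-16-le"))
    return "/".join(parts)

if __name__ == "__main__":
    # Placeholder ids, as in the question; substitute the real GUIDs.
    print(branch_token("<project id>", "<git repo id>", "develop"))
    print(decode_branch("refs/heads/310032003400/"))
```

Running decode_branch over a token before passing it to --token catches the three forms tried in the question and comments (refs^heads^develop, the plain branch name, and ASCII hex without the 00 bytes), all of which raise ValueError.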