Why is there a difference in feed permission settings when Azure artifact feeds are created "via UI" and "via REST API"?

0
votes

Using REST API:

I used the following documentation : https://docs.microsoft.com/en-us/rest/api/azure/devops/artifacts/feed%20%20management/create%20feed?view=azure-devops-rest-5.0#feedpermission to create project scope feed using REST API

And referred Create Azure Artifacts universal package feed via Azure API - Example

Feed was created with the following permissions

  1. USER -- Owner
  2. [myorg]\Project Collection Administrators -- Owner (Inherited)
  3. [myorg]\Project Collection Valid User -- Reader (Inherited)

Via UI:

When Feed was created via user interface, the following permissions are set:

  1. USER -- Owner
  2. [myorg]\Project Collection Administrators -- Owner (Inherited)
  3. Project Collection Build Service (myorg) -- Contributor
  4. [myproject]\Project Administrators -- Owner
  5. [myproject]\Contributors -- Contributor
  6. [myproject] Build Service (myorg) -- Contributor

Only limited user/group is provided permission for feed created via REST API compared to feed created manually via UI. Why is there a difference?

1
azure-devopsazure-devops-rest-apiazure-artifacts
It depends on how we define the request body. This is the simplest format, if you want to define similar feed like what UI does, you need to define permissions element also.LoLance

1 Answers

0
votes

Why is there a difference in feed permission settings when Azure artifact feeds are created “via UI” and “via REST API”?

The difference depends on how we write the Request Body. My request body here only used three elements, so the request only creates a simple feed with name and default permission specified.

If you want to create a feed with same permissions like what UI does, you should also specify the Permissions element, something like this:

{
    "name": "Test12345",
    "hideDeletedPackageVersions": true,
    "permissions": [
        {
            "identityDescriptor": "Microsoft.TeamFoundation.ServiceIdentity;xxxxxxxxxx",
            "role": 3
        },
        {
            "identityDescriptor": "Microsoft.TeamFoundation.ServiceIdentity;xxxxxxxxxx",
            "role": 3
        },
        {
            "identityDescriptor": "Microsoft.TeamFoundation.Identity;xxxxxxxxxx",
            "role": 4
        },
        {
            "identityDescriptor": "Microsoft.TeamFoundation.Identity;xxxxxxxxxxx",
            "role": 3
        }
    ]
}

With permissions element defined in request body, you can use the API to create new feed with the the same permissions when you do that via UI.

In addition:

As for how to find the ID(the xxxxxxxx in body above) of those permissions, you can use Edge browser(or other browsers) in F12 mode to get your corresponding IDs. For me:

1.Navigate to the page when creating the feed via UI:

enter image description here

2.In Edge, click F12 and clear the previous requests:

enter image description here

3.Click the Create button, and check the requests in F12 window:

enter image description here

4.Find the request above and check its body, we can find the IDs list easily:

enter image description here

enter image description here

Once you've found the IDs which represents the corresponding permissions in your org, you can create feed with permissions easily.