permissions-access.md

---
title: Default permissions quick reference
titleSuffix: Azure DevOps
description: Default permissions and access to common user tasks for Azure DevOps.
ms.custom: permissions, engagement-fy23
ms.subservice: azure-devops-security
ms.assetid: B656A277-BA3D-472D-824D-CDD4E067053E
toc: show
ms.author: chcomley
author: chcomley
ms.topic: overview
monikerRange: <= azure-devops
ms.date: 10/06/2023
---

Default permissions quick reference

[!INCLUDE version-lt-eq-azure-devops]

To use Azure DevOps features, users must be added to a security group with the appropriate permissions and granted access to the web portal. Limitations to select features are based on the access level and security group to which a user is assigned. The Basic access level and higher supports full access to most Azure DevOps services, except for Azure Test Plans. Stakeholder access level provides partial support to Azure Boards and Azure Pipelines. To learn more about access levels, see About access levels and Stakeholder access quick reference.

Assign users to a security group

The most common built-in security groups (Readers, Contributors, and Project Administrators) and the team administrator role grant permissions to specific features.

In general, use the following guidance when assigning users to a security group:

  • Add to the Contributors security group full-time workers who contribute to the code base or manage projects.
  • Add to the Project Administrators security group users tasked with managing project resources.
  • Add to the Project Collection Administrators security group users tasked with managing organization or collection resources.

To learn more about administrative tasks, see About user, team, project, and organization-level settings. For a complete reference of all built-in groups and permissions, see Permissions and groups. For information about access levels, see About access levels.

In the tables provided in this article, a ✔️ (checkmark) indicates that the corresponding access level or security group has access to a feature by default.

To assign or change an access level, see Add users and assign licenses. If you need to grant specific users select permissions, you can do so.

::: moniker range=">= azure-devops-2019"

Azure Boards

You can plan and track work from the web portal Boards hub, and using Visual Studio, Excel, and other clients. For an overview of work tracking features, see About Agile tools. To change permissions, see Set permissions and access for work tracking. In addition to the permissions set at the project level via the built-in groups, you can set permissions for the following objects: area and iteration paths and individual queries and query folders.

::: moniker-end

Note

Team administrators can configure settings for their team's tools. Organization owners and members of the Project Administrators group can configure settings for all teams. To be added as an administrator, see Add team administrators or Change project-level permissions.

Each user's access level or permission assignment controls access to the following tasks. Members of the Readers, Contributors, or Project Administrators group are assumed to have Basic access or greater.

General work item permissions

You can use work items to track anything you need to track. For more information, see Understand how work items are used to track issues, tasks, and epics.

[!INCLUDE temp]

Boards

You use Boards to implement Kanban/Agile methods. Boards present work items as cards and support quick status updates through drag-and-drop.

[!INCLUDE temp]

Backlogs features access

Backlogs display work items as lists. A product backlog represents your project plan and a repository of all the information you need to track and share with your team. Portfolio backlogs allow you to group and organize your backlog into a hierarchy.

[!INCLUDE temp]

Sprints

You use sprint tools to implement Scrum methods. The Sprints set of tools provides filtered views of work items that a team has assigned to specific iteration paths or sprints.

[!INCLUDE temp]

Queries

Queries are filtered lists of work items based on criteria that you define by using a query editor. Ad hoc searches are powered by a semantic search engine.

[!INCLUDE temp]

Delivery plans

Delivery plans display work items as cards against a calendar view. This format can be an effective communication tool with managers, partners, and stakeholders for a team.

[!INCLUDE temp]

::: moniker range=">= azure-devops-2019"

Azure Repos

You can manage your source code from the web portal Repos hub, or using Xcode, Eclipse, IntelliJ, Android Studio, Visual Studio, or Visual Studio Code.

::: moniker-end

::: moniker range="azure-devops"

Stakeholders for private projects have no access to Repos. Stakeholders for public projects have the same access to Repos as Contributors.

::: moniker-end

::: moniker range="azure-devops"

Advanced Security

You can use Advanced Security to identify security vulnerabilities in your repository.

::: moniker-end

::: moniker range="azure-devops"

[!INCLUDE temp]

Code: Source control

You can connect to your code from the web portal Code hub, or using Xcode, Eclipse, IntelliJ, Android Studio, Visual Studio, or Visual Studio Code. Stakeholders for private projects have no access to Code.

::: moniker-end

Git

You can use Git repositories to host and collaborate on your source code. For an overview of code features and functions.

[!INCLUDE temp]

TFVC

Team Foundation Version Control (TFVC) provides a centralized version control system to manage your source control.

[!INCLUDE temp]

::: moniker range=">= azure-devops-2019"

Azure Pipelines

You can define and manage your builds and releases from the web portal Pipelines hub. For an overview of pipelines features and functions, see Continuous integration on any platform.

::: moniker-end

::: moniker range="azure-devops"

[!INCLUDE temp]

::: moniker-end

::: moniker range=">= azure-devops-2019 < azure-devops"

Build

[!INCLUDE temp]

Release

[!INCLUDE temp]

Task groups

You use task groups to encapsulate a sequence of tasks already defined in a build or a release pipeline into a single reusable task. Task group permissions follow a hierarchical model. You can set defaults for all permissions at the project level and override them on an individual task group pipeline. You define and manage task groups in the Task groups tab in Azure Pipelines.

[!INCLUDE temp]

::: moniker-end

::: moniker range=">= azure-devops-2019"

Azure Test Plans

Users granted the Basic + Test Plans or Visual Studio Enterprise access level can define and manage manual tests from the web portal. For an overview of manual test features and functions, see Testing overview. You set several test permissions at the project level from Project Settings > Permissions.

::: moniker-end

[!INCLUDE temp]

::: moniker range=">= azure-devops-2019"

Azure Artifacts

::: moniker-end

::: moniker range="azure-devops"

You can manage feeds from the web portal, Artifacts. Users with Stakeholder access, Basic access, or higher can access Azure Artifacts features. To set permissions, see Secure feeds using permissions.

::: moniker-end

::: moniker range=">= azure-devops-2019 < azure-devops"

You can manage feeds from the web portal, Artifacts. Users with at least Basic access can access Azure Artifacts features. Users with Stakeholder access can't. To set permissions, see Secure feeds using permissions.

::: moniker-end

[!INCLUDE temp]

Notifications, alerts, and team collaboration tools

To manage notifications, see Manage personal notifications and Manage team notifications.

Note

There are no UI permissions associated with managing notifications. Instead, you can manage them using the TFSSecurity command line tool.

[!INCLUDE temp]

Dashboards, charts, reports, and widgets

::: moniker range="azure-devops"

You can define and manage team and project dashboards from the web portal, Dashboards. For an overview of dashboard and chart features, see Dashboards. You can set individual dashboard permissions to grant or restrict the ability to edit or delete dashboards.

Users granted Stakeholder access to private projects can't view or create query charts. Users granted Stakeholder access to public projects can view and create query charts.

::: moniker-end

::: moniker range="< azure-devops"

You can define and manage team dashboards from the web portal, Dashboards. For an overview of dashboard and chart features, see Dashboards. You set dashboard permissions at the team level from the team dashboard page.

::: moniker-end

[!INCLUDE temp]

::: moniker range=">= azure-devops-2019"

Power BI Integration and Analytics views

From the web portal Analytics views, you can create and manage Analytics views. An Analytics view provides a simplified way to specify the filter criteria for a Power BI report based on the Analytics Service data store. The Analytics Service is the reporting platform for Azure DevOps. For more information, see What is the Analytics Service?.

You set permissions for the service at the project level, and for shared Analytics views at the object level. Users with Stakeholder access have no access to view or edit Analytics views.

[!INCLUDE temp]

::: moniker-end

Related articles