Give rights to Azure DevOps built-in Users

Time:03-22

I was googling around all day but I can't find a solution. In Azure DevOps there are built-in users created for each project. One of those users is a default build agent user (normally named <projectName> Build Service).

I already automated the creation of repositories and pipelines using the Azure DevOps REST API. The next step would be to grant certain rights to the built-in Build Agent User. I am already struggling to find the built-in user in the API.

So how would one grant rights to this user using the REST API?

The goal would be to add the default built-in build agent user to the contributor role so he can push tags to repositories.

CodePudding user response:

You can get him with: [image]


CodePudding user response:


You could use the REST API Users - List to get the identifier of your group.

        "subjectKind": "user",
        "domain": "Build",
        "principalName": "f0a50df8-5a11-41c3-8d7e-22180f923c80",
        "mailAddress": "",
        "origin": "vsts",
        "originId": "64b9d209-XXXXX-bb46ade01dc",
        "displayName": "MyTestProject Build Service (YourOrganizationName)",

The originId is the Id in the REST API URL below.

Then we use the Identities API.

GET https://vssps.dev.azure.com/fabrikam/_apis/Identities/{id}?queryMembership=None

Then get the descriptor from the json response .Descriptor.Identifier:

{
    "Id": "64b9d209-0deb-4d9c-9e8d-6bb46ade01dc",
    "Descriptor": {
        "IdentityType": "Microsoft.TeamFoundation.ServiceIdentity",
        "Identifier": "0a2bf5f-XXXXd-1e9006e97c76:Build:f0a50df8-5a11-41c3-8d7e-22180f923c80"
    },

If you don't have the group id, but have the display name:

GET https://vssps.dev.azure.com/fabrikam/_apis/Identities?searchFactor=DisplayName&factorValue={display name url encoded}&options=None&queryMembership=None

Then get the descriptor from the json response [0].Descriptor.Identifier.

Now that we have the identity, we could use the REST API Access Control Entries - Set Access Control Entries to set the permission for that group:

POST https://dev.azure.com/{organization}/_apis/accesscontrolentries/{securityNamespaceId}?api-version=5.0

Request body:

{ 
   "token":"repoV2/{projectId}/{repoId}/",
   "merge":true,
   "accessControlEntries":[ 
      { 
         "descriptor":"Microsoft.TeamFoundation.Identity;{groupIdentifier}",
         "allow":2,
         "deny":0,
         "extendedInfo":{ 
            "effectiveAllow":2,
            "effectiveDeny":0,
            "inheritedAllow":2,
            "inheritedDeny":0
         }
      }
   ]
}

Note the id in the URL is hardcoded because it's a constant. But you can also fetch it from the response of

GET https://dev.azure.com/{organization}/_apis/securitynamespaces
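
The steps above combined into one request builder, as an added example that is not part of the original answers: it resolves the namespace id and permission bits by name from a `securitynamespaces` response, takes the descriptor type from the identity response (a build service is a `ServiceIdentity`, not a group), and grants only the named actions on a single repository. The sample responses, ids, the namespace name `Git Repositories` and the action names are constructed for illustration; read the real ones from your organization's responses.

```python
# Constructed sample of GET .../_apis/securitynamespaces (trimmed, placeholder id).
SAMPLE_NAMESPACES = {"value": [{
    "namespaceId": "00000000-0000-0000-0000-000000000001",
    "name": "Git Repositories",
    "actions": [{"bit": 2, "name": "GenericRead"},
                {"bit": 4, "name": "GenericContribute"},
                {"bit": 32, "name": "CreateTag"}],
}]}

# Constructed sample of GET .../_apis/Identities/{id} (placeholder identifier).
SAMPLE_IDENTITY = {"Descriptor": {
    "IdentityType": "Microsoft.TeamFoundation.ServiceIdentity",
    "Identifier": "11111111-aaaa:Build:22222222-bbbb"}}


def resolve_bits(namespaces, namespace_name, action_names):
    """Return (namespaceId, bitmask) for the named actions; fail on unknown names."""
    for ns in namespaces["value"]:
        if ns["name"] == namespace_name:
            bits = {a["name"]: a["bit"] for a in ns["actions"]}
            missing = [n for n in action_names if n not in bits]
            if missing:
                raise KeyError(f"unknown actions in {namespace_name}: {missing}")
            # Each action is a distinct power of two, so summing the set ORs them.
            return ns["namespaceId"], sum(bits[n] for n in set(action_names))
    raise KeyError(f"namespace not found: {namespace_name}")


def build_ace_request(org, identity, namespaces, project_id, repo_id, action_names):
    """Build URL and JSON body for Set Access Control Entries, scoped to one repo."""
    ns_id, allow = resolve_bits(namespaces, "Git Repositories", action_names)
    d = identity["Descriptor"]
    body = {
        "token": f"repoV2/{project_id}/{repo_id}/",
        "merge": True,  # merge the bits into the existing ACE instead of replacing it
        "accessControlEntries": [{
            "descriptor": f"{d['IdentityType']};{d['Identifier']}",
            "allow": allow,
            "deny": 0,
        }],
    }
    url = f"https://dev.azure.com/{org}/_apis/accesscontrolentries/{ns_id}?api-version=5.0"
    return url, body


if __name__ == "__main__":
    print(*build_ace_request("fabrikam", SAMPLE_IDENTITY, SAMPLE_NAMESPACES,
                             "PROJECT_ID", "REPO_ID", ["CreateTag"]), sep="\n")
```

Resolving actions by name makes the grant reviewable, and the `KeyError` on an unknown name stops a typo from silently producing an empty or wrong mask.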