Currently we're only really making use of Project Collection Valid Users and Project Collection Administrators default groups in Azure DevOps but is unlikely to stand up to scrutiny an there's been a few requests for tweaks to this.
1 - Give 'standard users' access to view and work on only their projects but with the capability to create projects
2 - Give someone access to see all projects but not be able delete any existing ones (unless they're the project admin) or to be able to create new ones
As far as I've been able to tell I can't give someone permissions to view all projects without them being a project collection admin, and that means that they can create and delete projects which I don't want to provide.
Is there any way of overcoming this? The only thing I can think is I'd have to add this new permissions group to every project manually, which would be fine for a point in time, but I wouldn't be confident of adding the group to all projects, and it would likely go out of date when new project sites were created. I'd assume there's got to be a simpler way, and I may be overcomplicating things so thought I'd ask for some support.
CodePudding user response:
Sure, you can accomplish this.
It'll take a few new groups and a new group rule within your Organization settings though.
To start, you'll want to create a 2 new groups within your Organization Settings > Permissions:
- Project Creators: "Allow" - "Create Project"
- Project Readers: No explicit permissions
Then, head to Organization Settings > Users and select the Group Rules tab. Within your group rules, select "New Group Rule".
Choose your Project Readers group within the "Azure DevOps or AAD Group" setting, select the default access level, select all projects, then choose "Project Readers" for their access level:
For a more step-by-step walkthrough on creating group rules, here's Microsoft's documentation on Group Rules: