Access Control Entries (ACEs)

TFS 2017 | TFS 2015 | TFS 2013


Looking for REST APIS that support TFS 2018 or later versions? See the Azure DevOps REST API Reference.

api-version = 1.0

Add a list of access control entries

Use this API to add or update ACEs in the ACL for the provided token. In the case of a collision (by identity descriptor) with an existing ACE in the ACL, the "merge" parameter determines the behavior. If set, the existing ACE has its allow and deny merged with the incoming ACE's allow and deny. If unset, the existing ACE is displaced.

POST https://{instance}/_apis/accesscontrolentries/{securitynamespace}/?api-version={version}
Parameter Type Default Notes
instance string TFS server name ({server:port}).
securitynamespace guid ID of the security namespace.
api-version string Version of the API to use.
token string The token whose ACL should be modified.
aces AccessControlEntry[] The ACEs to set.
merge bool True to merge permission bits in case of a conflicting ACE; false to overwrite

No merge

The allow bit is set to 5 before the update.

Sample request

POST https://mytfsserver/DefaultCollection/_apis/accesscontrolentries/5a27515b-ccd7-42c9-84f1-54c998f03866/?api-version=1.0
  "token": "newToken",
  "merge": false,
  "accessControlEntries": [
      "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
      "allow": 8,
      "deny": 0,
      "extendedinfo": {}

Sample response

  "count": 1,
  "value": [
      "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
      "allow": 8,
      "deny": 0,
      "extendedInfo": {}

With merge

The allow bit is set to 5 before the update.

Sample request

POST https://mytfsserver/DefaultCollection/_apis/accesscontrolentries/5a27515b-ccd7-42c9-84f1-54c998f03866/?api-version=1.0
  "token": "newToken",
  "merge": true,
  "accessControlEntries": [
      "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-2",
      "allow": 8,
      "deny": 0,
      "extendedinfo": {}

Sample response

  "count": 1,
  "value": [
      "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-2",
      "allow": 13,
      "deny": 0,
      "extendedInfo": {}

Remove a list of access control entries

Use this API to remove the provided ACEs from the ACL belonging to the provided token.

DELETE https://{instance}/_apis/accesscontrolentries/{securitynamespace}/?api-version={version}&token={string}[&descriptors={string}]
Parameter Type Default Notes
instance string TFS server name ({server:port}).
securitynamespace guid ID of the security namespace.
api-version string Version of the API to use.
token string The token whose ACL should be modified.
descriptors string String containing a list of identity descriptors separated by ',' whose entries should be removed.

Remove ACEs

Any ACEs whose descriptor is in the provided descriptors list will be removed from the ACL.

Sample request

DELETE https://mytfsserver/DefaultCollection/_apis/accesscontrolentries/5a27515b-ccd7-42c9-84f1-54c998f03866/?token=newToken&descriptors=Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1,Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-2&api-version=1.0

Sample response
