Security namespace and permission reference for Azure DevOps

TFS 2017 | TFS 2015 | TFS 2013

Security namespaces are used to store access control lists (ACLs) on tokens. Data stored in security namespaces determines the level of access the following entities have to perform a specific action on a specific resource.

  • Azure DevOps user
  • Azure DevOps Organization owner
  • Member of an Azure DevOps security group
  • Azure DevOps service account
  • Azure DevOps service principal

Each family of resources, such as work items or Git repositories, is secured through a unique namespace. Each security namespace contains zero or more ACLs. Each ACL contains a token, an inherit flag, and a set of zero or more access control entries (ACEs). Each ACE contains an identity descriptor, an allowed permissions bitmask, and a denied permissions bitmask. Tokens are arbitrary strings representing resources in Azure DevOps.

Note

Namespaces and tokens are valid for all versions of Azure DevOps. Those listed here are valid for Azure DevOps 2019 and later versions. Namespaces are subject to change over time. To get the latest list of namespaces, exercise one of the command line tools or REST API. Some namespaces have been deprecated as listed in the Deprecated and read-only namespaces section later in this article.

Permission management tools

The recommended method for managing permissions is through the web portal. However, if you need to set a permission that isn't surfaced through the web portal or to set more granular permissions, you can use one of the command line tools or REST API.

For all Azure DevOps instances, you can use the Security REST API.

Security namespaces and their IDs

This article describes the valid namespaces, lists the associated permissions, and provides links to more information. Many security namespaces correspond to permissions you set through a Security or Permissions web portal page. Other namespaces or select permissions aren't surface through the web portal. They grant access by default to members of security groups or Azure DevOps service principals. Namespaces have been grouped into the following categories based on how they're managed through the web portal.

  • Object-level
  • Project-level
  • Organization or collection-level
  • Server-level (on-premises only)
  • Role-based
  • Internal only

Hierarchy and tokens

A security namespace can be either hierarchical or flat. Tokens in a hierarchical namespace exist in a hierarchy with effective permissions inherited from parent tokens to child tokens. Tokens in a flat namespace have no concept of a parent-child relationship between any two tokens.

Tokens in a hierarchical namespace either have a fixed length for each path part, or variable length. If the tokens have variable-length path parts, then a separator character is used to distinguish where one path part ends and another begins.

Security tokens are case-insensitive. Token examples for different namespaces are provided in the following sections.

Object-level namespaces and permissions

The following table describes the namespaces that manage object-level permissions. Most of the listed permissions are managed through the web portal page for each object. Permissions are set at the project-level and inherited at the object-level unless changed.


Namespace

Permissions

Description


Build

ViewBuilds
EditBuildQuality
RetainIndefinitely
DeleteBuilds
ManageBuildQualities
DestroyBuilds
UpdateBuildInformation
QueueBuilds
ManageBuildQueue
StopBuilds
ViewBuildDefinition
EditBuildDefinition
DeleteBuildDefinition
OverrideBuildCheckInValidation
AdministerBuildPermissions

Manages build permissions at the project-level and object-level.

Token format for project-level build permissions: PROJECT_ID
If you need to update permissions for a particular build definition ID, for example, 12, security token for that build definition looks as follows:
Token format for project-level, specific build permissions: PROJECT_ID/12
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba/12

ID: 33344d9c-fc72-4d6f-aba5-fa317101a7e9


CSS

GENERIC_READ
GENERIC_WRITE
CREATE_CHILDREN
DELETE
WORK_ITEM_READ
WORK_ITEM_WRITE
MANAGE_TEST_PLANS
MANAGE_TEST_SUITES

Manages area path object-level permissions to create, edit, and delete child nodes and set permissions to view or edit work items in a node. You can manage these permissions through the Set permissions and access for work tracking, Create child nodes, modify work items under an area path.

ID: 83e28ad4-2d72-4ceb-97b0-c7726d5502c3


DashboardsPrivileges

Read
Create
Edit
Delete
ManagePermissions
MaterializeDashboards

Manages dashboard object-level permissions to edit and delete dashboards and manage permissions for a project dashboard. You can manage these permissions through the Dashboards user interface.

ID: 8adf73b7-389a-4276-b638-fe1653f7efc7


Git Repositories

Administer
GenericRead
GenericContribute
ForcePush
CreateBranch
CreateTag
ManageNote
PolicyExempt
CreateRepository
DeleteRepository
RenameRepository
EditPolicies
RemoveOthersLocks
ManagePermissions
PullRequestContribute
PullRequestBypassPolicy

Manages Git repository permissions at the project-level and object-level. You can manage these permissions through the Project settings, Repositories administrative interface.

Token format for project-level permissions: repoV2/PROJECT_ID
You need to append RepositoryID to update repository-level permissions.

Token format for repository-specific permissions: repoV2/PROJECT_ID/REPO_ID

ID: 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87


Iteration

GENERIC_READ
GENERIC_WRITE
CREATE_CHILDREN
DELETE

Manages iteration path object-level permissions to create, edit, and delete child nodes and view child node permissions. To manage through the web portal, see Set permissions and access for work tracking, Create child nodes.
Token format: 'vstfs:///Classification/Node/Iteration_Identifier/'
Suppose, you have the following iterations configured for your team.
– ProjectIteration1
  TeamIteration1
     – TeamIteration1ChildIteration1
     – TeamIteration1ChildIteration2
     – TeamIteration1ChildIteration3
  TeamIteration2
     – TeamIteration2ChildIteration1
     – TeamIteration2ChildIteration2

To update permissions for ProjectIteration1\TeamIteration1\TeamIteration1ChildIteration1, the security token looks as follows:
vstfs:///Classification/Node/ProjectIteration1_Identifier:vstfs:///Classification/Node/TeamIteration1_Identifier:vstfs:///Classification/Node/TeamIteration1ChildIteration1_Identifier

ID: bf7bfa03-b2b7-47db-8113-fa2e002cc5b1


MetaTask

Administer
Edit
Delete

Manages task group permissions to edit and delete task groups, and administer task group permissions. To manage through the web portal, see Pipeline permissions and security roles, Task group permissions.

Token format for project-level permissions: PROJECT_ID
Token format for metaTask-level permissions: PROJECT_ID/METATASK_ID

If MetaTask has parentTaskId then the Security token looks as follows:
Token Format: PROJECT_ID/PARENT_TASK_ID/METATASK_ID

ID: f6a4de49-dbe2-4704-86dc-f8ec1a294436


ReleaseManagement

ViewReleaseDefinition
EditReleaseDefinition
DeleteReleaseDefinition
ManageReleaseApprovers
ManageReleases
ViewReleases
CreateReleases
EditReleaseEnvironment
DeleteReleaseEnvironment
AdministerReleasePermissions
DeleteReleases
ManageDeployments
ManageReleaseSettings
ManageTaskHubExtension

Manages release definition permissions at the project and object-level.

Token format for project-level permissions: PROJECT_ID
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
If you need to update permissions for a particular release definition ID, for example, 12, security token for that release definition looks as follows:

Token format for specific release definition permissions: PROJECT_ID/12
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba/12
If the release definition ID lives in a folder, then the security tokens look as follows:
Token format: PROJECT_ID/{folderName}/12
For stages, tokens look like: PROJECT_ID/{folderName}/{DefinitionId}/Environment/{EnvironmentId}.

ID: c788c23e-1b46-4162-8f5e-d7585343b5de


WorkItemQueryFolders

Read
Contribute
Delete
ManagePermissions
FullControl
RecordQueryExecutionInfo


Project-level namespaces and permissions

The following table describes the namespaces that manage project-level permissions. Most of the listed permissions are managed through the web portal admin context. Project Administrators are granted all project-level permissions. Other project-level groups have select permission assignments.


Namespace

Permissions

Description


Project

GENERIC_READ
GENERIC_WRITE
DELETE
PUBLISH_TEST_RESULTS
ADMINISTER_BUILD
START_BUILD
EDIT_BUILD_STATUS
UPDATE_BUILD
DELETE_TEST_RESULTS
VIEW_TEST_RESULTS
MANAGE_TEST_ENVIRONMENTS
MANAGE_TEST_CONFIGURATIONS
WORK_ITEM_DELETE
WORK_ITEM_MOVE
WORK_ITEM_PERMANENTLY_DELETE
RENAME
MANAGE_PROPERTIES
MANAGE_SYSTEM_PROPERTIES
BYPASS_PROPERTY_CACHE
BYPASS_RULES
SUPPRESS_NOTIFICATIONS
UPDATE_VISIBILITY
CHANGE_PROCESS
AGILETOOLS_BACKLOG
AGILETOOLS_PLANS

Manages Project-level permissions.
The AGILETOOLS_BACKLOG permission manages access to Azure Boards backlogs. This is an internal permission setting and shouldn't be changed.

Root token format: $PROJECT
Token to secure permissions for each project in your organization.
$PROJECT:vstfs:///Classification/TeamProject/PROJECT_ID.
Assume you have a project named Test Project 1.
You can get the project ID for this project by using the az devops project show command.
az devops project show --project "Test Project 1"
The command returns a project-id, for example, xxxxxxxx-a1de-4bc8-b751-188eea17c3ba.
Therefore, the token to secure project-related permissions for Test Project 1 is:
'$PROJECT:vstfs:///Classification/TeamProject/xxxxxxxx-a1de-4bc8-b751-188eea17c3ba'

ID: 52d39943-cb85-4d7f-8fa8-c6baac873819


Tagging

Enumerate
Create
Update
Delete

Manages permissions to create, delete, enumerate, and use work item tags. You can manage the Create tag definition permission through the Project settings, Permissions administrative interface.

Token format for project-level permissions: /PROJECT_ID
Example: /xxxxxxxx-a1de-4bc8-b751-188eea17c3ba

ID: bb50f182-8e5e-40b8-bc21-e8752a1e7ae2


VersionControlItems

Read
PendChange
Checkin
Label
Lock
ReviseOther
UnlockOther
UndoOther
LabelOther
AdminProjectRights
CheckinOther
Merge
ManageBranch

Manages permissions for a Team Foundation Version Control (TFVC) repository. There is only one TFVC repository for a project. You can manage these permissions through the Project settings, Repositories administrative interface.

ID: a39371cf-0841-4c16-bbd3-276e341bc052


Collection-level namespaces and permissions

The following table describes the namespaces that manage organization-level permissions. Most of the listed permissions are managed through the web portal Collection settings context. Members of the Project Collection Administrators group are granted most of these permissions. To learn more, see Change project collection-level permissions.


Namespace

Permissions

Description


BuildAdministration

ViewBuildResources
ManageBuildResources
UseBuildResources
AdministerBuildResourcePermissions


Collection

GENERIC_READ
GENERIC_WRITE
CREATE_PROJECTS
TRIGGER_EVENT
MANAGE_TEMPLATE
DIAGNOSTIC_TRACE
SYNCHRONIZE_READ
MANAGE_TEST_CONTROLLERS
DELETE_FIELD
MANAGE_ENTERPRISE_POLICIES

Manages permissions at the organization or collection-level.

ID: 3e65f728-f8bc-4ecd-8764-7e378b19bfa7


Workspaces

Read
Use
Checkin
Administer

Manages permissions for administering shelved changes, workspaces, and the ability to create a workspace at the organization or collection level. The Workspaces namespace applies to the TFVC repository.

Root token format: /
Token format for a specific workspace: /{workspace_name};{owner_id}

ID: 93bafc04-9075-403a-9367-b7164eac6b5c


VersionControlPrivileges

CreateWorkspace
AdminWorkspaces
AdminShelvesets
AdminConnections
AdminConfiguration

Manages permissions for Team Foundation Version Control (TFVC) repository.

The AdminConfiguration permission grants users the ability to edit server-level permissions for users and groups. The AdminConnections permission grants users the ability to read the contents of a file or folder of an on-premises, server-level repository. ID: 66312704-deb5-43f9-b51c-ab4ff5e351c3


Server-level namespaces and permissions

The following table describes those security namespaces and permissions defined for on-premises instances of Azure DevOps Server. You can manage these permissions, which are granted to members of the Team Foundation Administrators group, through the Azure DevOps Server administration console. For descriptions of these permissions, see Permissions and groups, Server-level permissions.


Namespace

Permissions

Description


CollectionManagement

CreateCollection
DeleteCollection

Manages permissions set at the server-level to create and delete project collections.

ID: 52d39943-cb85-4d7f-8fa8-c6baac873819


Server

GenericRead
GenericWrite
Impersonate
TriggerEvent

Manages permissions set at the server-level. This includes permissions to edit instance-level information, make requests on behalf of others, and trigger events.

ID: 1f4179b3-6bac-4d01-b421-71ea09171400


Warehouse

Administer

Grants permission to process or change settings for the data warehouse or SQL Server Analysis cube by using the Warehouse Control Web Service.

ID: b8fbab8b-69c8-4cd9-98b5-873656788efb


Role-based namespaces and permissions

The following table describes the security namespaces and permissions used to manage role-based security. You can manage role assignments through the web portal for pipeline resources as described Pipeline permissions and security roles.


Namespace

Permissions

Description


DistributedTask

View
Manage
Listen
AdministerPermissions
Use
Create

Manages permissions to access agent pool resources. By default, the following roles and permissions are assigned at the project level and inherited for each agent pool that is created:

  • Reader role (View permissions only) to all members of the Project Valid Users group
  • Administrator role (all permissions) to members of the Build Administrators, Project Administrators, and Release Administrators groups.
  • User role (View, Use, and Create permissions) to all members of the Contributor group
  • Creator role (View, Use, and Create permissions) to all members of the Contributor group

    ID: 101eae8c-1709-47f9-b228-0e476c35b3ba

Environment

View
Manage
ManageHistory
Administer
Use
Create

Manages permissions to create and manage Environments. By default, the following permissions are assigned:

  • Reader role (View permissions only) to all members of the Project Valid Users group
  • Creator role (View, Use, and Create permissions) to all members of the Contributor group
  • Creator role (View, Use, and Create permissions) to all members of the Project Administrators group
  • Administrator role (all permissions) to the user who created a specific Environment.

    ID: 83d4c2e6-e57d-4d6e-892b-b87222b7ad20

ExtensionManagement

ViewExtensions
ManageExtensions
ManageSecurity

The Manager role is the only role used to manage the security of Marketplace extensions. Members of the Manager role can install extensions and respond to requests for extensions to be installed. The other permissions are assigned automatically to members of default security groups and service principals. To add users to the Manager role, see Manage extension permissions.

ID: 5d6d7b80-3c63-4ab0-b699-b6a5910f8029


Library

View
Administer
Create
ViewSecrets
Use
Owner

Manages permissions to create and manage library items, which include secure files and variable groups. Role memberships for individual items are automatically inherited from those of the Library node. By default, the following permissions are assigned:

  • Reader role (View permissions only) to all members of the Project Valid Users group and the Project Collection Build Service account
  • Creator role (View, Use, and Create permissions) to all members of the Contributors group
  • Creator role (View, Use, Create, and Owner permissions) to the member who created the library item
  • Administrator role (all permissions) to members of the Build Administrators, Project Administrators, and Release Administrators groups.
    To learn more, see Library asset security roles.

    ID: b7e84409-6553-448a-bbb2-af228e07cbeb

ServiceEndpoints

Use
Administer
Create
ViewAuthorization
ViewEndpoint

Manages permissions to create and manage service connections. Role memberships for individual items are automatically inherited from those defined at the project-level. By default, the following roles are assigned:

  • Reader role (View permissions only) to all members of the Project Valid Users group and the Project Collection Build Service account
  • Creator role (View, Use, and Create permissions) to to members of the Endpoint Creators service security group.
  • Administrator role (all permissions) to members of the Endpoint Administrators service security group.
    Roles are assigned through Service connection security roles.

    ID: 49b48001-ca20-4adc-8111-5b60c903a50c

Internal namespaces and permissions

The following table describes the security namespaces and permissions that aren't surfaced through the web portal. They are primarily used to grant access to members of default security groups or to internal resources. We strongly recommend that you don't alter these permission settings in any way.


Namespace

Permissions

Description


AccountAdminSecurity

Read
Create
Modify

Manages permissions to read or modify the organization account owner. These permissions are assigned to the organization owner and members of the Project Collection Administrator group.

ID: 11238e09-49f2-40c7-94d0-8f0307204ce4


BlobStoreBlobPrivileges

Read
Delete
Create
SecurityAdmin

Sets permissions to read, create, and manage the security of the data store. These permissions are assigned to several Azure DevOps service principals.

ID: 11238e09-49f2-40c7-94d0-8f0307204ce4


Boards

View
Create
ChangeMetadata
MoveCard
Delete
Manage

Manages permissions and access to Kanban boards.

ID: 251e12d9-bea3-43a8-bfdb-901b98c0125e


EventPublish

Read
Write

Grants read and write access for notification handler.

ID: 7cd317f2-adc6-4b6c-8d99-6074faeaf173


EventSubscriber

GENERIC_READ
GENERIC_WRITE

Grants read and write access for notification subscribers.

ID: 2bf24a2b-70ba-43d3-ad97-3d9e1f75622f


EventSubscription

GENERIC_READ
GENERIC_WRITE
UNSUBSCRIBE
CREATE_SOAP_SUBSCRIPTION

Manages member permissions to view, edit, and unsubscribe from notifications or create a SOAP subscription.

ID: 58b176e7-3411-457a-89d0-c6d0ccb3c52b

Identity

Read
Write
Delete
ManageMembership
CreateScope
RestoreScope

Manages permissions to read, write, and delete user account identity information; manage group membership and create and restore identity scopes. The ManageMembership permission is automatically granted to members of the Project Administrators and Project Collection Administrators groups.

Token format for project-level permissions: PROJECT_ID
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
To modify group level permissions for Group Origin ID [2b087996-2e64-4cc1-a1dc-1ccd5e7eb95b]:
Token: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba\2b087996-2e64-4cc1-a1dc-1ccd5e7eb95b

ID: 5a27515b-ccd7-42c9-84f1-54c998f03866


Licensing

Read
Create
Modify
Delete
Assign
Revoke

Manages the ability to view, add, modify, and remove license levels. These permissions are automatically granted to members of the Project Collection Administrators groups.

ID: 453e2db3-2e81-474f-874d-3bf51027f2ee


PermissionLevel

Read
Create
Update
Delete

Manages the ability to create and download permission reports.

ID: 25fb0ed7-eb8f-42b8-9a5e-836a25f67e37


PipelineCachePrivileges

Read
Write

Manages permissions to read and write pipeline cache entries. These permissions are only assigned to internal Azure DevOps service principles.
ID: 62a7ad6b-8b8d-426b-ba10-76a7090e94d5


ReleaseManagement

ViewTaskEditor
ViewCDWorkflowEditor
ExportReleaseDefinition
ViewLegacyUI
DeploymentSummaryAcrossProjects
ViewExternalArtifactCommitsAndWorkItems

Manages access to Release Management user interface elements.

ID: 7c7d32f7-0e86-4cd6-892e-b35dbba870bd


WorkItemTrackingAdministration

ManagePermissions
DestroyAttachments

Manages permissions for administrating work tracking and destroying attachments.
ID: 445d2788-c5fb-4132-bbef-09c4045ad93f


WorkItemTrackingProvision

Administer
ManageLinkTypes

Manages permissions for changing work tracking processes and managing link types. The WorkItemTrackingProvision namespace is an older security namespace that is mostly used for TFS-2018 and earlier versions.
Root token format: /$
Token format for a specific project: $/PROJECT_ID

ID: 5a6cd233-6615-414d-9393-48dbb252bd23


Deprecated and read-only namespaces

The following namespaces are either deprecated or read-only. You shouldn't use them.

  • CrossProjectWidgetView
  • DataProvider
  • Favorites
  • Graph
  • Identity2
  • IdentityPicker
  • Job
  • Location
  • ProjectAnalysisLanguageMetrics
  • Proxy
  • Publish
  • Registry
  • Security
  • ServicingOrchestration
  • SettingEntries
  • Social
  • StrongBox
  • TeamLabSecurity
  • TestManagement
  • VersionControlItems2
  • ViewActivityPaneSecurity
  • WebPlatform
  • WorkItemsHub
  • WorkItemTracking
  • WorkItemTrackingConfiguration