We have some old ADO/VSTS projects that we want to archive and make read only. Each project has work items, builds, git repos, etc...
At the moment the only methods I have found are painful.
I tried this with git repos and there are some issues with this, as some permissions are not inherited down to individual users who created the git repo and they are still able to check in.
Here you can see I created a READONLY group and set everything to DENY except Read permissions. (The members of this group are the default groups e.g. contributors, build admins, proj admins)

However, I had a repo created by a test user BEFORE I created the readonly group, and it seems that user still has permissions to that repo.

OK, OK, I understand that if the permissions are set at the lower level, then they won't be inherited down from the top level parent. I could create a script that checks the users of every git repo and sets their check-in permissions to deny, but that is painful and I would prefer not to do that. Likewise, some projects have over 300 git repos.
FYI I want to make the whole project read only not just git repos.
Enable anonymous access to projects for your organization: You must be signed in to create a public project. Choose Azure DevOps to open Projects. Then choose Organization settings. Choose the Policies page, and select On for Allow public projects.
Restrict access to view or modify objects: Azure DevOps is designed to enable all valid users to view all objects defined in the system. You can restrict access to resources by setting the permission state to Deny. You can set permissions for members that belong to a custom security group or for an individual user.
Yeah, you've found one of the nasty features of the Azure DevOps permission model. More specific ACLs trump less specific ACLs. Even for DENY rules.
When there is an explicit ALLOW rule on a more specific ACL, it will override the DENY on a less specific ACL.
Specificity for git is based on:
Similar hierarchies exist for other securables.
There is no easy way to strip these all, apart from scripting the action.
The Azure CLI has a devops extension which will allow you to script out what you want and can output JSON to make it easier to script.
You can use az devops security permission list to list all permissions defined for an identity (group or user) and az devops security permission reset or az devops security permission update to unset or override the given permission.
Other probably needed calls:
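An added example, not part of the answer above: a simplified Python model of the rule it describes (the most specific explicit setting wins, so an explicit ALLOW on a repo beats a DENY on the project), used to find the entries a cleanup script has to reset. The ACL entries, the `repoV2/<project>/<repo>` token layout, the bit values, and the group membership table are constructed assumptions, not output from a real organization.

```python
READ, CONTRIBUTE = 2, 4  # assumed bit values for the Git repositories namespace

# Constructed ACL entries (assumed token layout: repoV2/<project>/<repo>).
ACES = [
    {"token": "repoV2/proj", "identity": "READONLY", "allow": READ, "deny": CONTRIBUTE},
    {"token": "repoV2/proj/old-repo", "identity": "testuser", "allow": CONTRIBUTE, "deny": 0},
    {"token": "repoV2/proj/new-repo", "identity": "Contributors", "allow": READ, "deny": 0},
]
# Constructed, flattened membership: the user plus every group they belong to.
MEMBERSHIP = {"testuser": {"testuser", "Contributors", "READONLY"}}


def ancestors(token):
    """Yield the token itself, then each less specific parent token."""
    parts = token.split("/")
    for n in range(len(parts), 0, -1):
        yield "/".join(parts[:n])


def effective(aces, user, token, bit):
    """Most specific level with an explicit setting decides; deny wins within a level."""
    ids = MEMBERSHIP.get(user, {user})
    for level in ancestors(token):
        hits = [a for a in aces if a["token"] == level and a["identity"] in ids]
        if any(a["deny"] & bit for a in hits):
            return "deny"
        if any(a["allow"] & bit for a in hits):
            return "allow"
    return "not set"


def overriding_allows(aces, bit):
    """Return (token, identity) pairs whose explicit allow sits below a deny."""
    denied = {a["token"] for a in aces if a["deny"] & bit}
    return [
        (a["token"], a["identity"])
        for a in aces
        if a["allow"] & bit
        and any(parent in denied for parent in list(ancestors(a["token"]))[1:])
    ]


if __name__ == "__main__":
    print(effective(ACES, "testuser", "repoV2/proj/old-repo", CONTRIBUTE))
    print(overriding_allows(ACES, CONTRIBUTE))
```

Each pair returned by `overriding_allows` is a token and subject to hand to `az devops security permission reset`, after which the project-level DENY applies again.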
Azure DevOps now has a feature called: "Disable Repository".
Disable access to the repository (including builds, pull requests, etc) but keep the repository discoverable with a warning.
It means your repo will not allow commits, even builds and pipelines cannot use it. Just go to your DevOps "Project Settings". Scroll down to the "Repositories" menu and select which repo you want to disable.
