Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Azure DevOps make project read only

We have some old ADO/VSTS projects that we want to archive and make read only. Each project has work items, builds, git repos, etc...

at the moment the only methods I have found are painful.

  1. Remove all groups except read only group and add users in there. this is too painful and long, we have over 300 projects to make read only
  2. Create a new group and then add in other groups (e.g. proj admins, contributors etc..) and then add this group to the top level area/git repo path and set all to DENY. *

I tried this with git repos and There is some issues with this as some permissions are not inherited down to individual users who created the git repo and they are still able to checkin.

Here you can see I created a READONLY group and set everything to DENY except Read permissions. (The members of this group are the default groups e.g. contributors, build admins, proj admins)

enter image description here

However, I had a repo created by a test user BEFORE i created the readonly group and it seems that user still has permissions to that repo

enter image description here

ok ok I understand that if the permissions are set at the lower level, then they won't be inherited down from the top level parent. I could create a script that checks the users of every git repo and sets their check-in permissions to deny but that is painful and i would prefer not to do that. Likewise, some projects have over 300 git repos.

FYI I want to make the whole project read only not just git repos cream chargers.

like image 897
james Avatar asked Jan 17 '20 11:01

james


People also ask

How do I make my Azure DevOps project read only?

Azure DevOps now have a feature called: "Disable Repository". Disable access to to the repository (including builds, pull requests, etc) but keep the repository discoverable with a warning. It means your repo will not allow commits, even builds and pipelines cannot use it. Just go to your Devops "Project Settings".

How do I change the visibility of a project in Azure DevOps?

Enable anonymous access to projects for your organization You must be signed in to create a public project. Choose Azure DevOps to open Projects. Then choose Organization settings. Choose the Policies page, and select On for Allow public projects.

How do I restrict access to Azure DevOps?

Restrict access to view or modify objects Azure DevOps is designed to enable all valid users to view all objects defined in the system. You can restrict access to resources by setting the permission state to Deny. You can set permissions for members that belong to a custom security group or for an individual user.


2 Answers

Yeah, you've found one of the nasty features of the Azure DevOps permission model. More specific ACLs trump less specific ACLs. Even for DENY rules.

When there is an explicit ALLOW rule on a more specific ACL, it will override the DENY on a less specific ACL.

Specificity for git is based on:

  1. Server (TFS only)
  2. Organization / Project Collection
  3. Project
  4. Default repo settings
  5. Specific repo settings
  6. Branch folder settings (only settable through API)
  7. Specific branch settings

Similar hierarchies exist for other securables.

There is no easy way to strip these all, apart from scripting the action.

The Azure CLI has a devops extension which will allow you to script out what you want and can output JSON to make it easier to script.

You can use az devops security permission list to list all permissions defined for a identity (group or user) and az devops security permission reset or az devops security permission update to unset or override the given permission.

Other probably needed calls:

  • az devops security group list
  • az devops user list
  • az devops security group membership *
like image 103
jessehouwing Avatar answered Sep 17 '22 11:09

jessehouwing


Azure DevOps now have a feature called: "Disable Repository".

Disable access to to the repository (including builds, pull requests, etc) but keep the repository discoverable with a warning.

It means your repo will not allow commits, even builds and pipelines cannot use it. Just go to your Devops "Project Settings". Scroll down to "Repositories" menu and select which Repo do you want to disable.

enter image description here

like image 36
Major Avatar answered Sep 18 '22 11:09

Major