How to restrict access to Pipelines in Azure DevOps

Question

I need to restrict access so that a user can NOT:

1. See or access Pipelines, or any of its sub-features, including Builds, Releases, Library, Task groups, Deployment groups
2. Create or edit build pipelines

I followed this:
https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/set-permissions?view=vsts

I set all permissions to Deny. However, the user can still do both (1) and (2) above.

Question: Can I do either (1) or (2)?

Answer 1

In Organization Settings under Security you can set:

• Manage build resources
• Use build resources
• View build resources

I'd say those should be Deny.

I have personally encountered some permission caching issue when testing these things. Logging out and back in often doesn't change permissions right away.

Update: Under Pipelines->Release you can click the 3 dots and there is a security subsite there containing these:

Adding the user or group and setting Deny on those settings fixed it for me. This unfortunatly seems to be on a Release-Pipeline basis.

Update2: You can go into folder view when looking at releases, you can then create a folder to put all your release-pipelines into, then on a folder basis you can set the security settings to deny for you user or group, that way it will be inherited to every folder.

Developers need to remember to create release pipelines in that folder though.

You need to have pipelines in the root or you wont be able to see the security button. (tested in new and old navigation design)