Reputation: 98
When using the AzDO REST API Security Endpoint, I'm trying to determine which ACE dictionary in an Access Control List belongs to a specific security group.
Link to Documentation: https://learn.microsoft.com/en-us/rest/api/azure/devops/security/access%20control%20lists/query?view=azure-devops-rest-5.0
The JSON output includes a section called "acesDictionary". Each element in this section contains a "descriptor" key.
Example:
{
    "inheritPermissions": false,
    "token": "a0d66bdf-2d5a-48a5-822b-1d6c4e8f20a2",
    "acesDictionary": {
        "Microsoft.TeamFoundation.ServiceIdentity;53bed6f5-352c-4160-b88e-275616c09042:Build:6b1dcbeb-af9b-4218-ac72-fc84b6dce8de": {
            "descriptor": "Microsoft.TeamFoundation.ServiceIdentity;53bed6f5-352c-4160-b88e-275616c09042:Build:6b1dcbeb-af9b-4218-ac72-fc84b6dce8de",
            "allow": 8225,
            "deny": 0
        } ...truncated.
Through trial and error, I've been able to determine that one of the elements modifies permission for project contributors for a specific release pipeline. What I cannot figure out is how to translate the "descriptor" to the equivalent [ProjectName]SecurityGroupName. I need to be able to do this so I can modify the permission via a script for dozens of projects with dozens of release and build pipelines each.
Any advice on which endpoint to use would be greatly appreciated.
Upvotes: 3
Views: 762
Reputation: 36
You can find the identity of the descriptor using this undocumented API:
Disclaimer: Any API that is not publicly documented is subject to change at any time.
https://vssps.dev.azure.com/{organization}/_apis/identities?descriptors={IdentityDescriptor}
From there you can grab the security group from ProviderDisplayName.
Example response:
{
    "Id": "5b250e58-8dbf-4111-8eab-8735e1058a11",
    "Descriptor": {
        "IdentityType": "Microsoft.TeamFoundation.Identity",
        "Identifier": "S-1-9-2551374245-3827430512-2595430990-2155723759-1767818319-0-0-0-0-3"
    },
    "ProviderDisplayName": "[ExampleProjectName]\\Project Valid Users",
    "CustomDisplayName": null,
    "DisplayName": "[ExampleProjectName]\\Project Valid Users",
    "IsActive": true,
    "UniqueUserId": 0,
    "IsContainer": true,
    "Members": [],
    "MemberOf": [],
    "Properties": {
        "SchemaClassName": "Group",
        "Description": "Members of this group have access to the team project.",
        "Domain": "vstfs:///Classification/TeamProject/13f75242-3248-4999-a76c-47f6ec2580a4",
        "Account": "Project Valid Users",
        "SecurityGroup": "SecurityGroup",
        "SpecialType": "EveryoneApplicationGroup",
        "ScopeId": "70f521e4-b39a-4422-807d-bbef695ec44f",
        "ScopeType": "TeamProject",
        "LocalScopeId": "13g75242-3248-4999-a76c-47f6ec2580a4",
        "SecuringHostId": "23ad9cb9-521b-46c2-a7b0-fbd454ac7275",
        "ScopeName": "ExampleProjectName",
        "VirtualPlugin": ""
    }
}
Upvotes: 2
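Putting the question and the answer together as an added example (not code from either poster): walk an ACL's acesDictionary, resolve each descriptor to its group name through a lookup function, and select the ACEs for a given [Project]\Group. The sample ACL and identity records are constructed; the live resolver uses the undocumented identities endpoint from the answer with PAT Basic auth, and the unwrapping of a {"value": [...]} envelope is an assumption about the service's response shape.

```python
import base64, json, urllib.parse, urllib.request
from typing import Callable, Dict

# Constructed ACL fragment in the shape the question shows (token, descriptor and masks are sample data).
DESCRIPTOR = "Microsoft.TeamFoundation.Identity;S-1-9-2551374245-3827430512-2595430990-2155723759-1767818319-0-0-0-0-3"
SAMPLE_ACL = {
    "inheritPermissions": False,
    "token": "a0d66bdf-2d5a-48a5-822b-1d6c4e8f20a2",
    "acesDictionary": {DESCRIPTOR: {"descriptor": DESCRIPTOR, "allow": 8225, "deny": 0}},
}
# Constructed identity records keyed by descriptor, in the shape the answer's response shows.
SAMPLE_IDENTITIES = {DESCRIPTOR: {"ProviderDisplayName": "[ExampleProjectName]\\Project Valid Users"}}

def resolve_aces(acl: dict, lookup: Callable[[str], dict]) -> Dict[str, dict]:
    """Map every ACE descriptor to {"group": display name, "allow": mask, "deny": mask}."""
    resolved = {}
    for descriptor, ace in acl.get("acesDictionary", {}).items():
        identity = lookup(descriptor)
        name = identity.get("ProviderDisplayName") or identity.get("DisplayName") or descriptor
        resolved[descriptor] = {"group": name, "allow": ace["allow"], "deny": ace["deny"]}
    return resolved

def aces_for_group(resolved: Dict[str, dict], group_name: str) -> Dict[str, dict]:
    """Select the ACEs whose resolved name matches, e.g. '[MyProject]\\Contributors' (case-insensitive)."""
    return {d: e for d, e in resolved.items() if e["group"].lower() == group_name.lower()}

def live_lookup(organization: str, pat: str) -> Callable[[str], dict]:
    """Resolver that queries the undocumented identities endpoint from the answer, authenticating with a PAT."""
    auth = base64.b64encode(f":{pat}".encode()).decode()  # PAT goes in the password slot of Basic auth
    def lookup(descriptor: str) -> dict:
        query = urllib.parse.urlencode({"descriptors": descriptor})
        req = urllib.request.Request(
            f"https://vssps.dev.azure.com/{organization}/_apis/identities?{query}",
            headers={"Authorization": f"Basic {auth}"},
        )
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        # Assumption: the service may wrap results as {"count": n, "value": [...]}; unwrap the first entry if so.
        return body["value"][0] if isinstance(body, dict) and "value" in body else body
    return lookup

if __name__ == "__main__":
    # Offline run against the constructed samples; swap in live_lookup(org, pat) for a real organization.
    for d, e in resolve_aces(SAMPLE_ACL, SAMPLE_IDENTITIES.__getitem__).items():
        print(f"{e['group']}: allow={e['allow']} deny={e['deny']}  ({d})")
```

Because the resolver is injected, the same loop can be run once per project with the live lookup and the results cached by descriptor, so dozens of pipelines in a project cost one identity query per distinct group rather than one per ACL.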