Reputation: 61
Can a Personal Access Token in Azure DevOps (PAT) be scoped per project or git-Repo? Are there any good alternatives?
We have some shared (internal) dev/test VMs where multiple developers use git occasionally (e.g. VS Code), each with their own PAT.
Since these developers can potentially have access to different projects, we want to make sure that the impact of a missing logout (due to stored git-credentials) would be as small as possible.
The Azure DevOps web UI does not allow scoping PATs per project or git-repo, but I was wondering if there are any other options, e.g. via API or CLI or some alternatives to this approach. Basically I'd like to have the PAT scope as narrow as possible. Didn't find any related feature requests either.
Upvotes: 3
Views: 2855
Reputation: 18988
I was wondering if there are any other options, e.g. via API or CLI or some alternatives to this approach. Basically I'd like to have the PAT scope as narrow as possible.
You are right. If you want to use the API or any other tool to achieve this, I'm sorry to say that this is not possible now. The UI page where you generate the PAT is the only way to set the scope of the PAT. As for the API, until now it only supports List, not create, put or any other operation.
But if you limit the access on the permission settings page, then even if you give this account's token full access, the PAT still cannot operate on the content that is restricted in the UI.
So, as a workaround, I recommend you limit the access per project or git-repo on that page to achieve what you want. For example, if you want to limit project access, you can change it in the Users tab of the organization settings.
At this time, even if the scope of the token is full access, the user who is using this token still cannot access the projects they are not allowed to access.
But still, this has a disadvantage. If you just don't want this token to be used to operate on some specific projects/repos, rather than disallowing the user from accessing those projects/repos in the UI, this workaround will not work for you.
I think your request is reasonable; you can raise your suggestion in our Microsoft Developer Community. Hope you could raise more suggestions to help build a better Azure DevOps.
Upvotes: 4
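One way to check the workaround from the answer above, as an added example that is not part of the original posts: list what a given PAT can actually reach through the Azure DevOps REST API (projects, then git repositories per project) and compare it with an allow-list. The function names, the organization name `contoso`, the allow-list and the sample responses are constructed for illustration, and the PAT is assumed to carry scopes that permit listing projects and repositories.

```python
import base64
import json
import urllib.parse
import urllib.request

API = "api-version=7.0"

def auth_header(pat):
    # A PAT is sent as the password of HTTP Basic auth with an empty user name.
    return {"Authorization": "Basic " + base64.b64encode(f":{pat}".encode()).decode()}

def get_json(url, pat):
    req = urllib.request.Request(url, headers=auth_header(pat))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def names(payload):
    # List responses have the shape {"count": n, "value": [{"name": ...}, ...]}.
    return {item["name"] for item in payload.get("value", [])}

def reachable(org, pat, fetch=get_json):
    """Map every project the PAT can list to the repos it can list there."""
    base = f"https://dev.azure.com/{urllib.parse.quote(org)}"
    reach = {}
    for project in names(fetch(f"{base}/_apis/projects?{API}", pat)):
        url = f"{base}/{urllib.parse.quote(project)}/_apis/git/repositories?{API}"
        reach[project] = names(fetch(url, pat))
    return reach

def unexpected(reach, allowed):
    """Return what the PAT reaches beyond the allow-list (project -> repos)."""
    extra = {}
    for project, repos in reach.items():
        surplus = repos - allowed.get(project, set())
        if project not in allowed or surplus:
            extra[project] = surplus
    return extra

def sample_fetch(url, pat):
    # Constructed responses so the example runs offline; not real data.
    if "/_apis/projects" in url:
        return {"count": 2, "value": [{"name": "Alpha"}, {"name": "Beta Team"}]}
    if "/Alpha/" in url:
        return {"count": 2, "value": [{"name": "web"}, {"name": "infra"}]}
    return {"count": 1, "value": [{"name": "payroll"}]}

if __name__ == "__main__":
    reach = reachable("contoso", "constructed-pat", fetch=sample_fetch)
    print(unexpected(reach, {"Alpha": {"web"}}))
```

Calling `reachable(org, pat)` without the `fetch` argument queries the live organization; an empty result from `unexpected` means the permission settings confine the token to the allow-list. The sketch does not page through results, so very large organizations need the API's paging parameters.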