m00nbeam360.0

Reputation: 1412

Update permissions for Azure DevOps group for EventSubscription through Azure CLI?

I've been adding permissions to a custom Azure DevOps Services group through the Azure CLI (az devops version 0.11.0) and I've usually been able to do the following:

  1. az devops security permission namespace list, find namespaceId of specific namespace (like EventSubscription)
  2. Get the Project Admin's descriptor
  3. az devops security permission list --id $namespaceId --subject $projectAdmin.descriptor...
  4. Find an allow bit in the ACES dictionary, find the respective token
  5. az devops security permission update... with the new token

But when I run security permission list for the EventSubscription namespace, it returns with empty JSON for the project admins group so I can't find the token. I've tried "$SUBSCRIPTION" as it looked like what a TFS 2010 user used, but that doesn't work.

Questions:

  1. How can I list tokens on the project admins group for the EventSubscription namespace? I tried to see if tfssecurity would pull anything up, but that didn't work. I also tried using Fiddler to see if it would find a token, but also nothing. I can't use Fiddler with the UI.

  2. Or what token do I use for Azure DevOps to update the EventSubscription permission for a group?

Upvotes: 0

Views: 483

Answers (1)

Hugh Lin

Reputation: 19491

I tested with EventSubscription namespace id and project admins group descriptor as subject parameters and got the same result as you.


$env:AZURE_DEVOPS_EXT_PAT = 'ckdhd6wuma5uw2h35dv37pgdum5eyjviqneineixxxxx'

$output = az devops security permission namespace list | ConvertTo-Json -Depth 100

# Get the group descriptors at project scope
$output2 = az devops security group list --scope project | ConvertTo-Json -Depth 100

# EventSubscription namespaceId: 58b176e7-3411-457a-89d0-c6xxx / Project namespaceId: 52d39943-cb85-4d7f-8fa8-c6xxx
$output3 = az devops security permission list --namespace-id 58b176e7-3411-457a-89d0-c6xxxx --subject vssgp.Uy0xLTktMTU1MTM3NDI0NS00MjQ3MDQ2OTMyLTI2ODA1Nzg2MjktMjkxMzgyMjE4MC0yNDQ0MjYxxxxx | ConvertTo-Json -Depth 100

Write-Host $output3

But when I tested with Project namespace id and project admins group descriptor, I can get the token normally.


So I think this could be a problem with the association between the EventSubscription namespace and the project admins group descriptor. Can you share the corresponding operation in the UI? This will help me investigate further.

Upvotes: 1
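
Step 4 of the question's procedure and the listing in the answer both depend on reading the token and the allow/deny bits out of the permission-list JSON. The following is an added example, not code from either poster: it decodes such a listing into action names per token and makes the empty-listing case explicit. The JSON is constructed sample data, the field names are assumed to match the CLI's JSON output, and `Resolve-PermissionBits` and `Get-AclSummary` are hypothetical helper names.

```powershell
# Added example. Both JSON documents are CONSTRUCTED sample data; the field names
# (token, acesDictionary, allow, deny, bit, name) are assumed to match the CLI's JSON.
$actionsJson = @'
[ {"bit": 1, "name": "GENERIC_READ"},
  {"bit": 2, "name": "GENERIC_WRITE"},
  {"bit": 4, "name": "DELETE"} ]
'@
$aclJson = @'
[ { "token": "$PROJECT:vstfs:///Classification/TeamProject/00000000-0000-0000-0000-000000000000",
    "acesDictionary": {
      "Microsoft.TeamFoundation.Identity;S-1-9-PLACEHOLDER": { "allow": 3, "deny": 4 } } } ]
'@

# Translate a permission bitmask into the action names whose bit is set.
function Resolve-PermissionBits {
    param($Mask, $Actions)
    ($Actions | Where-Object { $Mask -band $_.bit }).name -join ', '
}

# Emit one row per (token, identity) pair found in the ACL list.
function Get-AclSummary {
    param([string]$AclJson, [string]$ActionsJson)
    $actions = $ActionsJson | ConvertFrom-Json
    $acls    = $AclJson | ConvertFrom-Json   # '[]' leaves nothing to iterate
    foreach ($acl in $acls) {
        foreach ($ace in $acl.acesDictionary.PSObject.Properties) {
            [pscustomobject]@{
                Token      = $acl.token
                Descriptor = $ace.Name
                Allow      = Resolve-PermissionBits $ace.Value.allow $actions
                Deny       = Resolve-PermissionBits $ace.Value.deny  $actions
            }
        }
    }
}

$rows = @(Get-AclSummary -AclJson $aclJson -ActionsJson $actionsJson)
if ($rows.Count -eq 0) {
    Write-Warning 'No ACL entries for this subject: no token can be read from the listing.'
}
$rows | Format-List

# The empty listing described in the thread produces no rows:
$empty = @(Get-AclSummary -AclJson '[]' -ActionsJson $actionsJson)
"Rows for empty listing: $($empty.Count)"
```

With live data, the two here-strings would be replaced by the JSON text returned by the `permission list` and `permission namespace list` commands from the question.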
