Get all security groups and users associated with a certain build definition[Azure-Devops]

Question

I have looked through the documentation available at - https://learn.microsoft.com/en-us/rest/api/azure/devops/security/?view=azure-devops-rest-5.1

For a certain build definition, I want to be able to get all the security groups and users associated with it through code/powershell script and output it to a json file for example.

Any help will be appreciated! I have tried curling multiple api's but not getting what I need.

Thanks!

Answer 1

There has one api does not been documented. Try with below:

POST https://dev.azure.com/{org name}/_apis/Contribution/HierarchyQuery/project/{project name}?api-version=5.0-preview.1

Request body:

{
  "contributionIds": [
    "ms.vss-admin-web.security-view-members-data-provider"
  ],
  "dataProviderContext": {
    "properties": {
      "permissionSetId": "33344d9c-fc72-4d6f-aba5-fa317101a7e9",
      "permissionSetToken": "{token}",
      "sourcePage": {
        "url": "https://dev.azure.com/{org name}/{project name}/_build?definitionId={build definition id}&_a=summary",
        "routeId": "ms.vss-build-web.pipeline-details-route",
        "routeValues": {
          "project": "{project name}",
          "viewname": "details",
          "controller": "ContributedPage",
          "action": "Execute",
          "serviceHost": "{org name}"
        }
      }
    }
  }
}

Some key points you should pay attention to:

• permissionSetId: Here the 33344d9c-fc72-4d6f-aba5-fa317101a7e9 is a fixed value which represent the namespaceid of build security.

• permissionSetToken: This is the token which can used to get the security info. You can run below command to get the token(s) you should used.

  az devops security permission list --id 33344d9c-fc72-4d6f-aba5-fa317101a7e9 --subject {your account} --output table --organization https://dev.azure.com/{org name} --project {project name}

• url: Here the url value used to tell the system which specific build you want to check. Just replace the corresponding org name/project name/definition id into the URL sample provided.

---

In addition, I wrote a shot powershell script for you:

$token = "{token}"

$url="https://dev.azure.com/{org name}/_apis/Contribution/HierarchyQuery/project/{project name}?api-version=5.0-preview.1"

$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($token)"))

$context=@"
{
  "contributionIds": [
    "ms.vss-admin-web.security-view-members-data-provider"
  ],
  "dataProviderContext": {
    "properties": {
      "permissionSetId": "33344d9c-fc72-4d6f-aba5-fa317101a7e9",
      "permissionSetToken": "{token}",
      "sourcePage": {
        "url": "https://dev.azure.com/{org name}/{project name}/_build?definitionId={build definition id}&_a=summary",
        "routeId": "ms.vss-build-web.pipeline-details-route",
        "routeValues": {
          "project": "{project name}",
          "viewname": "details",
          "controller": "ContributedPage",
          "action": "Execute",
          "serviceHost": "{org name}"
        }
      }
    }
  }
}
"@

$response = Invoke-RestMethod -Uri $url -Headers @{Authorization = "Basic $token"} -Method Post -Body $context -ContentType "application/json"

Write-Host "results = $($response.dataProviders.'ms.vss-admin-web.security-view-members-data-provider'.identities.displayname| ConvertTo-Json -Depth 100)"