Reputation: 1603
Only allow users under a certain AD Group to approve Pull Requests on Azure DevOps
On my organisation we use Azure DevOps and we have a repository where we want developers to be able to create pull requests with changes to it, but only develpers belonging to certain AD group to be able to approve them. What's the best way to achieve this in Azure DevOps?
According to Microsoft Documentation there is a permission called "Contribute to pull requests " which allows "Can create, comment on, and vote on pull requests." However, disabling this would mean that people cannot create pull requests. I want them to be able to create the pull request, just not able to approve them and complete them.
Upvotes: 1
Views: 4153
Answers (1)
Reputation: 28096
However, disabling this would mean that people cannot create pull requests. I want them to be able to create the pull request, just not able to approve them and complete them.
If the
Contributeis set toDeny, then the developer canreview the code/create new branch/create PR/approve PRbut can'tpush changes to master branch or branch not created by himself/complete PR. So this option can only partly meet your needs.Apart from above, a most recommended way in this scenario is to use Branch Policies.
Since the original purpose is to avoid developers to complete the PR themselves, you can set both
Require a minimum number of reviewersandAutomatically Include reviewersoptions to meet your original needs:
So that all the PRs in master branch can't be completed until it gets enough approvals from specific Group. (The group you're in, Project Administrators or what) Then the developers can create the PR, but the PR can only be completed by approvals from you(Team admins/managers?).
You can choose one of the above two options or combine them together to meet your needs.
In addition: If all above still can't meet your requirements very well, feel free to post your feature request in our User Voice forum, the Product Team would consider about your feedback. Follow the feedback and you can get notifications if there's any update.
Hope all above helps :)
Upvotes: 3
Related Questions
- Is it possible to restrict who can complete a Pull Request in Azure DevOps?
- Azure DevOps: approve Pull Request programatically
- Azure DevOps: Approver unable to approve their own PR
- Azure DevOps pull request forbid manipulation of required reviewers
- Azure Devops Pull Request - Prevent a user approving request if they have worked on the branch
- Set Pull Request polices based on raising user(s)
- Permission required so users can add Required Reviewer to Pull Requests
- Restrict Pull Requests Between specific Branches
- Azure DevOps: Restrict pull requests to subset of team
- Removing required approvers from VSTS pull request