George Vovos

Reputation: 7618

Allow users to set branch policies but not Cross Repo Policies

Current situation (if I'm not missing anything)

  1. If Project settings -> Repos -> Repositories -> Git Repositories -> "Edit Policies" is allowed, users can edit Cross Repo Policies and add "local" policies to individual repos/branches

  2. If Project settings -> Repos -> Repositories -> Git Repositories -> "Edit Policies" is denied, users can't edit any kind of policies (Cross Repo or "local")

  3. If I want users to be able to edit "local" policies on specific repos/branches but not be able to edit Cross Repo Policies, I have to

    On "Git Repositories", set "Edit Policies" to Denied
    On each Repository, set "Edit Policies" to Allowed

Desired behavior
Is there a way to allow users to edit "Local" repository/branch policies without setting permissions on each individual repo?

Basically, I want to enforce the company-wide "Cross Repo Policies" but allow teams to add additional policies on their own repos/branches if necessary.

Thanks

Upvotes: 0

Views: 523

Answers (1)

Levi Lu-MSFT

Reputation: 30313

The behavior you described in the current situation above is by design, and it is easy to understand, because the permissions you set for Git Repositories are Cross Repo; they apply to all the repos in the project.

So if you allow the Edit Policies permission for a user at the Git Repositories level, he will be able to edit the Cross Repo Policies. If you deny the permission, he will not be able to edit any kind of policy.

When a user is added to a team group of the project, he will inherit the permission settings of this group. So you can set the Edit Policies permission to Not set for a user at the Git Repositories level; he will then inherit the permission set for the group of which he is a member.

If you want to enforce the company-wide "Cross Repo Policies" but allow teams to add additional policies on their own repos/branches if necessary, you will need to set the Edit Policies permission to Deny at the Git Repositories level and set the Edit Policies permission to Allow at each repo level for each individual team group.

Check the steps here to add a team in Azure DevOps.

Upvotes: 1
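
The per-repository Allow step from the answer above can be scripted instead of clicked through for every repo; this is an added example, not part of the original answer. It assumes the Azure CLI with the azure-devops extension and that Deny is already set at the Git Repositories level; the project ID, repository IDs and group descriptor shown are constructed placeholders.

```sh
#!/bin/sh
# Added example: set "Edit policies" to Allow on each repository for one
# team group. Project-wide Deny on "Git Repositories" is assumed to be in place.

# "Git Repositories" security namespace and its EditPolicies permission bit.
GIT_NAMESPACE_ID="2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"
EDIT_POLICIES_BIT=2048

# Security token that scopes an ACL entry to a single repository.
repo_token() {
  printf 'repoV2/%s/%s' "$1" "$2"
}

# Usage: <repo ids on stdin, one per line> | grant_edit_policies PROJECT_ID GROUP_DESCRIPTOR
# DRY_RUN=1 (the default) only prints the commands so they can be reviewed first.
grant_edit_policies() {
  gep_project="$1"
  gep_subject="$2"
  while IFS= read -r gep_repo; do
    [ -n "$gep_repo" ] || continue          # skip blank lines
    gep_token="$(repo_token "$gep_project" "$gep_repo")"
    if [ "${DRY_RUN:-1}" = 1 ]; then
      printf 'az devops security permission update --id %s --subject %s --token %s --allow-bit %s --merge true\n' \
        "$GIT_NAMESPACE_ID" "$gep_subject" "$gep_token" "$EDIT_POLICIES_BIT"
    else
      # --merge true keeps the group's other allow/deny bits on this repo.
      az devops security permission update --id "$GIT_NAMESPACE_ID" \
        --subject "$gep_subject" --token "$gep_token" \
        --allow-bit "$EDIT_POLICIES_BIT" --merge true </dev/null
    fi
  done
}

# Dry run over constructed IDs (placeholders, not real project or repo IDs).
printf '%s\n' "11111111-aaaa-4000-8000-000000000001" \
              "11111111-aaaa-4000-8000-000000000002" |
  grant_edit_policies "00000000-0000-4000-8000-000000000000" "vssgp.PLACEHOLDER"

# Real run, feeding every repository ID in the project:
#   az repos list --project "$PROJECT" --query '[].id' -o tsv |
#     DRY_RUN=0 grant_edit_policies "$PROJECT_ID" "$GROUP_DESCRIPTOR"
```

Repositories created later still need the same Allow entry, so the script has to be re-run (or scheduled) after new repos are added.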
