Baequiraheal

Reputation: 139

Pipelines security groups Azure DevOps API

Is there a way to see which groups/users have access to a specific pipeline in a project, and what their permissions are, with the REST API?

Upvotes: 0

Views: 597

Answers (1)

Levi Lu-MSFT

Reputation: 30333

I am afraid there is no REST API that can directly check a group's/user's permissions on a specific pipeline. You have to use multiple REST APIs to get what you want. See the steps below:

1. Get the groups via the Groups list API. Get all users via the Users list API.

You need to get the subject descriptor of the group/user from the result.

e.g. "descriptor": "acs.Nzc4OWYwOWQtZTA1My00ZjJlLWJkZWUtMGM4Zjg0NzZhNGJj"

2. Use the subject descriptor from the above REST API to get the identity descriptor via the Identities - Read Identities REST API:

https://vssps.dev.azure.com/{organization}/_apis/identities?subjectDescriptors={subjectDescriptors}&api-version=6.1-preview.1

Get the identity descriptor from the result:

e.g. "descriptor": "Microsoft.IdentityModel.Claims.ClaimsIdentity;7a394543-62fd-4274-a7d2-8fac775942b6\\[email protected]"

3. Use the Access Control Lists - Query REST API to check the permissions for this group/user, using the above identity descriptor and token:

GET https://dev.azure.com/{organization}/_apis/accesscontrollists/{securityNamespaceId}?token={token}&descriptors={descriptors}&includeExtendedInfo={includeExtendedInfo}&recurse={recurse}&api-version=6.1-preview.1

The securityNamespaceId of Build is a constant value 33344d9c-fc72-4d6f-aba5-fa317101a7e9. See here for all securityNamespaceIds.

The token's format is projectId/buildDefinitionId

For example, the request URL to get the permissions for a buildDefinition can look like this:

"https://dev.azure.com/myOrg/_apis/accesscontrollists/33344d9c-fc72-4d6f-aba5-fa317101a7e9?includeExtendedInfo=True&token=****-****-4fa8-b2f1-0ee8f4fc82c5/87&descriptors=Microsoft.TeamFoundation.ServiceIdentity;bfbbe64a-653b-47f8-8f74-a56680a9bc6a:Build:39e13f04-cb4e-4fa8-b2f1-0ee8f4fc82c5&api-version=6.1-preview.1"

Then you will get the permission result from the extendedInfo like below:


In order to understand the permission value (e.g. 3 below) in extendedInfo

"extendedInfo": {"effectiveAllow": 3}

You can check the Security Namespaces - Query REST API. See below the name of each permission and its bit for the Build security namespace.

  bit name                           displayName                           namespaceId                         
  --- ----                           -----------                           -----------                         
    1 ViewBuilds                     View builds                           00000000-0000-0000-0000-000000000000
    2 EditBuildQuality               Edit build quality                    00000000-0000-0000-0000-000000000000
    4 RetainIndefinitely             Retain indefinitely                   00000000-0000-0000-0000-000000000000
    8 DeleteBuilds                   Delete builds                         00000000-0000-0000-0000-000000000000
   16 ManageBuildQualities           Manage build qualities                00000000-0000-0000-0000-000000000000
   32 DestroyBuilds                  Destroy builds                        00000000-0000-0000-0000-000000000000
   64 UpdateBuildInformation         Update build information              00000000-0000-0000-0000-000000000000
  128 QueueBuilds                    Queue builds                          00000000-0000-0000-0000-000000000000
  256 ManageBuildQueue               Manage build queue                    00000000-0000-0000-0000-000000000000
  512 StopBuilds                     Stop builds                           00000000-0000-0000-0000-000000000000
 1024 ViewBuildDefinition            View build pipeline                   00000000-0000-0000-0000-000000000000
 2048 EditBuildDefinition            Edit build pipeline                   00000000-0000-0000-0000-000000000000
 4096 DeleteBuildDefinition          Delete build pipeline                 00000000-0000-0000-0000-000000000000
 8192 OverrideBuildCheckInValidation Override check-in validation by build 00000000-0000-0000-0000-000000000000
16384 AdministerBuildPermissions     Administer build permissions          00000000-0000-0000-0000-000000000000

The value of the effectiveAllow is the sum of the bits for the allowed permissions. In the above example, the effectiveAllow is 3. So the permissions for this group are ViewBuilds --> allow and EditBuildQuality --> allow.

Hope above helps!

Upvotes: 1
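The decoding step from the answer above, as an added example that is not part of the original answer: it turns the effectiveAllow/effectiveDeny masks of an Access Control Lists - Query response into permission names using the Build bit table quoted in the answer, and marks entries holding permissions a reviewer may want to look at first. It assumes the response was requested with includeExtendedInfo=True and has the value / acesDictionary / extendedInfo layout; the SENSITIVE set, the sample response and its descriptors are constructed placeholders.

```python
import json

# Bit -> name for the Build security namespace, copied from the table in the answer.
BUILD_BITS = {
    1: "ViewBuilds", 2: "EditBuildQuality", 4: "RetainIndefinitely",
    8: "DeleteBuilds", 16: "ManageBuildQualities", 32: "DestroyBuilds",
    64: "UpdateBuildInformation", 128: "QueueBuilds", 256: "ManageBuildQueue",
    512: "StopBuilds", 1024: "ViewBuildDefinition", 2048: "EditBuildDefinition",
    4096: "DeleteBuildDefinition", 8192: "OverrideBuildCheckInValidation",
    16384: "AdministerBuildPermissions",
}
# Assumption: which permissions count as sensitive is a local review policy.
SENSITIVE = {"EditBuildDefinition", "DeleteBuildDefinition", "AdministerBuildPermissions"}

def decode_mask(mask):
    """Split a permission bitmask into names; unknown bits are reported, not dropped."""
    names = [name for bit, name in BUILD_BITS.items() if mask & bit]
    unknown = mask & ~sum(BUILD_BITS)
    if unknown:
        names.append(f"UnknownBits({unknown})")
    return names

def audit_acls(response):
    """One row per (token, descriptor) with decoded effective permissions."""
    rows = []
    for acl in response.get("value", []):
        for descriptor, ace in acl.get("acesDictionary", {}).items():
            info = ace.get("extendedInfo", {})  # only present with includeExtendedInfo=True
            allow = decode_mask(info.get("effectiveAllow", 0))
            rows.append({
                "token": acl.get("token"), "descriptor": descriptor, "allow": allow,
                "deny": decode_mask(info.get("effectiveDeny", 0)),
                "sensitive": sorted(SENSITIVE.intersection(allow)),
            })
    return rows

# Constructed sample response; token and descriptors are placeholders, not real identities.
SAMPLE = json.loads("""
{"count": 1, "value": [{"inheritPermissions": true, "token": "PROJECT_ID/87",
  "acesDictionary": {
    "EXAMPLE_DESCRIPTOR_READERS": {"descriptor": "EXAMPLE_DESCRIPTOR_READERS",
      "allow": 3, "deny": 0, "extendedInfo": {"effectiveAllow": 3}},
    "EXAMPLE_DESCRIPTOR_ADMINS": {"descriptor": "EXAMPLE_DESCRIPTOR_ADMINS",
      "allow": 19457, "deny": 4096, "extendedInfo": {"effectiveAllow": 19457, "effectiveDeny": 4096}}}}]}
""")

if __name__ == "__main__":
    for row in audit_acls(SAMPLE):
        print(row)
```

Reading the effective masks from extendedInfo rather than the raw allow/deny values means permissions inherited from the project or parent folder are included in the review.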
