Oleksii

Reputation: 1549

Azure DevOps REST API does not return groups that are members of a certain group

I'm observing strange behaviour of the Azure DevOps REST API. This documentation page https://learn.microsoft.com/en-us/rest/api/azure/devops/memberentitlementmanagement/?view=azure-devops-rest-5.1 says that "A member is a user or a group added to an account."

But when I try to get members of a certain group like: https://vsaex.dev.azure.com/XXXXX/_apis/GroupEntitlements/YYY/members?api-version=5.1-preview.1

it returns all user members perfectly fine, however no group members of the YYY group. At the same time I can see that YYY contains quite a lot of groups that are members of YYY.

At the same time I do not see any other API that looks able to do what I need. My personal access token has all 'Read' permissions to all object types. Am I missing something obvious? Thanks in advance.

Upvotes: 0

Views: 1223

Answers (1)

Vito Liu

Reputation: 8298

As a workaround, we can use the API to list all groups and get the group ID (the group ID in the response body is originId)

GET https://vssps.dev.azure.com/{Org name}/_apis/graph/groups?api-version=6.0-preview.1

Get the group's subjectDescriptor via the REST API below

Note: subjectDescriptor is a field value in the response body

GET https://vssps.dev.azure.com/{Org name}/_apis/graph/descriptors/{Group ID}

List group members

POST https://dev.azure.com/{Org name}/_apis/Contribution/HierarchyQuery?api-version=5.1-preview.1

Request Body

{
  "contributionIds": [
    "ms.vss-admin-web.org-admin-members-data-provider"
  ],
  "dataProviderContext": {
    "properties": {
      "subjectDescriptor": "{subjectDescriptor}",
      "sourcePage": {
        "url": "https://dev.azure.com/{Org name}/_settings/groups?subjectDescriptor={subjectDescriptor}",
        "routeId": "ms.vss-admin-web.collection-admin-hub-route",
        "routeValues": {
          "adminPivot": "groups",
          "controller": "ContributedPage",
          "action": "Execute"
        }
      }
    }
  }
}

Note: I recommend that you raise the initial issue with the Developer Community; they will check it and contact the product team.

Update1

Check the group permissions and get the NamespaceId and Token.

GET https://dev.azure.com/{Org name}/_apis/Contribution/HierarchyQuery?api-version=6.0-preview

Request Body

{
  "contributionIds": [
    "ms.vss-admin-web.org-admin-groups-permissions-pivot-data-provider"
  ],
  "dataProviderContext": {
    "properties": {
      "subjectDescriptor": "{subjectDescriptor}",
      "sourcePage": {
        "url": "https://dev.azure.com/v-viliu/_settings/groups?subjectDescriptor={subjectDescriptor}",
        "routeId": "ms.vss-admin-web.collection-admin-hub-route",
        "routeValues": {
          "adminPivot": "groups",
          "controller": "ContributedPage",
          "action": "Execute"
        }
      }
    }
  }
}

Get the descriptor via the API below

GET https://dev.azure.com/{Org name}/_apis/accesscontrollists/{securityNamespaceId}?api-version=6.0

Get the group permission details

https://dev.azure.com/{Org name}/_apis/accesscontrollists/{securityNamespaceId}?token={Token}&descriptors={descriptor}&api-version=6.0

Note: This is binary code.

Update group permission.

POST https://dev.azure.com/{organization}/_apis/accesscontrollists/{securityNamespaceId}?api-version=6.0

We could get the request body through the API above. If you need to change permissions, you only need to change the values of the Allow and Deny fields.

You could also refer to this link.

Upvotes: 2
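
The Allow and Deny values mentioned in the answer are bitmasks, so reviewing or editing a group's permissions means decoding them first. The following is an added example, not code from the answer or from Microsoft: it decodes one access control entry and builds an update body that changes only allow/deny. The action names and bit values, the sample response and the `acesDictionary` layout used here are constructed assumptions; take the real bit definitions from your own security namespace.

```python
import copy

# Constructed sample: action bits as a security namespace might define them.
# Names and values are illustrative assumptions, not a real namespace.
ACTIONS = {1: "Read", 2: "Write", 4: "Delete", 8: "ManagePermissions"}

# Constructed sample shaped like an accesscontrollists GET response (assumed layout).
ACL_RESPONSE = {
    "count": 1,
    "value": [{
        "inheritPermissions": True,
        "token": "{Token}",
        "acesDictionary": {
            "{descriptor}": {"descriptor": "{descriptor}", "allow": 11, "deny": 4}
        },
    }],
}

def decode_mask(mask, actions=ACTIONS):
    """Return action names for each set bit, lowest bit first; unknown bits are kept visible."""
    bits = (1 << i for i in range(mask.bit_length()))
    return [actions.get(b, f"unknown(0x{b:x})") for b in bits if mask & b]

def describe_ace(ace, actions=ACTIONS):
    """Decode one entry; 'conflict' lists bits set in both masks, worth flagging in a review."""
    allow, deny = ace["allow"], ace["deny"]
    return {
        "allow": decode_mask(allow, actions),
        "deny": decode_mask(deny, actions),
        "conflict": decode_mask(allow & deny, actions),
    }

def with_permission_change(acl_response, descriptor, grant=0, revoke=0, block=0):
    """Copy the GET response and edit only allow/deny for one descriptor.

    grant sets allow bits, revoke clears allow bits, block sets deny bits
    and clears the same bits from allow. Every other field is left untouched.
    """
    body = copy.deepcopy(acl_response)
    for acl in body["value"]:
        ace = acl["acesDictionary"].get(descriptor)
        if ace is None:
            continue  # this ACL has no entry for the descriptor
        ace["allow"] = (ace["allow"] | grant) & ~revoke & ~block
        ace["deny"] = (ace["deny"] | block) & ~grant
    return body
```

Comparing `describe_ace` output before and after `with_permission_change` gives a readable diff of exactly which permissions the update body would alter.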
