In Azure DevOps Services where can one configure "Administer Permissions" access of a user to some Environment?

Question

When I am trying to change the access of Project Administrators from Reader to Administrator I get

Access Denied: e...4 needs the following permission(s) on the resource Environments/f...6/7 to perform this action: Administer Permissions

Where e...4 corresponds to the id of my user in Azure DevOps Services.

(I am a Project Administrator)

Who can grant these Administer Permissions rights? Is it some kind of Organization Administrator? Where its screen? Documentation? Rest API?

I could not find anything.

Answer 1

If the UI interface is improperly operated, even PCA (Project Collection Administrators) or Organization Owner will also be trapped in the UI interface here (the PCA/ORG Owner may also lose all operating permissions on Env in the UI interface of Env's permission settings.). But REST API can get rid of this situation.

There is a REST API document about this, but there doesn't have a specific document for this.

Roleassignments - Set Role Assignments

You can use f12 to capture the detailed request(UI also based on the above REST API).

I write a python demo to achieve your requirement.

import requests
import json

url = "https://dev.azure.com/<Organization Name>/_apis/securityroles/scopes/distributedtask.environmentreferencerole/roleassignments/resources/<Project ID>_<Env ID>?api-version=5.0-preview.1"

payload = json.dumps([
  {
    "userId": "<User ID>",
    "roleName": "Administrator"
  }
])
headers = {
  'Authorization': 'Basic <Your Personal Access Token>',
  'Content-Type': 'application/json'
}

response = requests.request("PUT", url, headers=headers, data=payload)

print(response.text)

Use List Projects REST API to get the project id.

Use List Users REST API to get the user ID.

Get the Env ID from the Env page url.