caganeraydin

Reputation: 1

How to grant dashboard (manage) permission to System.AccessToken for updating a dashboard widget using Azure DevOps REST API?

I want to call Azure DevOps REST API's Widgets - Update Widget endpoint from an Azure DevOps Build Pipeline.

I'm calling the endpoint from a PowerShell task and I am passing the System.AccessToken in the header like this:

@{ Authorization = 'Bearer $(System.AccessToken)' };

The error I'm seeing

Invoke-RestMethod : {"$id":"1","innerException":null,"message":"VS403200: User '<project-name> Build Service (<org-name>)' is denied 'Manage' permission on dashboard resources.","typeName":"Microsoft.TeamFoundation.Dashboards.WebApi.InsufficientPermissionsException, Microsoft.TeamFoundation.Dashboards.WebApi","typeKey":"InsufficientPermissionsException","errorCode":0,"eventId":3000}

Does anybody know what permissions need to be granted and how they can be granted in Azure DevOps?

Upvotes: 0

Views: 32

Answers (1)

bryanbcook

Reputation: 18328

You're referring to the Widgets - Update Widget endpoint, which requires the scope vso.dashboards_manage. The Widgets - Get Widget endpoint requires scope vso.dashboard_read. All users can read dashboard widgets, which explains why the Get method works.

There are two types of build agents; the one your project is using is based on the Settings > Pipelines: Settings > "Limit job authorization scope...". Additional info here.

The two types of accounts are:

  • Organization-scoped build agents: have access to resources across projects. The name of this account is "Project Collection Build Service (your-org-name)"
  • Project-scoped build agents: can only access resources within a single project. The name of this account is "your-project-name Build Service (your-org-name)"

You appear to be using a project-scoped agent.

By default, only Team Administrators can assign permissions to a Dashboard. To grant your project-scoped build agent the "manage" permission:

  1. Navigate to the Dashboard

  2. Select "Dashboard Settings" from the menu in the top right

  3. Under security, click "manage permissions for this dashboard"

  4. In the dialog that appears, type the name of the build agent into the search box.


  5. Grant the user the "Edit dashboard" permission.


Upvotes: 0
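
To find out which of the two build accounts described in the answer needs the dashboard permission, the VS403200 error body can be parsed directly. This is an added example, not code from the question or the answer; the function name `Resolve-DashboardDenial` is hypothetical and the sample project and organization names are constructed.

```powershell
# Added example. Resolve-DashboardDenial is a hypothetical helper name.
function Resolve-DashboardDenial {
    param([Parameter(Mandatory)][string]$ErrorBody)  # raw JSON body of the failed call

    try   { $err = $ErrorBody | ConvertFrom-Json -ErrorAction Stop }
    catch { throw "Response body is not JSON: $ErrorBody" }

    # Only the permission failure shown in the question is handled here.
    if ($err.typeKey -ne 'InsufficientPermissionsException') { return $null }
    $pattern = "^VS403200: User '(?<user>.+)' is denied '(?<perm>.+)' permission on dashboard resources\."
    if (-not ($err.message -match $pattern)) { return $null }

    # Copy the captures now: the next -match overwrites $Matches.
    $user = $Matches['user']
    $perm = $Matches['perm']

    # Account naming as given in the answer:
    #   "Project Collection Build Service (org)" -> organization-scoped
    #   "<project> Build Service (org)"          -> project-scoped
    if ($user -match '^Project Collection Build Service \((?<org>.+)\)$') {
        $scope = 'Organization'; $project = $null; $org = $Matches['org']
    } elseif ($user -match '^(?<project>.+) Build Service \((?<org>.+)\)$') {
        $scope = 'Project'; $project = $Matches['project']; $org = $Matches['org']
    } else {
        # A named user or other identity, not a pipeline build account.
        $scope = 'Other'; $project = $null; $org = $null
    }

    [pscustomobject]@{
        Identity     = $user      # the name to type into the dashboard permissions dialog
        Permission   = $perm
        Scope        = $scope
        Project      = $project
        Organization = $org
    }
}

# Constructed sample body, modelled on the error in the question.
$sample = @'
{"$id":"1","innerException":null,"message":"VS403200: User 'ExampleProject Build Service (example-org)' is denied 'Manage' permission on dashboard resources.","typeKey":"InsufficientPermissionsException","errorCode":0,"eventId":3000}
'@

# In a pipeline, pass $_.ErrorDetails.Message from the catch block around Invoke-RestMethod.
Resolve-DashboardDenial -ErrorBody $sample | Format-List
```

The `Identity` value is the account to search for in step 4, so the permission is granted on that one dashboard to the account the job actually ran as.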
