Az Devops Security CLI does not work #29308

Description

@14juanvf14

Describe the bug

I’ve created a scoped group for the project in azdevops and can assign-unassign permissions at the project level without any problems.

I want to block repository creation and understand that it’s an object-level security permission.

I run the following command string in CLI:

$subject = portion of the descriptor field that matches the group name ("vssgp. Uy0x…")

$orgUrl = "https://dev.azure.com/XXX"

$namespaceId = az devops security permission namespace list -o json --org "$orgUrl" --query "[?@.name == 'Git Repositories'].namespaceId | [0]"

$bit = az devops security permission namespace show -o json --namespace-id $namespaceId --org "$orgUrl" --query "[0].actions[?@.name == 'CreateRepository'].bit | [0]"

Finally, I execute the command:

az devops security permission update --id $namespaceId --subject $subject --token '$PROJECT:vstfs:///Classification/TeamProject/XXX-ID PROJECT-XX' --deny-bit $bit --org "$orgUrl" --merge true

I get the project id through the Azure Rest API and it works at the project level, however the object-level permissions

The GUIDs used in the command comply with the indicated format.

az devops security permission update --id 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' --subject vssgp. Uy0… jU4 --token '$PROJECT:vstfs:///Classification/TeamProject/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' --deny-bit 16 --org https://dev.azure.com/ORG-CFM-GOB-Gobierno-IT

As I mentioned, the command works with project-level permissions but not at the object level, such as 'Git Repositories', according to https://learn.microsoft.com/es-es/azure/devops/organizations/security/permissions?view=azure-devops&tabs=current-page#project-level-permissions

The CLI response when running at the project level is

[
  {
    "acesDictionary": {
      "Microsoft.TeamFoundation.Identity; S-1-9-…-3252845889-… -2985685298-… -1-1409785011-596615241-…-1374749258": {
        "allow": 2228230,
        "deny": 0,
        "descriptor": "Microsoft.TeamFoundation.Identity; S-1-9…-1374749258",
        "extendedInfo": {
          "effectiveAllow": 2228230
        },
        "resolvedPermissions": [
          {
            "bit": 4,
            "displayName": "Delete this node",
            "effectivePermission": "Allow",
            "name": "DELETE"
          }
        ]
      }
    },
    "includeExtendedInfo": true,
    "inheritPermissions": true,
    "token": "$PROJECT:vstfs:///Classification/TeamProject/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  }
]

But when running the commands at the object level:

TF400898: An Internal Error Occurred. Activity Id: 7232aeb7-1e2b-4310-93a6-d04798563461.

TF400898: An Internal Error Occurred. Activity Id: f6fc89af-c214-428b-b6b1-a46f4cae629e.

TF400898: An Internal Error Occurred. Activity Id: b6163f57-3fed-4bc0-b08a-6c2f0eeb2fb2.

TF400898: An Internal Error Occurred. Activity Id: 9c75f855-e3e4-4b9e-bf79-d58ff19bb95e.

Related command

az devops security permission update --id $namespaceId --subject $subject --token '$PROJECT:vstfs:///Classification/TeamProject/XXXX-XXX....' --deny-bit $bit --org "$orgUrl" --merge true

Errors

The command failed when it should have assigned permissions

Issue script & Debug output

TF400898: An Internal Error Occurred. Activity Id: 7232aeb7-1e2b-4310-93a6-d04798563461.

TF400898: An Internal Error Occurred. Activity Id: f6fc89af-c214-428b-b6b1-a46f4cae629e.

TF400898: An Internal Error Occurred. Activity Id: b6163f57-3fed-4bc0-b08a-6c2f0eeb2fb2.

TF400898: An Internal Error Occurred. Activity Id: 9c75f855-e3e4-4b9e-bf79-d58ff19bb95e.

Expected behavior

Assign or unassign a permission

Environment Summary

azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Extensions:
azure-devops 1.0.1

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Additional context

No response
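
One way to check, from the JSON that `az devops security permission` returns, whether a given bit ended up allowed, denied or unset for each descriptor. This is an added example, not part of the original issue or of the Azure CLI code base. The sample JSON, the placeholder tokens and descriptors, and the `effectiveDeny` field read alongside the `effectiveAllow` shown in the response above are assumptions.

```python
import json

def actions_from_namespace(ns_json):
    """Map bit -> action name from `namespace show` output ([0].actions[].bit/name)."""
    return {a["bit"]: a["name"] for a in json.loads(ns_json)[0]["actions"]}

def decode_mask(mask, actions):
    """Split an ACE bitmask into action names; bits missing from `actions` stay as hex."""
    return [actions.get(1 << i, f"unknown(0x{1 << i:x})")
            for i in range(mask.bit_length()) if mask >> i & 1]

def audit_bit(acl_json, bit, actions):
    """Per (token, descriptor): is `bit` denied, allowed or unset on that ACE?"""
    report = {}
    for acl in json.loads(acl_json):
        for descriptor, ace in acl["acesDictionary"].items():
            ext = ace.get("extendedInfo", {})
            # Prefer effective masks (they include inherited ACEs) when present.
            allow = ext.get("effectiveAllow", ace.get("allow", 0))
            deny = ext.get("effectiveDeny", ace.get("deny", 0))
            # In this check a deny bit takes precedence over an allow bit.
            state = "Deny" if deny & bit else "Allow" if allow & bit else "Not set"
            report[(acl["token"], descriptor)] = {
                "state": state,
                "allow": decode_mask(allow, actions),
                "deny": decode_mask(deny, actions),
            }
    return report

# --- Constructed sample data (not real CLI output) ---
# Only the action bits that appear on the page are named here.
GIT_NAMESPACE = json.dumps([{"name": "Git Repositories",
                             "actions": [{"bit": 16, "name": "CreateRepository"}]}])
PROJECT_NAMESPACE = json.dumps([{"name": "Project",
                                 "actions": [{"bit": 4, "name": "DELETE"}]}])
# The allow mask 2228230 is the value shown in the issue's project-level response.
PROJECT_ACL = json.dumps([{"token": "<project-token>", "acesDictionary": {
    "<group-descriptor>": {"allow": 2228230, "deny": 0,
                           "extendedInfo": {"effectiveAllow": 2228230}}}}])
# Assumed shape of an ACE after a --deny-bit 16 update has been applied.
GIT_ACL = json.dumps([{"token": "<git-token>", "acesDictionary": {
    "<group-descriptor>": {"allow": 0, "deny": 16, "extendedInfo": {}}}}])

if __name__ == "__main__":
    for ns, acl, bit in ((PROJECT_NAMESPACE, PROJECT_ACL, 4), (GIT_NAMESPACE, GIT_ACL, 16)):
        for key, row in audit_bit(acl, bit, actions_from_namespace(ns)).items():
            print(key, row)
```
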
