ms.subservice: azure-devops-security
ms.author: chcomley
author: chcomley
ms.topic: include
ms.date: 10/19/2022

::: moniker range="< azure-devops"
:::row:::
:::column span="2":::
Permission (UI)

Namespace permission
:::column-end:::
:::column span="2":::
Description
:::column-end:::
:::row-end:::

:::row:::
:::column span="2":::
Administer build resource permissions
`BuildAdministration, AdministerBuildResourcePermissions`
:::column-end:::
:::column span="2":::
Can modify permissions for build pipelines at the project collection-level. This includes the following artifacts:

  • Set retention policies
  • Set resource limits for pipelines
  • Add and manage agent pools
  • Add and manage deployment pools
:::column-end:::
:::row-end:::
::: moniker-end
::: moniker range="<azure-devops"
:::row:::
:::column span="2":::
Administer process permissions
`Process, AdministerProcessPermissions`
:::column-end:::
:::column span="2":::
Can modify permissions for customizing work tracking by creating and customizing inherited processes. Requires the collection to be configured to support the Inherited process model. See also:

  • Customize a project
  • Add and manage processes
:::column-end:::
:::row-end:::
::: moniker-end
::: moniker range="< azure-devops"
:::row:::
:::column span="2":::
Administer shelved changes
`VersionControlPrivileges, AdminWorkspaces`
:::column-end:::
:::column span="2":::
Can delete shelvesets created by other users. Applies when TFVC is used as the source control.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Administer workspaces
`Workspaces, Administer`
:::column-end:::
:::column span="2":::
Can create and delete workspaces for other users. Applies when TFVC is used as the source control.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Alter trace settings
`Collection, DIAGNOSTIC_TRACE`
:::column-end:::
:::column span="2":::
Can change the trace settings for gathering more detailed diagnostic information about Azure DevOps Web services.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Create a workspace
`VersionControlPrivileges, CreateWorkspace`
:::column-end:::
:::column span="2":::
Can create a version control workspace. Applies when TFVC is used as the source control. This permission is granted to all users as part of their membership within the Project Collection Valid Users group.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Create new projects
(formerly Create new team projects)
`Collection, CREATE_PROJECTS`
:::column-end:::
:::column span="2":::
Can add projects to a project collection. Additional permissions may be required depending on your on-premises deployment.
:::column-end:::
:::row-end:::
::: moniker-end
::: moniker range="<azure-devops"
:::row:::
:::column span="2":::
Create process
`Process, Create`
:::column-end:::
:::column span="2":::
Can create an inherited process used to customize work tracking and Azure Boards. Requires the collection to be configured to support the Inherited process model.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Delete field from organization
(formerly Delete field from account)
`Collection, DELETE_FIELD`
:::column-end:::
:::column span="2":::
Can delete a custom field that was added to a process. For on-premises deployments, requires the collection to be configured to support the Inherited process model.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Delete process
`Process, Delete`
:::column-end:::
:::column span="2":::
Can [delete an inherited process](../../settings/work/manage-process.md) used to customize work tracking and Azure Boards. Requires the collection to be configured to support the Inherited process model.
:::column-end:::
:::row-end:::
::: moniker-end
::: moniker range="< azure-devops"
:::row:::
:::column span="2":::
Delete team project
`Project, DELETE`
:::column-end:::
:::column span="2":::
Can [delete a project](../../projects/delete-project.md).

> [!NOTE]
> Deleting a project deletes all data that is associated with the project. You cannot undo the deletion of a project except by restoring the collection to a point before the project was deleted.

:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Edit collection-level information
`Collection, GENERIC_WRITE`
:::column-end:::
:::column span="2":::
Can set organization and project-level settings.

Note

Edit collection-level information includes the ability to perform these tasks for all projects defined in an organization or collection:

  • Modify Extensions, and Analytics settings
  • Modify version control permissions and repository settings
  • Edit event subscriptions or alerts for global notifications, project-level, and team-level events
  • Edit all project and team-level settings for projects defined in the collections.

:::column-end:::
:::row-end:::
::: moniker-end
::: moniker range="<azure-devops"
:::row:::
:::column span="2":::
Edit process
`Process, Edit`
:::column-end:::
:::column span="2":::
Can edit a custom inherited process. Requires the collection to be configured to support the Inherited process model.
:::column-end:::
:::row-end:::
::: moniker-end
::: moniker range="< azure-devops"
:::row:::
:::column span="2":::
Make requests on behalf of others
`Server, Impersonate`
:::column-end:::
:::column span="2":::
Can perform operations on behalf of other users or services. Assign this permission only to on-premises service accounts.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Manage build resources
`BuildAdministration, ManageBuildResources`
:::column-end:::
:::column span="2":::
Can manage build computers, build agents, and build controllers.
:::column-end:::
:::row-end:::
::: moniker-end
::: moniker range="<azure-devops"
:::row:::
:::column span="2":::
Manage enterprise policies
`Collection, MANAGE_ENTERPRISE_POLICIES`
:::column-end:::
:::column span="2":::
Can enable and disable application connection policies as described in Change application connection policies.

Note

This permission is only valid for Azure DevOps Services. While it may appear for Azure DevOps Server on-premises, it doesn't apply to on-premises servers.
:::column-end:::
:::row-end:::
::: moniker-end
::: moniker range="< azure-devops"
:::row:::
:::column span="2":::
Manage process template
`Collection, MANAGE_TEMPLATE`
:::column-end:::
:::column span="2":::
Can download, create, edit, and upload process templates. A process template defines the building blocks of the work item tracking system as well as other subsystems you access through Azure Boards. Requires the collection to be configured to support the On-premises XML process model.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Manage test controllers
`Collection, MANAGE_TEST_CONTROLLERS`
:::column-end:::
:::column span="2":::
Can register and de-register test controllers.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Trigger events
`Collection, TRIGGER_EVENT`
`Server, TRIGGER_EVENT`
:::column-end:::
:::column span="2":::
Can trigger project alert events within the collection. Assign only to service accounts. Users with this permission can't remove built-in collection-level groups such as Project Collection Administrators.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
Use build resources
`BuildAdministration, UseBuildResources`
:::column-end:::
:::column span="2":::
Can reserve and allocate build agents. Assign only to service accounts for build services.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
View build resources
`BuildAdministration, ViewBuildResources`
:::column-end:::
:::column span="2":::
Can view, but not use, build controllers and build agents that are configured for an organization or project collection.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
View instance-level information
or View collection-level information
`Collection, GENERIC_READ`
:::column-end:::
:::column span="2":::
Can view collection-level permissions for a user or group.
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
View system synchronization information
`Collection, SYNCHRONIZE_READ`
:::column-end:::
:::column span="2":::
Can call the synchronization application programming interfaces. Assign only to service accounts.
:::column-end:::
:::row-end:::
::: moniker-end