Azure DevOps make project read only

Asked 17/1, 2020 at 11:44 Answered 7/6, 2024 at 6:56

Solved permissions azure-devops ado readonly

We have some old ADO/VSTS projects that we want to archive and make read only. Each project has work items, builds, git repos, etc...

at the moment the only methods I have found are painful.

Remove all groups except read only group and add users in there. this is too painful and long, we have over 300 projects to make read only
Create a new group and then add in other groups (e.g. proj admins, contributors etc..) and then add this group to the top level area/git repo path and set all to DENY. *

I tried this with git repos and There is some issues with this as some permissions are not inherited down to individual users who created the git repo and they are still able to checkin.

Here you can see I created a READONLY group and set everything to DENY except Read permissions. (The members of this group are the default groups e.g. contributors, build admins, proj admins)

However, I had a repo created by a test user BEFORE i created the readonly group and it seems that user still has permissions to that repo

ok ok I understand that if the permissions are set at the lower level, then they won't be inherited down from the top level parent. I could create a script that checks the users of every git repo and sets their check-in permissions to deny but that is painful and i would prefer not to do that. Likewise, some projects have over 300 git repos.

FYI I want to make the whole project read only not just git repos.

Inhambane answered 17/1, 2020 at 11:44 Comment(0)

Yeah, you've found one of the nasty features of the Azure DevOps permission model. More specific ACLs trump less specific ACLs. Even for DENY rules.

When there is an explicit ALLOW rule on a more specific ACL, it will override the DENY on a less specific ACL.

Specificity for git is based on:

Server (TFS only)
Organization / Project Collection
Project
Default repo settings
Specific repo settings
Branch folder settings (only settable through API)
Specific branch settings

Similar hierarchies exist for other securables.

There is no easy way to strip these all, apart from scripting the action.

The Azure CLI has a devops extension which will allow you to script out what you want and can output JSON to make it easier to script.

You can use az devops security permission list to list all permissions defined for a identity (group or user) and az devops security permission reset or az devops security permission update to unset or override the given permission.

Other probably needed calls:

Aftereffect answered 17/1, 2020 at 13:11 Comment(2)

@jesshouwing So i have to go through every project then ever git repo, and update permissions for every user (that's explicitly there) all in a script. This is painful :(. – Inhambane 17/1, 2020 at 14:7

You can list all explicitly set, that way you don't have to iterate over all possible securables. – Aftereffect 17/1, 2020 at 14:21

Azure DevOps now have a feature called: "Disable Repository".

Disable access to to the repository (including builds, pull requests, etc) but keep the repository discoverable with a warning.

It means your repo will not allow commits, even builds and pipelines cannot use it. Just go to your Devops "Project Settings". Scroll down to "Repositories" menu and select which Repo do you want to disable.

Jilljillana answered 17/3, 2021 at 16:35 Comment(1)

Nice feature but unfortunately this breaks all access to the repo. You can't even read it. Any work item links to checkins from it will show as "unable to access" – Monnet 22/10, 2021 at 20:29

You can use the Azure DevOps disable repository option, which has the disadvantage that the repo is not showing up in the list of repos under the project anymore. This might not be desired if the code should still be readable for reference purposes.

The other method explained in one of the answers is to manually remove any write permissions using the repository settings UI. If you have a lot of access control lists on your repos or even need to do this on multiple repos, the manual approach can become time consuming. Therefore I wrote a script to automate this: https://github.com/ckadluba/RemoveAzureGitRepoWritePermissions.

It basically works like this.

.\Remove-AzureGitRepoWritePermissions.ps1 -OrgName "myorganisation" -ProjectName "MyProject" -RepoName "MyRepo"

It sets an explicit deny for the permissions: GenericContribute, ForcePush, CreateBranch, CreateTag, ManageNote, PolicyExempt, PullRequestContribute and PullRequestBypassPolicy.

Uncial answered 1/8, 2022 at 0:28 Comment(0)

Another option, if you only care about the git repo, is to Lock all branches.

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

Prevent updates to a Git branch by locking the branch. Locking a branch prevents other users from changing the existing commit history. Locking also > blocks any new commits from being added to the branch by others.

(see https://learn.microsoft.com/en-us/azure/devops/repos/git/lock-branches?view=azure-devops)

Halfslip answered 7/6, 2024 at 6:56 Comment(0)

Recommended topics

Hot tags