使用Azure DevOps CLI分配组权限 [英] Assigning group permissions using to Azure DevOps CLI

问题描述

我正在尝试使用cli向构建管理员"组分配权限.

I am trying to assign permissions to the "build administrators" group using the cli.

我要更新的特定权限是删除团队项目"权限.

The specific permission i want to update is the "Delete Team Project" permission.

由于信息分散，尤其是有关安全性令牌和权限位的部分，因此文档整理起来有些困难.

The documentation is a little difficult to put together since the information is scattered, specially the parts about security tokens and permissions bits.

我正在使用az devops安全命令.我正在努力的部分是获得正确令牌并设置正确的权限位

I am using the az devops security command. The part i am struggling with is getting the correct token and the setting the correct permission bits

我知道我要使用的命名空间.它是环境名称空间.通过首先检查所有名称空间并找到环境名称空间的guid来发现这一点.

I know the namespace I want to use. it is the environment namespace. Found this out by first checking all the namespaces and finding the guid for the environment namespace.

#get list of all namespaces
az devops security permission namespace list -o table

$envnamespace = <guid from above command for the environment namespace>

# first i set my org and token
$orgUrl = "https://dev.azure.com/<MYORG>"
$personalToken = "<MY_PERSONAL_TOKE>"
$projectName = "<my_project>"

# login using PAT
$personalToken | az devops login --organization $orgUrl

# set default organisation
az devops configure --defaults organization=$orgUrl

# get the group descriptor ID for the group "build administrators"
$id = az devops security group list --project $projectName --output json --query "graphGroups[?displayName == '$groupID'].descriptor | [0]" -o tsv --verbose

# now i want to add permissions for the group "build administrators"
# but i am not sure what the token should be and what permission bits to use

我运行以下命令以查看列出该组的权限.它返回了一些令牌，但对我来说它们没有意义.我要如何知道哪个令牌代表什么权限.例如我如何知道哪个令牌用于删除团队项目"权限

I run the following command to see list the permissions on the group. it returns some tokens but they don't make sense to me. How am i meant to know which token is for what permissions. for example how do i know which token is for "Delete Team Project" permission

az devops security permission list --namespace-id $envnamespace --subject $id 

下一步的目的是运行以下命令以更新权限

The aim next is to run the following command to update permissions

az devops security permission update --namespace-id $envnamespace --subject $id --token $token2 --allow-bit 4 deny-bit 1 --verbose

-allow-bit和deny-bit我不确定将权限设置为 deny

The --allow-bit and deny-bit i'm not sure exactly what it should be to set the permission to deny

有关正确方法的任何建议，将不胜感激.

any advice on the correct way to do this would be appreciated.

推荐答案

我如何知道哪个令牌用于删除团队项目"权限

how do I know which token is for "Delete Team Project" permission

运行az devops security permission namespace list，删除团队项目"的名称空间ID在"Project"名称空间下.

Run az devops security permission namespace list, the namespaceID of "Delete Team Project" is under the "Project" namespace.

您可以获取特定Delete Team Project名称空间的bit和namespaceID(有关参考，请参见下面的屏幕截图).

You can get the bit and the namespaceID of the specific Delete Team Project namespace (for reference see screenshot shown below).

我该如何知道哪个令牌代表什么权限

How am I meant to know which token is for what permissions

对于令牌，您可以参考用于权限管理的安全令牌有关详细信息，其中列出了

For the tokens, you can refer to Security tokens for permissions management for details, there are listed Token examples for different namespaces.

供您参考的另一个示例(参考 jessehouwing的博客):

Another example for your reference (reference jessehouwing's blog) :

az login
az extension add --name "azure-devops"

# Find the group identifier of the group you want to set permissions for

$org = "gdbc2019-westeurope"

# There is a weird edge case here when an Azure DevOps Organization has a Team Project with the same name as the org.
# In that case you must also add a query to filter on the right domain property `?@.domain == '?'`  

$subject = az devops security group list `
    --org "https://dev.azure.com/$org/" `
    --scope organization `
    --subject-types vssgp `
    --query "graphGroups[?@.principalName == '[$org]\Project Collection Administrators'].descriptor | [0]"

$namespaceId = az devops security permission namespace list `
    --org "https://dev.azure.com/$org/" `
    --query "[?@.name == 'Git Repositories'].namespaceId | [0]"

$bit = az devops security permission namespace show `
    --namespace-id $namespaceId `
    --org "https://dev.azure.com/$org/" `
    --query "[0].actions[?@.name == 'PullRequestBypassPolicy'].bit | [0]"

az devops security permission update `
    --id $namespaceId `
    --subject $subject `
    --token "repoV2/" `
    --allow-bit $bit `
    --merge true `
    --org https://dev.azure.com/$org/

这篇关于使用Azure DevOps CLI分配组权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！