如何使用服务帐户模拟Azure Devops中的用户 [英] How to use service account to impersonate users in Azure Devops

问题描述

我创建了一个服务帐户来模拟组织中的用户，以便更改用户名下的工作项.我已经将该服务帐户添加到项目收集服务帐户"组中，该组的代表他人发出请求"设置为允许".该服务帐户具有Visual Studio订阅.

I created a service account to impersonate users in my organization in order to make changes to work items in the users’ name. I already added that service account to the group "Project Collection Service Accounts", which has "Make requests on behalf of others" set to "Allow". The service account has Visual Studio Subscription.

然后，我使用与本地TFS一起使用的代码来执行模拟，并且出现错误500，提示访问被拒绝:X需要以下权限才能执行此操作:发出请求代表他人"

I then used my code, which is working with our on-premise TFS, to execute the impersonation and I got an error 500 saying that "Access Denied: X needs the following permission(s) to perform this action: Make requests on behalf of others"

我应该怎么做才能使其正常工作?这是我正在使用的代码:

What should I do to make it works? Here the code I’m using:

        var credential = new VssAadCredential("X@myoganization", "password");
        var collection = new TfsTeamProjectCollection(new Uri("my_devops_uri"), credential);
        MyTfsConnection.ProjectCollection = collection;

        MyTfsConnection.IdentityService = collection.GetService<IIdentityManagementService>();
        MyTfsConnection.WIStore = collection.GetService<WorkItemStore>();

        var adAccount = "someone@myoganization";
        var identity = MyTfsConnection.IdentityService.ReadIdentity(IdentitySearchFactor.AccountName, adAccount, MembershipQuery.None, ReadIdentityOptions.None);
        using (var impersonatedCollection = new TfsTeamProjectCollection(new Uri("my_devops_uri"), credential, identity.Descriptor))
        {

            var impersonatedWIStore = impersonatedCollection.GetService<WorkItemStore>();
        }

推荐答案

无法执行此操作，服务帐户无意将客户端与服务器连接，无法签入代码或更改工作项

It's not able to do this, Service account is not intended to connect the client with server either check in code or change work items.

服务帐户用于运行与TFS相关的各种服务.它应该在计算机上具有最低权限.

Service account is used to run various services related to TFS. It should have the minimum privileges possible on the machine.

客户端不应使用服务帐户连接到服务器，它们应该使用自己的帐户，您可以授予该帐户对TFS中相关存储库的访问权限.例如，如果您将所有客户与服务帐户建立联系，您将如何知道谁签入了每个变更集，谁应该将工作项分配给谁?

The client should not connect to the server with a service account, they should be using their own account which you grant access to the relevant repositories in TFS. For example, if you connect all clients with the service account, how will you know who checked in each changeset, who should assign work items to?

您也将无法将工作项目分配给服务帐户.

You will also not able to assign work items to a service account.

这篇关于如何使用服务帐户模拟Azure Devops中的用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！