使用 Azure DevOps CLI 分配组权限 [英] Assigning group permissions using to Azure DevOps CLI

问题描述

我正在尝试使用 cli 为构建管理员"组分配权限.

我要更新的具体权限是删除团队项目"权限.

由于信息分散，文档整理起来有点困难，特别是有关安全令牌和权限位的部分.

我正在使用 az devops 安全命令.我正在努力的部分是获取正确令牌并设置正确的权限位

我知道我想使用的命名空间.它是 environment 命名空间.通过首先检查所有命名空间并找到环境命名空间的 guid 发现了这一点.

#获取所有命名空间的列表az devops 安全权限命名空间列表 -o 表$envnamespace = <guid from above command for the environment namespace>

# 首先我设置我的组织和令牌$orgUrl = "https://dev.azure.com/"$personalToken = ""$projectName = ""# 使用 PAT 登录$personalToken |az devops 登录 --organization $orgUrl# 设置默认组织az devops 配置 --defaults 组织=$orgUrl# 获取组构建管理员"的组描述符 ID$id = az devops 安全组列表 --project $projectName --output json --query "graphGroups[?displayName == '$groupID'].descriptor | [0]" -o tsv --verbose# 现在我想为构建管理员"组添加权限# 但我不确定令牌应该是什么以及使用什么权限位

我运行以下命令来查看组的权限列表.它返回一些令牌，但它们对我来说没有意义.我是怎么想知道哪个令牌用于什么权限.例如，我怎么知道哪个令牌用于删除团队项目"权限

az devops 安全权限列表 --namespace-id $envnamespace --subject $id

接下来的目的是运行以下命令来更新权限

az devops 安全权限更新 --namespace-id $envnamespace --subject $id --token $token2 --allow-bit 4 deny-bit 1 --verbose

--allow-bit 和 deny-bit 我不确定将权限设置为 deny

任何有关正确方法的建议将不胜感激.

解决方案

我怎么知道哪个令牌用于删除团队项目"权限

运行az devops安全权限命名空间列表，删除团队项目"的namespaceID在Project"命名空间下.

您可以获得特定Delete Team Project命名空间的bit和namespaceID(参考见下图).><块引用>

我怎么知道哪个令牌用于什么权限

令牌可以参考

I am trying to assign permissions to the "build administrators" group using the cli.

The specific permission i want to update is the "Delete Team Project" permission.

The documentation is a little difficult to put together since the information is scattered, specially the parts about security tokens and permissions bits.

I am using the az devops security command. The part i am struggling with is getting the correct token and the setting the correct permission bits

I know the namespace I want to use. it is the environment namespace. Found this out by first checking all the namespaces and finding the guid for the environment namespace.

#get list of all namespaces
az devops security permission namespace list -o table

$envnamespace = <guid from above command for the environment namespace>

# first i set my org and token
$orgUrl = "https://dev.azure.com/<MYORG>"
$personalToken = "<MY_PERSONAL_TOKE>"
$projectName = "<my_project>"

# login using PAT
$personalToken | az devops login --organization $orgUrl

# set default organisation
az devops configure --defaults organization=$orgUrl

# get the group descriptor ID for the group "build administrators"
$id = az devops security group list --project $projectName --output json --query "graphGroups[?displayName == '$groupID'].descriptor | [0]" -o tsv --verbose

# now i want to add permissions for the group "build administrators"
# but i am not sure what the token should be and what permission bits to use

I run the following command to see list the permissions on the group. it returns some tokens but they don't make sense to me. How am i meant to know which token is for what permissions. for example how do i know which token is for "Delete Team Project" permission

az devops security permission list --namespace-id $envnamespace --subject $id 

The aim next is to run the following command to update permissions

az devops security permission update --namespace-id $envnamespace --subject $id --token $token2 --allow-bit 4 deny-bit 1 --verbose

The --allow-bit and deny-bit i'm not sure exactly what it should be to set the permission to deny

any advice on the correct way to do this would be appreciated.

解决方案

how do I know which token is for "Delete Team Project" permission

Run az devops security permission namespace list, the namespaceID of "Delete Team Project" is under the "Project" namespace.

You can get the bit and the namespaceID of the specific Delete Team Project namespace (for reference see screenshot shown below).

How am I meant to know which token is for what permissions

For the tokens, you can refer to Security tokens for permissions management for details, there are listed Token examples for different namespaces.

Another example for your reference (reference jessehouwing's blog) :

az login
az extension add --name "azure-devops"

# Find the group identifier of the group you want to set permissions for

$org = "gdbc2019-westeurope"

# There is a weird edge case here when an Azure DevOps Organization has a Team Project with the same name as the org.
# In that case you must also add a query to filter on the right domain property `?@.domain == '?'`  

$subject = az devops security group list `
    --org "https://dev.azure.com/$org/" `
    --scope organization `
    --subject-types vssgp `
    --query "graphGroups[?@.principalName == '[$org]Project Collection Administrators'].descriptor | [0]"

$namespaceId = az devops security permission namespace list `
    --org "https://dev.azure.com/$org/" `
    --query "[?@.name == 'Git Repositories'].namespaceId | [0]"

$bit = az devops security permission namespace show `
    --namespace-id $namespaceId `
    --org "https://dev.azure.com/$org/" `
    --query "[0].actions[?@.name == 'PullRequestBypassPolicy'].bit | [0]"

az devops security permission update `
    --id $namespaceId `
    --subject $subject `
    --token "repoV2/" `
    --allow-bit $bit `
    --merge true `
    --org https://dev.azure.com/$org/

这篇关于使用 Azure DevOps CLI 分配组权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！