Default permissions quick reference for Azure DevOps

TFS 2017 | TFS 2015 | TFS 2013

To use Azure DevOps features, users must be added to a security group with the appropriate permissions and granted access to the web portal. Limitations to select features are based on the access level and security group to which a user is assigned. The Basic access level and higher supports full access to most Azure DevOps Services, except for Azure Test Plans. Stakeholder access level provides partial support to Azure Boards and Azure Pipelines. To learn more about access levels, see About access levels and Stakeholder access quick reference.

Assign users to a security group

The most common built-in security groups—Readers, Contributors, and Project Administrators— and team administrator role grant permissions to specific features.

In general, use the following guidance when assigning users to a security group:

  • Add to the Contributors security group full-time workers who contribute to the code base or manage projects.
  • Add to the Project Administrators security group users tasked with managing project resources. I
  • Add to the Project Collection Administrators security group users tasked with managing organization or collection resources.

To learn more about administrative tasks see About user, team, project, and organization-level settings. For a complete reference of all built-in groups and permissions, see Permissions and groups. For information about access levels, see About access levels.

In the tables provided in this article, a ✔️ (checkmark) indicates that the corresponding access level or security group has access to a feature by default.

To assign or change an access level, see Add users and assign licenses. If you need to grant specific users select permissions, you can do so.

Work tracking

You can plan and track work from the web portal Work hub, and using Eclipse, Visual Studio, Excel, Project, and other clients.

Note

Team administrators can configure settings for their team's tools. Organization owners and members of the Project Administrators group can configure settings for all teams. To be added as an administrator, see Add team administrators or Change project-level permissions.

Access to the following tasks are controlled by each user's access level or by permission assignments. Members of the Readers, Contributors, or Project Administrators group are assumed to have Basic access or greater.

General work item permissions

You can use work items to track anything you need to track. To learn more, see Understand how work items are used to track issues, tasks, and epics.

Task or permission

Readers

Contributors

Project admins

View work items in this node (Area Path permission)

✔️

✔️

✔️

Edit work items in this node (Area Path permission)

✔️

✔️

Create tag definition

✔️

✔️

Email work items

✔️

✔️

✔️

Apply a work item template

✔️

✔️

Delete and restore work items (Project-level permission) (able to restore from the Recycle bin)

✔️

✔️

Permanently delete work items (Project-level permission)

✔️

✔️

✔️

Note

Work items are subject to rules applied to them. Conditional rules based on user or group membership are cached for your web browser. If you find yourself restricted to update a work item, you may have encountered one of these rules. If you believe you've encountered an issue that doesn't apply to you, see Work item form IndexDB caching issues. To learn more about conditional rules, see Rules and rule evaluation.

Boards

You use Boards to implement Kanban methods. Boards present work items as cards and support quick status updates through drag-and-drop.

Task

Readers

Contributors

Team admins
Project admins

View boards and open work items

✔️

✔️

✔️

Add child items to a checklist

✔️

✔️

Assign to a sprint (from card field)

✔️

✔️

Configure board settings

✔️

Backlogs features access

Backlogs display work items as lists. A product backlog represents your project plan and a repository of all the information you need to track and share with your team. Portfolio backlogs allow you to group and organize your backlog into a hierarchy.

Task

Readers

Contributors

Team admins
Project admins

View backlogs and open work items

✔️

✔️

✔️

Add work items to a backlog

✔️

✔️

Use bulk edit features

✔️

✔️

Add child items to a backlog item; prioritize or reorder a backlog; parent items using the Mapping pane; Assign items to a sprint using drag-and-drop

✔️

✔️

Configure team settings, backlog levels, show bugs, work days off

✔️

Sprints

You use sprint tools to implement Scrum methods. The Sprints set of tools provide filtered views of work items that a team has assigned to specific iteration paths or sprints.

Task

Readers

Contributors

Team admins Project admins

Add work items to a sprint backlog or taskboard

✔️

✔️

Prioritize/reorder a sprint backlog or taskboard; add child items to a backlog item; reassign items to a sprint using the Planning pane

✔️

✔️

View team capacity and work details

✔️

✔️

Set team capacity

✔️

✔️

Use bulk edit features

✔️

✔️

Define team sprints

✔️

Queries

Queries are filtered lists of work items based on criteria that you define by using a query editor. Adhoc searches are powered by a semantic search engine.

Task

Readers

Contributors

Project admins

Create and save managed My queries, query charts

✔️

✔️

✔️

Create, delete, and save Shared queries, charts, folders

✔️

Delivery plans

Delivery plans display work items as cards against a calendar view. This format can be an effective communication tool with managers, partners, and stakeholders for a team.

Task

Readers

Contributors

Team admins
Project admins

Create, edit, or delete a delivery plan, Contributors can only edit or delete plans that they create

✔️

✔️

Manage permissions for a delivery plan, Contributors can only manage permissions for plans that they create

✔️

✔️

Code: Source control

You can connect to your code from the web portal Code hub, or using Xcode, Eclipse, IntelliJ, Android Studio, Visual Studio, or Visual Studio Code. Stakeholders for private projects have no access to Code.

Git

You can use Git repositories to host and collaborate on your source code. For an overview of code features and functions.

Permission

Readers

Contributors

Build Admins

Project Admins


Read (clone, fetch, and explore the contents of a repository); also, can create, comment on, vote, and Contribute to pull requests

✔️

✔️

✔️

✔️

Contribute, Create branches, Create tags, and Manage notes

✔️

✔️

✔️

Create repository, Delete repository, and Rename repository

✔️

Edit policies, Manage permissions, Remove others' locks

✔️

Force push (rewrite history, delete branches and tags)

✔️

Bypass policies when completing pull requests
(not set for any security group)


TFVC

Team Foundation Version Control (TFVC) provides a centralized version control system to manage your source control.

Note

Tasks such as create, delete, or rename a TFVC repository are not supported. Once a TFVC repository is created you can't delete it. Also, you can only have one TFVC repository per project. This is different from Git repositories which allow for adding, renaming, and deleting multiple repositories.

Permission

Readers

Contributors

Build Admins

Project Admins

Check in, Label, Lock, Merge, Pend a change in a server workspace, Read

Read only

✔️

✔️

✔️

Administer labels, Manage branches, Manage permissions, Revise other users' changes, Undo other users' changes, Unlock other users' changes

✔️

Test

Users granted Visual Studio Enterprise or Advanced access level can define and manage manual tests from the web portal. For an overview of manual test features and functions, see Testing overview. You set several test permissions at the project level from Project Settings>Permissions.

Permission

Level

Readers

Contributors

Project Admins

View test runs

Project-level

✔️

✔️

✔️

Create test runs
Delete test runs

Project-level

✔️

✔️

Manage test configurations
Manage test environments

Project-level

✔️

✔️

Create tag definition
Delete and restore work items

Project-level

✔️

✔️

Permanently delete work items

Project-level

✔️

View work items in this node

Area Path

✔️

✔️

✔️

Edit work items in this node
Manage test plans
Manage test suites

Area Path

✔️

✔️

Package management

You can manage feeds from the web portal, Build and release > Packages. Users granted Basic access or higher can access Package management features. Users granted Stakeholder access have no access. To set permissions, see Secure feeds using permissions.

Feeds have three permission roles: Readers, Contributors, and Owners. Owners can add user accounts or security groups -to any role.

Permission Reader Contributor Owner
List and restore/install packages ✔️ ✔️ ✔️
Push packages ✔️ ✔️
Unlist/deprecate packages ✔️ ✔️
Delete/unpublish package ✔️
Edit feed permissions ✔️
Rename and delete feed ✔️

By default, the Project Collection Build Service is a Contributor and your project team is a Reader.

Note

To access a feed in a different organization, a user must be given access to the project hosting that feed.

Notifications, alerts, and team collaboration tools

To manage notifications, see Manage personal notifications and Manage team notifications.

Note

There are no UI permissions associated with managing notifications. Instead, you can manage them using the TFSSecurity command line tool.

Task

Readers

Contributors

Team admins

Project admins Project Collection admins

Set personal notifications or alerts

✔️

✔️

✔️

Set team notifications or alerts

✔️

✔️

Set project-level notifications or alerts

✔️

View Project READMEs

✔️

✔️

✔️

✔️

View Project wikis or code wikis

✔️

✔️

✔️

✔️

Provision or create a project wiki

✔️

✔️

✔️

Publish code as a wiki

✔️

✔️

✔️

Request feedback

✔️

✔️

✔️

Provide feedback

✔️

✔️

✔️

✔️

Search across projects, organizations, collections

✔️

✔️

✔️

✔️

Dashboards, charts, reports, and widgets


Task

Readers

Contributors

Team admins

Project admins