Manage extension permissions

Azure Boards | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015

In this article, learn how to grant permissions to users or groups for managing extensions. Extension management tasks include installing, disabling, enabling, reviewing, and approving extensions.

In this article, learn how to grant permissions for publishing or updating extensions for users or groups.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

    Open Organization settings

  3. Select Extensions.

    Extension settings hub

  4. Select Security in the upper right of the Extension Security page:

    Extension security button

  5. Add users or update permission settings:

    Extension security

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Admin settings.

    Open Admin settings

  3. Select Extensions, and then select Security.

    Extension settings hub

  4. Add users or update permission settings:

    Extension security

To grant permissions for publishing or updating to users or groups, use TFSSecurity command-line tool.

  1. At the server level, create a group, for example, "TFS Extension Publishers":

    tfssecurity /gcg "TFS Extension Publishers" "publishers who can manage extensions for the server" /server:ServerURL
    
  2. Grant access to the "TFS Extension Publishers" group to manage extensions:

    tfssecurity /a+ Publisher "//" CreatePublisher n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    tfssecurity /a+ Publisher "//" PublishExtension n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    tfssecurity /a+ Publisher "//" UpdateExtension n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    tfssecurity /a+ Publisher "//" DeleteExtension n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    

    For Team Foundation Server "15" RC2 or earlier, use this syntax:

    tfssecurity /a+ Publisher "//" Create n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    tfssecurity /a+ Publisher "//" Publish n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    tfssecurity /a+ Publisher "//" Write n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
    
  3. Add existing users and groups to the "TFS Extension Publishers" group.

    tfssecurity /g+ "[TEAM FOUNDATION]\TFS Extension Publishers" n:User /server:ServerURL
    

You can add users later to "TFS Extension Publishers". This permission is a server-level permission, so updating and deleting an extension affects all the project collections that use the extension.