About security roles
Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013
While the majority of features and functional tasks are managed by individual permissions, there are several artifacts and features that the system manages through role-based permissions. You can add users or groups to a role. Each role determines the set of operations that the user can perform as described in the following sections.
Many role-based permissions can be set for all artifacts of a specific type in a project, or for the project or collection and then selectively inherited for a specific artifact. Role memberships for individual items automatically inherit those set for the project or collection. If required, you can turn off Inheritance for a specific artifact.
Agent queue security roles
|Reader||Can view the queue. You typically add operators to this role that are responsible for monitoring the build and deployment jobs in that queue.|
|User||Can use the queue when authoring build or release pipelines.|
|Administrator||Can manage membership for all roles of the queue, as well as view and use the queues. The user that created a queue is automatically added to the Administrator role for that queue.|
Agent pool security roles
|Reader||Can view the pool as well as agents. You typically add operators to this role that are responsible for monitoring the agents and their health.|
|Service Account||Can use the pool to create an agent queue in a project. If you follow the guidelines for creating new pools and queues, you typically do not have to add any members to this role.|
|Administrator||Can register or unregister agents from the pool and manage membership for all pools, as well as view and create pools. They can also use the agent pool when creating an agent queue in a project. The system automatically adds the user that created the pool to the Administrator role for that pool.|
Deployment group security roles
|Reader||Can only view deployment groups.|
|Creator||Can view and create deployment groups.|
|User||Can view and use but cannot manage or create deployment groups.|
|Administrator||Can administer roles, manage, view and use deployment groups.|
Deployment pool security roles
|Reader||Can only view deployment pools.|
|Service Account||Can view agents, create sessions, and listen for jobs from the agent pool.|
|User||Can view and use the deployment pool for creating deployment groups.|
|Administrator||Can administer, manage, view and use deployment pools.|
Library asset security roles: Variable groups and secure files
|Administrator||Can use and manage library items.|
|Reader||Can only read library items.|
|User||Can use library items, but not manage them.|
Service connection security roles
|User||Can use the endpoint when authoring build or release pipelines.|
|Administrator||Can manage membership of all other roles for the service connection as well as use the endpoint to author build or release pipelines. The system automatically adds the user that created the service connection to the Administrator role for that pool.|
The Manager role is the only role used to manage the security of Marketplace extensions. Members of the Manager role can install extensions and respond to requests for extensions to be installed.
To learn more, see Grant permissions to manage extensions.
Team administrator role
For each team that you add, you can assign one or more team members as administrators. The team admin role isn't a group with a set of defined permissions. Instead, the team admin role is tasked with managing team assets.
For details, see Manage teams and configure team tools.
Members of the Project Administrators or Project Collection Administrators groups can manage all team admin areas for all teams.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.