Change access levels

Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

Users must be added to a group with the appropriate permissions, to connect and use the functions and features that Azure DevOps Server provides. To use select web portal features, they must also belong to the access level that enables access to that feature. For an overview of each access level, see About access levels.

This article applies to managing access levels for project collections defined on an on-premises Azure DevOps. To manage access levels for the Azure DevOps cloud service, see Add users to your organization or project. For Azure DevOps feature availability, see the Azure DevOps Feature Matrix.

Important

Make sure that you select the correct version of this article for Azure DevOps Services or Azure DevOps Server, renamed from Team Foundation Server (TFS). The version selector is located above the table of contents.
Content version selector

For a simplified overview of the permissions that are assigned to the most common groups—Readers, Contributors, and Project Administrators—and the Stakeholder access group, see Permissions and access.

Note

Even if you set a user or group's access level, you must add them to a project for them to connect to a project and access features available through a supported client or the web portal.

Make sure to set each user's access level based on what you've purchased for that user. Basic access includes all Stakeholder features - Basic + Test Plans, Advanced and Visual Studio Enterprise subscriber access levels include all Basic features. In the images provided below, the circled features indicate the features made available from the previous access level.

Prerequisites

Note

The images you see from your web portal may differ from the images you see in this article. These differences result from updates made to your on-premises Azure DevOps. Make sure you have selected the version of this article using the content version selector. However, the basic functionality available to you remains the same unless explicitly mentioned.

Open access levels

You manage access levels for the collections defined on the application tier. The default access level you set applies to all projects defined for all collections. Users or groups that you add to teams, projects, or collections are granted the access level that you set as the default. To change the access level for a specific group or user, add them specifically to a non-default access level.

  1. From the web portal home page for a project collection (for example, http://MyServer:8080/tfs/DefaultCollection/), open Access levels. If you are at a project level, choose the Azure DevOps logo and then choose Access levels.

    web portal, Open Access levels dialog

    If you don't see Access levels, you aren't an administrator and don't have permission. Here's how to get permissions.

  2. Select the access level you want to manage.

    For example, here we choose Basic, and then Add to add a group to Basic access.

    Basic access level, add group

  3. Enter the name of the user or group into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the matches that meet your choice.

    Add users and group dialog

  4. Choose Save changes.

From a user context, open Server Settings by choosing the  gear icon. The tabs and pages available differ depending on which settings level you access.

  1. From the web portal home page for a project (for example, http://MyServer:8080/tfs/DefaultCollection/MyProject/), open Server settings.

    TFS 2017, Web portal, open the Server settings admin context
  2. From Access levels, select the access level you want to manage. For example, here we choose Stakeholder, and then Add to add a group to Stakeholder access.

    TFS 2017, Web portal, Server settings admin context, Access levels, Stakeholder access level, Add user or group

    If you don't see Access levels, you aren't a TFS administrator and don't have permission. Here's how to get permissions.

  3. Enter the name of the user or group into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the matches that meet your choice.

    Add users and group dialog

  4. Choose Save changes.

  1. From the web portal home page for a project (for example, http://MyServer:8080/tfs/DefaultCollection/MyProject/), open administration settings.

    Open the administration page

  2. From the Access levels page, select the access level you want to manage. For example, here we add a group to Stakeholder access.

    Stakeholder access level, Add Windows user or group

    If you don't see Access levels, you aren't an administrator and don't have permission. Learn more about how to get permissions.

Change the default access level

Change the default access level to match the access you have licenses for. If you change the default access level to Stakeholder, all users not explicitly added to the Basic or an advanced level are limited to the features provided through Stakeholder access.

You set an access level from its page. Choose Set as default access level as shown.

Stakeholder access level, set as default

Admin context, Control panel, Access levels, Stakeholder tab, set as default access level

Important

Service accounts are added to the default access level. If you set Stakeholder as the default access level, you must add the Azure DevOps service accounts to the Basic or an advanced access level group.

Guide to features and access levels

For details on the features available to each access level, see About access levels.