Change individual or group permissions

Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

The standard way to set permissions is by adding them to one or more built-in security groups. However, sometimes you may want to grant additional permissions to select users, where not all permissions are assigned to the security group. For example, if you want to give some users the ability to add or edit area and iteration paths, but don't want them to have all permissions available to members of the Project Administrators group.

You can change individual permissions in one of the following three ways:

  • Create a custom Azure DevOps security group, define permissions for that group, add the user account to the group
  • For object-level permissions: Add the user account and set permissions
  • For project or collection-level permissions: Search for the user account and selectively change their permission assignments

In this article you learn how to do the following tasks:

  • Create a custom security group
  • Set permissions for a custom security group
  • Add members to a custom security group
  • Change the permission assignments for an individual user

If you're new to managing permissions and groups, review About permissions and groups to learn about permission states and inheritance.

Note

The images you see from your web portal may differ from the images you see in this article. These differences result from updates made to Azure DevOps Services or your on-premises deployment. However, the basic functionality available to you remains the same unless explicitly mentioned.

Create a custom security group

Create a custom security group at the project-level or the collection-level. The method for creating a custom security group is the same, no matter at what level you add it.

To create a project-level security group, open the web portal and choose the project where you want to add users or groups.

  1. Choose Project Settings > Security.

    To see the full image, click to expand.

    Project Settings>Security

  2. Choose Create group to open the dialog for adding a group.

    Create a custom security group"

  3. Enter a name for the group, and optionally a description.

    For example, here we define a Team Admins group.

    Security group dialog, Add a security group at the project level

  4. Choose Create group.

  1. Open Project Settings. Choose the gear icon gear settings icon, and choose Security.

    Open Project Settings>Security, previous nav

  2. Choose Create group to open the dialog for adding a group.

    Create a custom security group"

  3. Enter a name for the group, and optionally a description.

    For example, here we define a Team Admins group.

    Security group dialog, Add a security group at the project level

  4. Choose Create group.

Set permissions for a custom security group

  1. To set permissions for the custom group you created, choose the group name and then set one or more permissions.

    Set permissions for a project-level custom security group

    For a description of each permission, see Permissions and groups reference, project-level permissions.

  2. Choose Save changes.

Add members to a custom security group

You add members to a custom security group in the same way you add users to a built-in group.

  1. Choose the security group, choose Members, and then choose Add.

    Security>Members page, Add member

  2. Enter the user identity into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the match(es) that meets your choice.

    Add users and group dialog

    Note

    Users that have limited access, such as Stakeholders, won't be able to access select features even if granted permissions to those features. To learn more, see Permissions and access.

Change individual permission at the project-level

  1. From the project-level Security page, enter the user identity in the Filter users and groups box. Then, select the account whose permissions you want to change.

    Filter and select a user account

  2. Change the permission, setting a permission as Allow or Deny.

    Set permissions for a single user account

    For a description of each permission, see Permissions and groups reference, project-level permissions.

  3. Choose Save changes.

Change individual permission at the collection-level

  1. Open the user-level or collection-level Security admin page and follow the instructions provided in the previous section for project-level permissions.

    For a description of each collection-level permission, see Permissions and groups reference, collection-level permissions.

Change individual permission at an object-level

From the web portal, open the Security dialog for the object whose permissions you want to set. For specific instructions, see the following articles:

Area Task
Wiki & Dashboard permissions
DevOps (code, build, test, release) permissions
Work tracking permissions
  1. From the Security dialog, choose Add.

    Open the Add users or group permissions dialog

  2. Enter the user ID, choose search, and then make your selection in the left pane.

  3. Update the permission setting to Allow or Deny for specific permissions.

    Set permissions for a single user account

    For a description of specific permissions, see Permissions and groups reference.

  4. Choose Save changes.

Next steps