Default Git repository and branch permissions

Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

After you've been added as a team member, you are a member of the Contributors group. This membership allows you to contribute to a Git repository. The most common built-in groups include Readers, Contributors, and Project Administrators. These groups are assigned the default permissions for contributing to a branch or repository.

From the project admin context, on the Version Control page, you can set permissions on a repository.

From the Code > Branches page, you can set permissions for a specific branch and set branch policies.

Set permissions across all Git repositories by making changes to the top-level Git repositories entry. Individual repositories inherit permissions from the top-level Git repositories entry. Branches inherit a subset of permissions from assignments made at the repository level. For branch permissions and policies, see Set branch permissions and Improve code quality with branch policies.

| Task | Readers | Contributors | Build Admins | Project Admins |
|---|---|---|---|---|
| Clone, fetch, and explore the contents of a repository; also, can create, comment on, vote, and contribute to pull requests | ✓ | ✓ | ✓ | ✓ |
| Contribute to a repository, create branches, create tags, manage notes | | ✓ | ✓ | ✓ |
| Create, delete, and rename repositories | | | | ✓ |
| Edit policies, Manage permissions, Remove others' locks | | | | ✓ |
| Bypass policies when completing pull requests, Bypass policies when pushing, Force push (rewrite history, delete branches and tags) (not set for any security group) | | | | |


By default, the project-level Readers groups have read-only permissions.

| Task | Contributors | Build Admins | Project Admins |
|---|---|---|---|
| Branch Creation: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch. | ✓ | ✓ | ✓ |
| Contribute: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch. | ✓ | ✓ | ✓ |
| Note Management: Can push and edit Git notes to the repository. They can also remove notes from items if they have the Force permission. | ✓ | ✓ | ✓ |
| Tag Creation: Can push tags to the repository, and can also edit or remove tags if they have the Force permission. | ✓ | ✓ | ✓ |
| Administer: Delete and rename repositories. If assigned to the top-level Git repositories entry, can add additional repositories. At the branch level, users can set permissions for the branch and unlock the branch. The Administer permission set on an individual Git repository does not grant the ability to rename or delete the repository. These tasks require Administer permissions at the top-level Git repositories entry. | | | ✓ |
| Rewrite and destroy history (force push): Can force an update to a branch and delete a branch. A force update can overwrite commits added from any user. Users with this permission can modify the commit history of a branch. | | | ✓ |

The Project Collection Build Service can read from all repositories by default. Any pipeline that runs with project collection scope can potentially read any repository in the organization or collection. You can remove this permission for a repository: set "Read" to "Deny" for the Project Collection Build Service.
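
The inheritance rule and the build service default described above can be checked against an exported permission list. The following is an added example, not Microsoft's code or an Azure DevOps API: it audits a constructed sample against the first table's baseline (bypass and force push not set for any group). Assumptions: the record layout, the repository names `payments-api` and `docs-site`, the group `Release Team`, and that an explicit setting on a repository replaces the value inherited from the top-level entry.

```python
TOP = "Git repositories"  # top-level entry that every repository inherits from
BUILD_SVC = "Project Collection Build Service"
# Permissions the page lists as "not set for any security group" by default.
HIGH_RISK = ("Bypass policies when completing pull requests",
             "Bypass policies when pushing", "Force push")

# Constructed sample export: (scope, identity, permission, state).
# "payments-api", "docs-site" and "Release Team" are hypothetical names.
SAMPLE_ACL = [
    (TOP, "Contributors", "Contribute", "Allow"),
    (TOP, BUILD_SVC, "Read", "Allow"),
    (TOP, "Release Team", "Bypass policies when pushing", "Allow"),
    ("payments-api", "Contributors", "Force push", "Allow"),
    ("payments-api", BUILD_SVC, "Read", "Deny"),
    ("docs-site", "Release Team", "Bypass policies when pushing", "Deny"),
]


def effective(acl, repo, identity, permission):
    """Return (state, scope that set it). Assumption: an explicit Allow/Deny on
    the repository replaces the value inherited from the top-level entry."""
    explicit = {(s, i, p): st for s, i, p, st in acl}
    for scope in (repo, TOP):
        state = explicit.get((scope, identity, permission))
        if state in ("Allow", "Deny"):
            return state, scope
    return "Not set", None


def audit(acl, repos):
    """List (repo, identity, permission, scope) entries that depart from the
    defaults above or leave a repository readable by the build service."""
    findings = []
    identities = sorted({i for _, i, _, _ in acl})
    for repo in repos:
        for identity in identities:
            for permission in HIGH_RISK:
                state, scope = effective(acl, repo, identity, permission)
                if state == "Allow":
                    findings.append((repo, identity, permission, scope))
        # The build service reads every repository unless Read is set to Deny.
        state, scope = effective(acl, repo, BUILD_SVC, "Read")
        if state != "Deny":
            findings.append((repo, BUILD_SVC, "Read", scope or TOP))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, ["payments-api", "docs-site"]):
        print(finding)
```

The fourth field of each finding is the scope where the value was set, which tells you whether to fix a single repository or the top-level entry.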