Default Git repository and branch permissions

Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018 - TFS 2013

After you've been added as a team member, you are a member of the Contributors group. This membership allows you to contribute to a Git repository. The most common built-in groups include Readers, Contributors, and Project Administrators. These groups are assigned default permissions for contributing to a branch or repository.

Permission

Readers

Contributors

Build Admins

Project Admins

Read (clone, fetch, and explore the contents of a repository); also, can create, comment on, vote, and Contribute to pull requests

✔️

✔️

✔️

✔️

Contribute to a repository, Create branches, Create tags, and Manage notes

✔️

✔️

✔️

Bypass policies when pushing to a repository

✔️

Create repository, Delete repository, and Rename repository

✔️

Edit policies, Force push (rewrite history, delete branches and tags), Manage permissions, Remove others' locks

✔️

Bypass policies when completing pull requests (not set for any security group)

By default, the project-level Readers groups have read-only permissions.

Permission

Contributors

Build Admins

Project Admins

Branch Creation: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch.

✔️

✔️

✔️

Contribute: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch.

✔️

✔️

✔️

Note Management: Can push and edit Git notes to the repository. They can also remove notes from items if they have the Force permission.

✔️

✔️

✔️

Tag Creation: Can push tags to the repository, and can also edit or remove tags if they have the Force permission.

✔️

✔️

✔️

Administer: Delete and rename repositories: If assigned to the top-level Git repositories entry, can add additional repositories. At the branch level, users can set permissions for the branch and unlock the branch. The Administer permission set on an individual Git repository does not grant the ability to rename or delete the repository. These tasks require Administer permissions at the Git repositories top-level.

✔️

Rewrite and destroy history (force push): Can force an update to a branch and delete a branch. A force update can overwrite commits added from any user. Users with this permission can modify the commit history of a branch.

✔️

To change permissions or set policies for Git repositories or branches, see the following articles:

Tip

To quickly find a permission or setting defined for a project or organization, use the Organization search setting feature.