Default permissions and access for Azure DevOps

Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

To use Azure DevOps features, users must be added to a security group with the appropriate permissions and granted access to the web portal. Limitations to select features are based on the access level and security group to which a user is assigned. The Basic access level and higher supports full access to all Azure Boards features. Stakeholder access level provides partial support to select features, allowing users to view and modify work items, but not use all features. Stakeholder access is available to support free access to a limited set of features by an unlimited set of stakeholders.

The most common built-in security groups—Readers, Contributors, and Project Administrators— and team administrator role grant permissions to specific features.

In general, use the following guidance when assign users to an access level and security group:

  • Grant Basic access or higher and add to the Contributors security group full-time workers who contribute to the code base or manage projects.
  • Grant Stakeholder access and add to the Contributors security group managers or users who don't actively contribute to the code base but want to check project status and provide direction, feedback, feature ideas, and business alignment to a team. Also,
  • Grant Stakeholder access and add to the Project Administrators security group users tasked with managing project resources. If they also need to contribute to the code base, then you must assign them Basic or higher-level access.
  • Grant Stakeholder access and add to the Project Collection Administrators security group users tasked with managing organization or collection resources. If they also need to contribute to the code base, then you must assign them Basic or higher-level access.

To learn more about administrative tasks see About user, team, project, and organization-level settings. For a complete reference of all built-in groups and permissions, see Permissions and groups. For information about access levels, see About access levels.

In the tables provided in this article, a  checkmark indicates that the corresponding access level or security group has access to a feature by default.

For a comparison chart of Stakeholder versus Basic access, see the Feature matrix. To assign or change an access level, see Add users and assign licenses. If you need to grant specific users select permissions, you can do so.

Dashboards, charts, reports, and widgets

You can define and manage dashboards from the web portal, Dashboard. For an overview of dashboard and chart features, see Dashboards. You set dashboard permissions at the team level from the team dashboard page.

Users granted Stakeholder access to private projects can't view or create query charts. Stakeholder access to public projects can view and create query charts.

Task Stakeholders Readers Contributors Team admins Project Admins
View work item query charts (from the Queries page) checkmark checkmark checkmark checkmark
View dashboards (including work item query charts added to the dashboard) checkmark checkmark checkmark checkmark checkmark
Create work item query and test tracking charts 1 checkmark checkmark checkmark
Add and configure dashboards 1 With permissions set checkmark checkmark

Notes:

  1. Public project Stakeholders have full access to all features.
Task Stakeholders Readers Contributors Team admins Project Admins
View charts and dashboards checkmark checkmark checkmark checkmark checkmark
Create work item and test tracking charts checkmark checkmark checkmark
Add and configure dashboards
With permissions set checkmark checkmark
Task Stakeholders Readers Contributors Team admins Project Admins
View team dashboard home page checkmark checkmark checkmark checkmark checkmark
Create work item and test tracking charts checkmark checkmark checkmark

Dashboards and charts

You can pin charts to a team dashboard Home page.

Task Stakeholders Readers Contributors Team admins Project Admins
View work item query charts (from the Queries page) checkmark checkmark checkmark checkmark
View dashboards (including work item query charts added to the dashboard) checkmark checkmark checkmark checkmark checkmark
Create work item query and test tracking charts 1 checkmark checkmark checkmark
Add and configure dashboards 1 With permissions set checkmark checkmark

Notes:

  1. Public project Stakeholders have full access to all features.
Task Stakeholders Readers Contributors Team admins Project Admins
View charts and dashboards checkmark checkmark checkmark checkmark checkmark
Create work item and test tracking charts checkmark checkmark checkmark
Add and configure dashboards
With permissions set checkmark checkmark
Task Stakeholders Readers Contributors Team admins Project Admins
View team dashboard home page checkmark checkmark checkmark checkmark checkmark
Create work item and test tracking charts checkmark checkmark checkmark

Power BI Integration and Analytics views

From the web portal Analytics views, you can create and manage Analytics views. An Analytics view provides a simplified way to specify the filter criteria for a Power BI report based on the Analytics Service data store. The Analytics Service is the reporting platform for Azure DevOps. To learn more, see What is the Analytics Service?.

You set permissions for the service at the project level, and for shared Analytics views at the object level. Users with Stakeholder access have no access to view or edit Analytics views.

Task Readers Contributors Project admins
View Analytics checkmark checkmark checkmark
View a shared Analytics view checkmark checkmark
Edit and delete Analytics views checkmark

Azure Boards

You can plan and track work from the web portal Boards hub, and using Eclipse, Visual Studio, Excel, Project, and other clients. For an overview of work tracking features, see About Agile tools.

Users granted Stakeholder access are granted different access to features depending on whether it is a private or a public project. For private projects, Stakeholders have limited access to select work tracking functions, whereas for public projects, Stakeholders enjoy full access to work tracking features. To learn more, see About access levels, Stakeholder access.

Work tracking

You can plan and track work from the web portal Work hub, and using Eclipse, Visual Studio, Excel, Project, and other clients. For an overview of work tracking features, see About Agile tools.

Note

Team administrators can configure settings for their team's tools. Organization owners and members of the Project Administrators group can configure settings for all teams. To be added as an administrator, see Add team administrators or Add administrators, set permissions at the project-level or project collection-level.

General work item feature access

You can use work items to track anything you need to track. To learn more, see Understand how work items are used to track issues, tasks, and epics.

Task Stakeholders Readers Contributors Team admins
View/open work items checkmark checkmark checkmark checkmark
Add work items, add tags to work items
(Stakeholders can assign existing tags to work items, but can't add new tags)
checkmark checkmark checkmark
Change work item type checkmark checkmark checkmark
Move work item to another project checkmark checkmark
Email work items checkmark checkmark checkmark
Apply a work item template checkmark checkmark checkmark
Delete work items (able to restore from the Recycle bin) checkmark checkmark
Permanently delete work items checkmark
Provide feedback (through the Microsoft Feedback client) checkmark checkmark checkmark checkmark
Request feedback checkmark checkmark

Note

You can change the work item type or move work items to another project within a project collection. These features require that the data warehouse is disabled. With the data warehouse disabled, you can use the Analytics Service to support your reporting needs. To learn more about disabling the data warehouse, see Disable the data warehouse and cube.

Task Stakeholders Readers Contributors Team admins
View/open work items checkmark checkmark checkmark checkmark
Add work items, add tags to work items
(Stakeholders can assign existing tags to work items, but can't add new tags)
checkmark checkmark checkmark
Email work items checkmark checkmark checkmark
Apply a work item template checkmark checkmark checkmark
Delete work items (able to restore from the Recycle bin) checkmark checkmark
Permanently delete work items checkmark
Provide feedback (through the Microsoft Feedback client) checkmark checkmark checkmark checkmark
Request feedback checkmark checkmark
Task Stakeholders Readers Contributors Team admins
View/open work items checkmark checkmark checkmark checkmark
Add work items, add tags to work items
(Stakeholders can assign existing tags to work items, but can't add new tags)
checkmark checkmark checkmark
Email work items checkmark checkmark checkmark
Delete work items (able to restore from the Recycle bin) checkmark checkmark
Permanently delete work items checkmark
Provide feedback (through the Microsoft Feedback client) checkmark checkmark checkmark checkmark
Request feedback checkmark checkmark
Task Stakeholders Readers Contributors Team admins
View/open work items checkmark checkmark checkmark checkmark
Add work items, add tags to work items
(Stakeholders can assign existing tags to work items, but can't add new tags)
checkmark checkmark checkmark
Email work items checkmark checkmark checkmark
Permanently delete work items checkmark
Provide feedback (through the Microsoft Feedback client) checkmark checkmark checkmark checkmark
Request feedback checkmark checkmark

Boards feature access

You use Boards to implement Kanban methods. Boards present work items as cards and support quick status updates through drag-and-drop.

Task Stakeholders Readers Contributors Team admins
View boards and open work items checkmark checkmark checkmark checkmark
Add work items to a board; update status, reorder, or reparent child tasks through drag-and-drop; update a field on a card checkmark checkmark
Add child tasks to a checklist checkmark checkmark checkmark
Assign to a sprint (from card menu) checkmark checkmark checkmark
Customize a board, configure team settings
(Stakeholders assigned as a team administrator or Project Administrator can configure team settings)
checkmark checkmark
Task Stakeholders Readers Contributors Team admins
View boards and open work items checkmark checkmark checkmark checkmark
Add work items to a board; update status through drag-and-drop checkmark checkmark
Assign to a sprint checkmark checkmark checkmark
Customize a board, configure team settings
(Stakeholders assigned as a team administrator or Project Administrator can configure team settings)
checkmark checkmark

Backlogs features access

Backlogs display work items as lists. A product backlog represents your project plan and a repository of all the information you need to track and share with your team. Portfolio backlogs allow you to group and organize your backlog into a hierarchy.

Task Stakeholders Readers Contributors Team admins
View backlogs and open work items checkmark checkmark checkmark checkmark
Add work items to a backlog
(Stakeholders can only add items to the bottom of the backlog)
checkmark checkmark checkmark
Use bulk edit features checkmark checkmark checkmark
Add child items to a backlog item; prioritize or reorder a backlog; parent items using the Mapping pane; Assign items to a sprint using the Planning pane checkmark checkmark
Customize a backlog, configure team settings
(Stakeholders assigned as a team administrator or Project Administrator can configure team settings)
checkmark checkmark
Task Stakeholders Readers Contributors Team admins
View backlogs and open work items checkmark checkmark checkmark checkmark
Add work items to a backlog
(Stakeholders can only add items to the bottom of the backlog)
checkmark checkmark checkmark
Use bulk edit features checkmark checkmark checkmark
Add child items to a backlog item; prioritize or reorder a backlog; parent items using the Mapping pane checkmark checkmark
Customize a backlog, configure team settings
(Stakeholders assigned as a team administrator or Project Administrator can configure team settings)
checkmark checkmark

Sprints feature access

You use sprint tools to implement Scrum methods. The Sprints set of tools provide filtered views of work items that a team has assigned to specific iteration paths or sprints.

Task Stakeholders Readers Contributors Team admins
View sprint backlogs, taskboards, and open work items checkmark checkmark checkmark checkmark
Add work items to a sprint backlog
(Stakeholders can add backlog items to the bottom of a sprint backlog)
checkmark checkmark checkmark
Add work items to a taskboard
(Stakeholders can add backlog items but not tasks)
checkmark checkmark
Prioritize/reorder a sprint backlog or taskboard; add child items to a backlog item; reassign items to a sprint using the Planning pane checkmark checkmark
View team capacity (work details) checkmark checkmark checkmark checkmark
Set team capacity checkmark checkmark
Use bulk edit features checkmark checkmark checkmark
Define sprints, set sprint dates checkmark
Customize a sprint backlog or taskboard, configure team settings
(Stakeholders assigned as a team administrator or Project Administrator can configure team settings)
checkmark checkmark
Task Stakeholders Readers Contributors Team admins
View sprint backlogs, taskboards, and open work items checkmark checkmark checkmark checkmark
Add work items to a sprint backlog
(Stakeholders can add backlog items to the bottom of a sprint backlog)
checkmark checkmark checkmark
Add work items to a taskboard
(Stakeholders can add backlog items but not tasks)
checkmark checkmark
Prioritize/reorder a sprint backlog or taskboard; add child items to a backlog item; reassign items to another using drag-and-drop checkmark checkmark
View team capacity (work details) checkmark checkmark checkmark checkmark
Set team capacity checkmark checkmark
Use bulk edit features checkmark checkmark checkmark
Define sprints, set sprint dates checkmark
Customize a sprint backlog or taskboard, configure team settings
(Stakeholders assigned as a team administrator or Project Administrator can configure team settings)
checkmark checkmark

Queries are filtered lists of work items based on criteria that you define by using a query editor. Adhoc searches are powered by a semantic search engine.

Task Stakeholders Readers Contributors Project admins
View and run managed queries checkmark checkmark checkmark checkmark
Create and save managed My queries checkmark checkmark checkmark
Create and save managed Shared queries
(Stakeholders can't save Shared queries even if granted permissions)
checkmark
View query charts checkmark checkmark checkmark
Create query charts checkmark checkmark
Powerful semantic work-tracking search checkmark checkmark checkmark checkmark
Task Stakeholders Readers Contributors Team admins
View and run managed queries checkmark checkmark checkmark checkmark
Create and save managed queries
(Stakeholders can't save shared queries)
checkmark checkmark checkmark
View query charts checkmark checkmark checkmark
Create query charts checkmark checkmark

Delivery plans feature access

Delivery plans display work items as cards against a calendar view. This format can be an effective communication tool with managers, partners, and stakeholders for a team. Users granted Stakeholder access for private projects have no access to delivery plans, while users granted Stakeholder access for public projects has the same access as regular Contributors granted Basic access.

Task Stakeholders Readers Contributors Project admins
View delivery plans checkmark checkmark checkmark
Create, edit, or delete a delivery plan
(Contributors can only edit or delete plans that they create)
checkmark checkmark
Manage permissions for a delivery plan
(Contributors can only manage permissions for plans that they create)
checkmark

Additional permissions

In addition to the permissions set at the project level via the built-in groups, you can set permissions for the following objects: area and iteration paths and individual queries and query folders.

Azure Repos

You can manage your source code from the web portal Repos hub, or using Xcode, Eclipse, IntelliJ, Android Studio, Visual Studio, or Visual Studio Code.

Stakeholders for private projects have no access to Repos. Stakeholders for public projects have the same access to Repos as Contributors.

Code: Source control

You can connect to your code from the web portal Code hub, or using Xcode, Eclipse, IntelliJ, Android Studio, Visual Studio, or Visual Studio Code. Stakeholders for private projects have no access to Code.

Git

You can use Git repositories to host and collaborate on your source code. For an overview of code features and functions.

Set permissions across all Git repositories by making changes to the top-level Git repositories entry. Individual repositories inherit permissions from the top-level Git Repositories entry. Branches inherit a subset of permissions from assignments made at the repository level. For branch permissions and policies, see Set branch permissions and Improve code quality with branch policies.

Task Readers Contributors Build Admins Project Admins
Clone, fetch, and explore the contents of a repository; also, can create, comment on, vote, and contribute to pull requests checkmark checkmark checkmark checkmark
Contribute to a repository, create branches, create tags, manage notes checkmark checkmark checkmark
Create, delete, and rename repositories checkmark
Edit policies, Manage permissions, Remove others' locks checkmark
Bypass policies when completing pull requests, Bypass policies when pushing, Force push (rewrite history, delete branches and tags) (not set for any security group)

Set permissions across all Git repositories by making changes to the top-level Git repositories entry. Individual repositories inherit permissions from the top-level Git Repositories entry. Branches inherit a subset of permissions from assignments made at the repository level. For branch permissions and policies, see Set branch permissions and Improve code quality with branch policies.

By default, the project-level Readers groups have read-only permissions.

Task Contributors Build Admins Project Admins
Branch Creation: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch. checkmark checkmark checkmark
Contribute: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch. checkmark checkmark checkmark
Note Management: Can push and edit Git notes to the repository. They can also remove notes from items if they have the Force permission. checkmark checkmark checkmark
Tag Creation: Can push tags to the repository, and can also edit or remove tags if they have the Force permission. checkmark checkmark checkmark
Administer: Delete and rename repositories

If assigned to the top-level Git repositories entry, can add additional repositories. At the branch level, users can set permissions for the branch and unlock the branch. The Administer permission set on an individual Git repository does not grant the ability to rename or delete the repository. These tasks require Administer permissions at the top-level Git repositories entry.

checkmark
Rewrite and destroy history (force push): Can force an update to a branch and delete a branch. A force update can overwrite commits added from any user. Users with this permission can modify the commit history of a branch. checkmark

The Project Collection Build Service can read from all repositories by default. Any pipeline which runs with project collection scope can potentially read any repository in the organization/collection. You can remove this permission for a repository: set "Read" to "Deny" for the Project Collection Build Service.

TFVC

Team Foundation Version Control (TFVC) provides a centralized version control system to manage your source control.

Task Readers Contributors Build Admins Project Admins
Contribute to a centralized version control, including Code Review (Check in, label, lock, merge, pend a change) Read only checkmark checkmark checkmark
Check in, revise, undo, or unlock other users' changes checkmark
Manage branches, manage permissions checkmark

Azure Pipelines

You can define and manage your builds and releases from the web portal Pipelines hub. For an overview of pipelines features and functions, see Continuous integration on any platform.

Build and Release

You can define and manage your builds and releases from the web portal, Build and Release. For an overview of pipelines features and functions, see Continuous integration on any platform.

From the web portal, you can set permissions for all or individual build pipelines, release pipelines, task groups, or variable groups. See Set build and release permissions.

Note

When the Free access to Pipelines for Stakeholders preview feature is enabled for the organization, Stakeholders get access to all Build and Release features. This is indicated by the  preview icon shown in the following table. Without this feature enabled, stakeholders can only view and approve releases. To learn more, see Provide Stakeholders access to edit build and release pipelines.

Task Stakeholders Readers Contributors Build
Admins
Project Admins Release Admins
View release pipelines checkmark checkmark checkmark checkmark checkmark checkmark
Define builds with continuous integration preview checkmark checkmark checkmark
Define releases and manage deployments preview checkmark checkmark checkmark
Approve releases preview checkmark checkmark checkmark
Azure Artifacts (5 users free) preview checkmark checkmark checkmark
Queue builds, edit build quality preview checkmark checkmark checkmark
Manage build queues and build qualities preview checkmark checkmark
Manage build retention policies, delete and destroy builds preview checkmark checkmark checkmark
Administer build permissions preview checkmark checkmark
Manage release permissions preview checkmark checkmark
Create and edit task groups preview checkmark checkmark checkmark checkmark
Manage task group permissions preview checkmark checkmark checkmark
Can view library items such as variable groups preview checkmark checkmark checkmark checkmark checkmark
Use and manage library items such as variable groups preview checkmark checkmark checkmark
Task Stakeholders Readers Contributors Build
Admins
Project Admins Release Admins
View build and release pipelines checkmark checkmark checkmark checkmark checkmark checkmark
Define builds with continuous integration checkmark checkmark checkmark
Define releases and manage deployments checkmark checkmark checkmark
Approve releases checkmark checkmark checkmark checkmark
Azure Artifacts (5 users free) checkmark checkmark checkmark
Queue builds, edit build quality checkmark checkmark checkmark
Manage build queues and build qualities checkmark checkmark
Manage build retention policies, delete and destroy builds checkmark checkmark checkmark
Administer build permissions checkmark checkmark
Manage release permissions checkmark checkmark
Create and edit task groups checkmark checkmark checkmark checkmark
Manage task group permissions checkmark checkmark checkmark
Can view library items such as variable groups checkmark checkmark checkmark checkmark checkmark
Use and manage library items such as variable groups checkmark checkmark checkmark

Azure Test Plans

Test

You can define and manage manual tests from the web portal, Test Plans or Test. For an overview of manual test features and functions, see Testing overview. You set test permissions at the project level from Project Settings>Security.

Task Stakeholders Readers Contributors Project Admins
Provide feedback using the Test & Feedback extension checkmark checkmark checkmark checkmark
Exploratory testing, view test runs checkmark checkmark checkmark
Manage test plans and test suites

Manage test configurations and test environments

checkmark checkmark

Exploratory testing, create and delete test runs

checkmark checkmark

Request feedback using the Test & Feedback extension

checkmark checkmark
Azure Test Plans (formerly Test Manager, purchased separately) checkmark checkmark

Azure Artifacts

You can manage feeds from the web portal, Artifacts or Build and release > Packages. Feeds have three permission levels: Owners, Contributors, and Readers. Owners can add any type of identity—individuals, teams, and groups—to any permission level. To set permissions, see Secure feeds using permissions.

Users granted Stakeholder or Basic access, or higher can access Azure Artifacts features.

Users granted Basic access or higher can access Azure Artifacts features. Users granted Stakeholder access have no access to Azure Artifacts.

Package management

You can manage feeds from the web portal, Build and release > Packages. Feeds have three levels of access: Owners, Contributors, and Readers. Owners can add any type of identity—individuals, teams, and groups—to any access level. To set permissions, see Secure feeds using permissions.

Users granted Basic access or higher can access Package management features. Users granted Stakeholder access have no access.

Permission Reader Contributor Owner
List and restore/install packages checkmark checkmark checkmark
Push packages checkmark checkmark
Unlist/deprecate packages checkmark checkmark
Delete/unpublish package checkmark
Edit feed permissions checkmark
Rename and delete feed checkmark

Notifications, alerts, and team collaboration tools

To manage notifications, see Manage personal notifications and Manage team notifications.

Note

There are no UI permissions associated with managing notifications. Instead, you can manage them using the TFSSecurity command line tool.

Task Stakeholders Readers Contributors Team Admins Organization Owner/
Project Admins
Set personal notifications or alerts checkmark checkmark checkmark checkmark
Set team notifications or alerts checkmark checkmark
Set project-level notifications or alerts checkmark
READMEs See Note 1 check mark check mark check mark check mark
View Project Wikis check mark check mark check mark check mark check mark
View Code Wikis check mark check mark check mark check mark
Provision or create a Wiki check mark
Publish Code as Wiki check mark See Note 2 See Note 2
View the project page checkmark checkmark checkmark checkmark checkmark
Edit the project page checkmark
Navigate using the Project pages checkmark checkmark checkmark checkmark checkmark
Request feedback check mark check mark check mark check mark
Provide feedback check mark check mark check mark check mark check mark
Powerful semantic code search checkmark checkmark checkmark checkmark checkmark
Powerful semantic work tracking search checkmark checkmark checkmark checkmark checkmark

Notes

  1. Can view project READMEs, but not READMEs defined for a repository.
  2. Project Admins or Team Admins with contribute permission can publish code as wiki. Project Admins have this permission by default.
Task Stakeholders Readers Contributors Team Admins Organization Owner/
Project Admins
Set personal notifications or alerts checkmark checkmark checkmark checkmark
Set team notifications or alerts checkmark checkmark
Set project-level notifications or alerts checkmark
READMEs See Note 1 check mark check mark check mark check mark
View Project Wikis check mark check mark check mark check mark check mark
View Code Wikis check mark check mark check mark check mark
Provision or create a Wiki check mark
Publish Code as Wiki check mark See Note 2 See Note 2
View the project page checkmark checkmark checkmark checkmark checkmark
Edit the project page checkmark
Navigate using the Project pages checkmark checkmark checkmark checkmark checkmark
Request feedback check mark check mark check mark check mark
Provide feedback check mark check mark check mark check mark check mark
Powerful semantic code search checkmark checkmark checkmark checkmark checkmark
Powerful semantic work tracking search checkmark checkmark checkmark checkmark checkmark

Notes

  1. Can view project READMEs, but not READMEs defined for a repository.
  2. Project Admins or Team Admins with contribute permission can publish code as wiki. Project Admins have this permission by default.
Task Stakeholders Readers Contributors Team Admins Organization Owner/
Project Admins
Set personal notifications or alerts checkmark checkmark checkmark checkmark
Set team notifications or alerts checkmark checkmark
Set project-level notifications or alerts checkmark
Participate in Team (chat) rooms check mark check mark check mark
READMEs

Can view project READMEs, but not READMEs defined for a repository.

Partial access check mark check mark check mark check mark
Request feedback check mark check mark check mark check mark
Provide feedback check mark check mark check mark check mark check mark
Task Stakeholders Readers Contributors Team Admins Organization Owner/
Project Admins
Set personal notifications or alerts checkmark checkmark checkmark checkmark
Set team notifications or alerts checkmark checkmark
Set project-level notifications or alerts checkmark
Participate in Team (chat) rooms check mark check mark check mark
Request feedback check mark check mark check mark check mark
Provide feedback check mark check mark check mark check mark check mark