Default permissions and access

Azure DevOps Services | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

To connect and use the functions and features that Azure DevOps Services and Team Foundation Server (TFS) provide, users must be added to a group with the appropriate permissions. The most common built-in groups include Readers, Contributors, and Project Administrators. These groups are assigned the default permissions as listed below.

In addition to permissions, access to specific features is controlled by the access level assigned to a user. Contributors and administrators should be added to Basic (paid) access. Stakeholder access is available to support free access to a limited set of features by an unlimited set of stakeholders.

For a complete reference of all built-in groups and permissions, see Permissions and groups. For information about access levels and supporting stakeholder access, see About access levels.

Boards/Work

You can connect to work items from the web portal, Boards or Work, and using Eclipse, Visual Studio, Excel, Project, and other clients. For an overview of work tracking features and functions, see About Agile tools.

Stakeholders have limited access to select work tracking functions as described in Work as a stakeholder.

In addition to the permissions set at the project level via the built-in groups, you can set permissions for the following objects: area and iteration paths, queries and query folders, and delivery plans.

The team administrator role supports configuration of team settings. To be added as a team administrator, see Add a team administrator.

Note

There are no UI permissions associated with managing tags. Instead, you can manage them using the TFSSecurity command line tool.

Users granted Stakeholder access are granted different access to features depending on whether it is a private or a public project. For private projects, Stakeholders have limited access to select work tracking functions, whereas for public projects, Stakeholders enjoy full access to work tracking features. To learn more, see About access levels, Stakeholder access.

Task Stakeholders Readers Contributors Team admins Organization owner/Project admins
View work items, such as bugs, requirements, and tasks. checkmark checkmark checkmark checkmark checkmark
Create and edit work items, follow a work item. checkmark checkmark checkmark checkmark
Change work item type. checkmark checkmark checkmark checkmark
Move or delete work items. (1) checkmark checkmark checkmark
Search and query work items, save work item queries. checkmark Can't save queries checkmark checkmark checkmark
View backlogs, boards, and plans. checkmark checkmark checkmark checkmark checkmark
Provide feedback. checkmark checkmark checkmark checkmark checkmark
Request feedback. checkmark checkmark checkmark
Agile tools (Kanban boards, backlogs, sprint planning, portfolio management). (2) Limited interactions View only checkmark checkmark checkmark
Configure Agile tools, set team defaults. (2) checkmark checkmark
Create new work item tags. (3) Can assign existing tags checkmark checkmark checkmark
View, add, and configure delivery plans. (4) View only checkmark checkmark checkmark
Customize project information (area paths, iteration paths, and work-tracking processes). checkmark checkmark checkmark checkmark
Powerful semantic work-tracking search. checkmark checkmark checkmark checkmark checkmark

Notes:

  1. Public project stakeholders have full access.
  2. Public project stakeholders have full access to all features.
  3. Public project stakeholders can create new tags.
  4. Public project stakeholders can configure delivery plans.

Task Stakeholders Readers Contributors Team admins Project admins
View work items, such as bugs, requirements, and tasks. checkmark checkmark checkmark checkmark checkmark
Create and edit work items, follow a work item. checkmark checkmark checkmark checkmark
Change work item type. checkmark checkmark checkmark checkmark
Move or delete work items. checkmark checkmark checkmark
Search and query work items, save work item queries. checkmark Can't save queries checkmark checkmark checkmark
View backlogs, boards, and plans. checkmark checkmark checkmark checkmark checkmark
Provide feedback. checkmark checkmark checkmark checkmark checkmark
Request feedback. checkmark checkmark checkmark
Agile tools (Kanban boards, backlogs, sprint planning, portfolio management). Limited interactions View only checkmark checkmark checkmark
Configure Agile tools, set team defaults. checkmark checkmark
Create new work item tags. Can assign existing tags checkmark checkmark checkmark
View, add, and configure delivery plans. View only checkmark checkmark checkmark
Customize project information (area paths, iteration paths, and work-tracking processes). checkmark checkmark checkmark
Powerful semantic work-tracking search. checkmark checkmark checkmark checkmark checkmark

Repos/Code

You can connect to your code from the web portal, Repos or Code, or using Xcode, Eclipse, IntelliJ, Android Studio, Visual Studio, or Visual Studio Code. For an overview of code features and functions, see Git and Use Team Foundation Version Control (TFVC). Stakeholders for private projects have no access to Repos or Code features.

From Project Settings, you can set permissions on a repository. From the Code>Branches page, you can set permissions for a specific branch and set branch policies.

Git

Task Readers Contributors Build Admins Account Owner/Project Admins
Clone, fetch, pull, and explore the contents of a repository checkmark checkmark checkmark checkmark
Unlimited private Git repositories checkmark checkmark checkmark
Create branches and tags, manage notes checkmark checkmark checkmark
Create, delete, and rename repositories checkmark
Manage permissions, manage branches and branch policies checkmark
Powerful semantic code search checkmark checkmark checkmark checkmark

TFVC

Task Readers Contributors Build Admins Account Owner/Project Admins
Contribute to a centralized version control, including Code Review (Check in, label, lock, merge, pend a change) Read only checkmark checkmark checkmark
Check in, revise, undo, unlock other users' changes checkmark
Manage branches, manage permissions checkmark
Powerful semantic code search checkmark checkmark checkmark checkmark

Pipelines/Build and Release

You can define and manage your builds and releases from the web portal, Pipelines or Build and Release. For an overview of pipelines features and functions, see Continuous integration on any platform.

From the web portal, you can set permissions for all or individual build pipelines, release pipelines, task groups, or variable groups. See Set build and release permissions.

Note

When the Free access to Pipelines for Stakeholders preview feature is enabled for the organization, Stakeholders get access to all Build and Release features. This is indicated by the preview icon shown in the following table. Without this feature enabled, stakeholders can only view and approve releases. To learn more, see Provide Stakeholders access to edit build and release pipelines.

Task Stakeholders Readers Contributors Build Admins Organization Owner/Project Admins Release Admins
View build and release pipelines checkmark checkmark checkmark checkmark checkmark checkmark
Define builds with continuous integration preview checkmark checkmark checkmark
Define releases and manage deployments preview checkmark checkmark checkmark
Approve releases preview checkmark checkmark checkmark
Azure Artifacts (5 users free) preview checkmark checkmark checkmark
Queue builds, edit build quality preview checkmark checkmark checkmark
Manage build queues and build qualities preview checkmark checkmark
Manage build retention policies, delete and destroy builds preview checkmark checkmark checkmark
Administer build permissions preview checkmark checkmark
Manage release permissions preview checkmark checkmark
Create and edit task groups preview checkmark checkmark checkmark checkmark
Manage task group permissions preview checkmark checkmark checkmark
Can view library items such as variable groups preview checkmark checkmark checkmark checkmark checkmark
Use and manage library items such as variable groups preview checkmark checkmark checkmark
Task Stakeholders Readers Contributors Build Admins Project Admins Release Admins
View build and release pipelines checkmark checkmark checkmark checkmark checkmark checkmark
Define builds with continuous integration checkmark checkmark checkmark
Define releases and manage deployments checkmark checkmark checkmark
Approve releases checkmark checkmark checkmark checkmark
Azure Artifacts (5 users free) checkmark checkmark checkmark
Queue builds, edit build quality checkmark checkmark checkmark
Manage build queues and build qualities checkmark checkmark
Manage build retention policies, delete and destroy builds checkmark checkmark checkmark
Administer build permissions checkmark checkmark
Manage release permissions checkmark checkmark
Create and edit task groups checkmark checkmark checkmark checkmark
Manage task group permissions checkmark checkmark checkmark
Can view library items such as variable groups checkmark checkmark checkmark checkmark checkmark
Use and manage library items such as variable groups checkmark checkmark checkmark

Test Plans/Test

You can define and manage manual tests from the web portal, Test Plans or Test. For an overview of manual test features and functions, see Testing overview.

You set test permissions at the project level from Project Settings>Security.

Task Stakeholders Readers Contributors Account Owner/Project Admins
Exploratory testing, view test runs checkmark checkmark checkmark
Exploratory testing, create and delete test runs checkmark checkmark
Provide feedback using the Test & Feedback extension checkmark checkmark checkmark checkmark
Request feedback using the Test & Feedback extension checkmark checkmark
Manage test configurations and test environments checkmark checkmark
Manage test plans and test suites checkmark checkmark
Test Manager (purchased separately) checkmark checkmark

Azure Artifacts

You can manage feeds from the web portal, Artifacts or Build and release > Packages. Feeds have three levels of access: Owners, Contributors, and Readers. Owners can add any type of identity (individuals, teams, and groups) to any access level.

To set permissions, see Secure feeds using permissions.

Permission Reader Contributor Owner
List and restore/install packages checkmark checkmark checkmark
Push packages checkmark checkmark
Unlist/deprecate packages checkmark checkmark
Delete/unpublish package checkmark
Edit feed permissions checkmark
Rename and delete feed checkmark
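
The feed roles above lend themselves to a least-privilege review. The following is an added example, not code from the original page or from Azure DevOps: it reads the table as cumulative (Reader, then Contributor, then Owner, which is an assumption about the column layout), and the operation keys, identities and declared needs are constructed for illustration.

```python
# Added example: least-privilege audit of Azure Artifacts feed roles.
# Assumption: the table is cumulative (Reader < Contributor < Owner).
ROLES = ["Reader", "Contributor", "Owner"]  # lowest to highest privilege

# Lowest role that holds each permission row of the table (keys are hypothetical).
MIN_ROLE = {
    "list": "Reader",
    "restore": "Reader",
    "push": "Contributor",
    "unlist": "Contributor",
    "delete_package": "Owner",
    "edit_permissions": "Owner",
    "rename_or_delete_feed": "Owner",
}

def minimal_role(operations):
    """Return the lowest feed role covering every operation, or None if none are needed."""
    unknown = set(operations) - set(MIN_ROLE)
    if unknown:
        raise ValueError(f"unknown operations: {sorted(unknown)}")
    if not operations:
        return None
    return ROLES[max(ROLES.index(MIN_ROLE[op]) for op in operations)]

def audit(assignments, needs):
    """Compare each identity's assigned role with the role its declared needs require."""
    findings = []
    for identity, assigned in sorted(assignments.items()):
        needed = minimal_role(needs.get(identity, []))
        if needed is None:
            verdict = "no declared need"      # candidate for removal from the feed
        elif ROLES.index(assigned) > ROLES.index(needed):
            verdict = "over-privileged"       # downgrade to `needed`
        elif ROLES.index(assigned) < ROLES.index(needed):
            verdict = "insufficient"          # work will fail; raise deliberately
        else:
            verdict = "ok"
        findings.append((identity, assigned, needed, verdict))
    return findings

# Constructed sample data (not from the page).
ASSIGNMENTS = {"ci-build-service": "Owner", "dev-team": "Contributor",
               "old-vendor-group": "Contributor", "release-bot": "Reader"}
NEEDS = {"ci-build-service": ["restore", "push"], "dev-team": ["list", "push", "unlist"],
         "release-bot": ["restore", "push"]}

if __name__ == "__main__":
    for row in audit(ASSIGNMENTS, NEEDS):
        print("%-18s assigned=%-12s needed=%-12s %s" % row)
```
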

Charts, dashboards, and other web portal features

You can define and manage dashboards from the web portal, Dashboard. For an overview of dashboard and chart features, see Dashboards.

You set dashboard permissions at the team level from the team dashboard page.

Users granted Stakeholder access are granted different access to features depending on whether it is a private or a public project. For private projects, Stakeholders have limited access to select work tracking functions, whereas for public projects, Stakeholders enjoy full access to work tracking features. To learn more, see About access levels, Stakeholder access.

Task Stakeholders Readers Contributors Team admins Organization owner/Project Admins
View charts and dashboards checkmark checkmark checkmark checkmark checkmark
Create work item and test tracking charts (1) checkmark checkmark checkmark
View the project page checkmark checkmark checkmark checkmark checkmark
Edit the project page (1) checkmark
Navigate using the Project pages checkmark checkmark checkmark checkmark checkmark
Add and configure dashboards (1) With permissions set checkmark checkmark

Notes:

  1. Public project Stakeholders have full access to all features.

Task Stakeholders Readers Contributors Team admins Project Admins
View charts and dashboards checkmark checkmark checkmark checkmark checkmark
Create work item and test tracking charts checkmark checkmark checkmark
View the project page checkmark checkmark checkmark checkmark checkmark
Edit the project page checkmark
Navigate using the Project pages checkmark checkmark checkmark checkmark checkmark
Add and configure dashboards With permissions set checkmark checkmark

Analytics

From the web portal Analytics views, you can create and manage Analytics views. An Analytics view provides a simplified way to specify the filter criteria for a Power BI report based on the Analytics Service data store. The Analytics Service is the reporting platform for Azure DevOps. To learn more, see What is the Analytics Service?.

You set permissions for the service at the project level, and for shared Analytics views at the object level.

Task Stakeholders Readers Contributors Team admins Account Owner/Project Admins
View Analytics service checkmark checkmark checkmark checkmark
View, edit, and delete a shared Analytics view checkmark checkmark checkmark checkmark

Notifications, alerts, and team collaboration tools

To manage notifications, see Manage personal notifications and Manage team notifications.

Note

There are no UI permissions associated with managing notifications. Instead, you can manage them using the TFSSecurity command line tool.

Task Stakeholders Readers Contributors Team Admins Organization Owner/Project Admins
Set personal notifications or alerts checkmark checkmark checkmark checkmark
Set team notifications or alerts checkmark checkmark
Set project-level notifications or alerts checkmark
Participate in Team (chat) rooms (1) checkmark checkmark checkmark
READMEs See Note 2 checkmark checkmark checkmark checkmark
View Wikis checkmark checkmark checkmark checkmark checkmark
Provision or create a Wiki checkmark
View the project page checkmark checkmark checkmark checkmark checkmark
Edit the project page checkmark
Navigate using the Project pages checkmark checkmark checkmark checkmark checkmark
Request feedback checkmark checkmark checkmark checkmark
Provide feedback checkmark checkmark checkmark checkmark checkmark
Powerful semantic code search checkmark checkmark checkmark checkmark checkmark
Powerful semantic work tracking search checkmark checkmark checkmark checkmark checkmark

Notes

  1. Team (chat) rooms have been deprecated for Azure DevOps Services and TFS 2018 and later versions.
  2. Can view project READMEs, but not READMEs defined for a repository.