Set repository permissions for Git or TFVC

Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

By default, members of the project Contributors group have permissions to contribute to a repository. However, to create and manager permissions for a repository, you must be a member of the Project Administrators group. You can grant or restrict access to a repository by setting the permission state to Allow or Deny for a single user or a security group.

Prerequisites

Default repository permissions

To contribute to the source code, you must be granted Basic access level or greater. Users granted Stakeholder access for private projects have no access to source code. Users granted Stakeholder access for public projects have the same access as Contributors and those granted Basic access. To learn more, see About access levels.

To contribute to the source code, you must be granted Basic access level or greater. Users granted Stakeholder access have no access to source code. To learn more, see About access levels.

For a description of each security group and permission level, see Permissions and group reference.

Git

You can use Git repositories to host and collaborate on your source code. For an overview of code features and functions, see Git.

Set permissions across all Git repositories by making changes to the top-level Git repositories entry. Individual repositories inherit permissions from the top-level Git Repositories entry. Branches inherit a subset of permissions from assignments made at the repository level. For branch permissions and policies, see Set branch permissions and Improve code quality with branch policies.

Task Readers Contributors Build Admins Project Admins
Clone, fetch, contribute to pull requests, and explore the contents of a repository checkmark checkmark checkmark checkmark
Contribute to a repository, create branches, create tags, manage notes checkmark checkmark checkmark
Create, delete, and rename repositories checkmark
Edit policies, Manage permissions, Remove others' locks checkmark
Bypass policies when completing pull requests, Bypass policies when pushing, Force push (rewrite history, delete branches and tags) (not set for any security group)

Set permissions across all Git repositories by making changes to the top-level Git repositories entry. Individual repositories inherit permissions from the top-level Git Repositories entry. Branches inherit a subset of permissions from assignments made at the repository level. For branch permissions and policies, see Set branch permissions and Improve code quality with branch policies.

By default, the project-level Readers groups have read-only permissions.

Task Contributors Build Admins Project Admins
Branch Creation: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch. checkmark checkmark checkmark
Contribute: At the repository level, can push their changes to branches in the repository. Does not override restrictions in place from branch policies. At the branch level, can push their changes to the branch and lock the branch. checkmark checkmark checkmark
Note Management: Can push and edit Git notes to the repository. They can also remove notes from items if they have the Force permission. checkmark checkmark checkmark
Tag Creation: Can push tags to the repository, and can also edit or remove tags if they have the Force permission. checkmark checkmark checkmark
Administer: Delete and rename repositories

If assigned to the top-level Git repositories entry, can add additional repositories. At the branch level, users can set permissions for the branch and unlock the branch. The Administer permission set on an individual Git repository does not grant the ability to rename or delete the repository. These tasks require Administer permissions at the top-level Git repositories entry.

checkmark
Rewrite and destroy history (force push): Can force an update to a branch and delete a branch. A force update can overwrite commits added from any user. Users with this permission can modify the commit history of a branch. checkmark

The Project Collection Build Service can read from all repositories by default. Any pipeline which runs with project collection scope can potentially read any repository in the organization/collection. You can remove this permission for a repository: set "Read" to "Deny" for the Project Collection Build Service.

TFVC

Team Foundation Version Control (TFVC) provides a centralized version control system to manage your source control.

Task Readers Contributors Build Admins Project Admins
Contribute to a centralized version control, including Code Review (Check in, label, lock, merge, pend a change) Read only checkmark checkmark checkmark
Check in, revise, undo, or unlock other users' changes checkmark
Manage branches, manage permissions checkmark

Set Git repository permissions

You can set the permissions for all Git repositories for a project, or for a single repository.

  1. Open the web portal and choose the project where you want to add users or groups. To choose another project, see Switch project, repository, team.

  2. To set the set the permissions for all Git repositories for a project, choose Git Repositories and then choose the security group whose permissions you want to manage.

    For example, here we choose (1) Project Settings, (2) Repositories, (3) Git repositories, (4) the Contributors group, and then (5) the permission for Create repository.

    To see the full image, click to expand.

    Project Settings>Code>Repositories>Git repositories>Security

    Otherwise, choose a specific repository and choose the security group whose permissions you want to manage.

  3. When done, choose Save changes.

  1. Open the web portal and choose the project where you want to add users or groups. To choose another project, see Switch project, repository, team.

  2. Choose the  gear icon to open the administrative context.

    Open Project Settings, horizontal nav

  3. Choose Version Control.

  4. To set the set the permissions for all Git repositories for a project, (1) choose Git Repositories and then (2) choose the security group whose permissions you want to manage.

    Otherwise, choose a specific repository and choose the security group whose permissions you want to manage.

  5. Choose the setting for the permission you want to change.

    Here we grant permissions to the Contributors group to (3) create repositories.

    Security dialog for all Git repositories, Contributors group

  6. When done, choose Save changes.

Set TFVC repository permissions

  1. To set the set the permissions for the TFVC repository for a project, choose TFVC Repository and then choose the security group whose permissions you want to manage.

    For example, here we choose (1) Project Settings, (2) Repositories, (3) the TFVC repository, (4) the Contributors group, and then (5) the permission for Manage branch.

    To see the full image, click to expand.

    Project Settings>Code>Repositories>TFVC repositories>Security

  2. Save your changes.

  1. From the web portal, open the admin context by choosing the  gear Settings icon and choose Version Control.

  2. Choose the TFVC repository for the project and then choose the security group whose permissions you want to manage.

  3. Change the permission setting to Allow or Deny.

    For example, here we change the Manage branch permission to Allow for all members of the Contributors group.

    Security dialog for the TFVC repository, Contributors group

  4. Save your changes.