Add or remove users or groups, manage security groups
Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018 - TFS 2013
The recommended method for managing permissions and access is to assign users to a security group. You can assign users to a default security group or create a custom group to grant or restrict permissions. You can add users and groups to more than one security group. For example, you add most developers to the Contributors group. When that same user is added as a member to a team, then they are added to the team's system-generated security group.
This article shows how to perform the following tasks:
- Create a custom security group at the project or collection level
- Add or remove users or groups to a security group
- Change a group name, image, or description
- Delete a custom security group
For information on the following related tasks, see the corresponding articles:
- Add AD/Azure AD users or groups to a built-in security group
- Add users & manage access
- Add users or groups to a team or project
- Remove user accounts
- Grant or restrict access using permissions
- Change project-level permissions
- Change project collection-level permissions
Users inherit permissions from the group(s) that they belong to. If a permission is set to Allow for one group and Deny for another group to which the user belongs, then their effective permission assignment is Deny. To learn more about permission inheritance, see Get started with permissions, access, and security groups, Permission inheritance and security groups.
How Azure DevOps uses security groups
Azure DevOps uses security groups for the following purposes:
- Determine permissions allocated to a group or user
- Determine access level allocated to a group or user
- Filter work item queries based on membership within a group
- Use @mention of a project-level group to send email notifications to members of that group
- Send team notifications to members of a team group
- Add a group to a role-based permission
- Set object-level permissions to a security group
- To manage permissions or groups at the project level, you must be a member of the Project Administrators Group. If you created the project, you are automatically added as a member of this group.
- To manage permissions or groups at the collection or instance level, you must be a member of the Project Collection Administrators Group. If you created the organization or collection, you are automatically added as a member of this group.
Create a custom security group
You create a custom security group from the Project settings>Permissions or Organization settings>Permissions pages. Choose to create a project-level group when you want to manage permissions at the project or object-level for a project. Create a collection-level group when you want to manage permissions at the collection level. To learn more about setting permissions for these areas, see Change project-level permissions and Change project collection-level permissions.
Add users or groups to a security group
As roles and responsibilities change, you might need to change the permission levels for individual members of a project. The easiest way to do that is to add the user or a group of users to either a default or custom security group. If roles change, you can then remove the user from a group.
Here we show how to add a user to the built-in Project Administrators group. The method is similar no matter what group you are adding. If your organization is connected to Azure Active Directory or Active Directory, then you can add security groups defined in those directories to Azure DevOps security groups. To learn more, see Add AD/Azure AD users or groups to a built-in security group.
Change permissions for a user or group
To change the permissions for a user or group, you need to open the security dialog for the user or group. Because permissions are defined at different levels, review the following articles to open the dialog for the permissions you want to change:
Remove users or groups from a security group
You add or remove users from a group from the Members tab of a selected group.
Manage group settings
If your on-premises deployment is integrated with a SharePoint product or SQL Server Reports, you'll need to manage membership for those products separately from their websites.