Roleassignments - Set Role Assignments
Set role assignments on a resource
PUT https://dev.azure.com/{organization}/_apis/securityroles/scopes/{scopeId}/roleassignments/resources/{resourceId}?api-version=7.1-preview.1PUT https://dev.azure.com/{organization}/_apis/securityroles/scopes/{scopeId}/roleassignments/resources/{resourceId}?limitToCallerIdentityDomain={limitToCallerIdentityDomain}&api-version=7.1-preview.1URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
resource
|
path | True |
string |
Id of the resource on which the role is to be assigned |
|
scope
|
path | True |
string |
Id of the assigned scope |
|
organization
|
path |
string |
The name of the Azure DevOps organization. |
|
|
api-version
|
query | True |
string |
Version of the API to use. This should be set to '7.1-preview.1' to use this version of the api. |
|
limit
|
query |
boolean |
Request Body
| Name | Type | Description |
|---|---|---|
| body |
Roles to be assigned |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
successful operation |
Security
oauth2
Type:
oauth2
Flow:
accessCode
Authorization URL:
https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL:
https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
Scopes
| Name | Description |
|---|---|
| vso.security_manage | Grants the ability to read, write, and manage security permissions. |
Examples
Set Role assignments
Sample Request
PUT https://dev.azure.com/_apis/securityroles/scopes/{scopeId}/roleassignments/resources/{resourceId}?api-version=7.1-preview.1
[
{
"roleName": "Administrator",
"userId": "4189bd2b-de9c-45de-a886-4e3d9c03f1f9"
}
]
Sample Response
{
"count": 1,
"value": [
{
"identity": {
"displayName": "Your Identity Name",
"id": "cbb1d8ac-cee5-47c1-878a-e75c0e94ac89",
"uniqueName": "Your Identity Unique Name"
},
"role": {
"displayName": "Administrator",
"name": "Administrator",
"allowPermissions": 3,
"denyPermissions": 0,
"identifier": "distributedtask.serviceendpointrole.Administrator",
"description": "Administrator can use and manage the service connection.",
"scope": "distributedtask.serviceendpointrole"
},
"access": "assigned",
"accessDisplayName": "Assigned"
}
]
}Definitions
| Name | Description |
|---|---|
|
Identity |
|
|
Reference |
The class to represent a collection of REST reference links. |
|
Role |
Designates the role as explicitly assigned or inherited. |
|
Role |
|
|
Security |
|
|
User |
IdentityRef
| Name | Type | Description |
|---|---|---|
| _links |
This field contains zero or more interesting links about the graph subject. These links may be invoked to obtain additional relationships or more detailed information about this graph subject. |
|
| descriptor |
string |
The descriptor is the primary way to reference the graph subject while the system is running. This field will uniquely identify the same graph subject across both Accounts and Organizations. |
| directoryAlias |
string |
Deprecated - Can be retrieved by querying the Graph user referenced in the "self" entry of the IdentityRef "_links" dictionary |
| displayName |
string |
This is the non-unique display name of the graph subject. To change this field, you must alter its value in the source provider. |
| id |
string |
|
| imageUrl |
string |
Deprecated - Available in the "avatar" entry of the IdentityRef "_links" dictionary |
| inactive |
boolean |
Deprecated - Can be retrieved by querying the Graph membership state referenced in the "membershipState" entry of the GraphUser "_links" dictionary |
| isAadIdentity |
boolean |
Deprecated - Can be inferred from the subject type of the descriptor (Descriptor.IsAadUserType/Descriptor.IsAadGroupType) |
| isContainer |
boolean |
Deprecated - Can be inferred from the subject type of the descriptor (Descriptor.IsGroupType) |
| isDeletedInOrigin |
boolean |
|
| profileUrl |
string |
Deprecated - not in use in most preexisting implementations of ToIdentityRef |
| uniqueName |
string |
Deprecated - use Domain+PrincipalName instead |
| url |
string |
This url is the full route to the source resource of this graph subject. |
ReferenceLinks
The class to represent a collection of REST reference links.
| Name | Type | Description |
|---|---|---|
| links |
object |
The readonly view of the links. Because Reference links are readonly, we only want to expose them as read only. |
RoleAccess
Designates the role as explicitly assigned or inherited.
| Name | Type | Description |
|---|---|---|
| assigned |
string |
Access has been explicitly set. |
| inherited |
string |
Access has been inherited from a higher scope. |
RoleAssignment
| Name | Type | Description |
|---|---|---|
| access |
Designates the role as explicitly assigned or inherited. |
|
| accessDisplayName |
string |
User friendly description of access assignment. |
| identity |
The user to whom the role is assigned. |
|
| role |
The role assigned to the user. |
SecurityRole
| Name | Type | Description |
|---|---|---|
| allowPermissions |
integer |
Permissions the role is allowed. |
| denyPermissions |
integer |
Permissions the role is denied. |
| description |
string |
Description of user access defined by the role |
| displayName |
string |
User friendly name of the role. |
| identifier |
string |
Globally unique identifier for the role. |
| name |
string |
Unique name of the role in the scope. |
| scope |
string |
Returns the id of the ParentScope. |
UserRoleAssignmentRef
| Name | Type | Description |
|---|---|---|
| roleName |
string |
The name of the role assigned. |
| uniqueName |
string |
Identifier of the user given the role assignment. |
| userId |
string |
Unique id of the user given the role assignment. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for