Set build and release permissions

VSTS | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

Permissions for build and release functions are primarily set at the object-level for a specific build or release, or for select tasks, at the collection level. For a simplified view of permissions assigned to built-in groups, see Permissions and access.

In addition to permission assignments, you manage security for several resources—such as variable groups, secure files, and deployment groups—by adding users or groups to a role. You grant or restrict permissions by setting the permission state to Allow or Deny, either for a security group or an individual user. For definitions of each build and release permission and role, see Build and release permissions.

Set permissions for build definitions

  1. To set the permissions for all build definitions, click the Security From the web portal Build-Release hub, Builds page

    Open the Security dialog for all build definitions

    To set the permissions for a specific build definition, open the context menu for the build and click Security.

    Open the security dialog for a build definition

  2. Choose the group you want to set permissions for, and then change the permission setting to Allow or Deny.

    For example, here we change the permission for Edit build definition for the Contributors group to Allow.

    Security dialog for a build definition

  3. Save your changes.

Set permissions for release definitions

  1. From the web portal Build-Release hub, Releases page, open the Security dialog for all release definitions.

    Open the security dialog for a build definition

    If you want to manage the permissions for a specific release, then open the Security dialog for that release.

  2. Choose the group you want to set permissions for, and then change the permission setting to Allow or Deny.

    For example, here we deny access to several permissions for the Contributors group.

    Security dialog for a release definition

  3. Save your changes.

Manage Library roles for variable groups, secure files, and deployment groups

Permissions for variable groups, secure files, and deployment groups are managed by roles. For a description of the roles, see About security roles.

Note

Feature availability: These features are available on VSTS and TFS 2017 and later versions.

You can set the security for all artifacts for a team project, as well as set the security for individual artifacts. The method is similar for all three artifact types. You set the security for variable groups and secure files from the Build and Release hub, Library page, and for deployment groups, from the Deployment groups page.

For example, here we show how to set the security for variable groups.

  1. Build-Release hub, Library page, open the Security dialog for all variable groups.

    Open the Security dialog for all variable groups

    If you want to manage the permissions for a specific variable group, then open the Security dialog for that group.

    Open the Security dialog for a specific variable group

  2. Add the user or group and choose the role you want them to have.

    For example, here we deny access to several permissions for the Contributors group.

    Add user to a Library role

  3. Click Add.

Manage task group permissions

Permissions for task groups are subject to a hierarchical model. You use task groups to encapsulate a sequence of tasks already defined in a build or a release definition into a single reusable task. You define and manage task groups in the Task groups tab of the Build and Release hub.

Note

Feature availability: These features are available on VSTS and TFS 2017 and later versions.

  1. From the web portal Build-Release hub, Task groups page, open the Security dialog for all task groups.

    Open the Security dialog for all task groups

    If you want to manage the permissions for a specific task group, then open the Security dialog for that group.

  2. Add the user or group and then set the permissions you want them to have.

    For example, here we add Raisa and set her permissions to Administer all task groups.

    Set task group permissions

  3. Click Add.

Set collection-level permissions to administer build resources

  1. From the web portal user context, open the admin context by clicking the gear icon gear Settings icon and choosing Account settings or Collection settings.

  2. Click Security, and then choose the group whose permissions you want to modify.

    Here we choose the Build Administrators group and change the Use build resources permission. For a description of each permissions, see Permissions and groups reference, Collection-level permissionss.

    Security dialog for Project Collection Build Administrators group

  3. Save your changes.

Manage permissions for agent queues and service endpoints

You manage the security for agent pools and service endpoints by adding users or groups to a role. The method is similar for both agent queues and service endpoints. You will need to be a member of the Project Administrator group to manage the security for these resources.

Note

Feature availability: These features are available on VSTS and TFS 2015 and later versions.

For example, here we show how to add a user to the Administrator role for a service endpoint.

  1. From the web portal, click the gear settings icon gear Settings icon to open the project settings admin context.

  2. Click Services, click the service endpoint that you want to manage, and then click Roles.

    Open the Roles tab for a service endpoint

  3. Add the user or group and choose the role you want them to have. For a description of each role, see About security roles.

    For example, here we add Raisa to the Administrator role.

    Add a user to the Adminstrator role

  4. Click Add.

Manage permissions for agent pools and deployment pools

You manage the security for agent pools and deployment pools by adding users or groups to a role. The method is similar for both types of pools.

Note

Feature availability: These features are available on VSTS and TFS 2018 and later versions.

You will need to be a member of the Project Collection Administrator group to manage the security for a pool. Once you've been added to the Administrator role, you can then manage the pool. For a description of each role, see About security roles.

  1. From the web portal, click the gear settings icon gear Settings icon and choose Account settings or Collection settings to open the collection-level settings admin context.

  2. Click Deployment Pools, and then open the Security dialog for all deployment pools.

    Open the Roles tab for a service endpoint

    If you want to manage the permissions for a specific deployment group, then open the Security dialog for that group.

  3. Add the user or group and choose the role you want them to have.

    For example, here we add Raisa to the Administrator role.

    Add a user to the Adminstrator role

  4. Click Add.

Default build and release permissions