Open in app

Sign in

Write

Sign in

How to: Extract Iteration Path Permissions from the respective user, and project in Azure DevOps

Vinicius Moura
4 min readMay 13, 2021

This script and report extract Iteration Path Permissions from user. Before that, it’s necessary to get all groups to which that user belongs.

DISCLAIMER: Due to the number of records generated by this report, two mandatory filters were placed: the name of the user and the name of Team Project. This report was based on the ALM Rangers project Extracting effective permissions from TFS

An original script is available on my GitHub repository. See below this script:

Let’s go understand each command used.

  1. PowerShell script will receive the following parameters:
  • $PAT = Personal Access token to connect on Azure DevOps;
  • $Organization = Organization URL to list permissions on Iteration Paths;
  • ProjectName = Team Project name that contains Iterations to which permissions will be extracted;
  • mailAdress = e-mail from respective user to which permissions will be extracted;
  • $Connstr = connection string to Azure SQL Database to store the report information. To create this report, it’s necessary to create previously a Azure SQL Server and Database and run a script below:

2. az devops user list = use this command to list all users on Azure DevOps organization. After that, it’s necessary to filter a respective user that was received by parameter.

$allUsers = az devops user list 
--org $Organization | ConvertFrom-Json$allUsers = $allUsers.members $allUsers = $allusers.user | where-object {$_.mailAddress -eq $mailAddress}

3. az devops project list = use this command to list all projects on Azure DevOps organization. After that, it’s necessary to filter a respective Team Project that was received by parameter.

$allProjects = az devops project list 
--org $Organization --top 500 | ConvertFrom-Json$allProjects = $allProjects.value | Where name -EQ $ProjectName

4. Classification Nodes, Get Root Nodes = use this command to get root Iteration node under the project.

#Get Root Iteration Path$AzureDevOpsAuthenicationHeader = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$($PAT)")) }$uriProjectRootIteration = $Organization + "/$($ProjectName)/_apis/wit/classificationnodes?api-version=6.0"$ProjectRootIterationResult = Invoke-RestMethod -Uri $uriProjectRootIteration -Method get -Headers $AzureDevOpsAuthenicationHeader$ProjectRootIterationResult = $ProjectRootIterationResult.value | Where structureType -EQ "iteration"$iterationRootToken = "vstfs:///Classification/Node/$($ProjectRootIterationResult.identifier)*"

5. az devops security group membership list = use this command to list all groups that user (received by parameter) is contained in.

$activeUserGroups = az devops security group membership list 
--id $allUsers.principalName 
--org $Organization 
--relationship memberof | ConvertFrom-Json

6. In Azure DevOps, when working with permissions, it’s necessary to understand SecurityNameSpaces. Basically, each namespace represents the respective set of permissions on Azure DevOps (Git, Area Path, Project Level, Iterations, etc.). In this example, will be used namespace “Iteration”, which is represented by the constant below:

$SecurityNameSpaceIdIteration = "bf7bfa03-b2b7-47db-8113-fa2e002cc5b1"

7. az devops security permission list = use this command to list tokens for given user/group and namespace. In this case, I’ll filter NameSpace Iteration and groups to that respective user belongs:

#Get All Tokens from respective group and filter respective project        $allIterationsTokens = az devops security permission list 
--id $SecurityNameSpaceIdIteration 
--subject $activeUserGroups.$aug.descriptor | ConvertFrom-Json$allIterationsTokens = $allIterationsTokens | where-object {$_.token -like $iterationRootToken}

8. Token = At the moment that we extract any kind of permission on Azure DevOps, it’s necessary to work with tokens. For each type of permission, there is a specific rule to produce that token. In the specific case of Iteration Path (Iteration) permissions, the rule below is valid:

$iterationToken = "vstfs:///Classification/Node/$($ProjectRootIterationResult.identifier)
  • Identifier = Identifier of respective Iteration Path.

9. More details about other tokens can be found in the links below:

10. az devops security permission show = Show details of permissions available in each namespace

$IterationCommands = az devops security permission show 
--id $SecurityNameSpaceIdIteration 
--subject $activeUserGroups.$aug.descriptor 
--token $ait.token 
--org $Organization | ConvertFrom-Json

11. After extract all permissions, this information is stored in a table in Azure SQL.

12. After insert information into a table, I connected this database on Power BI:

  • Iteration Path (1) = Filter Iteration Path to verify respective permissions;
  • Azure DevOps Groups (2) = Filter Azure DevOps Groups to which the user belongs;
  • Azure DevOps Groups (3) = list all Azure DevOps groups to which the user belongs;
  • Command (4) = List of commands available to Iteration Path;
  • Permission (5) = Permission type (Allow, Deny, Not set, etc.).

One more time, I wanted to thank Ewerton Rodrigues Jordão for the great help with PowerShell.

Azure Devops
Iteration
Permissions

--

--

Vinicius Moura

Written by Vinicius Moura

363 Followers

Tech Solution Architect Manager na Accenture

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams