How to: Extract Organization Level Permissions from the respective user in Azure DevOps

Vinicius Moura
3 min readMay 5, 2021

--

This script and report extract Organization Level Permissions from the user. Before that, it’s necessary to get all groups to which that user belongs.

DISCLAIMER: Due to the number of records generated by this report, one mandatory filter was placed: the name of the user. This report was based on the ALM Rangers project Extracting effective permissions from TFS. Within Azure DevOps, click on Organization Settings, after clicking in Permissions, and select a respective group.

An original script is available on my GitHub repository. See below this script:

Let’s go understand each command used.

  1. PowerShell script will receive the following parameters:
  • $PAT = Personal Access token to connect on Azure DevOps;
  • $Organization = Organization URL to list permissions on Organization Level;
  • mailAdress = e-mail from respective user to which permissions will be extracted;
  • $Connstr = connection string to Azure SQL Database to store the report information. To create this report, it’s necessary to create previously a Azure SQL Server and Database and run a script below:

2. az devops user list = use this command to list all users on Azure DevOps organization. After that, it’s necessary to filter a respective user that was received by parameter.

$allUsers = az devops user list 
--org $Organization | ConvertFrom-Json
$allUsers = $allUsers.members $allUsers = $allusers.user | where-object {$_.mailAddress -eq $mailAddress}

3. az devops security group membership list = use this command to list all groups that user (received by parameter) is contained in.

$activeUserGroups = az devops security group membership list 
--id $allUsers.principalName
--org $Organization
--relationship memberof | ConvertFrom-Json

4. In Azure DevOps, when working with permissions, it’s necessary to understand SecurityNameSpaces. Basically, each namespace represents the respective set of permissions on Azure DevOps (Git, Area Path, Project Level, Iterations, Builds, Releases, etc.). To this example, to represent permission on Organization Level will be used namespaces AuditLog, Collection, BuildAdministration, Project, VersionControlPrivileges, Process, and Server, which is represented by the constants below:

$SecurityNameSpaceIds = @(    [pscustomobject]@{
SecurityNameSpace='AuditLog';
SecurityIdSpace='a6cc6381-a1ca-4b36-b3c1-4e65211e82b6'}
[pscustomobject]@{
SecurityNameSpace='Collection';
SecurityIdSpace='3e65f728-f8bc-4ecd-8764-7e378b19bfa7'}
[pscustomobject]@{
SecurityNameSpace='BuildAdministration';
SecurityIdSpace='302acaca-b667-436d-a946-87133492041c'}
[pscustomobject]@{
SecurityNameSpace='Project';
SecurityIdSpace='52d39943-cb85-4d7f-8fa8-c6baac873819'}
[pscustomobject]@{
SecurityNameSpace='VersionControlPrivileges';
SecurityIdSpace='66312704-deb5-43f9-b51c-ab4ff5e351c3'}
[pscustomobject]@{
SecurityNameSpace='Process';
SecurityIdSpace='2dab47f9-bd70-49ed-9bd5-8eb051e59c02'}
[pscustomobject]@{
SecurityNameSpace='Server';
SecurityIdSpace='1f4179b3-6bac-4d01-b421-71ea09171400'}
)

5. Token = At the moment that we extract any kind of permission on Azure DevOps, it’s necessary to work with tokens. For each type of permission, there is a specific rule to produce that token. For each namespace, there is the specific rule:

  • AuditLog
'AuditLog' { $Token = "/AllPermissions" }
  • Collection
'Collection' { $Token = "NAMESPACE" }
  • BuildAdministration
'BuildAdministration' { $Token = "BuildPrivileges" }
  • Project
'Project' { $Token = "`$PROJECT" }
  • VersionControlPrivileges
'VersionControlPrivileges' { $Token = "Global"}
  • Process
'Process' { $Token = "`$PROCESS" }
  • Server
'Server' { $Token = "FrameworkGlobalSecurity" }

6. More details about other tokens can be found in the links below:

7. az devops security permission show = Show details of permissions available in each namespace

$organizationCommands = az devops security permission show 
--id $snsi.SecurityIdSpace
--subject $activeUserGroups.$aug.descriptor
--token $Token
--org $Organization | ConvertFrom-Json

8. After extract all permissions, this information is stored in a table in Azure SQL.

9. After insert information into a table, I connected this database on Power BI:

  • Azure DevOps Groups (1) = Filter Azure DevOps Groups to which the user belongs;
  • Azure DevOps Groups (2) = list all Azure DevOps groups to which the user belongs;
  • Permission Group Type (3) = List of Permission Group Type (General, Service Account, Boards, Repos, Pipelines, Test Plans, Auditing, Policies);
  • Command (4) = List of commands available to Organization Level;
  • Permission (5) = Permission type (Allow, Deny, Not set, etc.).

--

--

Vinicius Moura
Vinicius Moura

Written by Vinicius Moura

Tech Solution Architect Manager na Accenture

No responses yet