Skip to content

Latest commit

 

History

History
151 lines (94 loc) · 8.01 KB

feed-permissions.md

File metadata and controls

151 lines (94 loc) · 8.01 KB
Raw
title description ms.assetid ms.service ms.topic ms.date monikerRange recommendations
Configure permissions
How to configure permissions for Artifacts feeds, views, and pipelines access
70313C3C-2E52-4FFC-94C2-41F1E37C9D26
azure-devops-artifacts
conceptual
03/15/2024
<= azure-devops
true

Manage permissions

[!INCLUDE version-lt-eq-azure-devops]

Azure Artifacts enables you to publish, consume, and store various types of packages in your feed. By configuring permissions for your feed, you can manage access to your packages and control who can interact with them.

Azure Artifacts settings

  1. Sign in to your Azure DevOps organization, and then navigate to your project.

  2. Select Artifacts, and then select your feed from the dropdown menu. Select the Azure Artifacts settings icon on the right.

    :::image type="content" source="media/configure-artifacts-settings.png" alt-text="A screenshot showing how to access Azure Artifacts settings.":::

    ::: moniker range="< azure-devops-2022"

    [!NOTE] By default, the Azure Artifacts settings icon is only visible to feed owners and project collection administrators. ::: moniker-end

  3. Choose the users or groups who should have the ability to create and/or administer feeds, and then select Save when you're done.

    :::image type="content" source="media/artifact-feed-settings.png" alt-text="Screenshot showing how to set up Azure Artifacts settings.":::

Feed settings

::: moniker range=">= azure-devops-2019"

  1. Sign in to your Azure DevOps organization, and then navigate to your project.

  2. Select Artifacts, and then select your feed from the dropdown menu. Select the gear icon to navigate to your feed's settings.

    :::image type="content" source="../media/feed-settings.png" alt-text="A screenshot showing how to navigate to the feed's settings.":::

  3. Select Permissions, and then select Add users/groups.

    :::image type="content" source="media/feed-permissions.png" alt-text="A screenshot showing how to access feed permissions.":::

  4. Add new user(s)/group(s) and choose the appropriate Role for them.

    :::image type="content" source="media/add-users-groups-dialogue.png" alt-text="Screenshot showing how to add new users or groups.":::

  5. Select Save when you're done.

::: moniker-end

::: moniker range="azure-devops"

Note

By default, the Project Collection Build Service (org-scoped) and the project-level Build Service (project-scoped) are assigned the Feed and Upstream Reader (Collaborator) role.

::: moniker-end

:::moniker range=">= azure-devops-2022"

Note

By default, the Project Collection Build Service is automatically assigned the Feed and Upstream Reader (Collaborator) role for newly created collection-scoped feeds.

::: moniker-end

Permissions table

Permission Feed Reader Feed and Upstream Reader (Collaborator) Feed Publisher (Contributor) Feed Owner
List packages in the feed
Download/install/restore packages
Save packages from upstream sources
Publish packages
Promote packages to a view
Deprecate/unlist/yank packages
Delete/unpublish packages
Add/remove upstream sources
Allow external package versions
Edit feed settings

Note

Azure Artifacts Administrators, including Project Collection Administrators, automatically have the Feed Owner role on all feeds.

Note

In Azure Artifacts, feeds may be scoped to a single project or to the entire organization. To access a project-scoped feed, a user must also have access to the project containing that feed.

Feed views settings

Feed views enable users to share certain packages while keeping others private. A common scenario for using a feed view is sharing a package version that has already been tested and validated but keeping packages under development private.

By default, there are three views in a feed: @Local, @Prerelease, and @Release. The latter two are suggested views that you can rename or delete as desired. The @Local view is the default view and it includes all the packages published to the feed as well as all the packages downloaded from upstream sources.

Important

Users who have access to a specific view are able to access and download packages from the feed through that view even if they don't have direct access to that feed. If you want to completely hide your packages, you must restrict access to both the feed and its views.

  1. Sign in to your Azure DevOps organization, and then navigate to your project.

  2. Select Artifacts, and then select your feed from the dropdown menu. Select the gear icon to navigate to your feed's settings.

  3. Select Views, and then select the ellipsis button, and then select Edit to modify its permission. To restrict access to your view, change its visibility to specific people.

    :::image type="content" source="media/edit-view-permission.png" alt-text="A screenshot showing how to change views visibility.":::

  4. Select Save when you're done. The access permissions column should reflect your changes.

    :::image type="content" source="media/edit-views.png" alt-text="A screenshot showing the prerelease view permissions.":::

Important

Views inherit permissions from the parent feed. If you set a view's visibility to Specific people without specifying any users or groups, the view's permissions will default back to the permissions of its parent feed.

Pipelines permissions

To access your feed from your pipeline, the corresponding build identity must have the necessary permissions. If your pipeline is unable to access your feed, you might need to add the corresponding build identity to your feed's permissions.

Tip

  • The project-level build identity is named [Project name] Build Service ([Organization name]), for example FabrikamFiber Build Service (codesharing-demo).
  • The organization-level build identity is named Project Collection Build Service ([Organization name]), for example Project Collection Build Service (codesharing-demo).

  1. Sign in to your Azure DevOps organization, and then navigate to your project.

  2. Select Artifacts, and then select your feed from the dropdown menu. Select the gear icon gear icon to navigate to Feed settings.

  3. Select Permissions, and then select Add users/groups. Add your build identity and set its role to Feed and Upstream Reader (Collaborator). If you have a pipeline that needs to publish packages to the feed, set the role to Feed Publisher (Contributor) instead.

    :::moniker range=">= azure-devops-2022"

    :::image type="content" source="media/feed-pipelines-permissions.png" alt-text="A screenshot showing the build identity permission.":::

    ::: moniker-end

Note

If you want to access a feed in a different project from your pipeline, and your pipeline uses the project-level build identity, you must set up the other project to grant that identity at least the "Read project-level information" permission.

Related articles