Change permissions at the organization or collection-level

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

This article shows you how to manage permissions at the organization or collection level. Several permissions are set at these levels. You can only grant these permissions if you're a member of the Project Collection Administrators group.

An organization is the container for several projects that share resources. For more information, see Plan your organizational structure.

A project collection is the container for several projects that share resources. For more information, see About projects and scaling your organization.

You might find the following articles helpful:

Note

Security groups are managed at the organization level, even if they are used for specific projects. Depending on user permissions, some groups might be hidden in the web portal. To view all group names within an organization, you can use the Azure DevOps CLI tool or our REST APIs. For more information, see Add and manage security groups.

Note

Security groups are managed at the collection level, even if they are used for specific projects. Depending on user permissions, some groups might be hidden in the web portal. To view all group names within a collection, you can use the Azure DevOps CLI tool or our REST APIs. For more information, see Add and manage security groups.

Note

Security groups are managed at the collection level, even if they are used for specific projects. Depending on user permissions, some groups might be hidden in the web portal. To view all group names in a collection, you can use the REST APIs. For more information, see Add and manage security groups.

Collection-level permissions

The following table lists the permissions assigned at the organization or collection level. All permissions, except for Make requests on behalf of others, are granted to members of the Project Collection Administrators group. For more information, see Permissions and groups reference, Groups.

General

  • Alter trace settings
  • Create new projects
  • Delete team project
  • Edit instance-level information
  • View instance-level information

Service Account

  • Make requests on behalf of others
  • Trigger events
  • View system synchronization information

Boards

  • Administer process permissions
  • Create process
  • Delete field from organization or account
  • Delete process
  • Edit process

Repos (TFVC)

  • Administer shelved changes
  • Administer workspaces
  • Create a workspace

Pipelines

  • Administer build resource permissions
  • Manage build resources
  • Manage pipeline policies
  • Use build resources
  • View build resources

Test Plans

  • Manage test controllers

Auditing

  • Delete audit streams
  • Manage audit streams
  • View audit log

Policies

  • Manage enterprise policies

Note

Project Collection Administrators can manage organization or collection-level security groups, group membership, and edit permission ACLs. This permission isn't controlled through the user interface.

Prerequisites

Permissions:

Note

Note

Users with Stakeholder access can't access specific features even if they have permissions to those features. For more information, see Stakeholder access quick reference.

Add members to the Project Administrators group

Do the following steps to add users to the Project Administrators group or any other group at the organization or collection level. To add a custom security group, first create the group.

Note

To turn on the Organization Permissions Settings Page v2 preview page, see Enable preview features.

  1. Sign in to your organization (https://dev.azure.com/{Your_Organization}).

  2. Select Organization settings > Permissions.

    Screenshot showing Organization settings and Permissions selections.

  3. Select Project Administrators group, Members, and then Add.

    Screenshot showing Project Settings > Permissions, Add member.

  4. Enter the name of the user account or custom security group into the text box and select the matching result. You can enter multiple identities into the Add users and/or groups box, and the system automatically searches for matches. Select the appropriate matches.

    Screenshot showing Add users and group dialog, preview page.

  5. Select Save.

  1. Open the web portal and choose the collection where you want to add users or groups.

  2. Select Collection Settings > Security.

    Screenshot of Project Settings, Security selection.

  3. Select Project Administrators > Members > Add.

    Screenshot of Project Settings>Security, Add member selection sequence.

  4. Enter the name of the user account into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Select one or more matches.

    Screenshot of Add users and group dialog, on-premises.

  5. Select Save changes and the refresh icon to see the additions.

Change permissions for a group

You can change the permissions for any organization or collection-level group, except the Project Collection Administrators group. Adding security groups to a collection is similar to adding them to a project. For more information, see Add or remove users or groups, manage security groups and About permissions, Permission states.

Note

To turn on the Organization Permissions Settings Page v2 preview page, see Enable preview features.

  1. Go to the Permissions page as described in the previous section, Add a user or group to the Project Administrators group.

    Note

    By design, you can't change the permission settings for the Project Collection Administrators group.

  2. Choose the group whose permissions you want to change.

    In the following example, we choose the Stakeholders Limited group, and change several permissions.

    Screenshot of Collection-level Permissions for a selected group, preview page.

    Your changes automatically save.

  1. Go to the Security page as described in the previous section, Add a user or group to the Project Collection Administrators group.

  2. Choose the group whose permissions you want to change.

    In the following example, we choose the Stakeholders Limited group and change several permissions.

    Screenshot of Collection-level Permissions for a selected group, current page.

  3. Select Save changes.

Change permissions for a user

You can change the collection-level permissions for a specific user. For more information, see About permissions, Permission states.

Note

To turn on the Organization Permissions Settings Page v2 preview page, see Enable preview features.

  1. Go to the Permissions page as described in the previous section, Add a user or group to the Project Administrators group.

  2. Select Users, then choose the user whose permissions you want to change.

    Screenshot of Users tab, choose a user.

  3. Change the assignment for one or more permissions.

    In the following example, we change the Edit project-level information for Christie Church.

    Screenshot of selected users, Permissions.

    Dismiss the dialog and your changes automatically save.

  1. Open the Security page as described in the previous section, Add a user or group to the Project Administrators group.

  2. In the Filter users and groups text box, enter the name of the user whose permissions you want to change.

  3. Change change the assignment for one or more permissions.

    In the following example, we change the Edit project-level information for Christie Church.

    Screenshot of selected user, change Edit project-level information permission level.

  4. Select Save changes.

On-premises deployments

For on-premises deployments, see the following articles:

If your on-premises deployment is integrated with SQL Server Reports, manage membership for those products separately from their websites. For more information, see Grant permissions to view or create SQL Server reports.

FAQs

Q: When do I need to add someone to the Project Collection Administrator role?

A: It varies. In most organizations, Project Collection Administrators manage the collections created by the Team Foundation Administrators group. They don’t create collections themselves but handle tasks like creating team projects, adding users to groups, and modifying collection settings.

Q: What are the optimal permissions to administer a project collection across all of its components and dependencies?

A: Project Collection Administrators need the following permissions:

  • Team Foundation Server: Members of the Project Collection Administrators group, or have the necessary collection-level permissions set to Allow.
  • SharePoint Products: Members of the Site Collection Administrators group if the collection includes a site collection resource.
  • Reporting Services: Members of the Team Foundation Content Manager group if the collection includes reporting resources.

Q: I'm an admin, but I don't have permission to add a Project Collection Administrator. What do I need?

A: You need the following permissions:

  • Project Collection Administrator or View Server-Level Information and Edit Server-Level Information set to Allow.
  • For SharePoint Products, membership in the Site Collection Administrators or Farm Administrators groups.
  • For Reporting Services, membership in the Content Managers or Team Foundation Content Managers groups.

Important

To create project collections and perform other administrative tasks, users need administrative permissions. Additionally, the service account for the Team Foundation Background Job Agent must have specific permissions. For more information, see Service accounts and dependencies in Team Foundation Server and Team Foundation Background Job Agent.

Next steps