Permissions - Remove Permission

Removes the specified permissions on a security token for a user or group.

DELETE https://dev.azure.com/{organization}/_apis/permissions/{securityNamespaceId}/{permissions}?descriptor={descriptor}&api-version=7.1
DELETE https://dev.azure.com/{organization}/_apis/permissions/{securityNamespaceId}/{permissions}?descriptor={descriptor}&token={token}&api-version=7.1

URI Parameters

Name In Required Type Description
securityNamespaceId
path True

string

uuid

Security namespace identifier.

organization
path

string

The name of the Azure DevOps organization.

permissions
path

integer

int32

Permissions to remove.

api-version
query True

string

Version of the API to use. This should be set to '7.1' to use this version of the api.

descriptor
query True

string

Identity descriptor of the user to remove permissions for.

token
query

string

Security token to remove permissions for.

Responses

Name Type Description
200 OK

AccessControlEntry

successful operation

Security

oauth2

Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

Scopes

Name Description
vso.security_manage Grants the ability to read, write, and manage security permissions.

Examples

Sample request

DELETE https://dev.azure.com/fabrikam/_apis/permissions/5a27515b-ccd7-42c9-84f1-54c998f03866?descriptor=Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1&token=token1&api-version=7.1

Sample response

{
  "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
  "allow": 1,
  "deny": 0
}

Definitions

Name Description
AccessControlEntry

Class for encapsulating the allowed and denied permissions for a given IdentityDescriptor.

AceExtendedInformation

Holds the inherited and effective permission information for a given AccessControlEntry.

IdentityDescriptor

An Identity descriptor is a wrapper for the identity type (Windows SID, Passport) along with a unique identifier such as the SID or PUID.

AccessControlEntry

Class for encapsulating the allowed and denied permissions for a given IdentityDescriptor.

Name Type Description
allow

integer

The set of permission bits that represent the actions that the associated descriptor is allowed to perform.

deny

integer

The set of permission bits that represent the actions that the associated descriptor is not allowed to perform.

descriptor

IdentityDescriptor

The descriptor for the user this AccessControlEntry applies to.

extendedInfo

AceExtendedInformation

This value, when set, reports the inherited and effective information for the associated descriptor. This value is only set on AccessControlEntries returned by the QueryAccessControlList(s) call when its includeExtendedInfo parameter is set to true.

AceExtendedInformation

Holds the inherited and effective permission information for a given AccessControlEntry.

Name Type Description
effectiveAllow

integer

This is the combination of all of the explicit and inherited permissions for this identity on this token. These are the permissions used when determining if a given user has permission to perform an action.

effectiveDeny

integer

This is the combination of all of the explicit and inherited permissions for this identity on this token. These are the permissions used when determining if a given user has permission to perform an action.

inheritedAllow

integer

These are the permissions that are inherited for this identity on this token. If the token does not inherit permissions this will be 0. Note that any permissions that have been explicitly set on this token for this identity, or any groups that this identity is a part of, are not included here.

inheritedDeny

integer

These are the permissions that are inherited for this identity on this token. If the token does not inherit permissions this will be 0. Note that any permissions that have been explicitly set on this token for this identity, or any groups that this identity is a part of, are not included here.

IdentityDescriptor

An Identity descriptor is a wrapper for the identity type (Windows SID, Passport) along with a unique identifier such as the SID or PUID.

Name Type Description
identifier

string

The unique identifier for this identity, not exceeding 256 chars, which will be persisted.

identityType

string

Type of descriptor (for example, Windows, Passport, etc.).