Permissions - Remove Permission
Removes the specified permissions on a security token for a user or group.
DELETE https://dev.azure.com/{organization}/_apis/permissions/{securityNamespaceId}/{permissions}?descriptor={descriptor}&api-version=7.1DELETE https://dev.azure.com/{organization}/_apis/permissions/{securityNamespaceId}/{permissions}?descriptor={descriptor}&token={token}&api-version=7.1URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
security
|
path | True |
string uuid |
Security namespace identifier. |
|
organization
|
path |
string |
The name of the Azure DevOps organization. |
|
|
permissions
|
path |
integer int32 |
Permissions to remove. |
|
|
api-version
|
query | True |
string |
Version of the API to use. This should be set to '7.1' to use this version of the api. |
|
descriptor
|
query | True |
string |
Identity descriptor of the user to remove permissions for. |
|
token
|
query |
string |
Security token to remove permissions for. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
successful operation |
Security
oauth2
Type:
oauth2
Flow:
accessCode
Authorization URL:
https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL:
https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
Scopes
| Name | Description |
|---|---|
| vso.security_manage | Grants the ability to read, write, and manage security permissions. |
Examples
Sample request
DELETE https://dev.azure.com/fabrikam/_apis/permissions/5a27515b-ccd7-42c9-84f1-54c998f03866?descriptor=Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1&token=token1&api-version=7.1
Sample response
{
"descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
"allow": 1,
"deny": 0
}Definitions
| Name | Description |
|---|---|
|
Access |
Class for encapsulating the allowed and denied permissions for a given IdentityDescriptor. |
|
Ace |
Holds the inherited and effective permission information for a given AccessControlEntry. |
|
Identity |
An Identity descriptor is a wrapper for the identity type (Windows SID, Passport) along with a unique identifier such as the SID or PUID. |
AccessControlEntry
Class for encapsulating the allowed and denied permissions for a given IdentityDescriptor.
| Name | Type | Description |
|---|---|---|
| allow |
integer |
The set of permission bits that represent the actions that the associated descriptor is allowed to perform. |
| deny |
integer |
The set of permission bits that represent the actions that the associated descriptor is not allowed to perform. |
| descriptor |
The descriptor for the user this AccessControlEntry applies to. |
|
| extendedInfo |
This value, when set, reports the inherited and effective information for the associated descriptor. This value is only set on AccessControlEntries returned by the QueryAccessControlList(s) call when its includeExtendedInfo parameter is set to true. |
AceExtendedInformation
Holds the inherited and effective permission information for a given AccessControlEntry.
| Name | Type | Description |
|---|---|---|
| effectiveAllow |
integer |
This is the combination of all of the explicit and inherited permissions for this identity on this token. These are the permissions used when determining if a given user has permission to perform an action. |
| effectiveDeny |
integer |
This is the combination of all of the explicit and inherited permissions for this identity on this token. These are the permissions used when determining if a given user has permission to perform an action. |
| inheritedAllow |
integer |
These are the permissions that are inherited for this identity on this token. If the token does not inherit permissions this will be 0. Note that any permissions that have been explicitly set on this token for this identity, or any groups that this identity is a part of, are not included here. |
| inheritedDeny |
integer |
These are the permissions that are inherited for this identity on this token. If the token does not inherit permissions this will be 0. Note that any permissions that have been explicitly set on this token for this identity, or any groups that this identity is a part of, are not included here. |
IdentityDescriptor
An Identity descriptor is a wrapper for the identity type (Windows SID, Passport) along with a unique identifier such as the SID or PUID.
| Name | Type | Description |
|---|---|---|
| identifier |
string |
The unique identifier for this identity, not exceeding 256 chars, which will be persisted. |
| identityType |
string |
Type of descriptor (for example, Windows, Passport, etc.). |