Compartir a través de

Manage security in Azure Pipelines

  • Artículo

Azure DevOps Server 2019

Azure Pipelines security controls access to pipelines and their resources through a hierarchy of security groups and users. This system governs resources like release pipelines, task groups, agent pools, and service connections, though external to pipelines. Upon creation, pipelines and resources inherit project-level permissions from predefined security groups and users, affecting all project pipelines.

Administrators typically have unrestricted access, contributors oversee resources, and readers have view-only permissions, with user roles determining group assignments. For more information, see About pipeline security roles.

Prerequisites

Security area Prerequisites
Pipelines security - To manage project collection groups, be a member of the Project Collection Administrators group.
- To manage project level users and groups, be a member of an administrator group or have Administer build permissions.
Agent pool security - To manage agent pool security at the organization, collection, or project level, be a member of the Project Collection Administrators group or have the Administrator role for agent pools.
- To manage agent pool security at the object level, have the Administrator role for the agent pool.
Deployment group security - To manage project-level deployment group security, be a member of an administrator group or be assigned an administrator role.
- To manage security for individual deployment groups, have an administrator role.
Environment security - To manage project-level environment security, be a member of an administrator group or assigned an administrator role.
- To manage object-level security for individual environments, have an administrator role.
Library security - To manage library security, be a member of an administrator group or assigned an administrator role.
- To manage security for individual library assets, e an administrator or have the appropriate role.
Release pipeline security - To manage release pipeline security, be a member of an administrator group or have Administer release permissions.
- Have a release pipeline.
Service connection security - To manage service connection security, be a member of the Project Administrators group or have an administrator role. - To manage security at the project level, be a member of the Project Administrators group or have the Administrator role for service connections.
- To manage security at the object level, have the Administrator role for the service connection.
Task group security To manage task group security, be a member of an administrator group or have Administer task group permissions.
- Have a task group.

Set pipeline permissions in Azure Pipelines

Pipeline security follows a hierarchical model of user and group permissions. Project-level permissions are inherited at the object level by all pipelines in the project. You can change inherited and default user and group permissions for all pipelines at the project- and object-levels. You can't change the permissions set by the system.

The following table shows the default security groups for pipelines:

Group Description
Build Administrators Administer build permissions and manage pipelines and builds.
Contributors Manage pipelines and builds, but not build queues. This group includes all team members.
Project Administrators Administer build permissions and manage pipelines and builds.
Readers View pipeline and builds.
Project Collection Administrators Administer build permissions and manage pipelines and builds.
Project Collection Build Administrators Administer build permissions and manage pipelines and builds.
Project Collection Build Service Accounts Manage builds.
Project Collection Test Service Accounts View pipelines and builds.

The system automatically creates the <project name> Build Service (collection name) user, a member of the Project Collection Build Service Accounts group. This user executes build services within the project.

Depending on the resources you use in your pipelines, your pipeline could include other built-in users. For instance, if you're using a GitHub repository for your source code, a GitHub user is included.

The following table shows default permissions for security groups:

Task Readers Contributors Build Admins Project Admins
View builds ✔️ ✔️ ✔️ ✔️
View build pipeline ✔️ ✔️ ✔️ ✔️
Administer build permissions ✔️ ✔️
Delete or edit build pipeline ✔️ ✔️ ✔️
Delete or destroy builds ✔️ ✔️ ✔️
Edit build quality ✔️ ✔️ ✔️
Manage build qualities ✔️ ✔️
Manage build queue ✔️ ✔️
Override check-in validation by build ✔️
Queue builds ✔️ ✔️ ✔️
Retain indefinitely ✔️ ✔️ ✔️
Stop builds ✔️ ✔️ ✔️
Update build information ✔️ ✔️ ✔️

For a description of pipeline permissions, see Pipeline or Build permissions.

Set project-level pipeline permissions

To manage project-level permissions for users and groups across all build pipelines in your project, do the following steps:

  1. From your project, select Builds.

  2. Select the folders icon and select the All build pipelines folder.

  3. Select More actions > Security.

    Screenshot showing all pipelines security selections.

  4. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

    Screenshot of pipeline security add user or group selection.

  5. Select a user or group and set the permissions.

    Screenshot of pipeline security dialog.

  6. Select Save changes or Undo changes, if necessary.

  7. Repeat the previous step to change the permissions for more groups and users.

  8. To remove a user or group from the list, select the user or group, and then Remove.

  9. Select Close.

Set object-level pipeline permissions

Object-level permissions for individual pipelines inherit the project-level permissions by default. You can override these inherited permissions for an individual pipeline.

You can set the permissions to Allow, Deny, or to Not set if the permission isn't inherited. If inheritance is enabled, you can change an explicitly set permission back to the inherited value.

To set object-level permissions for a pipeline, do the following steps:

  1. From your project, select the Builds from the menu.

  2. Select the folders icon and select the All build pipelines folder.

  3. Select More actions > Security.

    Screenshot showing all pipelines security navigation selections.

  4. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

    Screenshot of pipeline security add user or group.

  5. Select a user or group and set the permissions.

  6. You can select more users and groups to change their permissions.

  7. Select Save changes or you can select Undo changes to undo the changes.

  8. To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.

  9. Select Close when you're finished.

When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. When you reenable inheritance, the permissions for all users and groups revert to their project-level settings.

Set deployment group security in Azure Pipelines

A deployment group is a pool of physical or virtual target machines that have agents installed. Deployment groups are only available with classic release pipelines. You can create deployment groups in the following circumstances:

  • When dependent deployment groups are provisioned for projects from organization deployment pools
  • When a deployment group is created at the project level
  • When a project shares a deployment group, dependent deployment groups are created in the recipient projects

Individual deployment groups inherit the security roles from the project-level assignments. You can override the project-level assignments for a user or group. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

When a deployment group gets shared with another project, a separate deployment group, which inherits its security roles, is created in the other project. If sharing is disabled, the deployment group is removed from the other project.

The following table shows security roles for deployment groups:

Role Description
Reader Can only view deployment groups.
Creator Can create deployment groups. This role is a project-level role only.
User Can view and use deployment groups.
Service Account Can view agents, create sessions, and listen for jobs. This role is a collection- or organization-level role only.
Administrator Can administer, manage, view, and use deployment groups.

The following table shows default user and group role assignments:

Group Role
[project name]\Contributors Creator (project-level), Reader (object-level)
[project name]\Deployment Group Administrators Administrator
[project name]\Project Administrators Administrator
[project name]\Release Administrators Administrator

Set project-level deployment group security roles

Do the following steps to set project-level security roles for all deployment groups:

  1. From your project, select Deployment groups under Pipelines.

  2. Select Security.

    Screenshot of security selection for all deployment groups.

  3. Set roles for users and groups.

    Screenshot of security dialog for all deployment groups.

  4. To remove a user or group, select the user or group and select Delete .

  5. Select Save changes to save your changes or Reset changes to revert unsaved changes.

Do the following steps to add project users or groups that aren't listed in the security dialog:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set object-level deployment group security roles

Do the following steps to set security roles for an individual deployment group:

  1. From your project, select Deployment groups under Pipelines.

  2. Select a deployment group under Groups.

  3. Select Security.

    Screenshot of security selection for an individual deployment group.

  4. Set roles for users and groups. To lower the privilege level of an inherited role, disable inheritance.

    Screenshot of object-level deployment group security dialog.

  5. To remove a user or group, select the user or group and select Delete . Inherited users and groups can't be removed unless inheritance is disabled.

  6. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

Do the following steps to add project users or groups that aren't listed in the security dialog:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set security for environments in Azure Pipelines

Environments bundle deployment targets for YAML pipelines but aren't compatible with classic pipelines. All environments inherit, security roles, assigned at the project level to default users and groups. You can customize these settings for individual environments, including removing inherited users or groups and adjusting privilege levels, by disabling inheritance. Additionally, you can manage pipeline access for each environment.

The following table shows security roles for environments:

Role Description
Creator Can create environments in the project. It only applies to project-level security. Contributors are automatically assigned this role.
Reader Can view the environment.
User Can use the environment when creating or editing YAML pipelines.
Administrator Can administer permissions, create, manage, view and use environments. The creator of an environment is granted the administrator role for that environment. Administrators can also open access to an environment for all pipelines in the project.

The following table shows default user and group role assignments:

Group Role
[project name]\Contributors Creator (project-level) Reader (object-level)
[project name]\Project Administrators Creator
[project name]\Project Valid Users Reader

The individual who creates an environment is automatically given the Administrator role for that specific environment. This role assignment is permanent and can't be changed.

Set project-level environment security roles

To set project-level security roles for all environments, do the following steps:

  1. From your project, Environments under Pipelines.

  2. Select More actions and select Security.

    Screenshot of security selection for all environments.

  3. Set roles for user and groups to Administrator, Creator, User, or Reader.

    Screenshot of project-level environments security dialog.

  4. To remove a user or group, select the user or group and select Delete .

  5. Select Save to save your changes or Undo to revert unsaved changes.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set object-level environment security

By default, object-level security roles inherit from project-level settings. But, you can customize these settings for individual environments, including removing inherited users or groups and adjusting privilege levels, by disabling inheritance. Additionally, you can manage pipeline access for each environment.

Set object-level environment user and group security roles

To set user and group security roles for an environment, do the following steps:

  1. From your project, select Environments under Pipelines.

  2. Select an environment.

  3. Select More actions and select Security.

    Screenshot of security selection for a single environment.

  4. Set roles for user and groups to Administrator, User, or Reader.

    Screenshot of object-level security dialog for environments.

  5. To remove a user or group, select the user or group and select Delete . Inherited users and groups can't be removed unless inheritance is disabled.

  6. Select Save to save your changes or Undo to revert unsaved changes.

Setting a role explicitly for a user or group disables their inheritance. To halt inheritance for everyone, deactivate the Inheritance option. Reactivating inheritance resets all users and groups to their original project-level role assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set pipeline access for an environment

Pipeline permissions can be set to Open access to allow access to all pipelines in a project or restricted access to specific pipelines. Only Project administrators can set pipeline permissions to Open access.

To set open access to all pipeline in a project, do the following steps:

  1. Select More actions and select Open access.

    Screenshot of open access for pipelines in an environment.

  2. Select Open access on the confirmation dialog.

To restrict access and manage pipeline access, do the following steps:

  1. Select Restrict access.

  2. Select Add pipeline and select a pipeline from the dropdown menu.

  3. To remove a pipeline, select the pipeline and select the Revoke access icon.

    Screenshot of revoke pipeline option.

Set library security in Azure Pipelines

The library facilitates asset sharing, like variable groups and secure files, across build and release pipelines. It employs a unified security model, allowing role assignments for asset management, creation, and usage. These roles, once set at the library level, automatically apply to all contained assets but can be individually adjusted.

Role Description
Administrator Edit, delete, and manage security for library assets. The creator of an asset is automatically assigned this role for the asset.
Creator Create library assets.
Reader Read library assets.
User Consume library assets in pipelines.

The following table shows default roles:

Group Role
[project name]\Project Administrators Administrator
[project name]\Build Administrators Administrator
[project name]\Project Valid Users Reader
[project name]\Contributors Creator (project-level) Reader (object-level)
[project name]\Release Administrators Administrator
project name Build Service (collection or organization name) Reader

For individual library assets, the creator is automatically assigned the Administrator role.

Set project-level library security roles

You can manage access for all library assets, such as variable groups and secure files, from the project-level library security settings.

Set secure file security roles

Security roles for Secure files are inherited from the project-level library role assignments by default. You can override these assignments for an individual file. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

The creator of the secure file is automatically assigned the Administrator role for that file, which can't be changed.

To set permissions for a secure file, do the following steps:

  1. From your project, select Pipelines > Library.
  2. Select Secure files.
  3. Select a file.
  4. Select Security. Screenshot of secure file permission dialog.
  5. Set the desired role for users and groups.
  6. To remove a user or group, select the user or group and select Delete . Inherited users and groups can't be removed unless inheritance is disabled.
  7. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set variable group security roles

Security roles for variable groups are inherited from the project-level library role assignments by default. You can override these assignments for an individual variable group. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

The creator of the variable group is automatically assigned the Administrator role for that group, which can't be changed.

To set access for a variable group, do the following steps:

  1. From your project, select Pipelines > Library.
  2. Select a variable group.
  3. Select Security. Screenshot of variable group permission dialog.
  4. Set the desired role for users and groups.
  5. To remove a user or group, select the user or group and select Delete . Inherited users and groups can't be removed unless inheritance is disabled.
  6. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

Set release pipeline permissions in Azure Pipelines

Once you create a release pipeline, you can set project-level permissions for all release pipelines and object-level permissions for individual release pipelines and stages. You can also set permissions for release stages, which are a subset of permissions inherited from the object-level release pipeline permissions.

The following table shows the permission hierarchy for release pipelines:

  • Project-level release pipelines permissions
  • Object-level release pipeline permissions
  • Object-level stage permissions

The following table shows default user and group roles:

Group Role
Contributors All permissions except Administer release permissions.
Project Administrators All permissions.
Readers Can view pipelines and releases.
Release Administrators All permissions.
Project Collection Administrators All permissions.
<project name> Build Service(<organization/collection name>) Can view pipelines and releases.
Project Collection Build Server (<organization/collection name>) Can view pipelines and releases.

For permission descriptions, see Permissions and groups.

Set project-level release pipeline permissions

To set permissions for all releases, do the following steps:

  1. From your project, select Pipelines > Releases.

  2. Select the file view icon.

    Screenshot showing selection of the all files view.

  3. Select the All pipelines folder.

    Screenshot showing selection of all release pipelines folder.

  4. Select More actions and select Security.

    Screenshot of all release pipelines security dialog.

  5. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  6. Select a user and group and set the permission to Allow, Deny or Not set, then select Save changes or Undo changes.

    Screenshot of all release pipelines security add user or group selection.

  7. Repeat the previous step for each user or group to modify their permissions.

  8. When you're finished, close the dialog.

Set object-level release pipeline permissions

By default, the object-level permissions for individual release pipelines are inherited from the project-level release pipeline permissions. You can override these inherited permissions for a specific release pipeline.

To override permissions for a release, do the following steps:

You can set the permissions to Allow, Deny, or to Not set if the permission isn't inherited. If inheritance is enabled, you can change an explicitly set permission back to the inherited value.

  1. From your project, select Pipelines > Releases.

  2. Select the file view icon .

  3. Select the release pipeline you want to modify, select More actions , and select Security.

    Screenshot of object-level release pipeline security dialog.

  4. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  5. Select a user and group and set the permission to Allow, Deny, or Not set, or the inherited value (for example, Allow (inherited)).

    Screenshot of release pipeline security add user or group selection.

  6. Select Save changes or you can select Undo changes to undo the changes. You must save the changes to apply the permissions before selecting another user or group.

  7. To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.

  8. Select OK when you're finished.

When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the permissions for all users and groups revert to their project-level settings.

Set release stage permissions

Stage permissions are a subset of permissions that are inherited from the object-level release pipeline permissions.

To set permissions for a stage, do the following steps:

  1. From your project, select Pipelines > Releases.

  2. Select the file view icon and select All pipelines.

  3. Select the release pipeline you want to modify from All pipelines

    Screenshot of the release pipeline stage security dialog.

  4. Select the stage you want to modify.

  5. Select the More options icon and select Security.

    Screenshot showing release stage security navigation selections.

  6. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  7. Select users and groups to set their permissions to Allow, Deny or Not set.

    Screenshot of release pipeline stage security dialog.

  8. Select Save changes or you can select Undo changes to undo the changes. You must save the changes to apply the permissions before selecting another user or group.

  9. You can select more users and groups to change their permissions.

  10. To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.

  11. Select OK when you're finished.

When you explicitly set an inherited user or group permission, inheritance is disabled for that specific permission. To restore inheritance, set the permission to Not set. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the permissions for all users and groups revert to their project-level settings.

Set service connection security in Azure Pipelines

Service connections are used to connect to external and remote services. You can set service connection security for:

  • Pipelines: Permissions are set at the object level.
  • Users and Groups: Security roles are set at the project and object levels.

The following table show service connection roles:

Role Purpose
User Can use service connections in classic and YAML build and release pipelines.
Administrator Can use the service connection and manage roles for other users and groups.

By default, the [project]/\Endpoint Administrators group is assigned the Administrator role for all service connections in the project. The user who creates the service connection is automatically assigned the Administrator role for that service connection.

For more information, see Service connections.

Set security roles for individual service connections

To set the security role for users and groups for individual connections, do the following steps:

  1. From your project, select Project settings .

  2. Select Service connections under Pipelines.

  3. Select a service connection.

    Screenshot of individual service connection security selection.

  4. Select a user or group and change the role to User or Administrator. To lower the privilege level of an inherited role, inheritance must be disabled for the service connection.

  5. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.
  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.
  3. Select the Role.
  4. Select Add to save the changes.

To remove a user or group from the list, select the user or group and select Delete . Inherited users and groups can't be removed unless inheritance is disabled.

If you're having trouble with permissions and service connections, see Troubleshoot Azure Resource Manager service connections.

Set task group permissions in Azure Pipelines

The permissions for task groups follow a hierarchical model. By default, all task groups inherit the project-level permissions. Once a task group is created, you can modify the project-level permissions and the object-level permissions for individual task groups.

The following table show permissions for task groups:

Permission Description
Administer task group permissions Can add and remove users or groups to task group security.
Delete task group Can delete a task group.
Edit task group Can create, modify, or delete a task group.

The following table shows default permissions for security groups:

Task Readers Contributors Build Admins Project Admins Release Admins
Administer task group permissions ✔️ ✔️ ✔️
Delete task group ✔️ ✔️ ✔️
Edit task group ✔️ ✔️ ✔️ ✔️

The creator of a task group has all permissions to the task group.

Note

Task groups aren't supported in YAML pipelines, but templates are. For more information, see YAML schema reference.

Set project-level task group permissions

To set permissions for project-level task groups, do the following steps:

  1. From your project, select Pipelines > Task groups.

    Screenshot of task group selection.

  2. Select Security.

    Screenshot of task groups security selection.

  3. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  4. Select a user or group to set the permissions to Allow, Deny or Not set.

    Screenshot of pipeline task groups security dialog.

  5. Select Save changes or you can select Undo changes to undo the changes. You must save the changes to apply the permissions before selecting another user or group.

  6. You can select more users and groups to change their permissions.

  7. Select Close when you're finished.

Set object-level task group permissions

You can set the permissions to Allow, Deny, or to Not set if the permission isn't inherited. If inheritance is enabled, you can change an explicitly set permission back to the inherited value.

To set permissions for a task group, do the following steps:

  1. From your project, select Pipelines > Task groups.

    Screenshot of task group menu item.

  2. Select a task group.

  3. Select More commands > Security.

  4. To add users or groups that aren't listed in the permissions dialog, select Add, enter the user or group, and select Save changes.

  5. Select users and groups to set their permissions to Allow, Deny or Not set.

    Screenshot of object-level task group security dialog.

  6. Select Save changes or you can select Undo changes to undo the changes. You must save the changes to apply the permissions before selecting another user or group.

  7. You can select more users and groups to change their permissions.

  8. To remove a user or group, select the user or group and select Remove. Inherited users and groups can't be removed unless inheritance is disabled.

  9. Select OK when you're finished.

When a permission for an inherited user or group is explicitly set, inheritance is disabled for that specific permission. Change the permission to Not set to restore inheritance. Select Clear explicit permissions to reset all explicitly set permissions to their inherited settings. To disable inheritance for all user and group permissions, turn off the Inheritance setting. Upon re-enabling inheritance, the settings for all permissions revert to the project level.

Set agent pool security in Azure Pipelines

Agent pools are a collection of agents that you use to run build and release jobs.

You can create agent pools with either collection scope or project scope. Collection scoped agent pools are accessible to all existing or new projects in the collection, and by default, each collection has two agent pools: Azure Pipelines and Default. These default pools are accessible by all projects in the collection.

Project-scoped agent pools are created at the project level and are accessible only to that project.

From the collection settings, you can manage the collection-level security settings for all agent pools in the collection, and for individual agent pools. Both collection- and project-level security roles can be managed at the object level from the project settings.

Use predefined security roles to manage security for agent pools.

The following table shows security roles for agent pools:

Role Purpose
Reader Can view agent pools.
User Can use agent pools in classic and YAML build and release pipelines.
Creator Can create agent pools in the project. This role is a project-level role only.
Service Account Can view agents, create sessions, and listen for jobs from the agent pool. This role is set at the organization/collection level only.
Administrator Can manage and use agent pools and manage roles for other users and groups.

The following table shows default project and object security roles for agent pools:

Group Role
[project name]\Project Administrators Administrator
[project name]\Build Administrators Administrator
[project name]\Project Valid Users Reader
[project name]\Release Administrators Administrator
The user who created the agent pool Administrator

Set collection security for agent pools

You can manage collection-level users and groups for all agent pools in the collection or at the object level, specifically for project-scoped agent pools. The security roles for agent pools are Reader, Service Account, and Administrator. The User and Creator roles aren't available at the collection level.

Set collection security for all agent pools

By default, no users or groups have explicit roles for all pools in the collection. You can add collection-level users and groups and manage security roles for all agent pools in the collection.

To manage security roles for all agent pools in the collection, do the following steps:

  1. Go to Collection settings : and select Agent pools.

  2. Select All agent pools.

  3. To add users and groups:

    1. Select Add

    2. Enter a user or group and select it from the search results.

    3. Repeat the previous step to add more users and groups.

    4. Select a role and select Add.

      Screenshot of collection-level add user dialog.

  4. To remove a user or group from the list, select the user or group and select Delete .

  5. To change a security role, select the user or group and select the role from the dropdown list.

  6. Select Save changes to save your changes or Reset changes to revert unsaved changes.

Set collection security for individual agent pools

Individual agent pools inherit their user and group roles from the collection-level assignments by default.

You can add and remove users and groups and set security roles for an individual agent pool. To remove an inherited user or group, or to lower the privilege level of an inherited role, you must disable inheritance.

The security roles at this level are Reader, Service Account, and Administrator.

To manage security roles for all agent pools in the collection, do the following steps:

  1. Go to Collection settings : and select Agent pools.

  2. Select an agent pool.

  3. Select the Roles tab.

  4. To add users and groups:

    1. Select Add

    2. Enter a user or group and select it from the search results.

    3. Repeat the previous step to add more users and groups.

    4. Select a role and select Add.

      Screenshot of collection-level add user dialog.

  5. To remove a user or group from the list, select the user or group and select Delete .

  6. To change a security role, select the user or group and select the role from the dropdown list.

  7. Select Save changes to save your changes or Reset changes to revert unsaved changes.

Set project-level agent pool security

To set project-level security roles for all agent pools, do the following steps:

  1. From your project, select Project settings and select Agent pools.

  2. Select Security.

    Screenshot of security selection for all agent pools.

  3. Select a user or group and set the role to Reader, User, Creator, or Administrator.

    Screenshot of security dialog for all agent pools.

  4. To remove a user or group, select the user or group and select Delete .

  5. Select Save changes to save your changes or Reset changes to revert unsaved changes.

To add project users or groups that aren't listed in the security dialog:

  1. Select Add.

  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.

  3. Select the Role.

  4. Select Add to save the changes.

    Screenshot of add user dialog.

Set object-level agent pool security

You can override project-level user and group role assignments and set pipeline permissions for an individual agent pool. To remove an inherited user or group, or lower the privilege level of an inherited role, you must disable inheritance.

To set pipeline and user security roles and pipeline permissions for an individual agent pool, do the following steps.

  1. Go to your agent pool and select Security.

  2. Use the Grant access permissions to all pipelines switch to enable or disable permissions to all pipelines in the project:

    Screenshot of agent Grant access permissions to all pipelines switch.

To set object-level user and group roles for an agent pool:

  1. From the User permissions section of the security dialog:

  2. Select a user or group and set the role to Reader, User, or Administrator.

    Screenshot of object-level user permissions dialog for an agent pool.

  3. To remove a user or group, select the user or group and select Delete . Inherited users and groups can't be removed unless inheritance is disabled.

  4. Select Save changes to save your changes or Reset changes to revert unsaved changes.

When you explicitly set a role, the inheritance for that user or group is turned off. To disable inheritance for all users and groups, turn off the Inheritance setting. When you re-enable inheritance, the roles for all users and groups revert to their project-level assignments.

To add project users or groups that aren't listed in the security dialog, do the following steps:

  1. Select Add.

  2. Enter the user or group in the search bar, then select the user or group from the search result. You can add multiple users and groups.

  3. Select the Role.

  4. Select Add to save the changes.

    Screenshot of add user dialog.