Permissions calculator for Azure devops security model

Alexey Melezhik

The brand new Sparrow6 plugin Ado-permissions-calculator provides a user-friendly API for Azure DevOps security model calculations.

The plugin is very handy for people who automate the management of Azure DevOps permissions for various kinds of objects (Git, Pipelines, Libraries).


Install

s6 --install ado-permissions-calculator

Usage

The following are some typical use cases; see the documentation to learn more.

List namespaces

s6 --plg-run ado-permissions-calculator

18:09:53 10/23/2019 [task-cli] run plg ado-permissions-calculator
18:09:53 10/23/2019 [task-cli] run thing ado-permissions-calculator
18:10:00 10/23/2019 [ado-permissions-calculator] Analytics
18:10:00 10/23/2019 [ado-permissions-calculator] AnalyticsViews
18:10:00 10/23/2019 [ado-permissions-calculator] AuditLog
18:10:00 10/23/2019 [ado-permissions-calculator] PipelineCachePrivileges
18:10:00 10/23/2019 [ado-permissions-calculator] ReleaseManagement
18:10:00 10/23/2019 [ado-permissions-calculator] ReleaseManagement
18:10:00 10/23/2019 [ado-permissions-calculator] Identity
18:10:00 10/23/2019 [ado-permissions-calculator] WorkItemTrackingAdministration
18:10:00 10/23/2019 [ado-permissions-calculator] DistributedTask
18:10:00 10/23/2019 [ado-permissions-calculator] WorkItemQueryFolders
18:10:00 10/23/2019 [ado-permissions-calculator] Git Repositories

... output truncated ... 

18:10:01 10/23/2019 [ado-permissions-calculator] Social
18:10:01 10/23/2019 [ado-permissions-calculator] Security
18:10:01 10/23/2019 [ado-permissions-calculator] IdentityPicker
18:10:01 10/23/2019 [ado-permissions-calculator] ServicingOrchestration
18:10:01 10/23/2019 [ado-permissions-calculator] Build
18:10:01 10/23/2019 [ado-permissions-calculator] DashboardsPrivileges
18:10:01 10/23/2019 [ado-permissions-calculator] VersionControlItems

List permissions for Library

s6 --plg-run ado-permissions-calculator@namespace=Library

18:10:30 10/23/2019 [task-cli] run thing ado-permissions-calculator
18:10:42 10/23/2019 [ado-permissions-calculator] Name         Permission Description     Permission Bit
18:10:42 10/23/2019 [ado-permissions-calculator] -----------  -------------------------  ----------------
18:10:42 10/23/2019 [ado-permissions-calculator] View         View library item          1
18:10:42 10/23/2019 [ado-permissions-calculator] Administer   Administer library item    2
18:10:42 10/23/2019 [ado-permissions-calculator] Create       Create library item        4
18:10:42 10/23/2019 [ado-permissions-calculator] ViewSecrets  View library item secrets  8
18:10:42 10/23/2019 [ado-permissions-calculator] Use          Use library item           16
18:10:42 10/23/2019 [ado-permissions-calculator] Owner        Owner library item         32

Calculate all permissions for Library

s6 --plg-run ado-permissions-calculator@namespace=Library,actions=all

18:14:21 10/23/2019 [task-cli] run plg ado-permissions-calculator@namespace=Library,actions=all
18:14:21 10/23/2019 [task-cli] run thing ado-permissions-calculator
18:14:35 10/23/2019 [ado-permissions-calculator] Name         Permission Description     Permission Bit
18:14:35 10/23/2019 [ado-permissions-calculator] -----------  -------------------------  ----------------
18:14:35 10/23/2019 [ado-permissions-calculator] View         View library item          1
18:14:35 10/23/2019 [ado-permissions-calculator] Administer   Administer library item    2
18:14:35 10/23/2019 [ado-permissions-calculator] Create       Create library item        4
18:14:35 10/23/2019 [ado-permissions-calculator] ViewSecrets  View library item secrets  8
18:14:36 10/23/2019 [ado-permissions-calculator] Use          Use library item           16
18:14:36 10/23/2019 [ado-permissions-calculator] Owner        Owner library item         32
18:14:40 10/23/2019 [ado-permissions-calculator] ===
18:14:40 10/23/2019 [ado-permissions-calculator] actions: "all"
18:14:40 10/23/2019 [ado-permissions-calculator] sum: 63

Calculate CreateTag, CreateBranch permissions for Git Repositories

s6 --plg-run ado-permissions-calculator@namespace=GitRepositories,actions=CreateTag:CreateBranch

18:13:35 10/23/2019 [task-cli] run plg ado-permissions-calculator@namespace=GitRepositories,actions=CreateTag:CreateBranch
18:13:35 10/23/2019 [task-cli] run thing ado-permissions-calculator
18:13:49 10/23/2019 [ado-permissions-calculator] Name                     Permission Description                                  Permission Bit
18:13:49 10/23/2019 [ado-permissions-calculator] -----------------------  ------------------------------------------------------  ----------------
18:13:49 10/23/2019 [ado-permissions-calculator] Administer               Administer                                              1
18:13:49 10/23/2019 [ado-permissions-calculator] GenericRead              Read                                                    2
18:13:49 10/23/2019 [ado-permissions-calculator] GenericContribute        Contribute                                              4
18:13:49 10/23/2019 [ado-permissions-calculator] ForcePush                Force push (rewrite history, delete branches and tags)  8
18:13:49 10/23/2019 [ado-permissions-calculator] CreateBranch             Create branch                                           16
18:13:49 10/23/2019 [ado-permissions-calculator] CreateTag                Create tag                                              32
18:13:49 10/23/2019 [ado-permissions-calculator] ManageNote               Manage notes                                            64
18:13:49 10/23/2019 [ado-permissions-calculator] PolicyExempt             Bypass policies when pushing                            128
18:13:49 10/23/2019 [ado-permissions-calculator] CreateRepository         Create repository                                       256
18:13:49 10/23/2019 [ado-permissions-calculator] DeleteRepository         Delete repository                                       512
18:13:50 10/23/2019 [ado-permissions-calculator] RenameRepository         Rename repository                                       1024
18:13:50 10/23/2019 [ado-permissions-calculator] EditPolicies             Edit policies                                           2048
18:13:50 10/23/2019 [ado-permissions-calculator] RemoveOthersLocks        Remove others' locks                                    4096
18:13:50 10/23/2019 [ado-permissions-calculator] ManagePermissions        Manage permissions                                      8192
18:13:50 10/23/2019 [ado-permissions-calculator] PullRequestContribute    Contribute to pull requests                             16384
18:13:50 10/23/2019 [ado-permissions-calculator] PullRequestBypassPolicy  Bypass policies when completing pull requests           32768
18:13:56 10/23/2019 [ado-permissions-calculator] ===
18:13:56 10/23/2019 [ado-permissions-calculator] actions: [
18:13:56 10/23/2019 [ado-permissions-calculator]     "CreateTag",
18:13:56 10/23/2019 [ado-permissions-calculator]     "CreateBranch"
18:13:57 10/23/2019 [ado-permissions-calculator] ]
18:13:57 10/23/2019 [ado-permissions-calculator] sum: 48
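
The sums above are bitwise ORs of the listed permission bits, so a mask read from an access control entry can also be decoded back into names. The following is an added example, not the plugin's code: the bit values are copied from the output above, it goes beyond the page by decoding and auditing a mask, and the `REVIEW` shortlist and the "deny clears allow" simplification are assumptions.

```python
# Bit values copied from the plugin output shown above (Library and Git Repositories).
NAMESPACES = {
    "Library": {
        "View": 1, "Administer": 2, "Create": 4,
        "ViewSecrets": 8, "Use": 16, "Owner": 32,
    },
    "GitRepositories": {
        "Administer": 1, "GenericRead": 2, "GenericContribute": 4,
        "ForcePush": 8, "CreateBranch": 16, "CreateTag": 32,
        "ManageNote": 64, "PolicyExempt": 128, "CreateRepository": 256,
        "DeleteRepository": 512, "RenameRepository": 1024,
        "EditPolicies": 2048, "RemoveOthersLocks": 4096,
        "ManagePermissions": 8192, "PullRequestContribute": 16384,
        "PullRequestBypassPolicy": 32768,
    },
}

# Assumption: a reviewer's own shortlist of bits worth a second look in an audit.
REVIEW = {
    "Library": {"Administer", "ViewSecrets", "Owner"},
    "GitRepositories": {"Administer", "ForcePush", "PolicyExempt",
                        "ManagePermissions", "PullRequestBypassPolicy"},
}

def encode(namespace, actions):
    """OR the named bits together; 'all' selects every bit in the namespace."""
    bits = NAMESPACES[namespace]
    names = bits if actions == "all" else actions
    mask = 0
    for name in names:
        if name not in bits:
            raise ValueError(f"unknown action {name!r} in {namespace}")
        mask |= bits[name]
    return mask

def decode(namespace, mask):
    """Return (names set in mask, leftover bits the table does not explain)."""
    bits = NAMESPACES[namespace]
    names = [n for n, b in bits.items() if mask & b]
    unknown = mask & ~encode(namespace, "all")
    return names, unknown

def audit(namespace, allow, deny=0):
    """Simplified effective grant (deny bits cleared from allow), filtered to REVIEW."""
    names, _ = decode(namespace, allow & ~deny)
    return [n for n in names if n in REVIEW[namespace]]
```

A non-zero second value from `decode` means the mask carries bits that are not in the table, which usually indicates the wrong namespace or an outdated bit list.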

Use programmatic API

One can also run the plugin from the modern and shiny Raku programming language.


# Calculate View, Create permissions for Library
task-run "permissions sum", "ado-permissions-calculator", %(
    namespace => "Library",
    actions => qqw{View Create}
);

Documentation

Ado-permissions-calculator


Thank you for reading.
