Skip to main content

Grant access to a single repository

· 3 min read

I've stumbled across this use-case recently whereby a user required access to a repository within an Azure DevOps project to make contributions. However, to reduce unnecessary exposure to other areas of the project, the permissions needed to be scoped to just a single repository only. The official docs do not cover this topic terribly well so below explains how this can achieved.

Adding to the Organisation

Firstly, the user that requires access needs to be a member of the Azure DevOps organisation. The general recommendation is to connect your Azure DevOps organisation to an Azure Active Directory instance. Otherwise, you can invite them into the organisation instead.

Docusaurus themed imageDocusaurus themed image

After they have been added, the default access level in Azure DevOps is set to Stakeholder. This is a limited access level that does not allow you to view repositories so this means either a Basic license needs assigning or purchasing a Visual Studio subscription allows greater access to Azure DevOps.

Project Permissions

This was the area that isn't immediately clear - for the user to be able to access a repository they also need permissions to view some metadata within the project. To assign this permission, the user needs to be in an Azure Devops group as this is the only way we can only assign the required permissions.

Head to the permissions pane within project settings https://dev.azure.com/<Organisation-name>/<Project-Name>/_settings/permissions and click new group

Here you can name the group and assign the required user(s)

Project Group CreationProject Group Creation

Once this has been created, you now need to assign permissions to the group to allow the group to view the project-level information.

To do this, navigate to the group you have just created. Then under the permissions tab you will need to set View project-level information to Allow. This gives the most basic access to the project.

Group Project PermissionsGroup Project Permissions

Once this permission has been granted, we are left with only needing to grant access to the repository.

Repository Permissions

To set the permissions on the repository you will need to navigate to https://dev.azure.com/<Organisation-name>/<Project-Name>/_settings/repositories and find your repository in here.

Once you navigate to the Security tab on the repository, you can then enter the group name you've created earlier to start assigning permissions. I recommend for a basic contributor the following permissions

  • Contribute
  • Contribute to pull requests
  • Create branch
  • Read
Repository PermissionsRepository Permissions

This should then be all that is needed, and going forward any users added into the External collaborators group will also only have access to this single repository (Unless they are a member of another group in the project with other permissions).

Permission granted

Summary

This process isn't the simplest to allow collaborating users to contribute to a project. This is what partly inspired me to create this extension to supplement the repository creation process to include additonal groups. This allows the option to create a repository and create groups for maintainers/collaborators in a single step!

Repo Creation ExtensionRepo Creation Extension