| title | Change project-level permissions or group membership |
|---|---|
| titleSuffix | Azure DevOps |
| description | Quickstart guide to change project-level permissions or group membership in Azure DevOps |
| ms.subservice | azure-devops-security |
| ms.custom | security-refresh |
| ms.author | chcomley |
| author | chcomley |
| ms.topic | quickstart |
| monikerRange | <= azure-devops |
| ms.date | 05/21/2024 |
[!INCLUDE version-lt-eq-azure-devops]
Many permissions get set at the project level. You can grant these permissions by adding a user or group to the Project Administrators group. Or, you can grant specific project-level permissions to a custom security group or to a user.
Consider adding users to the Project Administrators group when they're tasked with adding or managing teams, area and iteration paths, repositories, service hooks, and service end points.
[!INCLUDE project-level-permissions]
Note
The permission to add or remove project-level security groups and add and manage project-level group membership is assigned to all members of the Project Administrators group. It isn't controlled by a permission surfaced within the user interface.
By default, members of the Contributors group are assigned the Create tag definition permission. Although the Create tag definition permission appears in the security settings at the project-level, tagging permissions are actually collection-level permissions that are scoped at the project level when they appear in the user interface. To scope tagging permissions to a single project when using a command-line tool, you must provide the GUID for the project as part of the command syntax. Otherwise, your change applies to the entire collection. For more information, see Security groups, service accounts, and permissions, Work item tags.
| Category | Requirements |
|---|---|
| Permissions | Member of the Project Administrators security group. If you created the organization or collection, you're automatically a member of this group. |
| Directory services | Security groups defined in Microsoft Entra ID or Active Directory before adding them to Azure DevOps. |
Note
Users granted Stakeholder access can't access select features even if granted permissions to those features. For more information, see Stakeholder access quick reference.
You can add users who are associated with a project, organization, or collection to the Project Administrators group. This group has specific permissions at the organizations or collection level. To add a custom security group, first create the group as described in Add or remove users or groups, manage security groups.
Here we show how to add a user to the built-in Project Administrators group. The method is similar to adding a Microsoft Entra ID or Active Directory group.
::: moniker range="azure-devops"
Note
To enable the Project Permissions Settings Page preview page, see Enable preview features.
-
Sign in to your organization (
https://dev.azure.com/{yourorganization}). -
Select Project settings > Permissions.
-
Select Project Administrators group > Members > Add.
[!div class="mx-imgBorder"]
-
Enter the name of the user account or custom security group into the text box. You can enter several identities recognized by the system into the Add users and/or groups box. The system automatically searches for matches. Choose one or more matches.
[!div class="mx-imgBorder"]
-
Select Save.
-
Sign in to your organization (
https://dev.azure.com/{yourorganization}). -
Select Project settings > Security.
-
Select Project Administrators group > Members > Add.
[!div class="mx-imgBorder"]
-
Enter the name of the user account into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose one or more matches.
[!div class="mx-imgBorder"]
-
Select Save changes > :::image type="icon" source="../../media/icons/refresh.png" border="false"::: refresh icon, and then view the additions.
::: moniker-end
::: moniker range=">= azure-devops-2019 < azure-devops"
-
Sign in to your organization (
https://dev.azure.com/{yourorganization}). -
Select Project settings > Security.
-
Select Project Administrators group > Members > Add.
[!div class="mx-imgBorder"]
-
Enter the name of the user account into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose one or more matches.
[!div class="mx-imgBorder"]
[!NOTE]
Users with limited access, such as Stakeholders, can't access select features even if granted permissions to those features. For more information, see Permissions and access. -
Select Save changes. Choose the :::image type="icon" source="../../media/icons/refresh.png" border="false"::: refresh icon, and then view the additions.
::: moniker-end
You can modify project-level permissions for any group associated with a project, except for the Project Administrators group. Also, each team that is added to a project is automatically included as a project-level group. To add security groups to a project, see Add or remove users or groups, manage security groups. To understand permission assignments and inheritance, see About permissions, Permission states.
::: moniker range="azure-devops"
Note
To enable the Project Permissions Settings Page preview page, see Enable preview features.
-
Open the Permissions page as described in the previous section, Add a user or group to the Project Administrators group.
[!NOTE]
You can't change the permission settings for the Project Administrators group. This is by design. -
From the Permissions page, choose the group whose permissions you want to change.
For example, we choose the Contributors group and change their permissions for Delete and restore work items to Allow.
[!div class="mx-imgBorder"]
Your changes are automatically saved.
[!TIP]
If you add a user to the Contributors group, they can add and modify work items. You can restrict permissions of users or user groups to add and modify work items based on the Area Path. For more information, see Modify work items under an area path.
-
Open the Security page as described in the previous section, Add a user or group to the Project Administrators group.
-
From the Security page, choose the group whose permissions you want to change.
For example, we grant permission to the Contributors group to Delete and restore work items.
[!div class="mx-imgBorder"]
-
Select Save changes.
::: moniker-end
::: moniker range="< azure-devops"
-
From the Security page, choose the group whose permissions you want to change.
For example, we grant permission to the Contributors group to delete and restore work items.
[!div class="mx-imgBorder"]
[!TIP]
If you add a user to the Contributors group, they can add and modify work items. You can restrict permissions of users or user groups to add and modify work items based on the area path. For more information, see Modify work items under an area path.For a description of each permission, see Permissions and groups reference, project-level permissions.
[!NOTE]
You can't change the permission settings for the Project Administrators group. This is by design. -
Select Save changes.
::: moniker-end
You can change the project-level permissions for a specific user. To understand permission assignments and inheritance, see About permissions, Permission states.
::: moniker range="azure-devops"
Note
To enable the Project Permissions Settings Page preview page, see Enable preview features.
-
Open the Permissions page as described in the previous section, Add a user or group to the Project Administrators group.
-
From the Permissions page, select Users, and then choose the user whose permissions you want to change.
:::image type="content" source="media/change-project-level/choose-users-select-user.png" alt-text="Screenshot of Users tab, choose a user.":::
-
From the Permissions page, change the assignment for one or more permissions.
For example, we change the Edit project-level information for Christie Church.
:::image type="content" source="media/change-project-level/change-project-level-permission-for-user.png" alt-text="Screenshot of selected users, Permissions.":::
Dismiss the dialog when you're done. Your changes are automatically saved.
-
Open the Security page as described in the previous section, Add a user or group to the Project Administrators group.
-
From the Security page, in the Filter users and groups text box, enter the name of the user whose permissions you want to change.
-
Change change the assignment for one or more permissions.
For example, we change the Edit project-level information for Christie Church.
:::image type="content" source="media/change-project-level/change-project-level-permission-for-user-current-page.png" alt-text="Screenshot of selected user, change Edit project-level information permission level.":::
-
Select Save changes.
::: moniker-end
::: moniker range="< azure-devops"
-
Open the Security page as described in the previous section, Add a user or group to the Project Administrators group.
-
From the Security page, in the Filter users and groups text box, enter the name of the user whose permissions you want to change.
-
Change change the assignment for one or more permissions.
For example, we change the Edit project-level information for Christie Church.
:::image type="content" source="media/change-project-level/change-project-level-permission-for-user-current-page.png" alt-text="Screenshot of selected user, change Edit project-level information permission level.":::
-
Select Save changes.
::: moniker-end
[!div class="nextstepaction"] Manage projects