| title | About pipeline security roles |
|---|---|
| titleSuffix | Azure DevOps |
| description | Understand how security roles manage specific pipeline permissions in Azure DevOps. |
| ms.subservice | azure-devops-security |
| ms.author | chcomley |
| author | chcomley |
| ms.topic | overview |
| monikerRange | <= azure-devops |
| ai-usage | ai-assisted |
| ms.date | 02/19/2026 |
[!INCLUDE version-lt-eq-azure-devops]
Azure DevOps manages security for build and release pipelines and task groups by using task-based permissions. Several pipeline resources use role-based permissions, which you assign to users or groups. Each role defines the operations a user can perform within the context of specific pipeline resources.
Role-based permissions apply to all resources of a specific type within a project, organization, or collection. Individual resources inherit permissions from project-level settings, but you can disable inheritance for specific artifacts when you need more granular control.
By default, all project contributors become members of the User role for each hosted queue. This role grants them the ability to author and run build and release pipelines that use hosted queues.
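The inheritance behavior and the default Contributors membership described above, as an added audit sketch (not Microsoft's code and not an Azure DevOps API). It models project-level role assignments and per-resource inheritance over constructed data; the resource names, the `release-engineers` group, the Administrator assignment, and the data shape are assumptions.

```python
"""Audit sketch: which identities reach a pipeline resource through inheritance."""
from dataclasses import dataclass, field

# Groups treated as "broad" for this audit (assumption; adjust to your project).
BROAD_GROUPS = {"Contributors"}


@dataclass
class Resource:
    name: str
    inherit: bool = True                        # inheritance can be disabled per resource
    direct: dict = field(default_factory=dict)  # identity -> role set on the resource itself


def effective_assignments(project_level: dict, res: Resource) -> list:
    """Return sorted (identity, role, source) rows for one resource.

    Direct and inherited rows are both listed; no precedence between them is assumed.
    """
    rows = [(who, role, "assigned") for who, role in res.direct.items()]
    if res.inherit:
        rows += [(who, role, "inherited") for who, role in project_level.items()]
    return sorted(rows)


def broad_inherited(project_level: dict, resources: list) -> list:
    """List (resource, group, role) where a broad group holds a role via inheritance."""
    findings = []
    for res in resources:
        for who, role, source in effective_assignments(project_level, res):
            if who in BROAD_GROUPS and source == "inherited":
                findings.append((res.name, who, role))
    return findings


# Constructed sample data, not exported from a real organization.
PROJECT_LEVEL = {"Contributors": "User", "Project Administrators": "Administrator"}
RESOURCES = [
    Resource("hosted-queue"),
    Resource("prod-deploy-queue", inherit=False, direct={"release-engineers": "User"}),
    Resource("signing-queue", direct={"release-engineers": "User"}),
]

if __name__ == "__main__":
    for name, who, role in broad_inherited(PROJECT_LEVEL, RESOURCES):
        print(f"{name}: {who} holds role {role} via project-level inheritance")
```

In this sample, `signing-queue` has a direct assignment but still inherits the Contributors row, while `prod-deploy-queue` does not because inheritance is disabled on it.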
Add users to security roles from the project-level admin context on the Agent Pools page. For information on adding and managing agent pools, see Agent pools.
[!INCLUDE temp]
Add users to the following security roles from the Organization settings > Agent Pools page. For information on adding and managing agent pools, see Agent pools.
[!INCLUDE temp]
Add users to the following roles from the Pipelines or Build and Release page. For information on adding and managing deployment groups, see Deployment groups.
[!INCLUDE temp]
Add users to the following roles from the Deployment Pools page. For information on creating and managing deployment pools, see Deployment groups.
[!INCLUDE temp]
Add users to a library role from Pipelines or Build and Release. For more information about using these library assets, see Variable groups and Secure files.
[!INCLUDE temp]
Add users to the following roles from the Services page. For information about creating and managing these resources, see Service connections for build and release.
[!INCLUDE temp]