I need to review all source code permissions on a particular folder structure. I have gone through the apis and can't find what I need or haven't figured out how to use them correctly yet.
I have also tried the tfssecurity command but, can't figure out how to make it look at just a specific team project.
I am using Azure DevOps Server 2020 and the source is in TFVC.
This is part of a source control audit and I need to produce a report of what permissions users have on a folder in source.
I have tried the following apis: https://learn.microsoft.com/en-us/rest/api/azure/devops/security/?view=azure-devops-server-rest-6.0
Along with the tfssecurity command.
None are producing the results I need.
Found the APIs needed to do this.
Use this one to get all of the namespaces and find the ones that you want to get the security data for.
https://{instance}/{collection}/_apis/securitynamespaces
After that call this API to get the ACLs for that namespace.
https://{instance}/{collection}/_apis/accesscontrollists/{securityNamespaceId}?alwaysAllowAdministrators=True
Once you get all of the ACLs for the namespace, you can then look at each ACE to find out the permissions.
https://{instance}/{collection}/_apis/identities?descriptors={descriptors}&queryMembership=expandedDown
Related
I am creating a JIRA plugin to fetch the issue-level permissions. Currently, the project-level permissions are working extremely fine but the issue-level permissions are not working. I tried finding a REST API to handle these permissions but, didn’t find anything so I decided to make a custom JIRA plugin to fetch the issue-level permissions of a project and handle them via exposing the plugin through an API.
My question is that what JIRA JAVA APIs do I have to use in order to handle these permissions? Or, is there any other workaround to handle issue-level permissions?
Maybe you are referring to the "Issue level security" term (??)
If so, you can get the issue security level name from the "security level" field attached to the issues (Use a Jira account that has an active "Set Issue Security" permission, in order to work with this system issue field). This can be done by REST API that queries issue fields.
Also, the JAVA API Interface is called: 'IssueSecuritySchemes' (at package: com.atlassian.jira.functest.framework.admin, for Jira Server/Data Center).
We've published our Wiki pages in VSTS using 'code as Wiki' (see explanation here). In general we only want to use the master branch for displaying these Wiki pages, but sometimes we want to add a new version using the Publish new version menu option (see screenshot).
However for some of my team members it isn't possible to publish a new version, because that menu option is not visible. I've searched to see if there are certain permissions controlling this menu option, or any preview feature that should be enabled, but couldn't find any clues on this.
Does anyone know how to get this Publish new version available to everyone? Thanks!
Edit 1
It was suggested by Rodrigo Werlang to check out Wiki security, however this option is not available for 'code as Wiki', see screenshot:
Just see the Prerequisites to publish a Git repository to a wiki:
You must have the permission Create repository to publish code as
wiki. By default, this permissions is set for members of the Project
Administrators group.
Anyone who has permissions to contribute to the Git repository can add
or edit wiki pages. Anyone with access to the team project, including
stakeholders, can view the wiki.
And the description about Stakeholder wiki access:
Stakeholders in a project can read wiki pages and view revisions,
however they can't perform any edit operations. For example,
stakeholders can't create, edit, reorder, or revert changes to pages.
Note: Users with Stakeholder access have read-only permissions to
wiki pages. These permissions can't be changed.
So, in your scenario you can follow below steps to see the Publish new version option:
Change the user access level to Basic if it was Stakeholder
before.
Add the user to Project Administrators group or have
Manage permissions set to Allow for Git repositories.
In your wiki, go to Wiki Security
Take a look at the security page and set contribute, contribute pull request, create branch, create tag, manage notes, read.
I use jenkins project-based matrix security.
I have this folder structure (jenkins folders):
folder1/subfolder1A/jobA1
folder1/subfolder1A/jobA2
folder1/subfolder1B/jobB
folder2/subfolder2C/jobC
I can't seem to find a way to give access to a particular user only to subfolder1A or to jobA2 etc.
I tried almost every combination of permissions, the only one that works requires me to add the job readpermission to the user for the root folder1. The permission is inherited and they can now see everything in subfolder1A and subfolder1B etc.
If i don't do that, they see nothing. But If I do that, they have access to all subfolders of folder1 and all their jobs (with read permissions).
Do you know any configuration that would allow a user to access only subfolderA or jobA1 ?
I use the latest jenkins 2.x (2.13 at the time of writing, I'll update to 2.14 possibly today)
I know its too late to answer your question however this might be helpful for others.
You can give access up to one level deep to sub folders using Role Based Access Control plugin. In your case, assume if you want to grant an access to subfolder1A and restrict all other sub-folders then you can create Project Role and use following pattern:
folder1(/subfolder1A.*)?
Suppose, you want to provide access to both subfolder1A and subfolder1B and restrict other sub-folders, then use following pattern:
folder1(/subfolder1A.*|/subfolder1B.*)?
This will allow you to control nested folders up to one level.
Hope this will be useful.
I am using Folder plugin and AD groups to control access to folder. This morning a team can't access their project anymore and later I found the AD group assignment in Assign Roles has been changed to wrong groups. Is there a way to find out which id did it? We only have a few admin ids.
Jenkins does not appear to keep an audit trail by default, as stated in this post on cloudbees.com, the folks that develop Jenkins.
The relevant lines:
Many Jenkins users look for a recommend a strategy for keeping an audit trail. This article is supposed to be a gap filler until more comprehensive compliance capabilities in JE/JOC are developed.
There are two open source plugins that enable you to track “WHO did WHAT?” in Jenkins:
...
The first plugin listed is Audit Trail Plugin which looks to provide exactly what you are seeking.
The description from the plugins page:
Keep a log of who performed particular Jenkins operations, such as configuring jobs.
This plugin adds an Audit Trail section in the main Jenkins configuration page. Here you can configure log location and settings (file size and number of rotating log files), and a URI pattern for requests to be logged. The default options select most actions with significant effect such as creating/configuring/deleting jobs and views or delete/save-forever/start a build. The log is written to disk as configured and recent entries can also be viewed in the Manage / System Log section.
I spent a few minutes looking through Jenkins various xml and log files, but could not find a log that contained something useful (username and/or timestamp). In this case it seems user auditing isn't built into Jenkins as of yet. Unfortunately it appears that you might not be able to determine who made those changes after the fact.
Now that TFS 2015 comes with the same new Rest API of VS Team Services, I've taken a look at the API doc:
https://www.visualstudio.com/en-us/integrate/api/git/overview
One question naturally raised is that most queries do not expose an parameter for git branch or tag (e.g. download /path/to/my/file with tag 'release_v1.0'), which looks like a show stopper. As in my case, I need programatically pull out some source file under a certain branch/tag.
Is it not supported yet?
Yes you can. As or the link that you have above you can use the provided so to retrieve both branches and yes. In git they are really all the same thing, pointers. This use the "refs" api.
https://www.visualstudio.com/integrate/api/git/refs