Security

Last Update: 3/21/2017

api-version = 1.0

Data stored in security namespaces are used to determine whether an user has permissions to perform a specific action on a specific resource.

Typically, each family of resources (work items, Git repositories, etc.) is secured using a different namespace. Each security namespace contains zero or more access control lists. Each access control list contains a token, an inherit flag and a set of zero or more access control entries. Each access control entry contains an identity descriptor, an allowed permissions bitmask and an denied permissions bitmask.

Common tasks

Get security namespaces

Get a list of security namespaces.

Change the inherit flag for a token

Set the inherit flag for an access control list.

Get, add, and remove access control lists

  1. Get a list of access control lists in a security namespace.
  2. Add a list of access control lists to a security namespace.
  3. Remove a list of access control lists from a security namespace.

Add and remove access control entries

  1. Add a list of access control entries to an access control list.
  2. Remove a list of access control entries from an access control list.

Evaluate effective permissions

Determine if an identity has the requested permissions on a token or a list of tokens.

Selectively remove permissions

Remove permissions from an access control entry.