azuredevops.SecurityPermissions

Azure DevOps v3.14.0, Mar 24 26

Viewing docs for Azure DevOps v3.14.0
published on Tuesday, Mar 24, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-azuredevops

Viewing docs for Azure DevOps v3.14.0
published on Tuesday, Mar 24, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-azuredevops

Example Usage

Collection-level Permissions

import * as pulumi from "@pulumi/pulumi";
import * as azuredevops from "@pulumi/azuredevops";

const collection = azuredevops.getSecurityNamespace({
    name: "Collection",
});
const collectionGetSecurityNamespaceToken = azuredevops.getSecurityNamespaceToken({
    namespaceName: "Collection",
});
const example = azuredevops.getGroup({
    name: "Project Collection Administrators",
});
const collectionPerms = new azuredevops.SecurityPermissions("collection_perms", {
    namespaceId: collection.then(collection => collection.id),
    token: collectionGetSecurityNamespaceToken.then(collectionGetSecurityNamespaceToken => collectionGetSecurityNamespaceToken.token),
    principal: example.then(example => example.descriptor),
    permissions: {
        GENERIC_READ: "allow",
        GENERIC_WRITE: "allow",
    },
});

import pulumi
import pulumi_azuredevops as azuredevops

collection = azuredevops.get_security_namespace(name="Collection")
collection_get_security_namespace_token = azuredevops.get_security_namespace_token(namespace_name="Collection")
example = azuredevops.get_group(name="Project Collection Administrators")
collection_perms = azuredevops.SecurityPermissions("collection_perms",
    namespace_id=collection.id,
    token=collection_get_security_namespace_token.token,
    principal=example.descriptor,
    permissions={
        "GENERIC_READ": "allow",
        "GENERIC_WRITE": "allow",
    })

package main

import (
	"github.com/pulumi/pulumi-azuredevops/sdk/v3/go/azuredevops"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		collection, err := azuredevops.GetSecurityNamespace(ctx, &azuredevops.GetSecurityNamespaceArgs{
			Name: pulumi.StringRef("Collection"),
		}, nil)
		if err != nil {
			return err
		}
		collectionGetSecurityNamespaceToken, err := azuredevops.GetSecurityNamespaceToken(ctx, &azuredevops.GetSecurityNamespaceTokenArgs{
			NamespaceName: pulumi.StringRef("Collection"),
		}, nil)
		if err != nil {
			return err
		}
		example, err := azuredevops.LookupGroup(ctx, &azuredevops.LookupGroupArgs{
			Name: "Project Collection Administrators",
		}, nil)
		if err != nil {
			return err
		}
		_, err = azuredevops.NewSecurityPermissions(ctx, "collection_perms", &azuredevops.SecurityPermissionsArgs{
			NamespaceId: pulumi.String(collection.Id),
			Token:       pulumi.String(collectionGetSecurityNamespaceToken.Token),
			Principal:   pulumi.String(example.Descriptor),
			Permissions: pulumi.StringMap{
				"GENERIC_READ":  pulumi.String("allow"),
				"GENERIC_WRITE": pulumi.String("allow"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureDevOps = Pulumi.AzureDevOps;

return await Deployment.RunAsync(() => 
{
    var collection = AzureDevOps.GetSecurityNamespace.Invoke(new()
    {
        Name = "Collection",
    });

    var collectionGetSecurityNamespaceToken = AzureDevOps.GetSecurityNamespaceToken.Invoke(new()
    {
        NamespaceName = "Collection",
    });

    var example = AzureDevOps.GetGroup.Invoke(new()
    {
        Name = "Project Collection Administrators",
    });

    var collectionPerms = new AzureDevOps.SecurityPermissions("collection_perms", new()
    {
        NamespaceId = collection.Apply(getSecurityNamespaceResult => getSecurityNamespaceResult.Id),
        Token = collectionGetSecurityNamespaceToken.Apply(getSecurityNamespaceTokenResult => getSecurityNamespaceTokenResult.Token),
        Principal = example.Apply(getGroupResult => getGroupResult.Descriptor),
        Permissions = 
        {
            { "GENERIC_READ", "allow" },
            { "GENERIC_WRITE", "allow" },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuredevops.AzuredevopsFunctions;
import com.pulumi.azuredevops.inputs.GetSecurityNamespaceArgs;
import com.pulumi.azuredevops.inputs.GetSecurityNamespaceTokenArgs;
import com.pulumi.azuredevops.inputs.GetGroupArgs;
import com.pulumi.azuredevops.SecurityPermissions;
import com.pulumi.azuredevops.SecurityPermissionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var collection = AzuredevopsFunctions.getSecurityNamespace(GetSecurityNamespaceArgs.builder()
            .name("Collection")
            .build());

        final var collectionGetSecurityNamespaceToken = AzuredevopsFunctions.getSecurityNamespaceToken(GetSecurityNamespaceTokenArgs.builder()
            .namespaceName("Collection")
            .build());

        final var example = AzuredevopsFunctions.getGroup(GetGroupArgs.builder()
            .name("Project Collection Administrators")
            .build());

        var collectionPerms = new SecurityPermissions("collectionPerms", SecurityPermissionsArgs.builder()
            .namespaceId(collection.id())
            .token(collectionGetSecurityNamespaceToken.token())
            .principal(example.descriptor())
            .permissions(Map.ofEntries(
                Map.entry("GENERIC_READ", "allow"),
                Map.entry("GENERIC_WRITE", "allow")
            ))
            .build());

    }
}

resources:
  collectionPerms:
    type: azuredevops:SecurityPermissions
    name: collection_perms
    properties:
      namespaceId: ${collection.id}
      token: ${collectionGetSecurityNamespaceToken.token}
      principal: ${example.descriptor}
      permissions:
        GENERIC_READ: allow
        GENERIC_WRITE: allow
variables:
  collection:
    fn::invoke:
      function: azuredevops:getSecurityNamespace
      arguments:
        name: Collection
  collectionGetSecurityNamespaceToken:
    fn::invoke:
      function: azuredevops:getSecurityNamespaceToken
      arguments:
        namespaceName: Collection
  example:
    fn::invoke:
      function: azuredevops:getGroup
      arguments:
        name: Project Collection Administrators

Git Repository Permissions

import * as pulumi from "@pulumi/pulumi";
import * as azuredevops from "@pulumi/azuredevops";

const example = azuredevops.getProject({
    name: "Example Project",
});
const exampleGetGitRepository = example.then(example => azuredevops.getGitRepository({
    projectId: example.id,
    name: "Example Repository",
}));
const gitRepos = azuredevops.getSecurityNamespace({
    name: "Git Repositories",
});
const gitRepo = Promise.all([example, exampleGetGitRepository]).then(([example, exampleGetGitRepository]) => azuredevops.getSecurityNamespaceToken({
    namespaceName: "Git Repositories",
    identifiers: {
        project_id: example.id,
        repository_id: exampleGetGitRepository.id,
    },
}));
const exampleContributors = example.then(example => azuredevops.getGroup({
    projectId: example.id,
    name: "Contributors",
}));
const gitPerms = new azuredevops.SecurityPermissions("git_perms", {
    namespaceId: gitRepos.then(gitRepos => gitRepos.id),
    token: gitRepo.then(gitRepo => gitRepo.token),
    principal: exampleContributors.then(exampleContributors => exampleContributors.descriptor),
    permissions: {
        GenericRead: "allow",
        GenericContribute: "allow",
        ForcePush: "deny",
        ManagePermissions: "deny",
    },
    replace: false,
});

import pulumi
import pulumi_azuredevops as azuredevops

example = azuredevops.get_project(name="Example Project")
example_get_git_repository = azuredevops.get_git_repository(project_id=example.id,
    name="Example Repository")
git_repos = azuredevops.get_security_namespace(name="Git Repositories")
git_repo = azuredevops.get_security_namespace_token(namespace_name="Git Repositories",
    identifiers={
        "project_id": example.id,
        "repository_id": example_get_git_repository.id,
    })
example_contributors = azuredevops.get_group(project_id=example.id,
    name="Contributors")
git_perms = azuredevops.SecurityPermissions("git_perms",
    namespace_id=git_repos.id,
    token=git_repo.token,
    principal=example_contributors.descriptor,
    permissions={
        "GenericRead": "allow",
        "GenericContribute": "allow",
        "ForcePush": "deny",
        "ManagePermissions": "deny",
    },
    replace=False)

package main

import (
	"github.com/pulumi/pulumi-azuredevops/sdk/v3/go/azuredevops"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := azuredevops.LookupProject(ctx, &azuredevops.LookupProjectArgs{
			Name: pulumi.StringRef("Example Project"),
		}, nil)
		if err != nil {
			return err
		}
		exampleGetGitRepository, err := azuredevops.GetGitRepository(ctx, &azuredevops.GetGitRepositoryArgs{
			ProjectId: example.Id,
			Name:      "Example Repository",
		}, nil)
		if err != nil {
			return err
		}
		gitRepos, err := azuredevops.GetSecurityNamespace(ctx, &azuredevops.GetSecurityNamespaceArgs{
			Name: pulumi.StringRef("Git Repositories"),
		}, nil)
		if err != nil {
			return err
		}
		gitRepo, err := azuredevops.GetSecurityNamespaceToken(ctx, &azuredevops.GetSecurityNamespaceTokenArgs{
			NamespaceName: pulumi.StringRef("Git Repositories"),
			Identifiers: pulumi.StringMap{
				"project_id":    example.Id,
				"repository_id": exampleGetGitRepository.Id,
			},
		}, nil)
		if err != nil {
			return err
		}
		exampleContributors, err := azuredevops.LookupGroup(ctx, &azuredevops.LookupGroupArgs{
			ProjectId: pulumi.StringRef(example.Id),
			Name:      "Contributors",
		}, nil)
		if err != nil {
			return err
		}
		_, err = azuredevops.NewSecurityPermissions(ctx, "git_perms", &azuredevops.SecurityPermissionsArgs{
			NamespaceId: pulumi.String(gitRepos.Id),
			Token:       pulumi.String(gitRepo.Token),
			Principal:   pulumi.String(exampleContributors.Descriptor),
			Permissions: pulumi.StringMap{
				"GenericRead":       pulumi.String("allow"),
				"GenericContribute": pulumi.String("allow"),
				"ForcePush":         pulumi.String("deny"),
				"ManagePermissions": pulumi.String("deny"),
			},
			Replace: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureDevOps = Pulumi.AzureDevOps;

return await Deployment.RunAsync(() => 
{
    var example = AzureDevOps.GetProject.Invoke(new()
    {
        Name = "Example Project",
    });

    var exampleGetGitRepository = AzureDevOps.GetGitRepository.Invoke(new()
    {
        ProjectId = example.Apply(getProjectResult => getProjectResult.Id),
        Name = "Example Repository",
    });

    var gitRepos = AzureDevOps.GetSecurityNamespace.Invoke(new()
    {
        Name = "Git Repositories",
    });

    var gitRepo = AzureDevOps.GetSecurityNamespaceToken.Invoke(new()
    {
        NamespaceName = "Git Repositories",
        Identifiers = 
        {
            { "project_id", example.Apply(getProjectResult => getProjectResult.Id) },
            { "repository_id", exampleGetGitRepository.Apply(getGitRepositoryResult => getGitRepositoryResult.Id) },
        },
    });

    var exampleContributors = AzureDevOps.GetGroup.Invoke(new()
    {
        ProjectId = example.Apply(getProjectResult => getProjectResult.Id),
        Name = "Contributors",
    });

    var gitPerms = new AzureDevOps.SecurityPermissions("git_perms", new()
    {
        NamespaceId = gitRepos.Apply(getSecurityNamespaceResult => getSecurityNamespaceResult.Id),
        Token = gitRepo.Apply(getSecurityNamespaceTokenResult => getSecurityNamespaceTokenResult.Token),
        Principal = exampleContributors.Apply(getGroupResult => getGroupResult.Descriptor),
        Permissions = 
        {
            { "GenericRead", "allow" },
            { "GenericContribute", "allow" },
            { "ForcePush", "deny" },
            { "ManagePermissions", "deny" },
        },
        Replace = false,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuredevops.AzuredevopsFunctions;
import com.pulumi.azuredevops.inputs.GetProjectArgs;
import com.pulumi.azuredevops.inputs.GetGitRepositoryArgs;
import com.pulumi.azuredevops.inputs.GetSecurityNamespaceArgs;
import com.pulumi.azuredevops.inputs.GetSecurityNamespaceTokenArgs;
import com.pulumi.azuredevops.inputs.GetGroupArgs;
import com.pulumi.azuredevops.SecurityPermissions;
import com.pulumi.azuredevops.SecurityPermissionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var example = AzuredevopsFunctions.getProject(GetProjectArgs.builder()
            .name("Example Project")
            .build());

        final var exampleGetGitRepository = AzuredevopsFunctions.getGitRepository(GetGitRepositoryArgs.builder()
            .projectId(example.id())
            .name("Example Repository")
            .build());

        final var gitRepos = AzuredevopsFunctions.getSecurityNamespace(GetSecurityNamespaceArgs.builder()
            .name("Git Repositories")
            .build());

        final var gitRepo = AzuredevopsFunctions.getSecurityNamespaceToken(GetSecurityNamespaceTokenArgs.builder()
            .namespaceName("Git Repositories")
            .identifiers(Map.ofEntries(
                Map.entry("project_id", example.id()),
                Map.entry("repository_id", exampleGetGitRepository.id())
            ))
            .build());

        final var exampleContributors = AzuredevopsFunctions.getGroup(GetGroupArgs.builder()
            .projectId(example.id())
            .name("Contributors")
            .build());

        var gitPerms = new SecurityPermissions("gitPerms", SecurityPermissionsArgs.builder()
            .namespaceId(gitRepos.id())
            .token(gitRepo.token())
            .principal(exampleContributors.descriptor())
            .permissions(Map.ofEntries(
                Map.entry("GenericRead", "allow"),
                Map.entry("GenericContribute", "allow"),
                Map.entry("ForcePush", "deny"),
                Map.entry("ManagePermissions", "deny")
            ))
            .replace(false)
            .build());

    }
}

resources:
  gitPerms:
    type: azuredevops:SecurityPermissions
    name: git_perms
    properties:
      namespaceId: ${gitRepos.id}
      token: ${gitRepo.token}
      principal: ${exampleContributors.descriptor}
      permissions:
        GenericRead: allow
        GenericContribute: allow
        ForcePush: deny
        ManagePermissions: deny
      replace: false
variables:
  example:
    fn::invoke:
      function: azuredevops:getProject
      arguments:
        name: Example Project
  exampleGetGitRepository:
    fn::invoke:
      function: azuredevops:getGitRepository
      arguments:
        projectId: ${example.id}
        name: Example Repository
  gitRepos:
    fn::invoke:
      function: azuredevops:getSecurityNamespace
      arguments:
        name: Git Repositories
  gitRepo:
    fn::invoke:
      function: azuredevops:getSecurityNamespaceToken
      arguments:
        namespaceName: Git Repositories
        identifiers:
          project_id: ${example.id}
          repository_id: ${exampleGetGitRepository.id}
  exampleContributors:
    fn::invoke:
      function: azuredevops:getGroup
      arguments:
        projectId: ${example.id}
        name: Contributors

Git Branch Permissions

import * as pulumi from "@pulumi/pulumi";
import * as azuredevops from "@pulumi/azuredevops";

const example = azuredevops.getProject({
    name: "Example Project",
});
const exampleGetGitRepository = example.then(example => azuredevops.getGitRepository({
    projectId: example.id,
    name: "Example Repository",
}));
const gitRepos = azuredevops.getSecurityNamespace({
    name: "Git Repositories",
});
const mainBranch = Promise.all([example, exampleGetGitRepository]).then(([example, exampleGetGitRepository]) => azuredevops.getSecurityNamespaceToken({
    namespaceName: "Git Repositories",
    identifiers: {
        project_id: example.id,
        repository_id: exampleGetGitRepository.id,
        ref_name: "refs/heads/main",
    },
}));
const exampleContributors = example.then(example => azuredevops.getGroup({
    projectId: example.id,
    name: "Contributors",
}));
const mainBranchPerms = new azuredevops.SecurityPermissions("main_branch_perms", {
    namespaceId: "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87",
    token: mainBranch.then(mainBranch => mainBranch.token),
    principal: exampleContributors.then(exampleContributors => exampleContributors.descriptor),
    permissions: {
        ForcePush: "Deny",
        RemoveOthersLocks: "Deny",
    },
    replace: false,
});

import pulumi
import pulumi_azuredevops as azuredevops

example = azuredevops.get_project(name="Example Project")
example_get_git_repository = azuredevops.get_git_repository(project_id=example.id,
    name="Example Repository")
git_repos = azuredevops.get_security_namespace(name="Git Repositories")
main_branch = azuredevops.get_security_namespace_token(namespace_name="Git Repositories",
    identifiers={
        "project_id": example.id,
        "repository_id": example_get_git_repository.id,
        "ref_name": "refs/heads/main",
    })
example_contributors = azuredevops.get_group(project_id=example.id,
    name="Contributors")
main_branch_perms = azuredevops.SecurityPermissions("main_branch_perms",
    namespace_id="2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87",
    token=main_branch.token,
    principal=example_contributors.descriptor,
    permissions={
        "ForcePush": "Deny",
        "RemoveOthersLocks": "Deny",
    },
    replace=False)

package main

import (
	"github.com/pulumi/pulumi-azuredevops/sdk/v3/go/azuredevops"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := azuredevops.LookupProject(ctx, &azuredevops.LookupProjectArgs{
			Name: pulumi.StringRef("Example Project"),
		}, nil)
		if err != nil {
			return err
		}
		exampleGetGitRepository, err := azuredevops.GetGitRepository(ctx, &azuredevops.GetGitRepositoryArgs{
			ProjectId: example.Id,
			Name:      "Example Repository",
		}, nil)
		if err != nil {
			return err
		}
		_, err = azuredevops.GetSecurityNamespace(ctx, &azuredevops.GetSecurityNamespaceArgs{
			Name: pulumi.StringRef("Git Repositories"),
		}, nil)
		if err != nil {
			return err
		}
		mainBranch, err := azuredevops.GetSecurityNamespaceToken(ctx, &azuredevops.GetSecurityNamespaceTokenArgs{
			NamespaceName: pulumi.StringRef("Git Repositories"),
			Identifiers: pulumi.StringMap{
				"project_id":    example.Id,
				"repository_id": exampleGetGitRepository.Id,
				"ref_name":      "refs/heads/main",
			},
		}, nil)
		if err != nil {
			return err
		}
		exampleContributors, err := azuredevops.LookupGroup(ctx, &azuredevops.LookupGroupArgs{
			ProjectId: pulumi.StringRef(example.Id),
			Name:      "Contributors",
		}, nil)
		if err != nil {
			return err
		}
		_, err = azuredevops.NewSecurityPermissions(ctx, "main_branch_perms", &azuredevops.SecurityPermissionsArgs{
			NamespaceId: pulumi.String("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"),
			Token:       pulumi.String(mainBranch.Token),
			Principal:   pulumi.String(exampleContributors.Descriptor),
			Permissions: pulumi.StringMap{
				"ForcePush":         pulumi.String("Deny"),
				"RemoveOthersLocks": pulumi.String("Deny"),
			},
			Replace: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureDevOps = Pulumi.AzureDevOps;

return await Deployment.RunAsync(() => 
{
    var example = AzureDevOps.GetProject.Invoke(new()
    {
        Name = "Example Project",
    });

    var exampleGetGitRepository = AzureDevOps.GetGitRepository.Invoke(new()
    {
        ProjectId = example.Apply(getProjectResult => getProjectResult.Id),
        Name = "Example Repository",
    });

    var gitRepos = AzureDevOps.GetSecurityNamespace.Invoke(new()
    {
        Name = "Git Repositories",
    });

    var mainBranch = AzureDevOps.GetSecurityNamespaceToken.Invoke(new()
    {
        NamespaceName = "Git Repositories",
        Identifiers = 
        {
            { "project_id", example.Apply(getProjectResult => getProjectResult.Id) },
            { "repository_id", exampleGetGitRepository.Apply(getGitRepositoryResult => getGitRepositoryResult.Id) },
            { "ref_name", "refs/heads/main" },
        },
    });

    var exampleContributors = AzureDevOps.GetGroup.Invoke(new()
    {
        ProjectId = example.Apply(getProjectResult => getProjectResult.Id),
        Name = "Contributors",
    });

    var mainBranchPerms = new AzureDevOps.SecurityPermissions("main_branch_perms", new()
    {
        NamespaceId = "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87",
        Token = mainBranch.Apply(getSecurityNamespaceTokenResult => getSecurityNamespaceTokenResult.Token),
        Principal = exampleContributors.Apply(getGroupResult => getGroupResult.Descriptor),
        Permissions = 
        {
            { "ForcePush", "Deny" },
            { "RemoveOthersLocks", "Deny" },
        },
        Replace = false,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuredevops.AzuredevopsFunctions;
import com.pulumi.azuredevops.inputs.GetProjectArgs;
import com.pulumi.azuredevops.inputs.GetGitRepositoryArgs;
import com.pulumi.azuredevops.inputs.GetSecurityNamespaceArgs;
import com.pulumi.azuredevops.inputs.GetSecurityNamespaceTokenArgs;
import com.pulumi.azuredevops.inputs.GetGroupArgs;
import com.pulumi.azuredevops.SecurityPermissions;
import com.pulumi.azuredevops.SecurityPermissionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var example = AzuredevopsFunctions.getProject(GetProjectArgs.builder()
            .name("Example Project")
            .build());

        final var exampleGetGitRepository = AzuredevopsFunctions.getGitRepository(GetGitRepositoryArgs.builder()
            .projectId(example.id())
            .name("Example Repository")
            .build());

        final var gitRepos = AzuredevopsFunctions.getSecurityNamespace(GetSecurityNamespaceArgs.builder()
            .name("Git Repositories")
            .build());

        final var mainBranch = AzuredevopsFunctions.getSecurityNamespaceToken(GetSecurityNamespaceTokenArgs.builder()
            .namespaceName("Git Repositories")
            .identifiers(Map.ofEntries(
                Map.entry("project_id", example.id()),
                Map.entry("repository_id", exampleGetGitRepository.id()),
                Map.entry("ref_name", "refs/heads/main")
            ))
            .build());

        final var exampleContributors = AzuredevopsFunctions.getGroup(GetGroupArgs.builder()
            .projectId(example.id())
            .name("Contributors")
            .build());

        var mainBranchPerms = new SecurityPermissions("mainBranchPerms", SecurityPermissionsArgs.builder()
            .namespaceId("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87")
            .token(mainBranch.token())
            .principal(exampleContributors.descriptor())
            .permissions(Map.ofEntries(
                Map.entry("ForcePush", "Deny"),
                Map.entry("RemoveOthersLocks", "Deny")
            ))
            .replace(false)
            .build());

    }
}

resources:
  mainBranchPerms:
    type: azuredevops:SecurityPermissions
    name: main_branch_perms
    properties:
      namespaceId: 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87
      token: ${mainBranch.token}
      principal: ${exampleContributors.descriptor}
      permissions:
        ForcePush: Deny
        RemoveOthersLocks: Deny
      replace: false
variables:
  example:
    fn::invoke:
      function: azuredevops:getProject
      arguments:
        name: Example Project
  exampleGetGitRepository:
    fn::invoke:
      function: azuredevops:getGitRepository
      arguments:
        projectId: ${example.id}
        name: Example Repository
  gitRepos:
    fn::invoke:
      function: azuredevops:getSecurityNamespace
      arguments:
        name: Git Repositories
  mainBranch:
    fn::invoke:
      function: azuredevops:getSecurityNamespaceToken
      arguments:
        namespaceName: Git Repositories
        identifiers:
          project_id: ${example.id}
          repository_id: ${exampleGetGitRepository.id}
          ref_name: refs/heads/main
  exampleContributors:
    fn::invoke:
      function: azuredevops:getGroup
      arguments:
        projectId: ${example.id}
        name: Contributors

Relevant Links

PAT Permissions Required

Project & Team: vso.security_manage - Grants the ability to read, write, and manage security permissions.

Notes

This is a generic low-level resource for managing permissions across any Azure DevOps security namespace
For better user experience and type safety, consider using dedicated permission resources when available (e.g., azuredevops.ProjectPermissions, azuredevops.GitPermissions)
Permission names are namespace-specific and case-sensitive. All permission names in the permissions map are validated against the namespace - if any permission name is invalid, an error will be returned
When replace = true, all existing permissions for the principal will be removed and replaced with the specified permissions
When replace = false, the specified permissions will be merged with existing permissions, allowing you to manage only a subset of permissions
when replace = false, deletion of the resource only removes the permissions specified in the permissions map, rather than all permissions for the principal
The principal must be a group descriptor or identity ID. Individual user principals are not supported
Use the azuredevops.getSecurityNamespaceToken data source to generate correct tokens for different resource types
Permissions are propagated asynchronously and may take a few moments to take effect

Create SecurityPermissions Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecurityPermissions(name: string, args: SecurityPermissionsArgs, opts?: CustomResourceOptions);

@overload
def SecurityPermissions(resource_name: str,
                        args: SecurityPermissionsArgs,
                        opts: Optional[ResourceOptions] = None)

@overload
def SecurityPermissions(resource_name: str,
                        opts: Optional[ResourceOptions] = None,
                        namespace_id: Optional[str] = None,
                        permissions: Optional[Mapping[str, str]] = None,
                        principal: Optional[str] = None,
                        token: Optional[str] = None,
                        replace: Optional[bool] = None)

func NewSecurityPermissions(ctx *Context, name string, args SecurityPermissionsArgs, opts ...ResourceOption) (*SecurityPermissions, error)

public SecurityPermissions(string name, SecurityPermissionsArgs args, CustomResourceOptions? opts = null)

public SecurityPermissions(String name, SecurityPermissionsArgs args)
public SecurityPermissions(String name, SecurityPermissionsArgs args, CustomResourceOptions options)

type: azuredevops:SecurityPermissions
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecurityPermissionsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecurityPermissionsArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecurityPermissionsArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecurityPermissionsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecurityPermissionsArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var securityPermissionsResource = new AzureDevOps.SecurityPermissions("securityPermissionsResource", new()
{
    NamespaceId = "string",
    Permissions = 
    {
        { "string", "string" },
    },
    Principal = "string",
    Token = "string",
    Replace = false,
});

example, err := azuredevops.NewSecurityPermissions(ctx, "securityPermissionsResource", &azuredevops.SecurityPermissionsArgs{
	NamespaceId: pulumi.String("string"),
	Permissions: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Principal: pulumi.String("string"),
	Token:     pulumi.String("string"),
	Replace:   pulumi.Bool(false),
})

var securityPermissionsResource = new SecurityPermissions("securityPermissionsResource", SecurityPermissionsArgs.builder()
    .namespaceId("string")
    .permissions(Map.of("string", "string"))
    .principal("string")
    .token("string")
    .replace(false)
    .build());

security_permissions_resource = azuredevops.SecurityPermissions("securityPermissionsResource",
    namespace_id="string",
    permissions={
        "string": "string",
    },
    principal="string",
    token="string",
    replace=False)

const securityPermissionsResource = new azuredevops.SecurityPermissions("securityPermissionsResource", {
    namespaceId: "string",
    permissions: {
        string: "string",
    },
    principal: "string",
    token: "string",
    replace: false,
});

type: azuredevops:SecurityPermissions
properties:
    namespaceId: string
    permissions:
        string: string
    principal: string
    replace: false
    token: string

SecurityPermissions Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecurityPermissions resource accepts the following input properties:

NamespaceId string

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

Permissions Dictionary<string, string>

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

Principal string

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

Token string

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

Replace bool

Replace (true) or merge (false) the permissions with existing permissions. When true, all existing permissions for the principal on this token will be replaced with the specified permissions. When false, the specified permissions will be merged with existing permissions. Default: true.

NamespaceId string

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

Permissions map[string]string

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

Principal string

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

Token string

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

Replace bool

namespaceId String

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

permissions Map<String,String>

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

principal String

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

token String

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

replace Boolean

namespaceId string

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

permissions {[key: string]: string}

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

principal string

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

token string

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

replace boolean

namespace_id str

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

permissions Mapping[str, str]

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

principal str

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

token str

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

replace bool

namespaceId String

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

permissions Map<String>

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

principal String

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

token String

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

replace Boolean

Outputs

All input properties are implicitly available as output properties. Additionally, the SecurityPermissions resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SecurityPermissions Resource

Get an existing SecurityPermissions resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecurityPermissionsState, opts?: CustomResourceOptions): SecurityPermissions

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        namespace_id: Optional[str] = None,
        permissions: Optional[Mapping[str, str]] = None,
        principal: Optional[str] = None,
        replace: Optional[bool] = None,
        token: Optional[str] = None) -> SecurityPermissions

func GetSecurityPermissions(ctx *Context, name string, id IDInput, state *SecurityPermissionsState, opts ...ResourceOption) (*SecurityPermissions, error)

public static SecurityPermissions Get(string name, Input<string> id, SecurityPermissionsState? state, CustomResourceOptions? opts = null)

public static SecurityPermissions get(String name, Output<String> id, SecurityPermissionsState state, CustomResourceOptions options)

resources:  _:    type: azuredevops:SecurityPermissions    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

NamespaceId string

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

Permissions Dictionary<string, string>

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

Principal string

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

Replace bool

Token string

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

NamespaceId string

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

Permissions map[string]string

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

Principal string

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

Replace bool

Token string

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

namespaceId String

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

permissions Map<String,String>

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

principal String

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

replace Boolean

token String

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

namespaceId string

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

permissions {[key: string]: string}

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

principal string

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

replace boolean

token string

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

namespace_id str

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

permissions Mapping[str, str]

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

principal str

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

replace bool

token str

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

namespaceId String

The ID of the security namespace. Use the azuredevops.getSecurityNamespaces data source to discover available namespaces. Changing this forces a new resource to be created.

permissions Map<String>

A map of permission names to permission values. All permission names specified must be valid for the given namespace, or an error will be returned. Permission values must be one of:

Allow (or allow, ALLOW) - Grant the permission
Deny (or deny, DENY) - Explicitly deny the permission
NotSet (or notset, NOTSET) - Remove the permission (inherit from parent)

principal String

The descriptor or identity ID of the principal (user or group). Changing this forces a new resource to be created.

replace Boolean

token String

The security token for the resource. Use the azuredevops.getSecurityNamespaceToken data source to generate tokens for specific resources. Changing this forces a new resource to be created.

Import

The resource does not support import.

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Azure DevOps pulumi/pulumi-azuredevops
License: Apache-2.0
Notes: This Pulumi package is based on the azuredevops Terraform Provider.

Viewing docs for Azure DevOps v3.14.0
published on Tuesday, Mar 24, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-azuredevops

azuredevops.SecurityPermissions

On this page

On this page

Example Usage

Collection-level Permissions

Git Repository Permissions

Git Branch Permissions

Relevant Links

PAT Permissions Required

Notes

Create SecurityPermissions Resource

Constructor syntax

Parameters

Constructor example

SecurityPermissions Resource Properties

Inputs

Outputs

Look up Existing SecurityPermissions Resource

Import

Package Details

On this page

On this page