Roleassignments - Set Role Assignments

Set role assignments on a resource

PUT https://dev.azure.com/{organization}/_apis/securityroles/scopes/{scopeId}/roleassignments/resources/{resourceId}?api-version=7.1-preview.1
PUT https://dev.azure.com/{organization}/_apis/securityroles/scopes/{scopeId}/roleassignments/resources/{resourceId}?limitToCallerIdentityDomain={limitToCallerIdentityDomain}&api-version=7.1-preview.1

URI Parameters

| Name | In | Required | Type | Description |
|---|---|---|---|---|
| resourceId | path | True | string | Id of the resource on which the role is to be assigned |
| scopeId | path | True | string | Id of the assigned scope |
| organization | path | | string | The name of the Azure DevOps organization. |
| api-version | query | True | string | Version of the API to use. This should be set to '7.1-preview.1' to use this version of the api. |
| limitToCallerIdentityDomain | query | | boolean | |

Request Body

| Name | Type | Description |
|---|---|---|
| body | UserRoleAssignmentRef[] | Roles to be assigned |

Responses

| Name | Type | Description |
|---|---|---|
| 200 OK | RoleAssignment[] | successful operation |

Security

oauth2

Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

Scopes

| Name | Description |
|---|---|
| vso.security_manage | Grants the ability to read, write, and manage security permissions. |

Examples

Set Role assignments

Sample request

PUT https://dev.azure.com/{organization}/_apis/securityroles/scopes/{scopeId}/roleassignments/resources/{resourceId}?api-version=7.1-preview.1

[
  {
    "roleName": "Administrator",
    "userId": "4189bd2b-de9c-45de-a886-4e3d9c03f1f9"
  }
]

Sample response

{
  "count": 1,
  "value": [
    {
      "identity": {
        "displayName": "Your Identity Name",
        "id": "cbb1d8ac-cee5-47c1-878a-e75c0e94ac89",
        "uniqueName": "Your Identity Unique Name"
      },
      "role": {
        "displayName": "Administrator",
        "name": "Administrator",
        "allowPermissions": 3,
        "denyPermissions": 0,
        "identifier": "distributedtask.serviceendpointrole.Administrator",
        "description": "Administrator can use and manage the service connection.",
        "scope": "distributedtask.serviceendpointrole"
      },
      "access": "assigned",
      "accessDisplayName": "Assigned"
    }
  ]
}
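An added example, not part of the original reference and not Microsoft's code: it validates a UserRoleAssignmentRef[] body against an allowlist before building the PUT request, then checks the returned RoleAssignment[] against what was requested. The helper names, the `approved_roles` allowlist and the bearer-token header are assumptions; the request is built but never sent.

```python
import json
import urllib.parse
import urllib.request
import uuid

API_VERSION = "7.1-preview.1"

def build_set_request(organization, scope_id, resource_id, assignments, token, approved_roles):
    """Validate a UserRoleAssignmentRef[] body and build (not send) the PUT."""
    body = []
    for ref in assignments:
        if ref["roleName"] not in approved_roles:
            raise ValueError(f"role not approved for automation: {ref['roleName']!r}")
        uuid.UUID(ref["userId"])  # raises ValueError for a malformed id
        body.append({"roleName": ref["roleName"], "userId": ref["userId"]})
    # Quote every path segment so a crafted id cannot add "/", "?" or "#"
    # and point the call at a different scope, resource or endpoint.
    segments = [organization, "_apis", "securityroles", "scopes", scope_id,
                "roleassignments", "resources", resource_id]
    path = "/".join(urllib.parse.quote(s, safe="") for s in segments)
    return urllib.request.Request(
        f"https://dev.azure.com/{path}?api-version={API_VERSION}",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        # Assumption: the OAuth2 token (scope vso.security_manage) is sent as a bearer token.
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )

def review_response(response, requested):
    """Compare the returned RoleAssignment[] with what was requested."""
    wanted = {ref["roleName"] for ref in requested}
    findings = []
    for item in response["value"]:
        who = item["identity"]["id"]
        role = item["role"]["name"]
        if role not in wanted:
            findings.append(f"{who}: role {role} was not in the request")
        if item["access"] != "assigned":
            findings.append(f"{who}: access is {item['access']}, not explicitly assigned")
    return findings

# Constructed inputs: the body and a trimmed response follow the page's sample.
REQUESTED = [{"roleName": "Administrator", "userId": "4189bd2b-de9c-45de-a886-4e3d9c03f1f9"}]
SAMPLE_RESPONSE = {"count": 1, "value": [{
    "identity": {"id": "cbb1d8ac-cee5-47c1-878a-e75c0e94ac89"},
    "role": {"name": "Administrator", "allowPermissions": 3, "denyPermissions": 0},
    "access": "assigned"}]}
```

Logging the findings together with the request body gives a reviewable record of each permission change made through this endpoint.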

Definitions

| Name | Description |
|---|---|
| IdentityRef | |
| ReferenceLinks | The class to represent a collection of REST reference links. |
| RoleAccess | Designates the role as explicitly assigned or inherited. |
| RoleAssignment | |
| SecurityRole | |
| UserRoleAssignmentRef | |

IdentityRef

| Name | Type | Description |
|---|---|---|
| _links | ReferenceLinks | This field contains zero or more interesting links about the graph subject. These links may be invoked to obtain additional relationships or more detailed information about this graph subject. |
| descriptor | string | The descriptor is the primary way to reference the graph subject while the system is running. This field will uniquely identify the same graph subject across both Accounts and Organizations. |
| directoryAlias | string | Deprecated - Can be retrieved by querying the Graph user referenced in the "self" entry of the IdentityRef "_links" dictionary |
| displayName | string | This is the non-unique display name of the graph subject. To change this field, you must alter its value in the source provider. |
| id | string | |
| imageUrl | string | Deprecated - Available in the "avatar" entry of the IdentityRef "_links" dictionary |
| inactive | boolean | Deprecated - Can be retrieved by querying the Graph membership state referenced in the "membershipState" entry of the GraphUser "_links" dictionary |
| isAadIdentity | boolean | Deprecated - Can be inferred from the subject type of the descriptor (Descriptor.IsAadUserType/Descriptor.IsAadGroupType) |
| isContainer | boolean | Deprecated - Can be inferred from the subject type of the descriptor (Descriptor.IsGroupType) |
| isDeletedInOrigin | boolean | |
| profileUrl | string | Deprecated - not in use in most preexisting implementations of ToIdentityRef |
| uniqueName | string | Deprecated - use Domain+PrincipalName instead |
| url | string | This url is the full route to the source resource of this graph subject. |

ReferenceLinks

The class to represent a collection of REST reference links.

| Name | Type | Description |
|---|---|---|
| links | object | The readonly view of the links. Because Reference links are readonly, we only want to expose them as read only. |

RoleAccess

Designates the role as explicitly assigned or inherited.

| Name | Type | Description |
|---|---|---|
| assigned | string | Access has been explicitly set. |
| inherited | string | Access has been inherited from a higher scope. |

RoleAssignment

| Name | Type | Description |
|---|---|---|
| access | RoleAccess | Designates the role as explicitly assigned or inherited. |
| accessDisplayName | string | User friendly description of access assignment. |
| identity | IdentityRef | The user to whom the role is assigned. |
| role | SecurityRole | The role assigned to the user. |

SecurityRole

| Name | Type | Description |
|---|---|---|
| allowPermissions | integer | Permissions the role is allowed. |
| denyPermissions | integer | Permissions the role is denied. |
| description | string | Description of user access defined by the role |
| displayName | string | User friendly name of the role. |
| identifier | string | Globally unique identifier for the role. |
| name | string | Unique name of the role in the scope. |
| scope | string | Returns the id of the ParentScope. |

UserRoleAssignmentRef

| Name | Type | Description |
|---|---|---|
| roleName | string | The name of the role assigned. |
| uniqueName | string | Identifier of the user given the role assignment. |
| userId | string | Unique id of the user given the role assignment. |