Update permissions for Azure DevOps group for EventSubscription through Azure CLI?

问题

I've been adding permissions to a custom Azure DevOps Services group through the Azure CLI (az devops version 0.11.0) and I've usually been able to do the following:

1. az devops security permission namespace list, find namespaceId of specific namespace (like EventSubscription)
2. Get the Project Admin's descriptor
3. az devops security permission list --id $namespaceId --subject $projectAdmin.descriptor...
4. Find an allow bit in the ACES dictionary, find the respective token
5. az devops security permission update... with the new token

But when I run security permission list for the EventSubscription namespace, it returns with empty JSON for the project admins group so I can't find the token. I've tried "$SUBSCRIPTION" as it looked like what a TFS 2010 user used, but that doesn't work.

Questions:

1. How can I list tokens on the project admins group for the EventSubscription namespace? I tried to see if tfssecurity would pull anything up, but didn't work. Also tried using Fiddler to see if it would find a token but also nothing. Can't use Fiddler with the UI.

2. Or what token do I use for Azure DevOps to update the EventSubscription permission for a group?

回答1:

I tested with EventSubscription namespace id and project admins group descriptor as subject parameters and got the same result as you.

$env:AZURE_DEVOPS_EXT_PAT = 'ckdhd6wuma5uw2h35dv37pgdum5eyjviqneineixxxxx'

$output = az devops security permission namespace list | ConvertTo-Json -Depth 100

#get descriptor
$output2 = az devops security group list --scope project | ConvertTo-Json -Depth 100

#eventSubscription namespaceId: 58b176e7-3411-457a-89d0-c6xxx/ Project namespaceId:52d39943-cb85-4d7f-8fa8-c6xxx
$output3 = az devops security permission list --namespace-id 58b176e7-3411-457a-89d0-c6xxxx --subject vssgp.Uy0xLTktMTU1MTM3NDI0NS00MjQ3MDQ2OTMyLTI2ODA1Nzg2MjktMjkxMzgyMjE4MC0yNDQ0MjYxxxxx | ConvertTo-Json -Depth 100

Write-Host $output3

But when I tested with Project namespace id and project admins group descriptor, I can get the token normally.

So I think this could be a problem with the association between the EventSubscription namespace and the project admins group descriptor. Can you share the corresponding operation in the UI? This will help me investigate further.

来源：https://stackoverflow.com/questions/60783663/update-permissions-for-azure-devops-group-for-eventsubscription-through-azure-cl