DOS2400: Security Roles - Restrict global group access permissions on service connection | Security KB - DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.

This website stores cookies on your computer.These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, please review our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.
By clicking “Accept All”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

AzureDevOps project Severityhigh builtIn

Description

The global groups (Administrators, Service Accounts, Contributors, Creators, Readers, Valid Users) should not have elavated permissions (Admin/User). User permissions for certain groups must be restricted to read-only access. https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions-lookup-guide https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources?#user-permissions https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions#set-service-connection-permissions

Learn More

https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices#scoped-permissions

Recommendation

1. Navigate to Project Settings. 
2. Open the Service connections link under Pipelines. 
3. Select a service connection. 
4. Click on the three dots button. 
5. Click Security. 
6. Under 'User permissions' section, review security roles and ensure common groups have only read-only access.

Policy Rule

{
  "target": "ADOSecurityRoleAssignment",
  "if": {
    "allOf": [
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ResourceType",
        "operator": "equals",
        "value": "Endpoint"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ScopeId",
        "operator": "equals",
        "value": "distributedtask.serviceendpointrole"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "Identity.DisplayName",
        "operator": "contains",
        "value": "$(POLICY_VAR_PROJECT_SECURITY_ROLES_GLOBAL_GROUPS)"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "Role.Name",
        "operator": "equals",
        "value": "Reader"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}

« DOS2390 DOS2410 »

Rule Details

Rule ID: DOS2400
Code: ADO_Project_SecurityRoles_ServiceConnection_Restrict_Common_Group_Access
Platform: AzureDevOps
Category: project
Severity: Severityhigh
Type: builtIn

DOS2400

Security Roles - Restrict global group access permissions on service connection

DOS2400

Description

Recommendation

Policy Rule

View evaluation logic (JSON)

Rule Details

Related Rules