DOS1030: Extensions - Security Roles - Restrict extension manager role to only administrators | Security KB - DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.

This website stores cookies on your computer.These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, please review our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.
By clicking “Accept All”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

AzureDevOps organization high builtIn

Description

Allow only administrators to manage extensions in your organization. Review the users who have permission to manage extensions. Users with extension manager role can install/uninstall extensions and approve/decline extension requests. Learn more: https://learn.microsoft.com/en-us/azure/devops/marketplace/grant-permissions

Recommendation

1. Go to Organization Settings. 
2. Select Extensions. 
3. Click on the Security button. 
4. Review all 'Manager' role assignments.

Policy Rule

{
  "target": "ADOSecurityRoleAssignment",
  "if": {
    "allOf": [
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ResourceType",
        "operator": "equals",
        "value": "OrganizationExtension"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ScopeId",
        "operator": "equals",
        "value": "ems.manage.ui"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "Role.DisplayName",
        "operator": "equals",
        "value": "Manager"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "Identity.DisplayName",
        "operator": "match",
        "value": "(Project Collection Administrators)"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}

« DOS1020 DOS1040 »

Rule Details

Rule ID: DOS1030
Code: ADO_Organization_Extensions_SecurityRoles_Restrict_Extension_Manager_Role_To_Admins
Platform: AzureDevOps
Category: organization
Severity: high
Type: builtIn

DOS1030

Extensions - Security Roles - Restrict extension manager role to only administrators

DOS1030

Description

Recommendation

Policy Rule

View evaluation logic (JSON)

Rule Details

Related Rules