Do not allow agent pools to inherit elavated permissions from project level user permissions. The groups (Contributors, Readers, Project Collection Valid Users, Project Valid Users) should not have elavated permissions (Admin/User). User permissions for certain groups must be restricted to read-only access. Learn more: https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices#scoped-permissions https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions-lookup-guide https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources?#user-permissions https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions#set-agent-pool-permissions
1. Navigate to Project Settings. 2. Open the Agent pools link under Pipelines. 3. On 'Agent pools' page, click on Security button (top right). 4. On 'User permissions' panel, review security roles and ensure common groups have only read-only access.
{
"target": "ADOSecurityRoleAssignment",
"if": {
"allOf": [
{
"resource": "ADOSecurityRoleAssignment",
"property": "ScopeResource.ResourceType",
"operator": "equals",
"value": "Project"
},
{
"resource": "ADOSecurityRoleAssignment",
"property": "ScopeResource.ScopeId",
"operator": "equals",
"value": "distributedtask.globalagentqueuerole"
},
{
"resource": "ADOSecurityRoleAssignment",
"property": "Identity.DisplayName",
"operator": "contains",
"value": "$(POLICY_VAR_PROJECT_SECURITY_ROLES_COMMON_GROUPS)"
},
{
"anyOf": [
{
"resource": "ADOSecurityRoleAssignment",
"property": "Role.Name",
"operator": "equals",
"value": "Reader"
},
{
"resource": "ADOSecurityRoleAssignment",
"property": "Role.Name",
"operator": "equals",
"value": "Creator"
}
]
}
]
},
"then": {
"effect": "Audit"
}
}Copyright © DevOps Shield. All Rights Reserved. Privacy Policy | Cookie Policy | Terms and Conditions