The global groups (Administrators, Service Accounts, Contributors, Creators, Readers, Valid Users) should not have elevated permissions (Admin/User) on service connections. User permissions for these groups must be restricted to read-only access.

Learn more:
https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices#scoped-permissions
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions-lookup-guide
https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources?#user-permissions
https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions#set-service-connection-permissions
1. Navigate to Project Settings.
2. Open the Service connections link under Pipelines.
3. Select a service connection.
4. Click on the three dots button.
5. Click Security.
6. Under the 'User permissions' section, review the security roles and ensure common groups have only read-only access.
{
  "target": "ADOSecurityRoleAssignment",
  "if": {
    "allOf": [
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ResourceType",
        "operator": "equals",
        "value": "Endpoint"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ScopeId",
        "operator": "equals",
        "value": "distributedtask.serviceendpointrole"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "Identity.DisplayName",
        "operator": "contains",
        "value": "$(POLICY_VAR_PROJECT_SECURITY_ROLES_GLOBAL_GROUPS)"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "Role.Name",
        "operator": "equals",
        "value": "Reader"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
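As an added illustration (not DevOps Shield's own engine), the following evaluates the four allOf clauses above over constructed ADOSecurityRoleAssignment records and adds the complementary check from step 6: global groups holding any service-connection role other than Reader. It assumes POLICY_VAR_PROJECT_SECURITY_ROLES_GLOBAL_GROUPS expands to the six global group names listed at the top; the sample records and the project name are constructed.

```python
# Assumptions: the policy variable expands to these names; records are constructed.
GLOBAL_GROUPS = ["Administrators", "Service Accounts", "Contributors",
                 "Creators", "Readers", "Valid Users"]
VARS = {"POLICY_VAR_PROJECT_SECURITY_ROLES_GLOBAL_GROUPS": GLOBAL_GROUPS}
CONDITIONS = [  # the four allOf clauses of the policy above
    ("ScopeResource.ResourceType", "equals", "Endpoint"),
    ("ScopeResource.ScopeId", "equals", "distributedtask.serviceendpointrole"),
    ("Identity.DisplayName", "contains",
     "$(POLICY_VAR_PROJECT_SECURITY_ROLES_GLOBAL_GROUPS)"),
    ("Role.Name", "equals", "Reader"),
]

def lookup(record, dotted):
    """Walk a dotted property path such as 'Role.Name' through nested dicts."""
    for part in dotted.split("."):
        record = record.get(part) if isinstance(record, dict) else None
    return record

def holds(record, prop, operator, value, variables=VARS):
    """Evaluate one clause; a $(NAME) value is substituted from variables."""
    if isinstance(value, str) and value.startswith("$(") and value.endswith(")"):
        value = variables[value[2:-1]]
    actual = lookup(record, prop)
    if operator == "equals":
        return actual == value
    if operator == "contains":  # value may be one string or a list of names
        needles = value if isinstance(value, list) else [value]
        return actual is not None and any(n in str(actual) for n in needles)
    raise ValueError(f"unsupported operator: {operator}")

def matches_policy(record):
    """True when every clause of the policy's allOf holds for this assignment."""
    return all(holds(record, p, o, v) for p, o, v in CONDITIONS)

def non_reader_global_groups(records):
    """The check behind step 6: global groups holding any role other than Reader."""
    return [(lookup(r, "Identity.DisplayName"), lookup(r, "Role.Name"))
            for r in records
            if all(holds(r, p, o, v) for p, o, v in CONDITIONS[:3])
            and lookup(r, "Role.Name") != "Reader"]

def assignment(group, role):
    """Constructed record in the ADOSecurityRoleAssignment shape the policy reads."""
    return {"ScopeResource": {"ResourceType": "Endpoint",
                              "ScopeId": "distributedtask.serviceendpointrole"},
            "Identity": {"DisplayName": f"[ExampleProject]\\{group}"},
            "Role": {"Name": role}}

SAMPLE = [assignment("Contributors", "Reader"), assignment("Contributors", "Administrator"),
          assignment("Valid Users", "User"), assignment("Release Managers", "Administrator")]
```

Running `non_reader_global_groups(SAMPLE)` returns the two assignments a reviewer would remediate in step 6, while the project-specific "Release Managers" team is left alone because it is not a global group.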
Copyright © DevOps Shield. All Rights Reserved.