AzureDevOps project high builtIn

Description

The built-in groups (Contributors, Readers, Project Collection Valid Users, Project Valid Users) should not hold elevated security roles (Administrator/User) on variable groups; their role must be restricted to Reader. Learn more:
https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices#scoped-permissions
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions-lookup-guide
https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources?#user-permissions
https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions#set-library-permissions

Recommendation

1. Navigate to Project -> Pipelines -> Library
2. On the 'Library' page, click the 'Variable groups' tab.
3. Select a variable group from the list.
4. Click the 'Security' button.
5. Review the security roles and ensure the common groups have only the Reader role.

Policy Rule

{
  "target": "ADOSecurityRoleAssignment",
  "if": {
    "allOf": [
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ResourceType",
        "operator": "equals",
        "value": "VariableGroup"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ScopeId",
        "operator": "equals",
        "value": "distributedtask.variablegroup"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "Identity.DisplayName",
        "operator": "contains",
        "value": "$(POLICY_VAR_PROJECT_SECURITY_ROLES_COMMON_GROUPS)"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "Role.Name",
        "operator": "equals",
        "value": "Reader"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
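As an added example (not code from the policy page or its engine), the Python below evaluates the rule above over constructed ADOSecurityRoleAssignment records and lists the in-scope assignments that fail the Reader check; the record layout, the '[Project]\Group' display-name format and the expansion of the POLICY_VAR placeholder are assumptions.

```python
# Added example (not from the policy page): evaluate its rule over constructed
# ADOSecurityRoleAssignment records. Record shape, display-name format and the
# POLICY_VAR expansion are assumed.
import re

POLICY_RULE = {"target": "ADOSecurityRoleAssignment", "then": {"effect": "Audit"}, "if": {"allOf": [
    {"property": "ScopeResource.ResourceType", "operator": "equals", "value": "VariableGroup"},
    {"property": "ScopeResource.ScopeId", "operator": "equals", "value": "distributedtask.variablegroup"},
    {"property": "Identity.DisplayName", "operator": "contains",
     "value": "$(POLICY_VAR_PROJECT_SECURITY_ROLES_COMMON_GROUPS)"},
    {"property": "Role.Name", "operator": "equals", "value": "Reader"},
]}}

# Assumed expansion of the policy variable: the common groups named in the description.
VARIABLES = {"POLICY_VAR_PROJECT_SECURITY_ROLES_COMMON_GROUPS": [
    "Contributors", "Readers", "Project Collection Valid Users", "Project Valid Users"]}

def resolve(value, variables):
    """Expand a $(NAME) placeholder into a list of candidate values."""
    m = re.fullmatch(r"\$\((\w+)\)", value)
    if not m:
        return [value]
    expanded = variables[m.group(1)]
    return expanded if isinstance(expanded, list) else [expanded]

def get_property(record, path):
    """Walk a dotted path such as 'ScopeResource.ScopeId' through nested dicts."""
    for part in path.split("."):
        record = record.get(part) if isinstance(record, dict) else None
    return record

def holds(cond, record, variables):
    actual = get_property(record, cond["property"])
    candidates = resolve(cond["value"], variables)
    if cond["operator"] == "equals":
        return actual in candidates
    if cond["operator"] == "contains":
        return actual is not None and any(c in actual for c in candidates)
    raise ValueError("unsupported operator: " + cond["operator"])

def noncompliant_assignments(records, rule=POLICY_RULE, variables=VARIABLES):
    """(group, role) pairs for in-scope assignments that fail the rule. The Role.Name
    condition is the compliance test; the other conditions select the records in scope."""
    conds = rule["if"]["allOf"]
    scope = [c for c in conds if c["property"] != "Role.Name"]
    return [(r["Identity"]["DisplayName"], r["Role"]["Name"]) for r in records
            if all(holds(c, r, variables) for c in scope)
            and not all(holds(c, r, variables) for c in conds)]

def make(group, role, rtype="VariableGroup", scope_id="distributedtask.variablegroup"):
    return {"ScopeResource": {"ResourceType": rtype, "ScopeId": scope_id},
            "Identity": {"DisplayName": "[MyProject]\\" + group}, "Role": {"Name": role}}

SAMPLE = [make("Contributors", "Administrator"), make("Readers", "Reader"),
          make("Project Valid Users", "User"), make("Release Managers", "Administrator"),
          make("Contributors", "Administrator", rtype="Environment", scope_id="constructed.other")]
```

Running `noncompliant_assignments(SAMPLE)` reports the Contributors and Project Valid Users assignments only; the Release Managers entry is not a common group and the Environment entry is outside the rule's scope.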