Azure DevOps Services | Azure DevOps Server | Azure DevOps Server 2022 | Azure DevOps Server 2020
Manage access to repositories to lock down who can contribute to your source code and manage other features. You can set permissions across all Git repositories by making changes to the top-level Git repositories entry. Individual repositories inherit permissions from the top-level Git Repositories entry.
Note
Branches inherit a subset of permissions from assignments made at the repository level. For branch permissions and policies, see Set branch permissions and Improve code quality with branch policies.
For guidance on who to provide greater permission levels, see Manage access using permissions.
Prerequisites
Default repository permissions
By default, members of the project Contributors group have permissions to contribute to a repository. This includes the ability to create branches, create tags, and manage notes. For a description of each security group and permission level, see Permissions and group reference.
Permission
Readers
Contributors
Build Admins
Project Admins
Read (clone, fetch, and explore the contents of a repository); also, can create, comment on, vote, and Contribute to pull requests
✔️
✔️
✔️
✔️
Contribute, Create branches, Create tags, and Manage notes
✔️
✔️
✔️
Create repository, Delete repository, and Rename repository
✔️
Edit policies, Manage permissions, Remove others' locks
✔️
Exempt from policy enforcement and bypass policy permissions
There are many scenarios where you have the occasional need to bypass a branch policy. For example, when reverting a change that caused a build break or applying a hotfix in the middle of the night. Previously, the Exempt from policy enforcement permission helped teams manage which users were granted the ability to bypass branch policies when completing a pull request. However, that permission also granted the ability to push directly to the branch, bypassing the PR process entirely.
To improve this experience, we split the Exempt from policy enforcement permission to offer more control to teams that are granting bypass permissions. The following two permissions replace the former permission:
- Bypass policies when completing pull requests. Users with this permission will be able to use the "Override" experience for pull requests.
- Bypass policies when pushing. Users with this permission will be able to push directly to branches that have required policies configured.
By granting the first permission and denying the second, a user can use the bypass option when necessary, but will still have the protection from accidentally pushing to a branch with policies.
Note
This change does not introduce any behavior changes. Users that were formerly granted Allow for Exempt from policy enforcement are granted Allow for both new permissions, so they'll be able to both override completion on PRs and push directly to branches with policies.