| title | titleSuffix | description | ms.subservice | ms.assetid | ms.topic | ms.reviewer | ms.author | author | monikerRange | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|
Add users or groups to an access level |
Azure DevOps |
Learn how to set the access level for a user or group based on their license |
azure-devops-security |
84B0D454-09A7-414B-A9E0-FE9A9ACD7E99 |
quickstart |
chcomley |
chcomley |
<= azure-devops |
04/04/2022 |
[!INCLUDE version-lt-eq-azure-devops]
Users must be added to a group with the appropriate permissions, to connect and use the functions and features that Azure DevOps Server provides. To use select web portal features, they must also belong to the access level that enables access to that feature. For an overview of each access level, see About access levels.
This article applies to managing access levels for project collections defined on an on-premises Azure DevOps. To manage access levels for the Azure DevOps Services (the cloud service), see Add users to your organization or project.
Important
Make sure that you select the correct version of this article for Azure DevOps Services or Azure DevOps Server, renamed from Team Foundation Server (TFS). The version selector is located above the table of contents.
For a simplified overview of the permissions that are assigned to the most common groups—Readers, Contributors, and Project Administrators—and the Stakeholder access group, see Permissions and access.
::: moniker range="< azure-devops"
Note
Even if you set a user or group's access level, you must add them to a project for them to connect to a project and access features available through a supported client or the web portal.
Make sure to set each user's access level based on what you've purchased for that user. Basic access includes all Stakeholder features - Basic + Test Plans, Advanced and Visual Studio Enterprise subscriber access levels include all Basic features. In the images provided below, the circled features indicate the features made available from the previous access level.
- You must be a member of the Administrators group. If you aren't a member, get added now.
- If you're managing access for a large group of users, it's a best practice to first create either a Windows group, a group in Active Directory, or Azure DevOps security group, and then add individuals to those groups.
::: moniker-end
::: moniker range="< azure-devops"
You manage access levels for the collections defined on the application tier. The default access level you set applies to all projects defined for all collections. Users or groups that you add to teams, projects, or collections are granted the access level that you set as the default. To change the access level for a specific group or user, add them specifically to a non-default access level.
::: moniker-end
::: moniker range=">= azure-devops-2019 < azure-devops"
-
From the web portal home page for a project collection (for example,
http://MyServer:8080/tfs/DefaultCollection/), open Access levels. If you are at a project level, choose the :::image type="icon" source="../../media/icons/project-icon.png" border="false"::: Azure DevOps logo and then choose Access levels.[!div class="mx-imgBorder"]
If you don't see Access levels, you aren't an administrator and don't have permission. Here's how to get permissions.
::: moniker-end
::: moniker range="tfs-2018"
From a user context, open Server Settings by choosing the :::image type="icon" source="../../boards/media/icons/gear_icon.png" border="false"::: gear icon. The tabs and pages available differ depending on which settings level you access.
-
From the web portal home page for a project (for example,
http://MyServer:8080/tfs/DefaultCollection/MyProject/), open Server settings.
::: moniker-end
::: moniker range="< azure-devops"
Changes you make to the access level settings take affect immediately. You can add or change the access level for a user or group through this interface.
::: moniker-end
::: moniker range=">= azure-devops-2019 < azure-devops"
-
Select the access level you want to manage.
For example, here we choose Basic, and then Add to add a group to Basic access.
[!div class="mx-imgBorder"]
-
Enter the name of the user or group into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the matches that meet your choice.
[!div class="mx-imgBorder"]
-
Choose Save changes.
::: moniker-end
::: moniker range="tfs-2018"
-
From Access levels, select the access level you want to manage. For example, here we choose Stakeholder, and then Add to add a group to Stakeholder access.
If you don't see Access levels, you aren't a TFS administrator and don't have permission. Here's how to get permissions.
-
Enter the name of the user or group into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the matches that meet your choice.
[!div class="mx-imgBorder"]
-
Choose Save changes.
::: moniker-end
::: moniker range="< azure-devops"
To change the access level for a user or group, first remove them from their existing access level, and then add them to the access level you want them to have.
-
Choose the user or group and then select Remove.
[!div class="mx-imgBorder"]
-
Add the user or group to the other access level following the steps provided in the previous section.
::: moniker-end
::: moniker range="< azure-devops"
Change the default access level to match the access you have licenses for. If you change the default access level to Stakeholder, all users not explicitly added to the Basic or an advanced level are limited to the features provided through Stakeholder access.
You set an access level from its page. Choose Set as default access level as shown.
::: moniker-end
::: moniker range=">= azure-devops-2019 < azure-devops"
[!div class="mx-imgBorder"]
::: moniker-end
::: moniker range="tfs-2018"
::: moniker-end
::: moniker range="< azure-devops"
Important
Service accounts are added to the default access level. If you set Stakeholder as the default access level, you must add the Azure DevOps service accounts to the Basic or an advanced access level group. ::: moniker-end
For details on the features available to each access level, see About access levels.