Provide non-admin users with read-only access to Service Endpoints in VSTS

Published on
Reading time
Authors

I am currently transitioning some work to another team in our business. Part of this transition has been to pre-configure various Service Endpoints in Visual Studio Team Services (VSTS) to provide a way for the new team to deploy into target Azure environments without the team necessarily having direct or privileged access into those Azure environments.

In this post I am going to look at how you can grant users access to these Service Endpoints without them being able to modify them. This post will also be useful if you've configured Service Endpoints (as an admin) and then others on the team (who are non-admins) are unable to see them.

Note that this advice applies to any Service Endpoint - not just Azure!

By default only users who are members of the following groups can see Service Endpoints:

  • Project Admins
  • Endpoint Admins
  • Endpoint Creators

It's unlikely that you want all your team members to hold these roles, so let's see how we can grant rights to use Service Endpoints without being an admin!

We're going to complete this task with an existing Service Endpoint, but you should hopefully see how you can do this at the same time you setup a new Endpoint in future.

Open up your Team Project and in the top navigation mouse over the settings (cog) icon and from the context menu click "Services".

Service Endpoints

Once the Endpoints page has loaded, select the Endpoint you wish to allow non-admin users to see.

Selected Endpoint

Now click on 'Roles' to display the currently assigned users and groups and their permissions (the current list will only contain users or groups at an 'Administrators' level).

Roles Screen

Now we're in the right place to add our additional read-only users or groups!

Click on the '+ Add' button and the Add user dialog is displayed. Ensure that the 'Role' is set to 'User' and then find the User or Group you want to assign this right to. In our demo below we are allowing the current project's Contributors group to use Endpoints.

Add user dialog

Once you click the 'Add' button the user or group will be granted read-only rights to the Endpoint. This will allow them to find or use the Endpoint in Build or Release Management Definitions (like below).

Release Definition

Happy (secured) days! 😎