Security namespace and permission reference for Azure DevOps
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
This article describes the valid security namespaces, lists the associated permissions, and provides links to more information. Security namespaces store access control lists (ACLs) on tokens, determining the level of access various entities have to perform specific actions on specific resources. These entities include:
- Azure DevOps users
- Azure DevOps organization owners
- Members of Azure DevOps security groups
- Azure DevOps service accounts
- Azure DevOps service principals
Each family of resources, such as work items or Git repositories, is secured through a unique namespace. Each security namespace contains zero or more ACLs. An ACL includes a token, an inherit flag, and a set of zero or more access control entries (ACEs). Each ACE consists of an identity descriptor, an allowed permissions bitmask, and a denied permissions bitmask. Tokens are arbitrary strings representing resources in Azure DevOps.
Note
Namespaces and tokens are valid for all versions of Azure DevOps. Those listed here are valid for Azure DevOps 2019 and later versions. Namespaces are subject to change over time. To get the latest list of namespaces, exercise one of the command line tools or REST API. Some namespaces have been deprecated as listed in the Deprecated and read-only namespaces section later in this article. For more information, see Security namespaces query
Permission management tools
The recommended method for managing permissions is through the web portal. However, to set permissions that are unavailable through the portal or to manage granular permissions, use command line tools or the REST API:
- For Azure DevOps Services, use the
az devops security permission
commands. - For Azure DevOps Server, use the TFSSecurity commands.
- For Azure DevOps Git repositories, use the tf git permission command-line tool.
- For Team Foundation Version Control (TFVC) repositories, use the TFVC permission command-line tool.
For all Azure DevOps instances, you can also use the Security REST API.
Security namespaces and their IDs
Many security namespaces correspond to permissions you set through a Security or Permissions web portal page. Other namespaces or specific permissions aren't visible through the web portal and grant access by default to members of security groups or Azure DevOps service principals. These namespaces are grouped into the following categories based on how they're managed through the web portal:
- Object-level
- Project-level
- Organization or collection-level
- Server-level (on-premises only)
- Role-based
- Internal only
Hierarchy and tokens
A security namespace can be either hierarchical or flat. In a hierarchical namespace, tokens exist in a hierarchy where effective permissions are inherited from parent tokens to child tokens. In contrast, tokens in a flat namespace have no concept of a parent-child relationship between any two tokens.
Tokens in a hierarchical namespace either have a fixed length for each path part, or variable length. If the tokens have variable-length path parts, then a separator character is used to distinguish where one path part ends and another begins.
Security tokens are case-insensitive. Example of tokens for different namespaces are provided in the following sections.
Object-level namespaces and permissions
The following table describes the namespaces that manage object-level permissions. Most of these permissions are managed through the web portal page for each object. Permissions are set at the project level and inherited at the object level unless explicitly changed.
Namespace
Permissions
Description
Read
Edit
Delete
Execute
ManagePermissions
Manages Analytics views permissions at the project-level and object-level to read, edit, delete, and generate reports. You can manage these permissions for each analytics view from the user interface.
Token format for project level permissions: $/Shared/PROJECT_ID
Example: $/Shared/xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
ID: d34d3680-dfe5-4cc6-a949-7d9c68f73cba
Build
ViewBuilds
EditBuildQuality
RetainIndefinitely
DeleteBuilds
ManageBuildQualities
DestroyBuilds
UpdateBuildInformation
QueueBuilds
ManageBuildQueue
StopBuilds
ViewBuildDefinition
EditBuildDefinition
DeleteBuildDefinition
OverrideBuildCheckInValidation
AdministerBuildPermissions
Manages build permissions at the project-level and object-level.
Token format for project-level build permissions: PROJECT_ID
If you need to update permissions for a particular build definition ID, for example, 12, security token for that build definition looks like the following example:
Token format for project-level, specific build permissions: PROJECT_ID/12
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba/12
ID: 33344d9c-fc72-4d6f-aba5-fa317101a7e9
CSS
GENERIC_READ
GENERIC_WRITE
CREATE_CHILDREN
DELETE
WORK_ITEM_READ
WORK_ITEM_WRITE
MANAGE_TEST_PLANS
MANAGE_TEST_SUITES
Manages area path object-level permissions to create, edit, and delete child nodes and set permissions to view or edit work items in a node. For more information, see Set permissions and access for work tracking, Create child nodes, modify work items under an area path.
Token format example: POST https://dev.azure.com/{organization}/_apis/securitynamespaces/{namespaceId}/permissions?api-version=6.0 { "token": "vstfs:///Classification/Node/{area_node_id}", "permissions": { "allow": 1, "deny": 0 } }
ID: 83e28ad4-2d72-4ceb-97b0-c7726d5502c3
Read
Create
Edit
Delete
ManagePermissions
MaterializeDashboards
Manages dashboard object-level permissions to edit and delete dashboards and manage permissions for a project dashboard. You can manage these permissions through the dashboards user interface.
ID: 8adf73b7-389a-4276-b638-fe1653f7efc7
Administer
GenericRead
GenericContribute
ForcePush
CreateBranch
CreateTag
ManageNote
PolicyExempt
CreateRepository
DeleteRepository
RenameRepository
EditPolicies
RemoveOthersLocks
ManagePermissions
PullRequestContribute
PullRequestBypassPolicy
Manages Git repository permissions at the project-level and object-level. You can manage these permissions through the Project settings, Repositories administrative interface.
The Administer
permission was divided into several more granular permissions in 2017, and shouldn't be used.
Token format for project-level permissions: repoV2/PROJECT_ID
You need to append RepositoryID
to update repository-level permissions.
Token format for repository-specific permissions: repoV2/PROJECT_ID/REPO_ID
Token format for branch-level permissions is described in Git repo tokens for the security service.
ID: 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87
Iteration
GENERIC_READ
GENERIC_WRITE
CREATE_CHILDREN
DELETE
Manages iteration path object-level permissions to create, edit, and delete child nodes and view child node permissions. To manage through the web portal, see Set permissions and access for work tracking, Create child nodes.
Token format: 'vstfs:///Classification/Node/Iteration_Identifier/'
Suppose, you have the following iterations configured for your team.
– ProjectIteration1
TeamIteration1
– TeamIteration1ChildIteration1
– TeamIteration1ChildIteration2
– TeamIteration1ChildIteration3
TeamIteration2
– TeamIteration2ChildIteration1
– TeamIteration2ChildIteration2
To update permissions for ProjectIteration1\TeamIteration1\TeamIteration1ChildIteration1
, the security token looks like the following example:
vstfs:///Classification/Node/ProjectIteration1_Identifier:vstfs:///Classification/Node/TeamIteration1_Identifier:vstfs:///Classification/Node/TeamIteration1ChildIteration1_Identifier
ID: bf7bfa03-b2b7-47db-8113-fa2e002cc5b1
MetaTask
Administer
Edit
Delete
Manages task group permissions to edit and delete task groups, and administer task group permissions. To manage through the web portal, see Pipeline permissions and security roles, Task group permissions.
Token format for project-level permissions: PROJECT_ID
Token format for metaTask-level permissions: PROJECT_ID/METATASK_ID
If MetaTask has parentTaskId, then the Security token looks like the following example:
Token Format: PROJECT_ID/PARENT_TASK_ID/METATASK_ID
ID: f6a4de49-dbe2-4704-86dc-f8ec1a294436
Plan
View
Edit
Delete
Manage
Manages permissions for Delivery Plans to view, edit, delete, and manage delivery plans. You can manage these permissions through the web portal for each plan.
ID: bed337f8-e5f3-4fb9-80da-81e17d06e7a8
ReleaseManagement
ViewReleaseDefinition
EditReleaseDefinition
DeleteReleaseDefinition
ManageReleaseApprovers
ManageReleases
ViewReleases
CreateReleases
EditReleaseEnvironment
DeleteReleaseEnvironment
AdministerReleasePermissions
DeleteReleases
ManageDeployments
ManageReleaseSettings
ManageTaskHubExtension
Manages release definition permissions at the project and object-level.
Token format for project-level permissions: PROJECT_ID
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
If you need to update permissions for a particular release definition ID, for example, 12, security token for that release definition looks as follows:
Token format for specific release definition permissions: PROJECT_ID/12
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba/12
If the release definition ID lives in a folder, then the security tokens look as follows:
Token format: PROJECT_ID/{folderName}/12
For stages, tokens look like: PROJECT_ID/{folderName}/{DefinitionId}/Environment/{EnvironmentId}
.
ID: c788c23e-1b46-4162-8f5e-d7585343b5de
WorkItemQueryFolders
Read
Contribute
Delete
ManagePermissions
FullControl
RecordQueryExecutionInfo
Manages permissions for work item queries and query folders. To manage these permissions through the web portal, see Set permissions on queries or query folders.
Token format example: POST https://dev.azure.com/{organization}/_apis/securitynamespaces/{namespaceId}/permissions?api-version=6.0 { "token": "/{project_id}/{shared_queries_id}", "permissions": { "allow": 1, "deny": 0 } }
.
ID: 71356614-aad7-4757-8f2c-0fb3bff6f680
Project-level namespaces and permissions
The following table describes the namespaces that manage project-level permissions. Most of the listed permissions are managed through the web portal admin context. Project Administrators are granted all project-level permissions, while other project-level groups have specific permission assignments.
Namespace
Permissions
Description
Project
GENERIC_READ
GENERIC_WRITE
DELETE
PUBLISH_TEST_RESULTS
ADMINISTER_BUILD
START_BUILD
EDIT_BUILD_STATUS
UPDATE_BUILD
DELETE_TEST_RESULTS
VIEW_TEST_RESULTS
MANAGE_TEST_ENVIRONMENTS
MANAGE_TEST_CONFIGURATIONS
WORK_ITEM_DELETE
WORK_ITEM_MOVE
WORK_ITEM_PERMANENTLY_DELETE
RENAME
MANAGE_PROPERTIES
MANAGE_SYSTEM_PROPERTIES
BYPASS_PROPERTY_CACHE
BYPASS_RULES
SUPPRESS_NOTIFICATIONS
UPDATE_VISIBILITY
CHANGE_PROCESS
AGILETOOLS_BACKLOG
AGILETOOLS_PLANS
Manages Project-level permissions.
The AGILETOOLS_BACKLOG
permission manages access to Azure Boards backlogs. This setting is an internal permission setting and shouldn't be changed.
Root token format: $PROJECT
Token to secure permissions for each project in your organization.
$PROJECT:vstfs:///Classification/TeamProject/PROJECT_ID
.
Assume you have a project named Test Project 1
.
You can get the project ID for this project by using the az devops project show
command.
az devops project show --project "Test Project 1"
The command returns a project-id, for example, xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
.
Therefore, the token to secure project-related permissions for Test Project 1
is:
'$PROJECT:vstfs:///Classification/TeamProject/xxxxxxxx-a1de-4bc8-b751-188eea17c3ba'
ID: 52d39943-cb85-4d7f-8fa8-c6baac873819
Enumerate
Create
Update
Delete
Manages permissions to create, delete, enumerate, and use work item tags. You can manage the Create tag definition permission through the permissions administrative interface.
Token format for project-level permissions: /PROJECT_ID
Example: /xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
ID: bb50f182-8e5e-40b8-bc21-e8752a1e7ae2
VersionControlItems
Read
PendChange
Checkin
Label
Lock
ReviseOther
UnlockOther
UndoOther
LabelOther
AdminProjectRights
CheckinOther
Merge
ManageBranch
Manages permissions for a Team Foundation Version Control (TFVC) repository. There's only one TFVC repository for a project. You can manage these permissions through the repositories administrative interface.
ID: a39371cf-0841-4c16-bbd3-276e341bc052
Organization-level namespaces and permissions
The following table describes the namespaces that manage organization-level permissions. Most of the listed permissions are managed through the web portal Organization settings context. The Organization owner and members of the Project Collection Administrators group are granted most of these permissions. For more information, see Change project collection-level permissions.
Collection-level namespaces and permissions
The following table describes the namespaces that manage organization-level permissions. Most of the listed permissions are managed through the web portal Collection settings context. Members of the Project Collection Administrators group are granted most of these permissions. For more information, see Change project collection-level permissions.
Namespace
Permissions
Description
AuditLog
Read
Write
Manage_Streams
Delete_Streams
Manages auditing permissions to read or write to the audit log and manage or delete audit streams.
Token format: /AllPermissions
ID: a6cc6381-a1ca-4b36-b3c1-4e65211e82b6
BuildAdministration
ViewBuildResources
ManageBuildResources
UseBuildResources
AdministerBuildResourcePermissions
ManagePipelinePolicies
Manages access to view, manage, use, or administer permissions for build resources.
ID: 302acaca-b667-436d-a946-87133492041c
Collection
GENERIC_READ
GENERIC_WRITE
CREATE_PROJECTS
TRIGGER_EVENT
MANAGE_TEMPLATE
DIAGNOSTIC_TRACE
SYNCHRONIZE_READ
MANAGE_TEST_CONTROLLERS
DELETE_FIELD
MANAGE_ENTERPRISE_POLICIES
Manages permissions at the organization or collection-level.
ID: 3e65f728-f8bc-4ecd-8764-7e378b19bfa7
Process
Edit
Delete
Create
AdministerProcessPermissions
ReadProcessPermissions
Manages permissions to create, delete, and administer processes.
ID: 2dab47f9-bd70-49ed-9bd5-8eb051e59c02
Workspaces
Read
Use
Checkin
Administer
Manages permissions for administering shelved changes, workspaces, and the ability to create a workspace at the organization or collection level. The Workspaces namespace applies to the TFVC repository.
Root token format: /
Token format for a specific workspace: /{workspace_name};{owner_id}
ID: 93bafc04-9075-403a-9367-b7164eac6b5c
VersionControlPrivileges
CreateWorkspace
AdminWorkspaces
AdminShelvesets
AdminConnections
AdminConfiguration
Manages permissions for Team Foundation Version Control (TFVC) repository.
The
AdminConfiguration
permission grants users the ability to edit server-level permissions for users and groups. TheAdminConnections
permission grants users the ability to read the contents of a file or folder of an on-premises, server-level repository.
ID: 66312704-deb5-43f9-b51c-ab4ff5e351c3
Server-level namespaces and permissions
The following table describes those security namespaces and permissions defined for on-premises instances of Azure DevOps Server. You can manage these permissions, which are granted to members of the Team Foundation Administrators group, through the Azure DevOps Server administration console. For descriptions of these permissions, see Permissions and groups, Server-level permissions.
Namespace
Permissions
Description
CollectionManagement
CreateCollection
DeleteCollection
Manages permissions set at the server-level to create and delete project collections.
ID: 52d39943-cb85-4d7f-8fa8-c6baac873819
Server
GenericRead
GenericWrite
Impersonate
TriggerEvent
Manages permissions set at the server-level. Includes permissions to edit instance-level information, make requests on behalf of others, and trigger events.
ID: 1f4179b3-6bac-4d01-b421-71ea09171400
Warehouse
Administer
Grants permission to process or change settings for the data warehouse or SQL Server Analysis cube by using the Warehouse Control Web Service.
ID: b8fbab8b-69c8-4cd9-98b5-873656788efb
Role-based namespaces and permissions
The following table describes the security namespaces and permissions used to manage role-based security. You can manage role assignments through the web portal for pipeline resources as described Pipeline permissions and security roles.
Namespace
Permissions
Description
DistributedTask
View
Manage
Listen
AdministerPermissions
Use
Create
Manages permissions to access agent pool resources. By default, the following roles and permissions are assigned at the project level and inherited for each agent pool that is created:
- Reader role (
View
permissions only) to all members of the Project Valid Users group - Administrator role (all permissions) to members of the Build Administrators, Project Administrators, and Release Administrators groups.
- User role (
View
,Use
, andCreate
permissions) to all members of the Contributor group - Creator role (
View
,Use
, andCreate
permissions) to all members of the Contributor group
ID:101eae8c-1709-47f9-b228-0e476c35b3ba
Environment
View
Manage
ManageHistory
Administer
Use
Create
Manages permissions to create and manage Environments. By default, the following permissions are assigned:
- Reader role (
View
permissions only) to all members of the Project Valid Users group - Creator role (
View
,Use
, andCreate
permissions) to all members of the Contributor group - Creator role (
View
,Use
, andCreate
permissions) to all members of the Project Administrators group - Administrator role (all permissions) to the user who created a specific Environment.
ID:83d4c2e6-e57d-4d6e-892b-b87222b7ad20
ExtensionManagement
ViewExtensions
ManageExtensions
ManageSecurity
The Manager role is the only role used to manage the security of Marketplace extensions. Members of the Manager role can install extensions and respond to requests for extensions to be installed. The other permissions are assigned automatically to members of default security groups and service principals. To add users to the Manager role, see Manage extension permissions.
ID: 5d6d7b80-3c63-4ab0-b699-b6a5910f8029
Library
View
Administer
Create
ViewSecrets
Use
Owner
Manages permissions to create and manage library items, which include secure files and variable groups. Role memberships for individual items are automatically inherited from the Library. By default, the following permissions are assigned:
- Reader role (
View
permissions only) to all members of the Project Valid Users group and the Project Collection Build Service account - Creator role (
View
,Use
, andCreate
permissions) to all members of the Contributors group - Creator role (
View
,Use
,Create
, andOwner
permissions) to the member who created the library item - Administrator role (all permissions) to members of the Build Administrators, Project Administrators, and Release Administrators groups.
For more information, see Library asset security roles.
ID:b7e84409-6553-448a-bbb2-af228e07cbeb
ServiceEndpoints
Use
Administer
Create
ViewAuthorization
ViewEndpoint
Manages permissions to create and manage service connections. Role memberships for individual items are automatically inherited from the project-level roles. By default, the following roles are assigned:
- Reader role (
View
permissions only) to all members of the Project Valid Users group and the Project Collection Build Service account - Creator role (
View
,Use
, andCreate
permissions) to members of the Endpoint Creators service security group. - Administrator role (all permissions) to members of the Endpoint Administrators service security group.
Roles are assigned through Service connection security roles.
ID:49b48001-ca20-4adc-8111-5b60c903a50c
Internal namespaces and permissions
The following table describes the security namespaces and permissions that aren't surfaced through the web portal. They're primarily used to grant access to members of default security groups or to internal resources. We strongly recommend that you don't alter these permission settings in any way.
Namespace
Permissions
Description
AccountAdminSecurity
Read
Create
Modify
Manages permissions to read or modify the organization account owner. These permissions are assigned to the organization owner and members of the Project Collection Administrator group.
ID: 11238e09-49f2-40c7-94d0-8f0307204ce4
Analytics
Read
Administer
Stage
ExecuteUnrestrictedQuery
ReadEuii
Manages permissions to read, administer permissions, and execute queries against the Analytics service.
Token format for project-level permissions: $/PROJECT_ID
Example: $/xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
ID: 58450c49-b02d-465a-ab12-59ae512d6531
BlobStoreBlobPrivileges
Read
Delete
Create
SecurityAdmin
Sets permissions to read, delete, create, and manage the security of the data store. These permissions are assigned to several Azure DevOps service principals.
ID: 19F9F97D-7CB7-45F7-8160-DD308A6BD48E
Boards
View
Create
ChangeMetadata
MoveCard
Delete
Manage
Manages permissions and access to boards.
ID: 251e12d9-bea3-43a8-bfdb-901b98c0125e
BoardsExternalIntegration
Read
Write
Manages read/write permissions of external integrations with Azure Boards.
ID: 5ab15bc8-4ea1-d0f3-8344-cab8fe976877
Chat
ReadChatRoomMetadata
UpdateChatRoomMetadata
CreateChatRoom
CloseChatRoom
DeleteChatRoom
AddRemoveChatRoomMember
ReadChatRoomMessage
WriteChatRoomMessage
UpdateChatRoomMessage
DeleteChatRoomMessage
ReadChatRoomTranscript
ManageChatPermissions
Manages permissions for chat services integrated with Azure DevOps, such as Slack and Microsoft Teams. For more information, see Azure Boards with Slack, Azure Boards with Microsoft Teams, Azure Pipelines with Slack, Azure Pipelines with Microsoft Teams, Azure Repos with Slack, and Azure Repos with Microsoft Teams.
ID: bc295513-b1a2-4663-8d1a-7017fd760d18
Discussion Threads
Administer
GenericRead
GenericContribute
Moderate
Manages permissions to view, manage, moderate, and contribute to code review discussions setup for Azure Pipelines.
ID: 0d140cae-8ac1-4f48-b6d1-c93ce0301a12
EventPublish
Read
Write
Grants read and write access for notification handler.
ID: 7cd317f2-adc6-4b6c-8d99-6074faeaf173
EventSubscriber
GENERIC_READ
GENERIC_WRITE
Grants read and write access for notification subscribers.
ID: 2bf24a2b-70ba-43d3-ad97-3d9e1f75622f
EventSubscription
GENERIC_READ
GENERIC_WRITE
UNSUBSCRIBE
CREATE_SOAP_SUBSCRIPTION
Manages member permissions to view, edit, and unsubscribe from notifications or create a SOAP subscription.
ID: 58b176e7-3411-457a-89d0-c6d0ccb3c52b
Identity
Read
Write
Delete
ManageMembership
CreateScope
RestoreScope
Manages permissions to read, write, and delete user account identity information; manage group membership and create and restore identity scopes. The ManageMembership
permission is automatically granted to members of the Project Administrators and Project Collection Administrators groups.
Token format for project-level permissions: PROJECT_ID
Example: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba
To modify group level permissions for Group Origin ID [2b087996-2e64-4cc1-a1dc-1ccd5e7eb95b]:
Token: xxxxxxxx-a1de-4bc8-b751-188eea17c3ba\2b087996-2e64-4cc1-a1dc-1ccd5e7eb95b
ID: 5a27515b-ccd7-42c9-84f1-54c998f03866
Licensing
Read
Create
Modify
Delete
Assign
Revoke
Manages the ability to view, add, modify, and remove license levels. These permissions are automatically granted to members of the Project Collection Administrators groups.
ID: 453e2db3-2e81-474f-874d-3bf51027f2ee
PermissionLevel
Read
Create
Update
Delete
Manages the ability to create and download permission reports.
ID: 25fb0ed7-eb8f-42b8-9a5e-836a25f67e37
OrganizationLevelData
Project-Scoped Users
Applies a system-level deny permission on the namespace, which supports the Project-Scoped User Group. Members of the group receive limited visibility to organization-level data. For more information, see Manage your organization, Limit user visibility for projects and more.
ID: F0003BCE-5F45-4F93-A25D-90FC33FE3AA9
PipelineCachePrivileges
Read
Write
Manages permissions to read and write pipeline cache entries. These permissions are only assigned to internal Azure DevOps service principles.
ID: 62a7ad6b-8b8d-426b-ba10-76a7090e94d5
ReleaseManagement
ViewTaskEditor
ViewCDWorkflowEditor
ExportReleaseDefinition
ViewLegacyUI
DeploymentSummaryAcrossProjects
ViewExternalArtifactCommitsAndWorkItems
Manages access to Release Management user interface elements.
ID: 7c7d32f7-0e86-4cd6-892e-b35dbba870bd
SearchSecurity
ReadMembers
ReadAnonymous
This security namespace is used to know if a user is valid or anonymous/public.
ID: ca535e7e-67ce-457f-93fe-6e53aa4e4160
ServiceHooks
ViewSubscriptions
EditSubscriptions
DeleteSubscriptions
PublishEvents
Manages permissions to view, edit, and delete service hook subscriptions and publish service hook events. These permissions are automatically assigned to members of the Project Collection Administrators group. DeleteSubscriptions
is no longer used; EditSubscriptions
can delete service hooks.
ID: cb594ebe-87dd-4fc9-ac2c-6a10a4c92046
UtilizationPermissions
QueryUsageSummary
Manages permissions to query usage. By default, all members of the Project Collection Administrators groups and users granted Stakeholder access are granted permission to query usage summary for everyone. For more information, see Rate limits.
Token format: /
ID: 83abde3a-4593-424e-b45f-9898af99034d
WorkItemTrackingAdministration
ManagePermissions
DestroyAttachments
Manages permissions for administrating work tracking and destroying attachments.
ID: 445d2788-c5fb-4132-bbef-09c4045ad93f
WorkItemTrackingProvision
Administer
ManageLinkTypes
Manages permissions for changing work tracking processes and managing link types. The WorkItemTrackingProvision namespace is an older security namespace that is mostly used for earlier on-premises versions. The Process namespace replaces this namespace for managing processes in Azure DevOps Server 2019 and later versions.
Root token format: /$
Token format for a specific project: $/PROJECT_ID
ID: 5a6cd233-6615-414d-9393-48dbb252bd23
Deprecated and read-only namespaces
The following namespaces are either deprecated or read-only. You shouldn't use them.
CrossProjectWidgetView
DataProvider
Favorites
Graph
Identity2
IdentityPicker
Job
Location
ProjectAnalysisLanguageMetrics
Proxy
Publish
Registry
Security
ServicingOrchestration
SettingEntries
Social
StrongBox
TeamLabSecurity
TestManagement
VersionControlItems2
ViewActivityPaneSecurity
WebPlatform
WorkItemsHub
WorkItemTracking
WorkItemTrackingConfiguration