如何在 Azure Devops 中解决此特定场景的权限？

Question

We want to manage vendors(external users) within ADO. What we want is that the vendors should have customised permissions and have only access to the projects they are added to. SO I believe we cannot use AAD groups as there is no point in making AAD group for each project.

The structure we have is that there is one Organisation and all the projects will be under that ORG. For internal users they should be able to see all the projects and view everything that is happening on all of those projects. The idea behind that is if someone wants to re-use that is already done in some other project, they can do it so that it saves time as they don't have to re-invent the wheel. To resolve this I have created AAD group and added all the internal users to it. Now this AAD group will be linked to ADO security group. That was easy but I am unable to resolve a problem where vendors should have restricted permissions to only projects they are working on.

Now, if I create an ADO security group for each project with customise permissions and add vendors to that group but it may be overwritten by a Project admin when he creates a team's group, add vendors to that teams group and add that teams to the member of Contributor group. They will inherit all the powers of the contributors group which eventually will give them more permissions that what we want to give them.

What is the best approach to resolve this scenario?

Answer 1

Provide Stakeholder access to the AAD group which you created for external users. Stakeholder doesn't give you full permissions. So you can limit the access to external users