Is there a way to use tf.exe to set git permissions on multiple repositories in Azure Repos?

Question

I have recently migrated to Azure DevOps from Teamcity, yesterday i migrated around 60 repositories.

I set some permissions on our core project repository using tf.exe and this command

tf git permission /deny:CreateBranch 
              /group:[FabrikamProject]\Contributors 
              /collection:https://dev.azure.com/fabrikam-fiber/ 
              /teamproject:FabrikamProject 
              /repository:FabrikamRepo

I ideally need to apply the same permissions to the other repositories.

I am wondering if there is a way to use tf.exe to accept wildcards for the repository param such as:

/repository:* - this does not work

I really do not want to go through them manually, but will have to otherwise.

Answer 1

I don't know if the wildcard work, but you can iterate the repositories and run the command with a small PowerShell script (using the Rest API):

$reposJson = Invoke-RestMethod -Method Get -Uri https://dev.azure.com/{organization}/{project}/_apis/git/repositories?api-version=5.0-preview.1 -ContentType application/json

$repos = $reposJson | ConvertFrom-Json

$tfExe = "path/to/exe"

$repos.value.ForEach({

& $txExe git permission /deny:CreateBranch /group:[FabrikamProject]\Contributors /collection:{collection} /teamproject:{project} /repository:$_.name

})

You just need to authenticate, you can use -Credential {email} (in the Invoke-RestMethod ) and a window will prompt to put a password or use PAT in this way:

$personalAccessToken = "your-personal-access-token-here"
$header = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$($personalAccessToken)"))}

And add -Headers $header in the Invoke-RestMethod .

Answer 2

Instead of /repository:* you just remove this parameter to get desired behavior.

The documentation doesn't say so explicitly, but to set project-level permissions ( all existing and new repositories ), you should avoid specifying a particular repository. I have tried it and it works.

So tf code looks like this:

tf git permission /deny:CreateBranch 
              /group:[FabrikamProject]\Contributors 
              /collection:https://dev.azure.com/fabrikam-fiber/ 
              /teamproject:FabrikamProject 
              #You should remove this => /repository:FabrikamRepo

The documentation shows an example of how to get project-level permission information. Other examples refer to repository level permission settings and the relevant difference is that the /repository parameter is specified.

https://docs.microsoft.com/en-us/azure/devops/repos/tfvc/git-permission-command?view=azure-devops#view-project-level-permissions