Azure/devops-governance

Fix overlapping roles in AzureDevOps that lead to unexpected permissions

julie-ng opened this issue · 1 comment

Problem

There is a bug in the concept as it currently exists. As of today we rely on 2 AAD groups for actors, e.g. for the "Veggies" team, we have:

AAD group name     Membership
veggies            All developers in the team
veggies-admins     A subset of users who have elevated permissions

Expected Result

The veggie admins have elevated privileges, e.g. Administrator Access even if they have overlapping role assignments (due to membership in multiple groups).

Actual Result

  • As expected: for Azure Resource Manager, veggies-admins will have administrative permissions due to ARM's additive permissions model

  • Unexpectedly: in Azure DevOps, veggies-admins will only have Contributor access because Azure DevOps uses a least-permissions model, as this doc describes:

    User accounts that are assigned to more than one security group are restricted to those permissions granting the least access.

Solution

To get the expected behavior, we need to have three AAD groups per domain, for example:

  • veggies-all
  • veggies-dev
  • veggies-admin

In this way, we can avoid overlapping role assignments that result in unexpected behavior in Azure DevOps.

Tasks

  • Terraform: create 3 AAD groups per domain
  • Terraform: update assignments, paying extra attention to "supermarket" collaboration scenario
  • Concept: update text

Closed by PR #13
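A worked version of the three-group layout from the Solution section, as an added example (not the repository's own Terraform). It assumes the azuread and azuredevops providers are already configured, that var.project_id names an existing Azure DevOps project, that user object IDs arrive through variables, and that linking an AAD group into Azure DevOps through azuredevops_group.origin_id behaves as the provider documents it; the group names and variable names are illustrative.

```hcl
# Added example, not code from the Azure/devops-governance repository.
# Assumptions: azuread and azuredevops providers are configured, var.project_id
# is an existing Azure DevOps project ID, user object IDs come from variables,
# and azuredevops_group.origin_id links an AAD group as the provider documents.

variable "project_id" {
  type = string
}

variable "veggies_devs" {
  description = "AAD object IDs of regular developers"
  type        = set(string)
}

variable "veggies_admins" {
  description = "AAD object IDs of users with elevated permissions"
  type        = set(string)
}

locals {
  domain = "veggies"
  # -all is derived from the other two, so it cannot drift out of sync.
  groups = {
    all   = setunion(var.veggies_devs, var.veggies_admins)
    dev   = var.veggies_devs
    admin = var.veggies_admins
  }
}

resource "azuread_group" "domain" {
  for_each         = local.groups
  display_name     = "${local.domain}-${each.key}"
  security_enabled = true
  members          = each.value

  lifecycle {
    # dev and admin must be disjoint; any overlap reintroduces the bug
    # described in the issue (an admin demoted to Contributor).
    precondition {
      condition     = length(setintersection(var.veggies_devs, var.veggies_admins)) == 0
      error_message = "A user must be in the dev group or the admin group, never both."
    }
  }
}

# Only the two disjoint groups are mirrored into Azure DevOps. The -all
# group is kept for additive-model targets (ARM) and gets no Azure DevOps role.
resource "azuredevops_group" "domain" {
  for_each  = toset(["dev", "admin"])
  scope     = var.project_id
  origin_id = azuread_group.domain[each.key].object_id
}

data "azuredevops_group" "contributors" {
  project_id = var.project_id
  name       = "Contributors"
}

data "azuredevops_group" "project_administrators" {
  project_id = var.project_id
  name       = "Project Administrators"
}

# Exactly one Azure DevOps role per AAD group. Because dev and admin are
# disjoint, no user resolves to two roles, so the least-access rule never
# applies to an admin.
resource "azuredevops_group_membership" "contributors" {
  group   = data.azuredevops_group.contributors.descriptor
  members = [azuredevops_group.domain["dev"].descriptor]
}

resource "azuredevops_group_membership" "project_administrators" {
  group   = data.azuredevops_group.project_administrators.descriptor
  members = [azuredevops_group.domain["admin"].descriptor]
}
```

The precondition is the check worth keeping even if the rest is adapted: with the two-group design, a developer promoted to veggies-admins silently stayed in veggies too, and Azure DevOps resolved the lower of the two roles. Here an overlapping membership fails `terraform plan` instead of producing a quietly under-privileged admin, and veggies-all is deliberately never bound to an Azure DevOps group, so the additive ARM assignments and the least-access Azure DevOps assignments never share a group.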