# Required permissions

#### Required permissions for Azure DevOps and Azure DevOps Server specify the access levels GitProtect needs to securely back up and restore your data.

***

## Permissions for Azure DevOps

### <mark style="background-color:blue;">User access levels</mark>

The account used for integration must have an appropriate access level assigned within **Azure DevOps**:

* **Basic**
* **Visual Studio Subscriber** — professional or enterprise tier.
* **GitHub Enterprise** — similar to basic.
* **Stakeholder** (not recommended) — this level has limited access and cannot properly protect repositories.

{% hint style="warning" %}
**GitProtect** can only protect projects that the integrated user account has explicit access to.
{% endhint %}

### <mark style="background-color:blue;">OAuth integration</mark>

{% hint style="danger" %}
**GitProtect** supports only organizational accounts (**Microsoft Entra ID**) — **personal accounts are not supported**. For personal (Microsoft) accounts, use a PAT instead.
{% endhint %}

To integrate **Azure DevOps** with **GitProtect** using **OAuth**, make sure the account is allowed to grant consent to the application. Depending on your tenant's user consent settings (see **Installation permissions for OAuth** below), this may require the **Application Administrator** or **Global Administrator** role. Otherwise, authorization may fail with permission errors, or the approval button may be inactive.

When integrating **Azure DevOps** via **OAuth**, the following scopes are required:

* [x] Build: <mark style="color:$success;">**read and execute**</mark> (vso.build\_execute)
* [x] Code: <mark style="color:$success;">**read, write and manage**</mark> (vso.code\_manage)
* [x] Environment: <mark style="color:$success;">**read and manage**</mark> (vso.environment\_manage)
* [x] Projects and Teams: <mark style="color:$success;">**read, write and manage**</mark> (vso.project\_manage)
* [x] Variable Groups: <mark style="color:$success;">**read and create**</mark> (vso.variablegroups\_write)
* [x] Wiki: <mark style="color:$success;">**read and write**</mark> (vso.wiki\_write)
* [x] Work Items: <mark style="color:$success;">**read and write**</mark> (vso.work\_write)
* [x] Packaging: <mark style="color:$success;">**read, write and manage**</mark> (vso.packaging\_manage)
* [x] Artifacts: user\_impersonation
* [x] Login and read the profile

### <mark style="background-color:blue;">Installation permissions for OAuth</mark>

The ability to authorize the **GitProtect** **OAuth** application depends on your tenant's **User consent settings** in **Microsoft Entra ID** (the identity provider behind **Azure DevOps** organizational accounts). The following options are available:

<table><thead><tr><th width="242">Consent policy</th><th width="500">Authorization requirement</th></tr></thead><tbody><tr><td>Allow user consent for apps from verified publishers, for selected permissions</td><td>Any user can authorize the app, provided that the publisher is verified and all requested permissions are classified as low impact by your administrator.</td></tr><tr><td>Do not allow user consent</td><td>Only users with the <strong>Application Administrator</strong> or <strong>Global Administrator</strong> role can authorize the integration.</td></tr><tr><td>Let Microsoft manage your consent settings (Recommended)</td><td>Authorization is subject to <strong>Microsoft's</strong> current security guidelines. While this currently allows for <strong>GitProtect</strong> integration, availability may change based on <strong>Microsoft's</strong> evolving policies.</td></tr></tbody></table>

<figure><img src="https://696332517-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtsE6XtJyUIEKVdSxPlS3%2Fuploads%2FDxJ8nYbOl5twJVGVM3IH%2FADO%20OAuth%20consent.png?alt=media&#x26;token=e822e89e-2e62-4c19-be1a-97fe0647c322" alt=""><figcaption></figcaption></figure>

### <mark style="background-color:blue;">Personal Access Token (PAT) integration</mark>

#### Prerequisites:

* [x] **Organization** — when generating PAT, you **must enable** the **All accessible organizations** value in the **Organization** field.

#### Required scopes:

* [x] Build: <mark style="color:$success;">**read and execute**</mark>
* [x] Code: <mark style="color:$success;">**read, write and manage**</mark>
* [x] Environment: <mark style="color:$success;">**read and manage**</mark>
* [x] Project and Team: <mark style="color:$success;">**read, write and manage**</mark>
* [x] Variable Groups: <mark style="color:$success;">**read and create**</mark>
* [x] Wiki: <mark style="color:$success;">**read and write**</mark>
* [x] Work Items: <mark style="color:$success;">**read and write**</mark>
* [x] Packaging: <mark style="color:$success;">**read, write and manage**</mark>

{% hint style="danger" %}
When performing a backup with minimal permissions, some metadata might be excluded. To ensure complete protection, select the permissions based on your data protection needs. Note that with read-only permissions, backups can be made, **but restoring requires a new token or password with write access**.
{% endhint %}

### <mark style="background-color:blue;">Granular permission settings</mark>

To ensure both backup and restore operations succeed, the following permissions are required:

1. **Organization level:**
   1. **General:**
      1. Create new projects (restore)
   2. **Boards:**
      1. Create process (restore)
      2. Edit process (restore)
2. **Project level:**
   1. **General:**
      1. View project-level information (backup)
3. **Repositories level:**
   1. Create branch (restore)
   2. Create repository (restore)
   3. Read (backup)
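Before handing a token to a backup service it is worth confirming what the integration account can actually see and do, since **GitProtect** only protects projects the account has access to, and a read-only account will back up but not restore. The script below is an added pre-flight check, not **GitProtect** code. It uses two public Azure DevOps REST endpoints (Projects - List and Security - Has Permissions) to report, for every project visible to the account behind a PAT, which of the project-level and repository-level permissions listed above are missing for backup and for restore. The security namespace IDs and permission bits are taken from Microsoft's security namespace reference and are assumed to match your Azure DevOps version; the organization-level permissions (Create new projects, Create/Edit process) are not checked here. The `Payments` project and its permissions in `sample_fetch` are constructed so the script runs offline.

```python
"""Pre-flight check of an Azure DevOps integration account's effective permissions.

Added example, not GitProtect code. Reports, per project, whether the PAT's
identity holds the permissions this page lists for backup and restore.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

API = "api-version=7.1"

# Security namespace IDs and permission bits from Microsoft's
# "Security namespaces and permission reference" (assumed; verify against
# your Azure DevOps / Azure DevOps Server version).
GIT_NS = "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"      # Git Repositories namespace
PROJECT_NS = "52d39943-cb85-4d7f-8fa8-c6baac873819"  # Project namespace

# (namespace, bit, label, needed for) -- mirrors the granular permission list.
REQUIRED = [
    (PROJECT_NS, 1,   "View project-level information", "backup"),
    (GIT_NS,     2,   "Read",                            "backup"),
    (GIT_NS,     16,  "Create branch",                   "restore"),
    (GIT_NS,     256, "Create repository",               "restore"),
]

Fetch = Callable[[str], dict]


def pat_auth_header(pat: str) -> str:
    """Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def urllib_fetch(pat: str) -> Fetch:
    """Real fetcher: GET a URL with PAT auth and return the parsed JSON body."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": pat_auth_header(pat)})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def security_token(namespace: str, project_id: str) -> str:
    """Project-scoped security token for each namespace (what the ACLs are keyed on)."""
    if namespace == PROJECT_NS:
        return f"$PROJECT:vstfs:///Classification/TeamProject/{project_id}"
    return f"repoV2/{project_id}"  # project-level Git permissions, e.g. Create repository


def has_permission(org: str, namespace: str, bit: int, token: str, fetch: Fetch) -> bool:
    """Security - Has Permissions: does the *calling* identity hold `bit` on `token`?"""
    url = (f"https://dev.azure.com/{org}/_apis/permissions/{namespace}/{bit}"
           f"?tokens={urllib.parse.quote(token, safe='')}"
           f"&alwaysAllowAdministrators=false&{API}")
    return bool(fetch(url)["value"][0])


def check_projects(org: str, fetch: Fetch) -> Dict[str, dict]:
    """For every project the account can list, report missing backup/restore permissions."""
    projects = fetch(f"https://dev.azure.com/{org}/_apis/projects?{API}")["value"]
    report: Dict[str, dict] = {}
    for proj in projects:
        missing = {"backup": [], "restore": []}
        for ns, bit, label, stage in REQUIRED:
            if not has_permission(org, ns, bit, security_token(ns, proj["id"]), fetch):
                missing[stage].append(label)
        report[proj["name"]] = {
            "backup_ready": not missing["backup"],
            "restore_ready": not missing["backup"] and not missing["restore"],
            "missing": missing,
        }
    return report


# --- constructed offline sample: one visible project, read-only account ----
_SAMPLE_PROJECT_ID = "11111111-2222-3333-4444-555555555555"


def sample_fetch(url: str) -> dict:
    """Fake fetcher standing in for the REST API; grants only the two read bits."""
    if "/_apis/projects?" in url:
        return {"count": 1, "value": [{"id": _SAMPLE_PROJECT_ID, "name": "Payments"}]}
    granted = {(PROJECT_NS, 1), (GIT_NS, 2)}
    ns, bit = url.split("/_apis/permissions/")[1].split("?")[0].split("/")
    return {"count": 1, "value": [(ns, int(bit)) in granted]}


if __name__ == "__main__":
    # Real use: check_projects("my-org", urllib_fetch(os.environ["AZDO_PAT"]))
    print(json.dumps(check_projects("example-org", sample_fetch), indent=2))
```

Run against a real organization, a project that is absent from the report is one the account cannot list at all (the situation the warning at the top of this page describes), and a project with `backup_ready` true but `restore_ready` false is exactly the read-only case the hints above warn about: backups will run, but restore needs a token whose identity holds the write bits. `alwaysAllowAdministrators` is set to `false` so the check reflects the ACLs rather than an administrator override.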

***

## Permissions for Azure DevOps Server

### <mark style="background-color:blue;">Personal Access Token (PAT) integration</mark>

For on-premises installations, use the personal access token (PAT) method.

#### Prerequisites:

* [x] **Organization** — when generating PAT, you **must enable** the **All accessible organizations** value in the **Organization** field.

#### Required scopes:

* [x] Build: <mark style="color:$success;">**read and execute**</mark>
* [x] Code: <mark style="color:$success;">**read, write and manage**</mark>
* [x] Environment: <mark style="color:$success;">**read and manage**</mark>
* [x] Project and Team: <mark style="color:$success;">**read, write and manage**</mark>
* [x] Variable Groups: <mark style="color:$success;">**read and create**</mark>
* [x] Wiki: <mark style="color:$success;">**read and write**</mark>
* [x] Work Items: <mark style="color:$success;">**read and write**</mark>
* [x] Packaging: <mark style="color:$success;">**read, write and manage**</mark>

{% hint style="danger" %}
When performing a backup with minimal permissions, some metadata might be excluded. To ensure complete protection, select the permissions based on your data protection needs. Note that with read-only permissions, backups can be made, but **restoring requires a new token or password with write access**.
{% endhint %}
