Azure DevOps Services | Azure DevOps Server 2022 | Azure DevOps Server 2020
Azure Artifacts enables developers to efficiently manage dependencies by hosting various types of packages in a single feed. With flexible permission settings, you can fine-tune access to your packages, control who can create or administer feeds, and manage how packages are accessed from Azure Pipelines.
Azure Artifacts settings
With Azure Artifacts settings, you can control who can create and administer feeds.
Note
You must be a feed owner or a project collection administrator to configure Azure Artifacts settings.
Sign in to your Azure DevOps organization, and navigate to your project.
Select Artifacts, then select your feed from the dropdown menu.
Select the Azure Artifacts settings icon on the right.
Select Who can create feeds and Who can administer feeds, then select Save when you're done.
Feed settings
From the Azure Artifacts feed settings, you can manage various aspects of your feed, such as enabling package sharing, configuring retention policies, adding new users or groups, managing view permissions, and setting up or modifying upstream sources. Here's how to add a new user or group to your feed:
Sign in to your Azure DevOps organization, then navigate to your project.
Select Artifacts, then select your feed from the dropdown menu.
Select the gear icon on the right to navigate to your Feed Settings.
Select Permissions, then select Add users/groups.
Add the new user(s) or group(s), and assign the appropriate Role:
- Feed Owner: Can delete packages, allow external package versions, edit feed settings, and manage upstream sources, in addition to contributor permissions.
- Feed Publisher (Contributor): Can publish, promote, or deprecate packages along with collaborator permissions.
- Feed and Upstream Reader (Collaborator): Can save packages from upstream source in addition to reader permissions.
- Feed Reader: Can view and download packages from the feed.
Select Save when you're done.
Note
By default, the Project Collection Build Service (organization-scoped) and the project-level Build Service (project-scoped) are assigned the Feed and Upstream Reader (Collaborator) role.
Note
By default, the Project Collection Build Service is automatically assigned the Feed and Upstream Reader (Collaborator) role for newly created collection-scoped feeds.
Feed roles and permissions
Azure Artifacts provides a flexible permission model to manage access within feeds. Each role comes with specific privileges that determine what actions a user or group can perform. The table below outlines the key permissions associated with each role:
Permission | Feed Reader | Feed and Upstream Reader (Collaborator) | Feed Publisher (Contributor) | Feed Owner |
---|---|---|---|---|
List packages in the feed | ✓ | ✓ | ✓ | ✓ |
Download/install/restore packages | ✓ | ✓ | ✓ | ✓ |
Save packages from upstream sources | | ✓ | ✓ | ✓ |
Publish packages | | | ✓ | ✓ |
Promote packages to a view | | | ✓ | ✓ |
Deprecate/unlist/yank packages | | | ✓ | ✓ |
Delete/unpublish packages | | | | ✓ |
Add/remove upstream sources | | | | ✓ |
Allow external package versions | | | | ✓ |
Edit feed settings | | | | ✓ |
Delete a feed | | | | ✓ |
Note
Project Collection Administrators and Azure Artifacts Administrators are automatically granted the Feed Owner role for all feeds in the project.
Feed views settings
Feed views in Azure Artifacts enable users to share specific packages while keeping others private. A common use case is sharing a package version that has been tested and validated, while keeping packages still under development restricted.
By default, each feed includes three views: @Local, @Prerelease, and @Release. The latter two are suggested views that can be renamed or deleted as needed. The @Local view is the default and includes all packages published directly to the feed, as well as packages saved from upstream sources.
Important
Users who have access to a specific view are able to access and download packages from the feed through that view even if they don't have direct access to that feed. If you want to completely hide your packages, you must restrict access to both the feed and its views.
Sign in to your Azure DevOps organization, then navigate to your project.
Select Artifacts, then select your feed from the dropdown menu.
Select the gear icon to navigate to your Feed Settings.
Select Views, select the ellipsis button next to your view, then select Edit to modify its permission.
To restrict access to your view, change the visibility setting to Specific people.
Important
Views inherit permissions from the parent feed. If you set a view's visibility to Specific people without specifying any users or groups, the view's permissions will default back to the permissions of the parent feed.
Select Save when you're done. The access permissions column will update to reflect your changes.
Note
To add a feed from a different organization as an upstream source, the target feed owner must share the target view with All feeds and people in organizations associated with my Microsoft Entra tenant. This can be done by navigating to Feed Settings > Views, selecting the ellipsis next to the specified view, selecting Edit, and adjusting the permissions.
Pipelines permissions
To access your feed from your pipeline, the corresponding build identity must have the necessary permissions.
The project-level build identity is named [Project name] Build Service ([Organization name]), for example FabrikamFiber Build Service (codesharing-demo), while the organization-level build identity is named Project Collection Build Service ([Organization name]), for example Project Collection Build Service (codesharing-demo). Here's how to add the build identity to your feed's permissions:
Sign in to your Azure DevOps organization, then navigate to your project.
Select Artifacts, then select your feed from the dropdown menu.
Select the gear icon to navigate to Feed settings.
Select Permissions, then select Add users/groups. Add your build identity and assign it the Feed and Upstream Reader (Collaborator) role. If your pipeline needs to publish packages to the feed, make sure that both the Project Collection Build Service and your project's Build Service identities have the Feed Publisher (Contributor) role.
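The role table, the view visibility rules, and the build identity guidance above can be checked together in a small audit. The following Python is an added example, not code from the original page or from Azure DevOps; the dictionary layout, the finding names, `SAMPLE_FEED`, and the policy that a build identity should not hold Feed Owner are assumptions made for illustration.

```python
# Added example: field names and SAMPLE_FEED are constructed, not the REST schema.
ROLES = ["Feed Reader", "Feed and Upstream Reader (Collaborator)",
         "Feed Publisher (Contributor)", "Feed Owner"]  # least to most privileged

# Lowest role that grants each action, per the role table on this page.
MIN_ROLE = {"download": ROLES[0], "save_from_upstream": ROLES[1],
            "publish": ROLES[2], "promote": ROLES[2],
            "delete_package": ROLES[3], "edit_feed_settings": ROLES[3]}

TENANT_WIDE = ("All feeds and people in organizations associated with "
               "my Microsoft Entra tenant")

def can(role, action):
    """Roles are cumulative: a role grants every action at or below its rank."""
    return ROLES.index(role) >= ROLES.index(MIN_ROLE[action])

def audit(feed):
    """Return (finding, subject) pairs for settings worth a second look."""
    findings = []
    feed_ids = set(feed["permissions"])
    for ident, role in sorted(feed["permissions"].items()):
        # Assumed policy: pipelines need Collaborator, or Contributor to publish.
        if "Build Service" in ident and can(role, "delete_package"):
            findings.append(("build-identity-is-owner", ident))
    for view in feed["views"]:
        if view["visibility"] == TENANT_WIDE:
            findings.append(("view-shared-tenant-wide", view["name"]))
        elif view["visibility"] == "Specific people":
            if not view["readers"]:
                # Empty list: the view defaults back to the parent feed's permissions.
                findings.append(("view-falls-back-to-feed", view["name"]))
            for ident in sorted(set(view["readers"]) - feed_ids):
                # Can download through the view without any role on the feed.
                findings.append(("view-only-access", f"{ident} via {view['name']}"))
    return findings

SAMPLE_FEED = {  # constructed data
    "permissions": {
        "FabrikamFiber Build Service (codesharing-demo)": "Feed Owner",
        "Project Collection Build Service (codesharing-demo)": ROLES[1],
        "Fabrikam Developers": "Feed Publisher (Contributor)",
    },
    "views": [
        {"name": "@Prerelease", "visibility": "Specific people", "readers": []},
        {"name": "@Release", "visibility": "Specific people",
         "readers": ["External QA", "Fabrikam Developers"]},
    ],
}
```

Calling `audit(SAMPLE_FEED)` reports the over-privileged build identity, the view that silently falls back to feed permissions, and the identity that reaches packages only through a view.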
Examples
See the examples below to learn how to authenticate and publish packages to your feed with Azure Pipelines.
Package Type | Article |
---|---|
NuGet | Publish NuGet packages with Azure Pipelines |
Npm | Publish npm packages with Azure Pipelines |
Maven | Publish Maven artifacts with Azure Pipelines |
Python | Publish Python packages with Azure Pipelines |
Cargo | Publish Cargo packages with Azure Pipelines |
Universal Packages | Publish Universal Packages with Azure Pipelines |
Note
If your pipeline uses the project-level build identity and needs to access a feed in a different project, you must configure that other project to grant the build identity at least the Edit project-level information permission.