Azure DevOps - Decode ACE permission bits

Question

When getting Access Control Lists via the Azure DevOps API it returns a list of Access Control Entities which have fields "Allow" and "Deny".

As far as i understood from the docs, these fields contain some kind of permission bits. They look something like that: "allow": 32630, "deny": 0. Is it possible to somehow decode these values into a human readable format?

Answer 1

I am afraid that there is no out-of-box method can automatically decode the value into a human readable format.

In order to obtain information related to the permission bit, I suggest that you can use the Azure DevOps CLI to list all Permission bit in the namespace. Refer to this doc: Manage permissions with command line tool

For example:

az devops security permission namespace show --namespace-id 58450c49-b02d-465a-ab12-59ae512d6531 --output table 

Then it will return all related information in the namespace:

Name                      Permission Description                                    Permission Bit
------------------------  --------------------------------------------------------  ----------------
Read                      View analytics                                            1
Administer                Manage analytics permissions                              2
Stage                     Push the data to staging area                             4
ExecuteUnrestrictedQuery  Execute query without any restrictions on the query form  8
ReadEuii                  Read EUII data                                            16

If you want to allow/deny multiple permissions at the same time, you can add up the permission bit values.

For example: Allow Read and ReadEuii permission.

The value 1 + 16= 17 -> "allow": 17, "deny": 0

In this case, you can determine the permission bit value associated with 32630