问题
Using VSTS APIs, I'm trying to get a list of who has what access to each of our git repositories in VSTS.
I have the security namespaceId for Git and I pass this namespaceId to the Security -> Access Control List API described here: https://www.visualstudio.com/en-us/docs/integrate/api/security/acls
GET https://xxxxxxxx.visualstudio.com/DefaultCollection/_apis/accesscontrollists/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/?api-version=1.0&recurse=true&includeExtendedInfo=false
Drilling into the response, I can see it is listing the permissions for each repo, along with ref and tags.
Each object contains "acesDictionary", which itself is an object with keys that look like this:
Microsoft.IdentityModel.Claims.ClaimsIdentity;xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\emailaddress@example.com
How do I decipher a ClaimsIdentity? My first thought was that the UUID in the ClaimsIdentity is the UUID of the user in my VSTS project, but it is not. I know the email address is there so I suppose I could use that, but now I'm curious what the UUID in ClaimsIdentity represent. The VSTS API docs dont mention this.
Is Security -> Access Control Lists even the right place where I should be looking? My main goal is trying to get a list of who has what access to VSTS git repositories.
回答1:
Through tech support, I was able to reach a Microsoft representative who shared with me that the documentation for mapping identity descriptors isn't available yet but will hopefully be released soon. In the meantime, there is an endpoint to crosswalk identity descriptors which looks something like this:
GET {account}.vssps.visualstudio.com/_apis/identities?descriptors={commaSeparatedDescriptorsList}&api-version={apiVersion}
Note that this call is made through SPS {account}.vssps.visualstudio.com and not through your account instance {account}.visualstudio.com
Using my example, it would look something like this (uuid obfuscated):
https://xxxxx.vssps.visualstudio.com/_apis/identities?descriptors=Microsoft.TeamFoundation.ServiceIdentity;ffead5b1-5121-4e0e-a439-bbecb4999eba:Build:c4bfb762-a246-46c9-ba9a-7e6c53386b11&api-version=4.0
Also, if the descriptor is of type Microsoft.IdentityModel.Claims.ClaimsIdentity, then you'll likely have escaped backslashes in your descriptor which you'll need to un-escape. For example, if you have:
"Microsoft.IdentityModel.Claims.ClaimsIdentity;xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\someone@example.com"
You'll need to un-escape this descriptor so that it looks like this:
"Microsoft.IdentityModel.Claims.ClaimsIdentity;xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\someone@example.com"
来源:https://stackoverflow.com/questions/46411920/get-a-list-of-who-has-what-access-to-git-repositories