The situation is as follows:
- DevOps
Org A
maintains a private NuGet feed - DevOps
Org B
needs to use packages from the above feed within its Pipelines
Current solution involves:
- adding a user
U
fromOrg B
as a guest inOrg A
DevOps with Stakeholder role - creating PAT for user
U
inOrg A
with justPackaging -> Read
scope - using the PAT to register a service connection for the feed in
Org B
- using
NuGetAuthenticate
task inOrg B
Pipeline before theNuGetCommand
restore task
The issue is that user U
can log in to Org A
's DevOps and view boards, work items, members, etc
The question is how to restrict access so that the only thing that anyone from Org B
can do is restore packages from Org A
's feed and nothing else?
I have set every permission to Deny
on user U
's Permissions screen in Org A
's DevOps.
As soon as I set View project-level information
to Deny
, the pipeline in Org B
fails with a 404 (Not Found - VS800075: The project with id 'vstfs:///Classification/TeamProject/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not exist, or you do not have permission to access it.
error.