Is there a clear separation between read/write access to repos?

Copper Contributor



I have some questions about how to configure access rights for repos in Azure DevOps.

Looking at this page:

I still don't fully understand read/write permissions. I would expect a clear split between:

  • the right to clone/read
  • the right to submit a PR
  • the right to approve PRs into a given branch, e.g. main (in my view the definition of the owner/maintainer role)

But it seems not so clear-cut. For instance, confusingly, the documentation doesn't mention anything about the right to approve a PR.


My question is: Can I set up permissions in such a way that

  1. One group can clone/read the code. (It's fine if they can also create branches and PRs (but not approve them).)
  2. Another group (and ONLY members of this group) can approve PRs.

(If the answer is to use the "required reviewers" feature, I have some specific questions about this feature, please see )


Thankful for answers,


0 Replies