dosubot[bot] commented on issue #8691: URL: https://github.com/apache/incubator-devlake/issues/8691#issuecomment-3801136718
<!-- Answer --> DevLake needs more than just repository read access because it collects a wide range of data from Azure DevOps—not just code, but also builds, pipelines, pull requests, releases, and user/account info. This means the Personal Access Token (PAT) must have read access to multiple scopes: Build, Code, Graph (for user/account info), and Release. Without these, DevLake can't fetch all the data needed for metrics and dashboards, and you'll see authentication errors during collection—even if repo listing works fine. See the required scopes in the plugin docs ["Read access to the following Azure DevOps Scopes is required: Build, Code, Graph, Release"](https://github.com/apache/incubator-devlake/blob/main/backend/plugins/azuredevops_go/README.md). You do not need to grant "full access" or use a global PAT—DevLake supports organization-scoped PATs, so you can limit the token to just the organization you want to connect (by specifying the org in the connection settings). The "all accessible organizations" requirement in some docs is outdated and not a technical limitation ["You can use an organization-scoped PAT by specifying the organization in the connection settings"](https://github.com/apache/incubator-devlake/issues/8673). For security, best practice is to use an org-scoped PAT, restrict it to only the required scopes (Build, Code, Graph, Release), set a short expiration, and rotate it regularly. This limits exposure while still allowing DevLake to collect the data it needs. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/0e335b54-baac-47b7-82d8-e24753d0e261?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/0e335b54-baac-47b7-82d8-e24753d0e261?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/0e335b54-baac-47b7-82d8-e24753d0e261?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/0e335b54-baac-47b7-82d8-e24753d0e261?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/0e335b54-baac-47b7-82d8-e24753d0e261?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/0e335b54-baac-47b7-82d8-e24753d0e261?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/0e335b54-baac-47b7-82d8-e24753d0e261?feedback_type=other)</sup> [](https://app.dosu.dev/b4e8e847-d479-4541-83a8-d88d83fea5c9/ask?utm_source=github) [](https://cursor.com/link/prompt?text=DevLake%20needs%20more%20than%20just%20repository%20read%20access%20because%20it%20collects%20a%20wide%20range%20of%20data%20from%20Azure%20DevOps%E2%80%94not%20just%20code%2C%20but%20also%20builds%2C%20pipelines%2C%20pull%20requests%2C%20releases%2C%20and%20user/account%20info.%20This%20means%20the%20Personal%20Access%20Token%20%28PAT%29%20must%20have%20read%20access%20to%20multiple%20scopes%3A%20Build%2C%20Code%2C%20Graph%20%28for%20user/account%20info%29%2C%20and%20Release.%20Without%20these%2C%20DevLake%20can%27t%20fetch%20all%20the%20data%20needed%20for%20metrics%20and%20dashboards%2C%20and%20you%27ll%20see%20authentication%20errors%20during%20collection%E2%80%94even%20if%20repo%20listing%20works%20fine.%20See%20the%20required%20scopes%20in%20 the%20plugin%20docs%20%5B%22Read%20access%20to%20the%20following%20Azure%20DevOps%20Scopes%20is%20required%3A%20Build%2C%20Code%2C%20Graph%2C%20Release%22%5D%28https%3A//github.com/apache/incubator-devlake/blob/main/backend/plugins/azuredevops_go/README.md%29.%0A%0AYou%20do%20not%20need%20to%20grant%20%22full%20access%22%20or%20use%20a%20global%20PAT%E2%80%94DevLake%20supports%20organization-scoped%20PATs%2C%20so%20you%20can%20limit%20the%20token%20to%20just%20the%20organization%20you%20want%20to%20connect%20%28by%20specifying%20the%20org%20in%20the%20connection%20settings%29.%20The%20%22all%20accessible%20organizations%22%20requirement%20in%20some%20docs%20is%20outdated%20and%20not%20a%20technical%20limitation%20%5B%22You%20can%20use%20an%20organization-scoped%20PAT%20by%20specifying%20the%20organization%20in%20the%20connection%20settings%22%5D%28https%3A//github.com/apache/incubator-devlake/issues/8673%29.%0A%0AFor%20security%2C%20best%20practice%20is%20to%20use%20an%20org-scoped% 20PAT%2C%20restrict%20it%20to%20only%20the%20required%20scopes%20%28Build%2C%20Code%2C%20Graph%2C%20Release%29%2C%20set%20a%20short%20expiration%2C%20and%20rotate%20it%20regularly.%20This%20limits%20exposure%20while%20still%20allowing%20DevLake%20to%20collect%20the%20data%20it%20needs.) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/incubator-devlake/issues/8691) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
