Azure DevOps permissions primer

I often join Azure DevOps projects some time after they were started and can almost guarantee I'll find... questionable... permissions have been applied.

If you search for e.g. "azure devops permissions" you'll get pages like this which only tell half the story, so here's a quick primer...

There are a multitude of places where permissions can be set in Azure DevOps which can be roughly categorised into 4 places:

The difference between adding users to Project Collection groups & Project groups is reasonably straightforward, but I often see users added as Project Administrators without much thought, and this is a terrible idea. Remember that Project Administrators will be granted access to everything...

I often see people (e.g. Project Managers) added as Project Administrators so that they can manage work items or add new users, but it is often not understood or realised that doing so grants full access to pipelines.

Are you happy with your Project Manager being able to trigger a release to production?
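
One way to check who currently sits in Project Administrators, as an added example that is not part of the original post. It calls the Azure DevOps CLI extension (`az devops security group list` and `az devops security group membership list`) and assumes their JSON output carries the `graphGroups`, `descriptor`, `principalName` and `subjectKind` fields used below; the sample data, function names and approved list are constructed for illustration.

```python
import json
import subprocess
import sys

# Constructed sample data in the shape assumed for the az CLI output.
SAMPLE_GROUPS = {"graphGroups": [
    {"displayName": "Contributors", "descriptor": "vssgp.SAMPLE-1"},
    {"displayName": "Project Administrators", "descriptor": "vssgp.SAMPLE-2"}]}
SAMPLE_MEMBERS = {
    "aad.SAMPLE-A": {"principalName": "lead.dev@example.com", "subjectKind": "user"},
    "aad.SAMPLE-B": {"principalName": "project.manager@example.com", "subjectKind": "user"},
    "vssgp.SAMPLE-C": {"principalName": "[Demo]\\Demo Team", "subjectKind": "group"}}

def az_json(*args):
    """Run an `az` command and return its parsed JSON output."""
    done = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(done.stdout)

def find_group_descriptor(groups, name="Project Administrators"):
    """Return the descriptor of the named group from `group list` output."""
    for group in groups.get("graphGroups", []):
        if group.get("displayName") == name:
            return group["descriptor"]
    raise LookupError(f"group not found: {name}")

def unexpected_members(members, approved):
    """Return sorted (kind, principal) pairs that are not on the approved list.

    Nested groups are reported as well, since their members inherit the role.
    """
    allowed = {name.lower() for name in approved}
    found = [(m.get("subjectKind", "unknown"), m.get("principalName", ""))
             for m in members.values()]
    return sorted(f for f in found if f[1].lower() not in allowed)

def audit(org_url, project, approved):
    """Query the live organisation and return unapproved administrators."""
    groups = az_json("devops", "security", "group", "list",
                     "--org", org_url, "--project", project)
    members = az_json("devops", "security", "group", "membership", "list",
                      "--id", find_group_descriptor(groups), "--org", org_url)
    return unexpected_members(members, approved)

if __name__ == "__main__":
    # usage: audit.py <org-url> <project> <approved principal>...
    # With no arguments the constructed sample is audited instead.
    extras = (audit(sys.argv[1], sys.argv[2], sys.argv[3:]) if len(sys.argv) > 2
              else unexpected_members(SAMPLE_MEMBERS, ["lead.dev@example.com"]))
    for kind, name in extras:
        print(f"not approved as Project Administrator: {name} ({kind})")
    sys.exit(1 if extras else 0)
```

The non-zero exit code on any unapproved member lets the check run on a schedule and fail when membership drifts from the approved list.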