You can protect MASTER in VSTS pretty easily as TFS provides enterprise Git capabilities. There are two ways to achieve this.

由于 TFS 提供企业 Git 功能，因此您可以非常轻松地保护 VSTS 中的 MASTER。有两种方法可以实现这一点。

1) Git Branch Permissions

1) Git 分支权限

In the administration pages under the Version Control tab you can change permission for each published branch. You need to maintain access at the repo level, however on MASTER you can change "Contributor" commit permission to "not configured". You can then add only Rob...

在版本控制选项卡下的管理页面中，您可以更改每个已发布分支的权限。您需要在 repo 级别保持访问权限，但是在 MASTER 上，您可以将“贡献者”提交权限更改为“未配置”。然后你可以只添加 Rob ...

Oh... Always use "not set" rather than "deny" as deny always overrides.

哦...总是使用“未设置”而不是“拒绝”，因为拒绝总是覆盖。

2) Git Branch Policies

2) Git 分支策略

VSTS has introduces the idea of Branch Policies. These Branch Policies can be applied to any branch but are traditionally applied to MASTER.

VSTS 引入了分支策略的思想。这些分支策略可以应用于任何分支，但传统上应用于 MASTER。

Here you can apply multiple policies to reflect you needs... I always set

在这里你可以应用多个策略来反映你的需求......我总是设置

I found I had to go through slightly more steps to get this done

我发现我必须通过更多的步骤来完成这项工作

There are 2 places to define groups in visual studio online - at the collection level and at the project level.

有 2 个地方可以在 Visual Studio Online 中定义组 - 在集合级别和项目级别。

At the collection level I created an admin group and created a developers group. I only wanted people in the admin group to have write access to master branch in my repository.

在集合级别，我创建了一个管理员组并创建了一个开发人员组。我只希望 admin 组中的人对我的存储库中的 master 分支有写访问权限。

At the project level, I added developers and admins group to the project team. In the project contributors group I removed the project team and added only the developer group

在项目级别，我向项目团队添加了开发人员和管理员组。在项目贡献者组中，我删除了项目组，只添加了开发者组

In the project administrators group I added the collection level admin group.

在项目管理员组中，我添加了集合级别的管理员组。

Then on version control tab on the master branch I set contribute=deny for the contributors group

然后在主分支的版本控制选项卡上，我为贡献者组设置了contribute=deny

As administrators are not members of the contributors group the deny permission is not applied to them and they can still push changes to master - either directly or through approving pull requests

由于管理员不是贡献者组的成员，拒绝权限不适用于他们，他们仍然可以将更改推送到 master - 直接或通过批准拉取请求

I successfully created the (2) types of groups based off of @anthonybrown. I wanted to, however, give some screenshots to further help the explanation of resolving the ability to restrict users from deleting, pushing, and contributing to the masterbranch (or other branch(es) of your choosing) on a repository level base, not a global level.

我成功地创建了基于@anthonybrown 的 (2) 种类型的组。但是，我想提供一些屏幕截图，以进一步帮助解释在存储库级别基础上解决限制用户删除、推送和贡献master分支（或您选择的其他分支）的能力，而不是全球层面。

Note that based on our VSTS, we already had users added to the "global" team. I did not remove these users, but instead added them to (2) separate groups.

请注意，基于我们的 VSTS，我们已经将用户添加到“全球”团队中。我没有删除这些用户，而是将它们添加到 (2) 个单独的组中。

• Developers
• Administrators

• 开发商
• 管理员

1) Go to your base VSTS screen (this will default to /_projectsin the URL.

1) 转到您的基本 VSTS 屏幕（这将默认/_projects在 URL 中。

2) Click on the cog and select "Security"

2）点击齿轮并选择“安全”

3) On the far left side, select "Create Group", and name it "Developers". Once the group is created, select the group, and in the middle section, select "Members". Add all users that you DO NOTwant to have contribute rights to the "master" branch to this group. (note - your users must already be added to VSTS prior to this step).

3) 在最左侧，选择“创建组”，并将其命名为“开发人员”。创建组后，选择该组，然后在中间部分选择“成员”。所有用户添加，你不要想有利于权利的“主人”分支到该组。（注意 - 在此步骤之前，您的用户必须已添加到 VSTS）。

4) Create the "Administrators" group and add the users that you DO WANTto have access. (note - if your users in the "Administrators" group are already added to VSTS at either the global or project level you can skip this step. I did it regardless).

4）创建的“Administrators”组以及您添加的用户确实希望能够访问。（注意 - 如果“管理员”组中的用户已在全局或项目级别添加到 VSTS，则可以跳过此步骤。无论如何我都这样做了）。

5) Go back to the VSTS home page (/_projects) and select your repository that you want to restrict access to the master branch. Select "Version Control". On the left side, select the "master" branch. In the middle section, select "Security". Add the "Developers group. Select the "Developers" group (once added) and set the access to "Deny" for:

5）返回VSTS主页（/_projects）并选择您要限制访问master分支的存储库。选择“版本控制”。在左侧，选择“master”分支。在中间部分，选择“安全”。添加“开发人员”组。选择“开发人员”组（添加后）并将访问权限设置为“拒绝”：

• Contribute (this will be pushing
• Edit policies
• Force push
• Manage permissions

• 贡献（这将推动
• 编辑政策
• 强制推送
• 管理权限

I usually create a special VSO group like "Devs" and then place the developers in it. Then, I use the group as a member group of project Contributors and then specifically on the branch I want to protect, I use the "Devs" group and set Contribute to Deny, thus only members of the "Devs" group have the contribution denied, but e.g. Project Admins can still push in it.

我通常会创建一个像“Devs”这样的特殊 VSO 组，然后将开发人员放入其中。然后，我使用该组作为项目贡献者的成员组，然后专门在我要保护的分支上，我使用“Devs”组并将贡献设置为拒绝，因此只有“Devs”组的成员才能拒绝贡献，但例如项目管理员仍然可以推动它。

If you set Contribute to Deny directly on the Contributors group then nobody can push in the branch, not even Administrators and not even if you specifically set Allow on their Contribute, simply because Deny is stronger than Allow - unless you do some vaster changes to the original groups.

如果您直接在贡献者组上将贡献设置为拒绝，那么没有人可以推送分支，即使是管理员也不行，即使您在他们的贡献上专门设置了允许，仅仅因为拒绝比允许强 - 除非您对分支进行更大的更改原始组。