Restrict team access to areas and/or work items - azure-devops

I have an Azure DevOps project with a single team called "Software". Looking in Project Settings -> Team Configuration -> "Areas" tab, I can see that this team owns a single area - the "top-most" item in the project's area hierarchy, let's call this area "ProjectX". This has numerous child areas, which we use to categorise work items.
I have just created a new team called "Stakeholders", and a new area has been automatically created as part of this process, which this team now owns ("ProjectX\Stakeholders"). Am I right in saying that members of the new team will still be able to view and edit work items anywhere in the "ProjectX" area hierarchy? If so, what's the point of creating different teams?
What I'm trying to achieve is to allow members of the "Stakeholders" team to create new WIs and subsequently view/edit/delete those WIs. WIs created by members of the "Software" team should be completely hidden from the Stakeholders. Note also that the Software team needs to be able to edit/delete WIs created by the Stakeholders. Is any of this possible?

Am I right in saying that members of the new team will still be able to view and edit work items anywhere in the "ProjectX" area hierarchy?
Yes.
If so, what's the point of creating different teams?
Each team will use its own product backlog, sprint backlogs, etc. As an example: Configure Azure Boards to support SAFe.
What I'm trying to achieve is to allow members of the "Stakeholders" team to create new WIs and subsequently view/edit/delete those WIs. WIs created by members of the "Software" team should be completely hidden from the Stakeholders. Note also that the Software team needs to be able to edit/delete WIs created by the Stakeholders. Is any of this possible?
Yes. You can use the Area Path Security to manage access to work items under different paths: Set permissions and access for work tracking

Related

How can I restrict board editing access to team members only in Azure DevOps Boards?

For Azure DevOps projects that have multiple teams (where each team has their own board), is it possible to allow team members to edit (move work items, create work items,... etc) their own team's board, but not other teams' boards, while giving them read access to other teams' boards?
If it is possible, how can I do this?
For your requirement, you could create a customized team on an "Area" path. In this customized team you can make some users have only the "View" permission for the specified work items (in this customized team's Area, as in pic c.) by editing the "Security" settings.
(Here is the doc: Define area paths and assign to a team, and the steps for reference.)
a. [screenshot]
b. [screenshot]
c. In "Permissions", you should set 'Allow' on "View work items in this node" only, and all the other options should be set to 'Deny'.
d. [screenshot]

Granting team read permissions on specific board only

I'm trying to create a team that can only see a subset of the boards (e.g. their own area), which is to act as a communication channel between the development teams and other users; meaning, the developers can see/interact with all boards, but the external team can only see/interact with one specific board. But it seems that any team created gets access to the main board no matter what.
Has anyone attempted this before?
You need to configure the area security setting for the team.
Go to Project settings --> Project configuration under Boards --> Areas --> select the Area which you do not want the team to view --> click the 3 dots --> Security (see screenshot below).
In the security settings page --> search for the team in the search box --> Deny the view and edit permissions of this node for this team (see screenshot below).
Repeat the above steps to deny the view and edit permissions for the other team areas which the newly created team should not get access to. Then the newly created team should only be able to access the team board for which it has the view permission.

Tie pull request to work items only in the current project in Azure Devops

Within Azure DevOps Server, is there a way to limit the work items that can be tied to a given pull request to only those in the current project? Currently, when submitting a pull request Azure DevOps Server suggests and allows all work items within the project collection to be selected.
Yes there is a way to limit the work items from another project to be selected in current project. You can change the View, create, or modify work items Permissions within an area path. Check Restrict access to view or modify objects
So let's say there are Projects A and B, and you want to restrict work items in Project B from being selected from Project A. In order to achieve this, you need to set the permissions in Project B. Please refer to the steps below:
1. Go to the Project settings for Project B --> click Project configuration under Boards --> click Areas --> click the 3 dots of the root Area of Project B --> click Security
2. In the search box, search for the Project A team (or any team that includes all the users in Project A; if there isn't one, you can create a team in Project A to include all the users). Then set the permission "View work items in this node" to Deny.
Then any user in the Project A team will not be able to add work items from Project B to a pull request.
The above steps will cause some problems if a user is also in another project's team. But you can override the inherited permission for this user by following step 1 to allow the view permission for this user.
If there are many projects in your collection, you have to repeat the above permission setting for each one of them.
However, you can submit a feature request (click "Suggest a feature" and choose Azure DevOps) for restricting the view work items permission at the project level to the Microsoft development team. Hope they will consider implementing this feature.

Hide Iteration Area's WIs from the rest of a Project

Azure DevOps Services:
I need to hide all WIs belonging to one of the teams (= their Iteration Path) from the rest of the project.
Yet the team will need to see everyone else's WIs in this project
What is a proper way to achieve that?
Set 'Deny' on 'View work items in this node' for all 'Contributors' and 'Readers'? But if my team is in 'Contributors' (so they can see all the other WIs) their access will also be denied (by inheritance), even if I add them explicitly.
Area Path 'Security' settings
I hoped to google a ready solution for such a common request, but have not found one yet, unfortunately.
But if my team is in 'Contributors' (so they can see all the other WIs) their access will also be denied (by inheritance), even if i add them explicitly.
This is actually expected behavior; you can refer to Permission settings, which says "For most groups and almost all permissions, Deny overrides Allow." This means that when one of the team members is denied "View work items in this node" in one group (such as his team) and allowed in another group (such as Contributors), he can't see the specific team's work items, since Deny overrides Allow.
It's also simple to understand logically: should user A be allowed to see another team's work items when his team is denied from them?
My opinion is that you should move the user A to another team which could see the work items in the specific team.
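To make the "Deny overrides Allow" rule from this answer and the deny-the-other-team procedure from the "Granting team read permissions" answer concrete, here is a small model of area-path permission evaluation. It is an added illustration written for this page, not Microsoft's code or anything the answerers posted; the area names, group names, users and memberships are constructed, and the model deliberately covers only the two rules the answers rely on (child areas inherit a parent's entries unless an explicit entry is set on the child; across a user's groups, Deny wins over Allow).

```python
"""Simplified model of how Azure DevOps evaluates area-path ("node") permissions.

Added illustration, not Microsoft's code. It encodes the two rules the
answers above depend on:
  1. A child area inherits a parent's access control entries (ACEs) unless an
     explicit ACE for the same identity and permission is set on the child.
  2. Across every group a user belongs to, Deny overrides Allow; a permission
     that is neither allowed nor denied is "not set" and grants nothing.
Area names, group names, users and memberships are constructed sample data.
Real evaluation has extra cases (e.g. administrator groups) not modelled here.
"""
from dataclasses import dataclass, field
from typing import Optional

VIEW_WORK_ITEMS = "View work items in this node"
EDIT_WORK_ITEMS = "Edit work items in this node"


@dataclass
class Area:
    path: str
    parent: Optional["Area"] = None
    # Explicit ACEs on this node: {identity: {permission: "Allow" | "Deny"}}
    aces: dict = field(default_factory=dict)

    def set_permission(self, identity: str, permission: str, state: str) -> None:
        self.aces.setdefault(identity, {})[permission] = state

    def effective_ace(self, identity: str, permission: str) -> Optional[str]:
        """Nearest explicit ACE for this identity wins; walk up to the root."""
        node = self
        while node is not None:
            state = node.aces.get(identity, {}).get(permission)
            if state is not None:
                return state
            node = node.parent
        return None  # not set anywhere in the hierarchy


def has_permission(area: Area, user: str, memberships: dict, permission: str) -> bool:
    """Evaluate a permission for a user across the user and all of their groups."""
    identities = {user} | memberships.get(user, set())
    states = {area.effective_ace(ident, permission) for ident in identities}
    if "Deny" in states:      # Deny overrides Allow, whichever group carries it
        return False
    return "Allow" in states  # otherwise any Allow grants; "not set" grants nothing


def build_project():
    """Constructed sample: one root area, two team areas, two users."""
    root = Area("ProjectX")
    software = Area("ProjectX\\Software", parent=root)
    stakeholders = Area("ProjectX\\Stakeholders", parent=root)
    # Contributors may view/edit everywhere; child areas inherit this from the root.
    for perm in (VIEW_WORK_ITEMS, EDIT_WORK_ITEMS):
        root.set_permission("Contributors", perm, "Allow")
    memberships = {
        "alice": {"Contributors", "Software Team"},     # developer
        "stan": {"Contributors", "Stakeholders Team"},  # external stakeholder
    }
    return software, stakeholders, memberships


def naive_attempt() -> dict:
    """The approach from the question: deny Contributors on the Software area and
    explicitly allow the Software Team there. alice still loses access, because
    she is also a Contributor and that Deny overrides her team's Allow."""
    software, _, memberships = build_project()
    software.set_permission("Contributors", VIEW_WORK_ITEMS, "Deny")
    software.set_permission("Software Team", VIEW_WORK_ITEMS, "Allow")
    return {u: has_permission(software, u, memberships, VIEW_WORK_ITEMS)
            for u in ("alice", "stan")}


def working_attempt() -> dict:
    """The approach from the answers: leave Contributors alone and deny only the
    team that must not see the area. Developers keep access everywhere; the
    stakeholder team sees only its own area."""
    software, stakeholders, memberships = build_project()
    for perm in (VIEW_WORK_ITEMS, EDIT_WORK_ITEMS):
        software.set_permission("Stakeholders Team", perm, "Deny")
    return {
        u: {
            "Software": has_permission(software, u, memberships, VIEW_WORK_ITEMS),
            "Stakeholders": has_permission(stakeholders, u, memberships, VIEW_WORK_ITEMS),
        }
        for u in ("alice", "stan")
    }


if __name__ == "__main__":
    print("naive  :", naive_attempt())
    print("working:", working_attempt())
```

Running it shows the problem the question describes: in `naive_attempt` even the developer is locked out of her own team's area, because the Deny on Contributors reaches her through group membership. In `working_attempt` the Deny is placed on the stakeholder team only, so developers inherit the root Allow untouched while the stakeholder team is shut out of exactly one area; the same placement, repeated per area as the "Granting team read permissions" answer says, is what hides the other teams' work from a newly created team.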

How to give read-only access to members in bluemix track&plan?

Is it possible to add members in bluemix track&plan with read-only access?
I want to limit the number of people who can add/modify work items into my project.
I understand your question that you want a more fine-grained access control for project members.
Can you not allow project members to edit work items? A short answer is no.
Check official website: https://hub.jazz.net/docs/projectadmin/
Project members have the fewest privileges and responsibilities. They can do these tasks:
- Add and edit work items
- Create Git branches for Git projects
- Create tags for Git projects
- Push and pull source code from the repository
- View and edit pipelines
- Add, edit, delete, and run pipeline stages or jobs
I think project members should have the access right to edit work items.
Bluemix track&plan is based on RTC (Rational Team Concert). I've been using RTC for my team's project development for several years. It can be disturbing when someone removes a tag used in a query or changes a work item to an incorrect status.
But the essence of track&plan is for team collaboration. Work item is critical to provide transparency and real-time status. Everybody on the team should have the right to add comments to the work item. My best practice is to use daily scrum meeting to review team dashboard and validate the work item status.
In real life, I seldom see team members deliberately update work items that don't belong to them. Instead, scrum master needs to motivate team to provide more update to the work items.
If you want to share the status to a stakeholder who's not in the project team, one doable option is to set your project as "public".
Try to access the link I created: https://hub.jazz.net/ccm51/quickplanner/jazzhub.html#items:projectId=_9b859SQ7EeesKZSRjqyxIQ&serverId=hub.jazz.net&planType=allwork&allIterations=true
Steps to set up your project as public:
1. Navigate to the Track&Plan dashboard. Click "Settings" icon
2. De-select "private" project checkbox & save