Azure DevOps group rule to add everyone as readers - azure-devops

I would like to allow all members of the organization in Azure DevOps to view all projects (become Readers).
I tried to set up a group rule on the organization settings page.
Group: "Project Collection Valid Users"
Access level: Stakeholder
Projects: Selected them all, and picked Readers for each one.
After that I clicked on Add.
Now, when I try to view the rule I just made with "Manage rule", the project settings have been cleared.
If I select the projects again, and pick Readers, then save, the same thing happens.
Why do the settings disappear?
Also, if I do "Re-evaluate Rules", it runs for a bit. But none of the existing users regardless of their Access level have gotten Reader access to any project.
However, using "Manage user" -> Group rules, the group rule is listed.
So the group rule is applied but the project settings are not working for some reason? How do I fix this?

I chose a different group from AD instead of "Project Collection Valid Users" and now it seems to work as expected.
Using "Project Collection Valid Users" in this context seems to bring some bugs or unexpected behaviour.

Related

Azure Devops permissions - can one area be visible to one team and invisible to another

In my Azure boards, I have a hierarchical structure of the areas. In the team settings, all teams have areas being set, just like described here: https://learn.microsoft.com/en-us/azure/devops/boards/plans/safe-configure-boards?view=azure-devops#configure-area-paths
Is there a way for one team to see only the area it is set to, but no other areas? Currently, in Boards>Work items any member of any team can see everything, even User stories that do not belong to his area. How can I restrict this?
Edit: it might be from Security options of an area, add a group to it and make work items invisible, see this screenshot from Azure documentation.
But, even as an admin, I don't have such option to add! Why is that?
The UI has changed. There is no add option in the security settings page now.
You can directly search for the Team Group in the Search box and change its permission settings. See below screenshot.
Okay, in addition to Levi's answer:
First, every new user added to a project is also added by default to one of this project's groups: Contributors, Readers, Admins. I'm not considering admins here.
If we want to make one area visible to only one team, we need to do the following:
Either modify Contributors or Readers rights so that the "View project-level information" is set to Deny, and then for each new user, add it to a team and for that team set this option to Allow for the area needed
or (better)
Create our own groups for which "View project-level information" is set to Deny (for ex. Developers, QAs, etc.), and then for each new user, remove it from Contributors or Readers and add it to the corresponding group. Then add the user to a team, and for that team set the "View project-level information" option to Allow for the area needed

Azure DevOps - One "aad user" type cannot delete DevOps work items

A new person in our company cannot delete work items in DevOps. Their "Type" is listed as "aad user" under Teams and they are included in all the right groups, just like everyone else in the company, but they do not have the Delete option on a work item. This is annoying. It doesn't matter which work type.
What can we check, double-check and check again to make sure they're set up correctly?
Since the new users couldn't see the delete option, you could check the following points:
You could check if the users have the Basic Access level in Organization Settings -> Users.
Note: The Stakeholder Access level will have no access to delete work items.
You need to check if the users are in the Contributors Group in Project Settings -> Permissions
To delete work items, you need to check if the users have the Delete and restore work items project-level permission in Project Settings -> Permissions.
For more detailed information, you could refer to this doc: Remove, delete, or restore work items.

How to make project available to whole organization?

I have a Project with only a project Wiki.
The rest of the features I have disabled.
I would like to make this Project available as read-only to the entire organization.
I tried adding a member to the 'readers' team, but there is no 'all users' group or 'entire organization' or something like that.
For this issue, you can add a group rule. Go to the Users tab of Organization settings, and then select Group rules. This view shows you all of your created group rules. Select Add a group rule.
Then just add users to this group rule.

Azure Devops branch security not saving

I am trying to edit my branch security policies, but nothing ever seems to save. I've tried editing permissions, adding groups, removing groups and nothing seems to happen.
Is there supposed to be save button? This interface is new and appears not to be working.
I am an admin on this Azure account.
To the above question you posted in comment, here is the answer for that:
The groups listed below are inbuilt groups. You will not be able to delete those inbuilt groups.
And if you would like to add any groups, you would need to first create that group in Project Settings and then come back to Branch Security and Add that group here:
Go to Project Settings --> Security --> Create Group
Once you Create the group, go back to Repos --> Branches --> Branch Security --> Click on Add Group and search for the group you created earlier.
You should be able to delete the groups that you have created, but keep one thing in mind: if you delete a group that you created, all the users in the group will lose permissions as well.
Yes, this is a new UI and it saves automatically when you change the permissions.
Have you tried changing the selection in the dropdown to see if it works?
Once you change the selection in dropdown there will be an indication that the value is changed.
There is no Save Button in the new UI.
The Green tick indicates that the value is changed.
Please take a look at the screenshot below.

Permit a member to add more members to the team

I am an admin to a lot of projects. I have permissions to add members to any particular Project. But if I would like to promote a member as a Project Admin, I would like him to have permissions to add new members to the project.
I have added this person as a member of Project Administrator. Though he can now see the + symbol to add a member in Dashboard, it says he doesn't have permissions to add a member. What am I missing?
It seems you are talking about the team member dashboard used to add a member to the default team.
First, double-check that you have promoted the member as a Project Admin correctly; you could refer to this question: Manage user project permissions
Check whether the user is being added to VSTS for the first time or not. If so, you need to add account users for VSTS first. For this, the member will need VSTS project collection administrator or account owner permissions. However, he is just a project admin; this may be why he doesn't have permission.
Besides, you could also add/manage members of another team: choose the gear cog and Security from the menu. Then find the team on the left pane of the security page and select it. In the right pane, choose the Members view (next to Permissions), and then you will see a green plus symbol and the Add... button.
For more details, please refer to this tutorial: Add team project members in VSTS