A new person in our company cannot delete work items in DevOps. Their "Type" is listed as "aad user" under Teams and they are included in all the right groups, just like everyone else in the company, but they do not have the Delete option on a work item. This is annoying. It doesn't matter which work type.
What can we check, double-check and check again to make sure they're set up correctly?
Since the new users couldn't see the delete option, you could check the following points:
You could check if the users have the Basic Access level in Organization Settings -> Users .
Note: The Stakeholder Access level will have no access to delete work items
You need to check if the users are in the Contributors Group in Project Settings -> Permissions
To delete work items, you need to check if the users have the Delete and restore work items project-level permission in Project Settings -> Permissions.
For more detailed information, you could refer to this doc: Remove, delete, or restore work items.
Related
I have an Administrator in an Administrative group with the Boards Permissions all set to "Allow (inherited)".
He cannot delete a User Story he created.
We both inherit the permissions from the same "Project Administrators" group.
I can delete stories as expected, but he doesn't even have the option in the drop-down.
Any idea why that would be?
UPDATE: I had a co-worker who is also an administrator with the same permissions as the affected Admin, and they were able to create and delete stories. So now we've verified that 2/3 of the Admins tested with this setting are able to delete, but the other is not. The affected admin doesn't even have delete as an option when selecting "…" for an item.
I found the solution.
Under Organization Settings > Users, the user in question was listed as a Stakeholder.
I had to promote him to Basic.
This solved the problem, and it might not be discoverable as the cause of the problem if a Project admin is not also an Org admin.
We use Azure DevOps for source control.
I would like some users to be able to create work items, but not be able to make changes to source code for a specific project. It is ok for these users to be able to view / read the code, I just don't want them to be able to change it.
I've looked at the permission settings for groups in Azure DevOps, and read the Microsoft definitions of the permissions here: https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&tabs=preview-page#project-level-permissions.
Is it possible in an Azure DevOps project to set up a group that allows some users to create work items but not edit source code?
1.Create a new Group for these users, add this group to the Project scope "Readers" group
2.Make sure these users are not member or group member in "Contributors" group
3.Set the permission for this group to edit work items for Area Path in Project Settings -> Project configuration -> Security -> find the group. Check the doc.
I would like to allow all members of the organization in Azure DevOps to view all projects (become Readers).
I tried to set up a group rule on the organization settings page.
Group: "Project Collection Valid Users"
Access level: Stakeholder
Projects: Selected them all, and picked Readers for each one.
After that I clicked on Add.
Now, when I try to view the rule I just made with "Manage rule", the project settings have been cleared.
If I select the projects again, and pick Readers, then save, the same thing happens.
Why do the settings disappear?
Also, if I do "Re-evaluate Rules", it runs for a bit. But none of the existing users regardless of their Access level have gotten Reader access to any project.
However, using "Manage user" -> Group rules, the group rule is listed.
So the group rule is applied but the project settings are not working for some reason? How do I fix this?
I chose a different group from AD instead of "Project Collection Valid Users" and now it seems to work as expected.
Using "Project Collection Valid Users" in this context seems to bring some bugs or unexpected behaviour.
I am in the project administrator group, since we have a requirement to set the shared query to read-only to Contributors, I toggled the permission for Contributors to Deny except for "Read"
When I try to create new shared query, it says:
TF401256: You do not have Write permission for query Shared Queries.
I clicked on the three dots and bring up the "Permission for Shared Queries" menu, searched my name and a few other people in the Project Administrator Group or Project Collection Administrator Group, it shows all "Deny" permission except for the "Read" for all of us.
When I hover over, it says our permission is being inherited through the {project}\Contributors, but we are in the Administrator group.
Why is that and How can I fix it? I cannot even overwrite the permission. It is stuck at being inherited from the Contributor group.
enter image description here
It seems you are in a different group(project administrator group and Contributors), check this doc:
In the Azure DevOps, for most groups and almost all permissions, Deny overrides Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user is not able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
This is why you get the error message. You could open project settings->Permissions->Search the permission group {project}\Contributors->click the tab Members and remove your account. Then you could create new shared query
Update1
Steps:
Open project settings->Teams->select the team->click the tab Settings->add Administrator, then we could move our account.
link to MS forum for this issue (or similar posted by other people):
https://developercommunity2.visualstudio.com/t/Project-administrator-cannot-save-shared/1339863
It just doesn't sound right to me that in order to have admin permission you cannot be in any team. That maybe workable for a test account but for an organization this workaround or restriction could mess things up a lot.
I need to transfer a repository from a user account to an organization the user is a member of. Per GitHUb's docs, I need to make the user account an admin of the organization first.
GitHub's docs describe the different levels of access to an organization, but I can't find out how to actually change a user's level of access to an organisation.
How can I make the organization member an admin?
Access levels in GitHub are configured per Team inside the Organization.
Log into GitHub.
Switch your account context to the organization using the dropdown near the top-left of the screen:
Click on "View organization":
Click the Teams tab in the top navigation bar:
Decide whether you want to change the permissions of an existing team (and all of its members) or to create a new team for a single user.
If you are modifying an existing Team,
click on the Team name,
then click the gear icon at the top right,
then change the Team's access to Admin and
click Update.
If you are creating a new Team,
click the New Team button,
give the Team an appropriate name,
set its access to Admin and
click Create Team.
Team memberships have somewhat limited permissions scopes to individually named repositories.
If you want to set someone as an admin for the entire organization:
Navigate to the Organization > People
Identify the member you want to update and click on the settings cog
Set role to Owner
Update 2022: GitHub entitlements can help you define an IAM (Identity and Access Management) complete with audits.
2017: Note that since June 2017, you can apply an Admin access right to a sub-team (instead of one giant unique team as before)
See "Nested teams add depth to your team structure":
Child teams inherit their parent's access permissions, so repository permissions and #mentioning among nested teams work from top to bottom.
If your team structure is Employees > Engineering > Application Engineering > Identity, granting Engineering write access to a repository means Application Engineering and Identity also get that access.
So that is another way to assign a user admin right: make him/her part of a sub-sub team called "admins" within an organization.
Official GitHub Documentation: Nested Teams.