Setting Shared Query Permissions in Azure DevOps - azure-devops

My team is implementing Azure DevOps 2019 server on prem. There is a requirement to give all valid users permission to create shared queries in all projects. Is it possible to set permissions for shared queries at the collection level?

The permissions for shared queries are managed within the queries themselves, and whilst the default permissions allow the built-in Project Administrators (and Project Collection Administrators) groups to contribute shared queries, you probably don't want to move everyone into one of those groups.
Instead, you would have to go into each team project, go to the queries, and edit the security on the root:
You can then grant permissions by group (built in or custom):
(So above, I've changed the built in "contributors" group to allow them to Contribute to queries, which allows them to create new)
How manageable this is as a workaround will depend on how many team projects you have or create, but it is safer than making everyone an admin 😉

Query is a project-level function, so if you want to access Shared Queries in Project B from Project A, it may not be possible.
To access Shared Queries, you need to be a member of the team that has permission to access the query, but the team is limited to the project, so shared queries cannot cross projects.
If you really want to share queries between projects, you can make a feature request here:
Developer Community

Related

Limiting what a team can see and access in Azure DevOps

I am very new to managing Azure DevOps. I have two, what are for me related, questions.
When I create a team within a project - either the first default team or a later added team - what determines the users that are available for me to add to the team?
Within a single project, can I create a team that can see its own area path/board work items, but is not able to see the area paths/boards of other teams in the project? I have an outside firm working on the project and I want them to be able to see the work I assign to them, but not all the rest of the work assigned to internal members of the team. Can I do that within a single Azure DevOps project?
When creating a team, you specify the default level of access (I believe it's normally "Contributor").
Work item access can be limited based on area path.
Keep in mind that Azure DevOps permissions have an order of precedence:
"Allow" means "Allow unless explicitly denied"
"Not set" means "Deny unless explicitly allowed"
"Deny" means "Always deny"
So if you have a user in both Team A and Team B, and you set Team B to have a "Deny" permission for something, that means that the user who is a member of both teams will not be able to access it.
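Added example, not part of the original answer and not Azure DevOps code: a simplified Python model of the three rules above, evaluated across group memberships, which also reports users whose Allow from one team is cancelled by a Deny from another. Group names, users and area paths are constructed, and real Azure DevOps resolution has further inheritance details this model does not cover.

```python
from enum import Enum

class Perm(Enum):
    ALLOW = "Allow"
    NOT_SET = "Not set"
    DENY = "Deny"

# Constructed sample data: group membership and per-group state for a
# "view work items" permission on each area path (all names hypothetical).
MEMBERS = {
    "Internal Team": {"alice", "bob"},
    "Vendor Team": {"carol", "bob"},  # bob sits in both teams
}
ACLS = {
    "Project\\Internal": {"Internal Team": Perm.ALLOW, "Vendor Team": Perm.DENY},
    "Project\\Vendor": {"Internal Team": Perm.ALLOW, "Vendor Team": Perm.ALLOW},
    "Project\\Archive": {},  # nothing set for either team
}

def states_for(user, area):
    """Every state the user picks up on `area` through group membership."""
    acl = ACLS[area]
    return {g: acl.get(g, Perm.NOT_SET) for g, users in MEMBERS.items() if user in users}

def effective(user, area):
    """Apply the three rules: Deny always wins, then Allow, else Not set."""
    states = set(states_for(user, area).values())
    if Perm.DENY in states:
        return Perm.DENY
    if Perm.ALLOW in states:
        return Perm.ALLOW
    return Perm.NOT_SET

def can_view(user, area):
    return effective(user, area) is Perm.ALLOW  # "Not set" resolves to deny

def overridden_allows(area):
    """Users whose Allow from one group is cancelled by a Deny from another."""
    users = set().union(*MEMBERS.values())
    return sorted(u for u in users
                  if {Perm.ALLOW, Perm.DENY} <= set(states_for(u, area).values()))

if __name__ == "__main__":
    for area in ACLS:
        for user in ("alice", "bob", "carol"):
            print(f"{area:18} {user:6} {effective(user, area).value}")
        print("  Allow overridden by Deny:", overridden_allows(area))
```

Running the overlap report before adding an external team shows which existing members would lose access through a new Deny.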

Keeping users out of specific MarkLogic databases

My question is kind of similar to this question, but not quite:
Hide a marklogic database to specific user (permissions)
Background - up until now, developers who use database X were all admins on the server (this is a historic config that we have recently inherited), but now we want to have new developers added to the server who definitely won't be admins, and who will have a new database Y added to the server.
What we want to do is have several groups of developers using the same MarkLogic 10 server, but have it so developer group X can only work in their database X, and developer group Y can only work in database Y. We don't care if they can see all databases on the server.
Does this mean we have to apply permissions to every document in every database to do this, or can we control this via roles that limit access to specific databases?
Can someone suggest the right way to achieve this please?
Thanks in advance.
You have two tools to work with:
Granular privileges, which allow you to limit the scope of a privilege to a specific resource (such as a database or forest)
Document permissions unique to documents, reflective of their respective set of intended users on each database, as you already mentioned
However, in my experience, I've generally found this use case is better served by having many small dev clusters rather than one large one as resource contention (one app team pushing CPU to 100%) can become too much of an issue. It is pretty quick and painless to spin up and tear down dev clusters on AWS or Azure. Or, if you're self-hosting, you could look at running multiple MarkLogic Containers on a single host.

Ways to provide read only views of subsets of DevOps work items

I use Azure DevOps to track work items and bugs for a project. I'd like to grant certain people external to the project a read-only view of work items that are related to them (eg. tagged Person X), but without having to grant them access to DevOps. I have been toying with the idea of setting up a flow in Power Apps to continuously update a shared excel spreadsheet based on work items in DevOps, but I fear I might be missing easier/better options. How would you provide a limited read-only view of a backlog to externals?
I'd like to grant certain people external to the project a read-only
view of work items that are related to them (eg. tagged Person X), but
without having to grant them access to DevOps.
For this issue, I am afraid that this is unachievable in Azure DevOps. At present, there is no permission setting in Azure DevOps that restricts external people to reading only work items with a specified tag.
You could add your request for this feature on our UserVoice site, which is our main forum for product suggestions. After the suggestion is raised, you can vote and add your comments for this feedback. The product team would provide the updates if they view it. Thank you for helping us build a better Azure DevOps.

Is it possible to move project collection between two organizations?

We are currently having a project collection with backlogs, sprints, etc. in an Azure DevOps account. There is another organization with completely different credentials to log in that we'd like to transfer this project collection to the other organization. I could not find any features or approaches to complete this transfer. Is there a way to be able to achieve this goal?
There is no way to migrate a project between organisations. This may become possible in the future, but the feature suggestion is 8 years old and hasn't seen progress, yet.
However, depending on your requirements, you might be able to create your own tools/scripts to "re-create" your project in the new organisation using the REST API.

Is there a way to create an organization dashboard in Azure DevOps?

Our team is currently using DevOps and are very pleased with how everything is working. We've setup Dashboards in each project that tracks work items and sprints and would like to do the same at the Organization Level. Is there a way to create a master overview of multiple projects in an organization?
Unfortunately we cannot create an organization level dashboard, it's not supported.
We can only create the Team Project level dashboards for teams, please see Add and manage dashboards for details.
However, there's already a user voice submitted here to suggest the feature and it's marked as planned, but based on the response it seems there are no plans to store a dashboard for an organization overview. So you can vote it up and add your comments on the existing user voice or submit a new one to suggest the feature...
In our VSTS Feature
Timeline(https://learn.microsoft.com/en-us/vsts/release-notes/), you
see a feature called “Dashboards – Create dashboard separate from a
team” under “Reporting”
This feature will allow you to create a Dashboard that has no
association with the team. This means you don’t need to create a team,
to make a Dashboard. You can create any number of these Dashboards and
share them with who you want.
However, Dashboards will still be stored with a Team Project. So to
address your scenario (cross-team-project Dashboard), you’ll just have
to pick a team project to store the dashboard.
We don’t have immediate plans to store a dashboard outside a team
project.
Our team was dealing with the same problem as yours, and we decided to develop our own dashboard solution at the end.
After using it as an internal tool for several months, we recently made it available as a SaaS.
You may check it out on meercode.io for more information.
Your feedback will be greatly appreciated.
Behind the dashboard widgets are queries, and it is possible to execute those queries across multiple projects.
When you open the query editor, there is a checkbox:
"Query across projects" checkbox (imgur)
This way we created a project in DevOps that only contains a dashboard that shows all work items in any project, assigned to or followed by the current user.
That and some nifty colored tiles =)