I added approvals and checks to a variable group in the Library
and I don't understand how it works...
I added an Approvals team, and a condition of: "All approvers must approve".
But when someone who is not in the Administrators team and not in the Approvals team tries,
it gives them this error:
"you do not have permissions to perform this operation on the variable group. A variable group Administrator should add you to the Administrator role."
There is nothing related to the Library and approval groups in this doc.
My goal is that if there is a change to a variable, it works like a pull request: there is an approval group that needs to approve the change before it is made.
The situation you encountered is expected. If the user is not in the approvals team, they should be unable to perform the operation of approving the use of the variable group.
Have a look at this:
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass
Another way to control if and when a stage should run is through
approvals and checks.
Pipelines rely on resources such as environments, service connections,
agent pools, variable groups, and secure files. Checks enable the
resource owner to control if and when a stage in any pipeline can
consume a resource. As an owner of a resource, you can define checks
that must be satisfied before a stage consuming that resource can
start. For example, a manual approval check on an environment would
ensure that deployment to that environment only happens after the
designated user(s) has reviewed the changes being deployed.
Before the execution of a stage can begin, all checks on all the
resources used in that stage must be satisfied.
I think you misunderstood this feature.
Here I briefly explain how this feature works:
First, if you use a variable group, the place to control permissions is here:
Second, 'Approvals and checks' refers to control of the pipeline run process (this means that even a user without the above permissions can still check and approve the use during the pipeline run):
If you are referring to something like this:
From your reply, do you mean the issue comes from this place?
If so, this is not how 'Approvals and checks' work.
If you need such a feature, please post a feature request here:
https://developercommunity.visualstudio.com/report?space=21&entry=suggestion
Related
TF50309: The following account does not have sufficient permissions to
complete the operation: Hosted Stakeholder License Security Subject.
The following permissions are needed to perform this operation: Agile
plans..
I am both a Project Administrator and a Release Administrator.
I have added the Project Collection Administrators group to the Release Administrators group.
Yet I can't create a new delivery plan or view the one already created by another team member, because this error prevents me:
Failed to load data with following error: VS800075: The project with
id
'vstfs:///Classification/TeamProject/0ddc0e80-e58f-40f8-99f2-16c231bd2b45'
does not exist, or you do not have permission to access it.
Please, someone help me out here.
In the documentation you can read that you need at least Basic Access Level. Stakeholder access level does not provide access to Delivery Plans. To change your Access Level you need to be member of the Project Collection Administrators group. To set it up:
Go to your Azure DevOps home (e.g. https://dev.azure.com/myorg)
Click Organization Settings in the lower left corner
Click Users in the menu at the left-hand side
Find your own user
Click the three vertical dots on the right-hand side and select Change Access Level
Choose Basic and click Save
You mention that you added the Project Collection Administrators group as a member to the Release Administrators group. First, the Project Collection Administrators group has permissions virtually everywhere, so there is no need. Second, the Release Administrators group has nothing to do with Delivery Plans, but rather with Pipelines. Read more here.
We've structured our environment such that the main approval in ADO exists at the master branch policy level, where a 2nd user must approve the pull request prior to merging to the master branch. From there it's mostly automated testing, and approvals in ServiceNow. To help address SOD concerns, we're wondering if you had insight into either of the following:
Is there any history for master branch policy changes? We've seen the pipeline approval history before, but I'm not sure if there's anything similar that tracks changes to the policy configurations.
Is there any reporting out of ADO that would show a population of merges and include the owner of the change and the approver? The thought being that this could be used to ensure no one merged their own code without independent approval.
Is there any history for master branch policy changes?
Yes, while there isn't something like a History tab available for Branch policies, there are Audit events you can access and consume from the Auditing tab in the Organization Settings page. Auditing for Azure Repos events was announced around the July 2019 timeframe.
The auditing page provides a simple view into the audit events recorded for your organization. This data is also available to export in a CSV or JSON format. The Policy area covers the changes made to branch policies. You can view events for policies when they are created, removed, modified, or bypassed.
Here is an example of what that looks like:
Clicking on the i button available for each event will also give you more details about the exact change that was made, for example, changing the minimum approver count from 2 to 3.
Is there any reporting out of ADO that would show a population of merges and include the owner of the change and the approver? The thought being that this could be used to ensure no one merged their own code without independent approval.
There's an even better option. :) If you intend to enforce this, you should do it with a branch policy rather than a report:
While configuring the Require a minimum number of reviewers branch policy, you can ensure this with the following options:
If Allow requestors to approve their own changes is selected, the creator of the pull request may vote on its approval. If not, they can still vote Approve on their pull request, but their vote won't count toward the Minimum number of reviewers.
By default, anyone with push permissions on the source branch may both add commits and vote on the pull request's approval. By enabling Prohibit the most recent pusher from approving their own changes, you can enforce segregation of duties - having the most recent push automatically makes the pusher's vote not count.
Hope this addresses your requirement.
References:
Access, export, and filter audit logs
Improve code quality with branch policies
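To make the segregation-of-duties behaviour of the two policy options concrete, here is an added example (not Azure DevOps code and not part of the answer above) that models how the "Require a minimum number of reviewers" policy counts votes. The setting names (minimumApproverCount, creatorVoteCounts, blockLastPusherVote, allowDownvotes) follow the policy's settings object as exposed by the policy configuration API; verify them against your organization before reusing them in automation. The pull request scenario is constructed: the PR author approves their own change and was also the last person to push to the source branch.

```python
"""Added example: vote counting for the 'Require a minimum number of reviewers'
branch policy, showing a weak configuration next to a hardened one."""
from dataclasses import dataclass, field

# Reviewer vote values as Azure DevOps stores them on a pull request.
APPROVED, APPROVED_WITH_SUGGESTIONS, NO_VOTE, WAITING, REJECTED = 10, 5, 0, -5, -10


@dataclass
class MinReviewersPolicy:
    # Setting names assumed to match the policy's settings object (see lead-in).
    minimumApproverCount: int = 2
    creatorVoteCounts: bool = False    # "Allow requestors to approve their own changes"
    blockLastPusherVote: bool = False  # "Prohibit the most recent pusher from approving their own changes"
    allowDownvotes: bool = False       # "Allow completion even if some reviewers vote to wait or reject"


@dataclass
class PullRequest:
    created_by: str
    last_pusher: str                                # identity behind the most recent push to the source branch
    votes: dict = field(default_factory=dict)      # reviewer identity -> vote value


def counting_approvers(pr: PullRequest, policy: MinReviewersPolicy) -> list[str]:
    """Reviewers whose Approve vote counts toward minimumApproverCount."""
    counted = []
    for reviewer, vote in pr.votes.items():
        if vote not in (APPROVED, APPROVED_WITH_SUGGESTIONS):
            continue
        if reviewer == pr.created_by and not policy.creatorVoteCounts:
            continue  # the requestor may vote, but the vote does not count
        if reviewer == pr.last_pusher and policy.blockLastPusherVote:
            continue  # the most recent push makes the pusher's own vote not count
        counted.append(reviewer)
    return counted


def policy_passes(pr: PullRequest, policy: MinReviewersPolicy) -> tuple[bool, str]:
    """Return (passes, reason) for the policy as configured."""
    if not policy.allowDownvotes and any(v in (WAITING, REJECTED) for v in pr.votes.values()):
        return False, "a reviewer voted Wait or Reject"
    approvers = counting_approvers(pr, policy)
    if len(approvers) < policy.minimumApproverCount:
        return False, f"{len(approvers)} counting approval(s), need {policy.minimumApproverCount}"
    return True, "approved by " + ", ".join(approvers)


# Constructed scenario: alice opens the PR, approves it herself and is also the
# last pusher; bob approves.  Two Approve votes, only one of them independent.
SELF_MERGE_ATTEMPT = PullRequest(created_by="alice", last_pusher="alice",
                                 votes={"alice": APPROVED, "bob": APPROVED})

# Weak: two approvals required, but the author's own vote counts.
WEAK = MinReviewersPolicy(minimumApproverCount=2, creatorVoteCounts=True)
# Hardened: author's vote ignored and the last pusher cannot approve.
HARDENED = MinReviewersPolicy(minimumApproverCount=2, creatorVoteCounts=False,
                              blockLastPusherVote=True)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        ok, why = policy_passes(SELF_MERGE_ATTEMPT, policy)
        print(f"{name:9s} -> {'PASS' if ok else 'BLOCK'}: {why}")
```

Note that blockLastPusherVote also removes a genuine reviewer's approval once that reviewer pushes a fix-up commit to the branch, so a team that routinely lets reviewers push to the author's branch needs a third reviewer or has to leave the final push to the author.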
Is it possible to build and deploy an agent available only to some users, for example a company, or to limit access?
It depends on exactly what your needs are.
While not exactly what you are looking for, you can deploy an Action to Alpha test status. This lets you make it available to up to 20 users without going through the review process.
Additionally, you can deploy it to up to 200 users if you deploy to Beta. However, this still will require a review by the Action review team.
If you need more than this (and probably a wise idea even in other use cases), you'll need to use Google Sign in for Assistant or other identity methods to get the identity of the user and then determine if this is an authorized user as part of your Action. This will require review by the Action review team.
I have a project in Identity management for which I am hoping someone can point me in the right direction. It's role-based provisioning, basically I need to know how to provision a specific application based on certain user attributes (e.g. job title, dept) and then to automatically raise a provisioning request for that application. The application is a disconnected application and will be provisioned manually.
What we are trying to achieve is that once a user has been created in OIM and he or she meets those criteria, OIM will generate the request for the application so it can be provisioned for them. Is there a way to implement this within OIM?
You can just use the scheme where a role in OIM has a membership rule that automatically grants a user the role if some of the user's attributes match a specific condition.
Then you can create an Access Policy to provision a disconnected resource and attach it to this created role. Usually disconnected resource provisioning will create a SOA workflow where there is a human task to complete the provisioning operation.
All you need is a Role with the desired membership rule and an Access Policy attached to it. The Role and membership rule can be created with the OIM Role creation wizard. You can create a policy from the admin console and associate your role and resource with it. Do provide the default required parent form fields (at least IT Resource).
In case you want to add default entitlements edit the child form and add those.
I need to be able to make one user temporarily mirror another on demand. The mirroring user should get the same business unit, teams, and roles as the target user. Right now it is done manually, but it's a pain. I wrote a custom workflow activity to do it and it works if I run it as a system administrator and pick a mirroring user and target user.
But the end goal is to be able to allow certain users to run the dialog themselves. If I try to run it with myself as the mirroring user I get an error saying I don't have the privilege to assign roles, which makes sense since the workflow takes away my roles and then tries to assign me the target user's roles.
I'd like for the workflow activity to run as a privileged user but haven't had any luck so far. I've tried creating the IOrganizationService like this:
var context = executionContext.GetExtension<IWorkflowContext>();
var serviceFactory = executionContext.GetExtension<IOrganizationServiceFactory>();
// null is documented as "run as the SYSTEM user"
var service = serviceFactory.CreateOrganizationService(null);
According to the documentation, calling CreateOrganizationService with null as the parameter should force the use of the SYSTEM user, but it appears to still be running as the calling user.
I also tried calling CreateOrganizationService and passing the Guid of a different user with the System Administrator role, but got the same results.
Workflows have special conditions and are designed to ignore the GUID you pass to CreateOrganizationService.
I took the next paragraph from this article:
For the automatic workflow case, the owner of the workflow is also the
person who activates it and who selects the trigger mechanism and the
workflow steps so it is OK if the workflow executes under that user’s
context. For the on-demand case, a user is specifically requesting
some actions to be performed on his behalf by a workflow so the user
is fully aware of the workflow definition and that it will execute;
therefore it is safe to execute the workflow under that user’s context
instead of the workflow owner (who might not be aware that a user
requests an on-demand execution).
The custom workflow activity could be converted to a plug-in registered to run in the context of CRM Service or an Administrator
The workflow could be automatically, rather than manually triggered
If the end users are explicitly starting the workflow, it will be running in their user context
Dialogs are always run in the initiating users context
A workflow triggered by an event rather than being explicitly started by the user will run in the context of the user who started, and owns, the workflow - in this case an Administrator
A dialog or custom ribbon button could change something (a custom field) on the record that your custom workflow activity is registered to execute on-change
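The following is an added example, not the poster's workflow activity or code from the answer, showing the first option above: a plug-in that does the mirroring as SYSTEM. It assumes a hypothetical lookup field `new_mirrortarget` on `systemuser` (pointing at the user to mirror) that the dialog or ribbon button sets, and that the plug-in is registered on the Update message of `systemuser`, post-operation, with `new_mirrortarget` as the filtering attribute. In a plug-in, unlike a custom workflow activity, `CreateOrganizationService(null)` does return a SYSTEM-context service, which is what lets a non-administrator trigger the role assignment.

```csharp
using System;
using System.Linq;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Added example: copies business unit, roles and team memberships from the user
// referenced by new_mirrortarget (hypothetical lookup) onto the updated user.
public class MirrorUserPlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        var tracing = (ITracingService)serviceProvider.GetService(typeof(ITracingService));

        // In a plug-in, null means SYSTEM, regardless of who triggered the update.
        IOrganizationService service = factory.CreateOrganizationService(null);

        var target = context.InputParameters["Target"] as Entity;
        if (target == null || !target.Contains("new_mirrortarget")) return;
        var mirrorTargetRef = target.GetAttributeValue<EntityReference>("new_mirrortarget");
        if (mirrorTargetRef == null) return;          // lookup cleared: nothing to mirror

        Guid mirroringUserId = context.PrimaryEntityId;
        Guid targetUserId = mirrorTargetRef.Id;
        if (mirroringUserId == targetUserId) return;  // mirroring yourself is a no-op

        var targetUser = service.Retrieve("systemuser", targetUserId, new ColumnSet("businessunitid"));
        var targetBu = targetUser.GetAttributeValue<EntityReference>("businessunitid");

        // 1. Move the mirroring user into the target's business unit. Changing the
        //    business unit also removes the user's current roles, which is intended.
        service.Execute(new SetBusinessSystemUserRequest
        {
            UserId = mirroringUserId,
            BusinessId = targetBu.Id,
            ReorganizePrincipal = new EntityReference("systemuser", mirroringUserId)
        });

        // 2. Copy roles. Roles are per business unit; the user now sits in the
        //    target's business unit, so the target's role records can be assigned as-is.
        Guid[] roleIds = IntersectIds(service, "systemuserroles", "systemuserid", targetUserId, "roleid");
        Associate(service, mirroringUserId, "systemuserroles_association", "role", roleIds);

        // 3. Copy team memberships, skipping teams the user is already in
        //    (associating an existing membership throws).
        Guid[] wanted = IntersectIds(service, "teammembership", "systemuserid", targetUserId, "teamid");
        Guid[] existing = IntersectIds(service, "teammembership", "systemuserid", mirroringUserId, "teamid");
        Guid[] teamIds = wanted.Except(existing).ToArray();
        Associate(service, mirroringUserId, "teammembership_association", "team", teamIds);

        tracing.Trace("Mirrored {0} roles and {1} teams from {2}", roleIds.Length, teamIds.Length, targetUserId);
    }

    // Reads one column of an intersect entity (systemuserroles / teammembership)
    // for the rows matching filterAttr == filterId.
    private static Guid[] IntersectIds(IOrganizationService service, string intersect,
                                       string filterAttr, Guid filterId, string wantedAttr)
    {
        var query = new QueryExpression(intersect) { ColumnSet = new ColumnSet(wantedAttr) };
        query.Criteria.AddCondition(filterAttr, ConditionOperator.Equal, filterId);
        return service.RetrieveMultiple(query).Entities
                      .Select(e => e.GetAttributeValue<Guid>(wantedAttr))
                      .ToArray();
    }

    private static void Associate(IOrganizationService service, Guid userId,
                                  string relationship, string relatedEntity, Guid[] ids)
    {
        if (ids.Length == 0) return;
        var related = new EntityReferenceCollection(
            ids.Select(id => new EntityReference(relatedEntity, id)).ToList());
        service.Associate("systemuser", userId, new Relationship(relationship), related);
    }
}
```

Because the plug-in runs as SYSTEM, whoever can write `new_mirrortarget` on a user record effectively gets that user's roles, so the field itself has to be the control point: restrict it with field-level security to the people allowed to start a mirroring, and keep the dialog or ribbon button as the only path that sets it. Registering the step to run in the context of a specific administrator instead of SYSTEM, as the answer also mentions, keeps the privileges bounded by that account.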