We've structured our environment such that the main approval in ADO exists at the master branch policy level, where a 2nd user must approve the pull request prior to merging to the master branch. From there it's mostly automated testing, and approvals in ServiceNow. To help address SOD concerns, we're wondering if you had insight into either of the following:
Is there any history for master branch policy changes? We've seen the pipeline approval history before, but I'm not sure if there's anything similar that tracks changes to the policy configurations.
Is there any reporting out of ADO that would show a population of merges and include the owner of the change and the approver? The thought being that this could be used to ensure no one merged their own code without independent approval.
Is there any history for master branch policy changes?
Yes, while there isn't something like a History tab available for Branch policies, there are Audit events you can access and consume from the Auditing tab in the Organization Settings page. Auditing for Azure Repos events was announced around the July 2019 timeframe.
The auditing page provides a simple view into the audit events recorded for your organization. This data is also available to export in a CSV or JSON format. The Policy area covers the changes made to branch policies. You can view events for policies when they are created, removed, modified, or bypassed.
Here is an example of what that looks like:
Clicking on the i button available for each event will also give you more details about the exact change that was made, for example, changing the minimum approver count from 2 to 3.
Is there any reporting out of ADO that would show a population of merges and include the owner of the change and the approver? The thought being that this could be used to ensure no one merged their own code without independent approval.
There's an even better option. :) If you intend to enforce this, you should do it with a branch policy rather than a report:
While configuring the Require a minimum number of reviewers branch policy, you can ensure this with the following options:
If Allow requestors to approve their own changes is selected, the creator of the pull request may vote on its approval. If not, they can still vote Approve on their pull request, but their vote won't count toward the Minimum number of reviewers.
By default, anyone with push permissions on the source branch may both add commits and vote on the pull request's approval. By enabling Prohibit the most recent pusher from approving their own changes, you can enforce segregation of duties - having the most recent push automatically makes the pusher's vote not count.
Hope this addresses your requirement.
References:
Access, export, and filter audit logs
Improve code quality with branch policies
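For the reporting side of the question, here is an added example (not from the original answer) that applies the same two exclusions the branch policy options implement, the PR creator and the most recent pusher, to a population of completed pull requests and flags any that lack an independent approval. The record shape and the sample PRs are constructed for the example; only the vote scale (10, 5, 0, -5, -10) is the real Azure DevOps one.

```python
"""Added example: independent-approval report over pull request records.
The record shape below is simplified and constructed for this example,
not the exact Azure DevOps REST schema."""

# Azure DevOps reviewer vote scale: 10 approved, 5 approved with
# suggestions, 0 no vote, -5 waiting for author, -10 rejected.
APPROVED_VOTES = {10, 5}


def independent_approvers(pr):
    """Return approvers whose vote should count: not the PR creator and
    not the identity that made the most recent push to the source branch
    (the two cases the branch policy options exclude)."""
    excluded = {pr["createdBy"], pr["lastPusher"]}
    return sorted(
        r["id"] for r in pr["reviewers"]
        if r["vote"] in APPROVED_VOTES and r["id"] not in excluded
    )


def self_merge_report(prs, min_reviewers=1):
    """Flag completed PRs that have fewer than min_reviewers independent approvals."""
    findings = []
    for pr in prs:
        if pr["status"] != "completed":
            continue  # only merged changes matter for the SoD population
        ok = independent_approvers(pr)
        if len(ok) < min_reviewers:
            findings.append((pr["id"], pr["createdBy"], ok))
    return findings


# Constructed sample population of merges.
SAMPLE_PRS = [
    {"id": 101, "status": "completed", "createdBy": "alice", "lastPusher": "alice",
     "reviewers": [{"id": "alice", "vote": 10}, {"id": "bob", "vote": 10}]},
    {"id": 102, "status": "completed", "createdBy": "bob", "lastPusher": "bob",
     "reviewers": [{"id": "bob", "vote": 10}]},  # self-approval only
    {"id": 103, "status": "completed", "createdBy": "carol", "lastPusher": "dave",
     "reviewers": [{"id": "dave", "vote": 10}, {"id": "erin", "vote": 5}]},  # dave pushed last
    {"id": 104, "status": "active", "createdBy": "erin", "lastPusher": "erin",
     "reviewers": []},
]

if __name__ == "__main__":
    for pr_id, author, approvers in self_merge_report(SAMPLE_PRS):
        print(f"PR {pr_id} by {author}: independent approvals {approvers or 'none'}")
```

With `min_reviewers=2`, matching a two-reviewer policy, PRs 101 and 103 are flagged as well, because only one vote in each survives the exclusions.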
I am working on automating the approval process of a Pull request (in Azure DevOps) using Logic app.
I have already built the flow with a few conditions to meet, and then the flow has to approve the PR automatically if the conditions are met.
Need a suggestion on which action/trigger will approve the Pull request automatically?
Maybe look at using the relevant REST API ...
https://learn.microsoft.com/en-us/rest/api/azure/devops/git/pull-requests/update
You can see there are a couple of fields in the payload you'll need to pay attention to, vote being one of them and status being the other.
You'll need to authenticate and to do that, it'll be a matter of picking one of the auth methods listed here ...
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops
PAT is typically the easiest, but be sure to restrict its access in case the key is compromised.
Now having said that, there is a very specific section on auth which you'll need to make sure you adhere to.
https://learn.microsoft.com/en-us/rest/api/azure/devops/git/pull-requests/update?view=azure-devops-rest-7.0#security
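As an added example (not from the original answer), this builds the authenticated vote call a Logic App HTTP action would issue: the PAT goes in an HTTP Basic header with an empty user name, the vote is set on the PR's reviewer resource, and the PAT is scrubbed before anything is written to run history. The organization, project, repository, PR id, reviewer id and PAT are placeholders.

```python
"""Added example: build an Azure DevOps REST request that casts a reviewer
vote on a pull request. All identifiers below are placeholders."""
import base64

# Azure DevOps reviewer vote scale.
VALID_VOTES = {10: "approved", 5: "approved with suggestions", 0: "no vote",
               -5: "waiting for author", -10: "rejected"}


def pat_auth_header(pat):
    """Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def vote_request(org, project, repo, pr_id, reviewer_id, pat, vote=10, api_version="7.0"):
    """Return the method, URL, headers and JSON body for PUT
    .../pullRequests/{prId}/reviewers/{reviewerId}, which sets that
    reviewer's vote on the pull request."""
    if vote not in VALID_VOTES:
        raise ValueError(f"vote must be one of {sorted(VALID_VOTES)}")
    url = (f"https://dev.azure.com/{org}/{project}/_apis/git/repositories/{repo}"
           f"/pullRequests/{pr_id}/reviewers/{reviewer_id}?api-version={api_version}")
    return {
        "method": "PUT",
        "url": url,
        "headers": {**pat_auth_header(pat), "Content-Type": "application/json"},
        "json": {"vote": vote},
    }


def redact(pat, text):
    """Scrub the PAT (and its Basic-auth form) from text destined for logs."""
    encoded = pat_auth_header(pat)["Authorization"]
    return text.replace(encoded, "Basic ***").replace(pat, "***")


if __name__ == "__main__":
    req = vote_request("my-org", "my-project", "my-repo", 42, "reviewer-guid", "abc")
    print(req["method"], req["url"])
    print(redact("abc", str(req["headers"])))
```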
I added approvals and checks to variable group in library
and I don't understand how it works...
I added an Approvals team, and the condition: "All approvers must approve".
But when someone who is not in the administrators team and not in the approvals team tries it,
it gives them this error:
"you do not have permissions to perform this operation on the variable group. A variable group Administrator should add you to the Administrator role."
There is nothing related to the library and approval groups in this doc.
My goal is that if there is a change in a Variable, it will be like a pull request: there will be an approval group that will need to approve for the change to be made.
The situation you encountered is expected. If the user is not in the approvals Team, they should be unable to perform the operation to approve the use of the variable group.
Have a look at this:
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass
Another way to control if and when a stage should run is through approvals and checks.
Pipelines rely on resources such as environments, service connections, agent pools, variable groups, and secure files. Checks enable the resource owner to control if and when a stage in any pipeline can consume a resource. As an owner of a resource, you can define checks that must be satisfied before a stage consuming that resource can start. For example, a manual approval check on an environment would ensure that deployment to that environment only happens after the designated user(s) has reviewed the changes being deployed.
Before the execution of a stage can begin, all checks on all the resources used in that stage must be satisfied.
I think you misunderstood this feature.
Here I briefly explain how this feature works:
First, if you use variable group, the place to control permissions is here:
Second, 'Approvals and checks' refers to the control of the pipeline running process (this means that even a user without the above permissions can still check and approve the use during the pipeline run):
If you are referring to something like this:
From your reply, do you mean the issue comes from this place?
If so, this is not how 'Approvals and checks' work.
If you need a feature, please post a feature request here:
https://developercommunity.visualstudio.com/report?space=21&entry=suggestion
The team I'm on at work is working at developing competence at branching strategies using Git. We've previously used TFVC but want to move to Git. At this point it's our intention to use Azure DevOps Services for both source control and the build/release using Azure Pipelines.
I've been reading up on branching strategies using Git. I came across the Adopt a Git Branching Strategy page and other related pages. Incredibly valuable information there! However, I do have one important question which is a consequence of our environment. All our licenses to things like Microsoft 365, Visual Studio, MSDN licensing, etc., are tied to an email address ending in nmhealth.org. However, for reasons which I'm not privy to, those aren't actually our work email addresses. My work email address is on domain state.nm.us. In essence, although all our licensing is through nmhealth.org, there is no email inbox there. All email has to go through everyone's state.nm.us email. But if we set up things like who's going to review PRs, how do we do that in Azure DevOps Pipelines? Everyone's account in Azure Pipelines is associated with their nmhealth.org. At this point, when we make up policies in Azure Pipelines concerning PRs, such as reviewers, no one will ever get an email informing them that they should review a new PR.
People can set an alternate email address in their profile.
If your account is linked to AAD, that email should automatically flow from Azure Active Directory, if the contact email is configured there.
You can also edit your notification subscription settings and set an alternate email address for a specific notification class:
This is only possible for non-default subscriptions. So you may need to disable a global notification and create a personal notification subscription in order to set the custom email address.
You can recognize the global subscriptions by the 🌐 icon.
Click on user settings in the top right of ADO next to your picture.
Click on Profile
Set your preferred contact email.
If you want more granularity or want to send email to a DL when a PR is created and assigned to a specific group or user for review you can go to notifications and create a new subscription.
This is briefly described in the MS doc:
https://learn.microsoft.com/en-us/azure/devops/notifications/about-notifications?view=azure-devops
Would it be possible to restrict developers from creating a branch in GitLab? Only Owner or Maintainer should create.
Any help would be appreciated.
You should be able to using protected branches.
Go to Settings -> Repository, and navigate to Protected Branches.
You can then create a wildcard to protect all branches, and only allow Maintainers or Owners to push/merge.
After a lot of internet searching, I don't think you can stop specific users from creating new branches, although most of the suggestions given to accomplish some sort of control are to use protected branches.
Most suggestions along this route tell you to restrict branch creation for individuals with the "Developer" role, while allowing those with "Maintainer" role to continue creating branches on GitLab.
But, my use case desires the ability to restrict only some of the users with "Developer" access. My team is quite large, and I only want to restrict a small percentage of them from creating branches. I don't want to have to make the majority of my developers into "Maintainers" just to accomplish this restriction. Thus, I believe that restricting branch creation by individual user is not possible with GitLab at this time.
I have a requirement from our company auditors to be able to prove who can alter code in our source repository. Is there a method of producing a report detailing permissions?
Ideally the report would show all permissions but at least it needs to show check-in permissions. Ideally the report would be standard functionality as this tends to lead to less questioning from the auditors, but if not possible then custom reports/queries would be manageable.
We're using Azure DevOps Services.
Thanks in advance
GS
Is there a method of producing a report detailing permissions?
I am afraid there is no such out-of-the-box method/REST API to report detailed permissions.
To find out who can alter code in our source repository, we first need to check, one by one, which groups or individuals have permission to check in code:
Project Settings->Repos->Repositories:
Then go to Project Settings->Permissions->Repositories and Organization Settings->Permissions, to check members for each group:
Hope this helps.