So I've got both Project Admin and Project Collection Admin rights within ADO, but I'm unable to change any of the Cards settings for my project's sprint board. In the imgur link, you can see the error I'm still getting, and the permissions that have been setup for both groups: https://imgur.com/a/kniFdZI
There's not been anything so far that seems like a dead obvious reason for why I wouldn't be able to amend these things, so basically wondering if anyone has seen this before, or if any helpful MS folk happen to know exactly what the fix would be.
It can be due to devops access level permissions.
Check your access level under the devops Organization Settings -> Users
Make sure you have "Basic" access instead of "Stakeholder".
See access levels : https://learn.microsoft.com/en-us/azure/devops/organizations/security/access-levels?view=azure-devops
Related
We used to have a plugin in LR6 that used a specific user group, which also had the administrator role assigned to it, for several use cases.
However, when trying to replicate its logic on LR7, this plugin correctly imported the users from a remote data source and put the users into this group. I can see their profile, which seems to be exactly what we need: in the "Inherited Regular Roles" the Administrator role is present.
However, they cannot see the control panel.
In an experiment, I administratively created a user group and assigned the Administrator role to the group. same behavior here, they cannot see anything.
I am poking around the source code, and it seems some parts of the module do use:
PortalPermissionUtil.contains(
permissionChecker, ActionKeys.VIEW_CONTROL_PANEL)
Which seems to verify inherited roles... Am I missing anything?
Bottom line, it seems that I cannot create usergroups of administrators anymore.
It turns out, yes I was missing something: a bug
https://issues.liferay.com/browse/LPS-61319
So, this will be an issue till GA4 at least.
We have a project administrator for a collection of projects on TFS Online. We recently hired so he had to add the guy as a new member into the team.
However he cannot see one specific project we have, even with identical permissions as the other users. His account was created in the same way as the others.
Trying to help the guy out here I offered to try a few things and noticed, If I create a new project as a test. "Test1", and add him as a member, he can see this account fine when he logs in to TFS Online/Connects on Visual Studio.
Which leads me to believe that it's based on some visibility setting within TFS, even though the other members linked to the project can see it fine.
Any possible ideas for me to try?
You need to try and trace his effective permissions. It sounds like there is a denied somewhere.
If you open the admin for that team project and goto the security tab there is a box to add the users account. You should then see the effective permission on the right and he should have and Alowed in the "View project level information" permission.
If he does bot you can roll your mouse over it and click the "why" button and you will see where the overide is coming from.
I have two reports that I need to build. One that has a dozen or so columns. The other has the same columns + 2 extra. The first one is aimed at employees the second with the additional columns is aimed at Sr. Management.
I have a windows group set up for the proper Sr. Mgt users.
I am using SQL 2012.
I've done some SSRS stuff, but not enough to say I'm competent to do more difficult reports.
The problem I'm having is that we do not want the employees to see the sensitive information in those two columns. Frankly, we don't even want them to know the existence of a different report.
Option 1: I was thinking I can just create a folder in SSRS and add the report there and hide the folder. I created it and applied the security but it seems that everyone can see the folder. Maybe they can't edit anything in it or even maybe they can't read anything in it, but this solution, if unchanged, will not meet the goal of having them not even see it exists.
Option 2: I was thinking that I can use the UserID condition to hide the columns in the report and just create one report that differs depending on who was viewing. There are two issues that surfaced in my research. First, there is no facility for using Windows Groups instead of userid. That would mean I have to maintain the list of people inside the report and boy would that be a pain. And second, my understanding is that the export facility does not respect the column actions -- like hiding.
Am I making this too complicated? Is there an easier way to do this? With no other solution, so I need to put up another instance of SSRS for management and make them go back and forth?
Thanks for your time
Option1: You should not be able to 'browse' for folders unless the 'parent' level permission has an 'everyone' user set up to browse on the higher level. Set up a test account and RDP to a box you can use the test account on. Generally under 'Folder Settings' you set up permission and it cascades down until interupted. If you have a parent permission to browse and a lower one not to, they may be able to browse directories. You can ensure that the directory has ONLY dedicated users and the inherited settings are removed manually.
Option2: I would NOT do this. You will have a maintenance nightmare on your hands as you would have to determine in code who was what and update a list that would probably need to be updated somewhere in SQL or a service. As far as I know SSRS does not work with getting parameters and such directly from AD so you would have to code this time and again. For this reason and security context I would avoid this.
Option3: Set up a 'Subscription' to save the report to a file format(excel, pdf, word, etc) or email on a scedule and turn off permission for everyone but admins. If someone can still see the report or directory there is most likely a security context issue.
Option4: You can do a cheapy 'Hide in tile view' move that for most users will hide the directory unless they go to the URL directly and have access. Click on a folder then choose 'Folder Settings' then check 'hide in tile view' and hit okay. Directory is now gone for most part for regular users browsing in default mode.
I think we can just fix your problem, and avoid inventing a complicated and unnecessary solution:
Option 1: I was thinking I can just create a folder in SSRS and add the report there and hide the folder. I created it and applied the security but it seems that everyone can see the folder. Maybe they can't edit anything in it or even maybe they can't read anything in it, but this solution, if unchanged, will not meet the goal of having them not even see it exists.
Chances are that either you set up the security settings wrong, or there's a bigger configuration nightmare to worry about. What you should do is create the folder, go into the settings of the folder, and edit the security (thus breaking inheritance from the parent folder). Before even adding groups, you need to remove anyone that doesn't belong - namely entries like "YOU\Domain Users" - that gives access to anyone on your domain. Once you've cleaned out whomever shouldn't have access, you can add the users/groups that should. Problem solved.
Now, if that doesn't work, then it would seem to me that your SSRS instance is somehow granting everyone sysadmin access - check the Site Settings to see what users and groups are in the System Administrator role. Investigate any groups thoroughly - is BUILTIN\Administrators a sysadmin in SSRS? Check the group locally on the computer - is there another blanket domain group shown there?
If everyone on your domain has complete access to the SSRS instance, then your goal of "hiding" things is impossible.
One of my colleague's is not able to save an Advanced Find query. Options "Save" and "Save As" are grayed out. Searching the Internet revealed the solution. Access rights must be granted to entity 4230 (UserQuery). So I assigned all necessary rights to this entity.
I used a test account with the same rights as my colleague and used it to build the query, saved it. An error occurred saying that I have no CreateAccess rights. Which I have.
Am I missing something here.
Thanks for your help,
Martin
You're probably doing it right but missing on some access privileges. What you could test is to grant a super user rights to a new user (as in - the omnipotent rights to do everything). If you still don't get it to work, the issue isn't with access rights. If you do, you can go shotgun on it and turn on/off half of the grantees and see when you hit the brick wall.
Not nice but functional. :)
I'm getting an issue with TFS where the documents folder is marked with a red cross. As far as I can tell, this seems to be a security issue, however, I am set-up as project admin on the relevant projects.
I’ve come to the conclusion that it’s a security issue from running the TFS Project Admin tool (available here). When I run this, it tells me that I don’t have sufficient access rights to open the project. I’ve checked, and I’m not included in any groups that are denied access.
Please can anyone shed any light as to why I may not have sufficient access to these projects?
I finally got to the bottom of this. The security for SharePoint is set-up independently, and it's this that controls the access to the Documents folder