Azure DevOps collection level custom groups - azure

I am trying to create a new collection-level custom group whose members would see all projects under my organisation but could not set access rights in the organisation or projects unless added to project admins. However, I cannot find any place where I could restrict access to user access for this group's members. Also, I cannot find anything that would automatically give access to all projects. However, the Project Collection Administrators group has this permission, but it is not visible anywhere.

There is no permission that controls whether users can see all projects (excluding public projects) under the organisation. You have to add the users to the projects, at least to the Readers group; then they can see the team projects.
You could add a group rule, add the users to this group, and then assign all team projects to them.
For more details on permissions, please refer to the following link:
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&tabs=preview-page

Related

Gitlab: Maintainer permissions when shared group with group not working as expected

I am running a gitlab-ce instance where we solve access level on group level by sharing groups with user groups. An example:
There is a group products with a couple of projects in there. No user is directly added as member to that group. There is another group called developers. Product developers are added to developers with maintainer access.
The group products is shared with developers with a maximum role of maintainer.
With that, I would assume that I can transfer a project that I am owner of to group products. However, the list of groups I can transfer my project to only contains groups where I am a direct member with the maintainer role.
TLDR:
Group products is shared with group developers with max role maintainer
User Bob is member of developers with the maintainer role
Bob is owner of project bobs_project
Bob cannot transfer bobs_project to products (but he could transfer it to developers)
From my understanding of the relevant documentation Bob should have the same rights in products as someone directly added as maintainer to products. However, that seems not to be the case.
Am I missing something?
A few points from the documentation you reference might be relevant in your setup:
When transferring groups, note:
You can only transfer groups to groups you manage.
Only explicit group membership is transferred, not inherited membership. If the group’s owners have only inherited membership, this leaves the group without an owner. In this case, the user transferring the group becomes the group’s owner.
Here, Bob has inherited rights in products, not direct rights. That might explain why the group is not listed.

How do I add a delivery plan when I get thrown this error?

TF50309: The following account does not have sufficient permissions to
complete the operation: Hosted Stakeholder License Security Subject.
The following permissions are needed to perform this operation: Agile
plans..
I am both a project and a release administrator.
I have added the Project Collection Administrators group to the release administrators.
Yet I can't create a new delivery plan or view the one already created by another team member, because this error prevents me from doing so:
Failed to load data with following error: VS800075: The project with
id
'vstfs:///Classification/TeamProject/0ddc0e80-e58f-40f8-99f2-16c231bd2b45'
does not exist, or you do not have permission to access it.
Please, someone help me out here.
In the documentation you can read that you need at least Basic Access Level. Stakeholder access level does not provide access to Delivery Plans. To change your Access Level you need to be member of the Project Collection Administrators group. To set it up:
Go to your Azure DevOps home (e.g. https://dev.azure.com/myorg)
Click Organization Settings in the lower left corner
Click Users in the menu at the left-hand side
Find your own user
Click the three vertical dots on the right-hand side and select Change Access Level
Choose Basic and click Save
You mention that you added the Project Collection Administrators group as a member to the Release Administrators group. First, the Project Collection Administrators group has permissions virtually everywhere, so there is no need. Second, the Release Administrators group has nothing to do with Delivery Plans, but rather with Pipelines. Read more here.

List Permissions for O365 Group Members does not apply

I have an O365 group and a Team site, but Teams is not enabled.
In that site I have a list called Portfolio. I have a bunch of users added as owners and members of the O365 group and they are added in to SharePoint online groups respectively.
We are managing permissions for users on individual lists and libraries which seem to be working. However when I try to have unique permissions with Owners and Members Read only access on the list, they still have full control on the list.
As shown in the image here:
The part I don't understand is that it says "The following factors also affect the level of access for Ashar Khan".
Where are these policies set and how do I change them?
By default, O365 group owners would have site collection admin access to the team site. Site collection administrators are given full control over all Web sites in the site collection.
To remove the group owners from site collection administrators, go to site permission settings->Site Collection Administrators:

Microsoft Azure DevOps: Grant user in one project RW permission to Boards in another group?

Context:
I have recently been given the role of Azure DevOps administrator in the small company I work in. I have no previous experience with this role, and I am currently reading through the extensive documentation on the topic.
What I've got:
An Azure organization with several users, groups, permissions, and projects, some of which are up to 6-7 years old. Responsibility for the organization has been passed along several times without any clear plan or consequence, and I am attempting to get an overview and clean up the structure.
What I want to do:
I want to grant all users in the entire organization permission to read, comment on, tag people, and create new work items in Boards (especially backlog and sprint) in all projects, including the ones they are not a team member or user of themselves. I have tried several permission group setups, but I can't get anything to work. Suggestions are welcome.
Sorry, but I'm afraid we don't support this feature.
We can't do this if the user is not a member of the project. (Unless they are a PCA, but it's not recommended to make users PCAs because it creates a lot of risk.)
So you need to add all users to the projects first to give them permissions to Boards. Here are the detailed steps.
Create a new group Group1 in Organization Settings -> Security/Permissions. Add all users in the organization to this group.
Go to Project Settings -> General/Permissions and create a new group Group2. Set Group1 as a member of Group2.
Go to Project Settings -> Boards/Project configuration -> Areas. Choose the ... context menu for the node you want to manage and select Security.
Search Group2 and set 'Edit work items in this node' to Allow. Note that some important permissions should be set to Deny.
This solution needs you to add groups and set permissions in projects one by one.

Can I add a Team (i.e. [Team Name]\Team) to the Project Collection Administrator group in DevOps?

Description
I am adding project's team members as Project Collection Administrators within the Organisation. To make this easier, I wanted to add the Project Team group as such [Team Name]\Team. To enable more people to be added as admins as the project grows. This appears to be allowed^ but I get an error "We are unable to add members to this group at this time. Please try again at a later time or contact support for help"
^ Link to DevOps Documentation:
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-azure-active-directory-groups?view=azure-devops
Other Tries
I have tried doing it later and also added groups that belong to the organisation such as [org name]\[Team lead Developers] or [org name]\Project Collection Test Service Accounts. These are all allowed but not the group formed by Project Teams.
Steps to the issues
Add a project team group to one of the default organisation permissions groups such as the Project Collection Administrators.
Error is:
We are unable to add members to this group at this time. Please try
again at a later time or contact support for help
I expect the group to be added like any other group.
Any ideas to this issue?
Cheers.
This is as designed.
Add operations between groups need to be at the same level, or a higher-level group added to a lower-level group. For example, an organization group can be added to a project group; the reverse is not possible.
So, if the group is a project group, then this project group could not be added to an organization group.
For Project level administration (not Organization level), you can make a specific Team have Project Administration level permissions from this menu:
Project Settings > Security > (select team) > Permissions
and then set the following to Allow:
Edit project-level information
Essentially, your goal will be to copy any desired permits from the Project Administrators to the [team] permits.
Really, you can set all these permissions to "Allow" if you really want that [team] to have "full" access to administer.
This will give that team a lot of flexibility to administer within the Project space. It will not, however, let them administer licensing and other Org level items. From my experience, you cannot add [Team] to [Org] level groups, though you can add [Org] groups to [Project] and [Team] level groups.
If you really want large groups to administer, and you have AD integration, then you can add an AD email distro or security group to the Project Collection Administrators group. That's not something I would ever do since that would be considered dangerous in my company, but you may not have the same requirements for security, access, and cost controls.
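
An added example, not part of the original answers: a small audit that applies the nesting rule described above and lists who ends up holding Project Collection Administrators only through nested groups, which is the risk with adding a large directory group there. The organisation name, group names, the "aad:" prefix and the membership pairs are constructed for illustration and are not taken from any real export format.

```python
ORG = "myorg"  # hypothetical organisation name

# Constructed (container, member) pairs, as an exported membership list might look.
MEMBERSHIPS = [
    (r"[myorg]\Project Collection Administrators", "alice@example.com"),
    (r"[myorg]\Project Collection Administrators", r"[myorg]\Team Lead Developers"),
    (r"[myorg]\Team Lead Developers", "bob@example.com"),
    (r"[myorg]\Team Lead Developers", "aad:All-Engineering"),
    ("aad:All-Engineering", "carol@example.com"),
    ("aad:All-Engineering", r"[myorg]\Team Lead Developers"),  # cycle on purpose
    (r"[ProjectA]\ProjectA Team", "erin@example.com"),
]

def scope(name, org=ORG):
    """Classify a principal by the naming convention used in the sample data."""
    if name.startswith(f"[{org}]\\"):
        return "organization"
    if name.startswith("["):
        return "project"
    return "directory" if name.startswith("aad:") else "user"

def can_nest(container, member, org=ORG):
    """Rule from the answer: a project group cannot join an organization group."""
    return not (scope(container, org) == "organization"
                and scope(member, org) == "project")

def effective_users(group, memberships):
    """Return {user: chain of groups granting membership}, following nesting."""
    children = {}
    for container, member in memberships:
        children.setdefault(container, []).append(member)
    found, stack, seen = {}, [(group, [group])], {group}
    while stack:
        current, path = stack.pop()
        for member in children.get(current, []):
            if scope(member) == "user":
                found.setdefault(member, path)
            elif member not in seen:  # guard against nesting cycles
                seen.add(member)
                stack.append((member, path + [member]))
    return found

def indirect_admins(group, memberships):
    """Users who hold the group only through a nested group, with the chain."""
    return {u: p for u, p in effective_users(group, memberships).items() if len(p) > 1}

if __name__ == "__main__":
    pca = r"[myorg]\Project Collection Administrators"
    for user, path in sorted(indirect_admins(pca, MEMBERSHIPS).items()):
        print(user, "via", " -> ".join(path))
```

Each reported chain shows which nested group to review or remove to take a user out of the administrators set.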
