I have a requirement from our company auditors to be able to prove who can alter code in our source repository. Is there a method of producing a report detailing permissions?
Ideally the report would show all permissions but at least it needs to show check-in permissions. Ideally the report would be standard functionality as this tends to lead to less questioning from the auditors, but if not possible then custom reports/queries would be manageable.
We're using Azure DevOps Services.
Thanks in advance
GS
Is there a method of producing a report detailing permissions?
I am afraid there is no such out-of-the-box method or REST API that reports permissions in detail.
To find out who can alter code in your source repository, you first need to check, one by one, which groups or individuals have permission to check in code:
Project Settings->Repos->Repositories:
Then go to Project Settings->Permissions->Repositories and Organization Settings->Permissions, to check members for each group:
Hope this helps.
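Where a custom query is acceptable (the question says it would be), a check-in report can be built from the access control lists that Azure DevOps exposes in its Security REST API. The script below is an added example, not code from the answer above. It assumes the `accesscontrollists/{namespaceId}` and `securitynamespaces/{namespaceId}` endpoints under `https://dev.azure.com/{org}/_apis/`, the Git repositories namespace id and the action bit values shown as constants (verify both against the live `securitynamespaces` response for your organization), and the response shape mirrored by the constructed `SAMPLE_ACLS` data. Deny wins over allow inside one ACE; ACEs inherited from project-level tokens are reported per token, not merged.

```python
"""Decode Azure DevOps Git repository ACLs into a who-can-check-in report (added example)."""
import base64
import json
import urllib.request
from typing import Dict, List

# Git Repositories security namespace id; assumption, confirm via the securitynamespaces endpoint.
GIT_NAMESPACE_ID = "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"
CHECKIN_BIT = 4  # GenericContribute: push / check in code
RISKY_BITS = {8: "ForcePush", 128: "PolicyExempt", 8192: "ManagePermissions"}

# Subset of the Git namespace action bits (constructed here; load the live list in production).
GIT_ACTIONS: Dict[int, str] = {
    2: "GenericRead",
    4: "GenericContribute",
    8: "ForcePush",
    16: "CreateBranch",
    128: "PolicyExempt",
    8192: "ManagePermissions",
    16384: "PullRequestContribute",
}

# Constructed sample mirroring an accesscontrollists response; descriptors are placeholders.
SAMPLE_ACLS = {
    "value": [
        {
            "token": "repoV2/PROJECT-GUID-PLACEHOLDER/REPO-GUID-PLACEHOLDER",
            "inheritPermissions": True,
            "acesDictionary": {
                "vssgp.PLACEHOLDER-Contributors": {"allow": 2 | 4 | 16, "deny": 0},
                "vssgp.PLACEHOLDER-Readers": {"allow": 2, "deny": 4},
                "aad.PLACEHOLDER-alice": {"allow": 2 | 4 | 8 | 128, "deny": 0},
            },
        }
    ]
}


def fetch_json(org: str, pat: str, path: str) -> dict:
    """GET an _apis path with PAT basic auth (network call; not used by the sample run)."""
    url = f"https://dev.azure.com/{org}/_apis/{path}"
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def actions_from_namespace(ns_response: dict) -> Dict[int, str]:
    """Build {bit: actionName} from a securitynamespaces response."""
    return {a["bit"]: a["name"] for a in ns_response["value"][0]["actions"]}


def decode_mask(mask: int, actions: Dict[int, str]) -> List[str]:
    """Names of every action bit set in mask, in ascending bit order."""
    return [name for bit, name in sorted(actions.items()) if mask & bit]


def effective_bits(ace: dict) -> int:
    """Within one ACE an explicit deny overrides an allow on the same bit."""
    return ace.get("allow", 0) & ~ace.get("deny", 0)


def checkin_report(acls: dict, actions: Dict[int, str]) -> List[dict]:
    """One row per (token, identity): effective actions, check-in flag, risky extras."""
    rows = []
    for acl in acls["value"]:
        for identity, ace in acl["acesDictionary"].items():
            eff = effective_bits(ace)
            rows.append({
                "token": acl["token"],
                "identity": identity,
                "allowed": decode_mask(eff, actions),
                "can_checkin": bool(eff & CHECKIN_BIT),
                "risk_flags": [n for b, n in RISKY_BITS.items() if eff & b],
            })
    return rows


if __name__ == "__main__":
    # Live run would be: acls = fetch_json(org, pat, f"accesscontrollists/{GIT_NAMESPACE_ID}?api-version=7.1")
    for row in checkin_report(SAMPLE_ACLS, GIT_ACTIONS):
        print(json.dumps(row))
```

For an auditor, the rows flagged `can_checkin` answer the original question; `risk_flags` surfaces bypass rights (force push, policy exemption, permission management) that deserve the same scrutiny, since they let an identity rewrite history or change branch policy rather than merely commit.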
Related
I'm trying to set up an Azure project page. An issue that I am running into is that the users I have do not have access to do a lot of the maintenance-related items on the Sprint Boards, and they also do not have the ability to add/edit in the Wiki pages. Some examples of things that users need on the sprint board are: adding new tags, and deleting work items. I've tried granting access levels to all users both individually and under their team, but that doesn't seem to work.
I've even gone as far as adding a user to the Project Admin group (which should give them full access) and they still cannot even add/edit a Wiki page or do any of the maintenance on the sprint board. I'm the owner of the project and have all of this access. What settings/permissions do I need to set to get this to work?
If users have the Contributors role in Azure DevOps projects, they can edit the wiki pages by default.
This Contributors group/role provides write and read access to the repositories, pipelines, work tracking, etc.
Check the restrictions on the users and groups by going to this path and modify them according to your requirements:
Refer to the Azure DevOps Wiki Permissions Official Doc and this AzureDevOps-Permissions&AccessLevelManagement for more information.
Context:
I have recently been given the role of Azure DevOps administrator in the small company I work in. I have no previous experience with this role, and I am currently reading through the extensive documentation on the topic.
What I've got:
An Azure organization with several users, groups, permissions, and projects, some of which are up to 6-7 years old. Responsibility for the organization has been passed along several times without any clear plan or consequence, and I am attempting to get an overview and clean up the structure.
What I want to do:
I want to grant all users in the entire organization permission to read, comment on, tag people, and create new work items in Boards (especially backlog and sprint) in all projects, including the ones they are not a team member or user of themselves. I have tried several permission group setups, but I can't get anything to work. Suggestions are welcome.
Sorry but I'm afraid we don't support this feature.
We can't do this if the user is not a member of the project (unless the user is a PCA, but it's not recommended to make users PCAs because it creates a lot of risk).
So you need to add all users to projects first to give them their permissions to boards. Here are the detailed steps.
Create a new group Group1 in Organization Settings -> Security/Permissions. Add all users in the organization to this group.
Go to Project Settings -> General/Permissions and create a new group Group2. Set the Group1 as members of Group2.
Go to Project Settings -> Boards/Project configuration -> Areas. Choose the ... context menu for the node you want to manage and select Security.
Search Group2 and set 'Edit work items in this node' to Allow. Note that some important permissions should be set to Deny.
This solution needs you to add groups and set permissions in projects one by one.
We have an issue. User is in the Contributors group of the VSTS project. Able to view dashboard and work items. Unable to view Repos. Need help. Any suggestions?
User needed an MSDN license to use Visual Studio in addition to being in the correct group of the VSTS project. Trial license was not good enough.
According to your description, I highly suspect those users only have the Stakeholder access level.
People with the Stakeholder access level cannot commit their work to a branch and are unable to view repos.
Assign Stakeholder access to those users who need to enter bugs, view backlogs, boards, charts, and dashboards, but who don't buy basic access. Stakeholders can also view releases and manage release approvals. Stakeholder access is free.
Source Link: About access levels
See Stakeholder access for details of features available to stakeholders.
The user should have either Basic access or a Visual Studio subscription, which includes the code feature.
Moreover, if they are still not able to see any other projects after being given that access: there is another concept called Permissions in Azure DevOps. Double check the permissions for the Contributors group.
Also make sure you have not added them to any other project team group except the Contributors group.
Once the Read permission is denied at the repos level, the user will not be able to see the repos.
Read: Can read the contents of a file or folder. If a user has Read permissions for a folder, the user can see the contents of the folder and the properties of the files in it, even if the user does not have permission to open the files.
I'm developing a document management solution based on the CRM SharePoint integration at the moment. It is really a nice way to take advantage of the SharePoint document capabilities inside CRM 2011.
BUT!:
I see a huge drawback with this approach, because the SharePoint security model differs from the CRM security model. This way, even if a user has no access to an account entity, for example, it is possible for him to go to the SharePoint site and look at the documents of this entity, because he has permissions on the list for his own account entities.
Why the heck is there no thread about this big security problem? Is there maybe a simple solution to get around this problem?
I hope someone is able to help me.
Best regards,
Gerrit
There exists a commercial out-of-the-box solution solving this problem from the Connecting Software company (http://connecting-software.com/index.php/en/solutions/products/cb-dynamics-crm-privileges-to-sharepoint-permissions-replicator).
Basically they deploy a tiny plugin into CRM that collects all the events that can possibly require a change of permissions. There is an extra service that processes these events and writes folder-level permissions into SharePoint accordingly.
Eugh. Sharepoint.
In my opinion there is no easy way around this and there are other problems with the way it integrates.
I was on a project where we discussed options around this very issue but was moved on before we came to a conclusion.
My suggestion was to use the Sharepoint Security APIs to assign permissions on SP based on roles/events in CRM. All users start with no permissions in SP.
e.g.
User is assigned as owner in CRM - use plugin to call SP API to give permissions to that specific folder. Previous owner has permissions removed.
Opportunity is created. Use SP security API to give permissions to owner of Opportunity to the folder associated with the opportunity.
And etc etc and so on.
It isn't too pretty and, depending on requirements, could become a particular pain to maintain and test, but I didn't see many other options.
But there are plenty of problems with SP integration. I think I was lucky that I was moved on to another project!
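The two answers above describe the same design: replicate CRM access into SharePoint folder permissions on CRM events, starting from no SharePoint permissions, so that the mismatch between the two security models (the original poster's complaint) cannot leak documents. The script below is an added example, not code from either answer or from the commercial product mentioned; it models both the event-driven sync (owner change, record creation, share/unshare, all hypothetical event names) and the audit check a defender would run afterwards to find folders whose SharePoint ACL has drifted from CRM. The CRM and SharePoint data are constructed in-memory stand-ins; real code would read them through the CRM SDK and the SharePoint security API.

```python
"""Keep SharePoint folder ACLs aligned with CRM record access and detect drift (added example)."""
from copy import deepcopy
from typing import Dict, List, Set

# Constructed: CRM record -> users who may read it (owner plus users it is shared with).
CRM_ACCESS: Dict[str, Set[str]] = {
    "account/ACME": {"alice", "bob"},
    "opportunity/OPP-1": {"bob"},
}

# Constructed: SharePoint folder -> users granted on that folder.
# carol and alice still hold SharePoint rights that CRM no longer grants.
SP_FOLDER_ACL: Dict[str, Set[str]] = {
    "account/ACME": {"alice", "bob", "carol"},
    "opportunity/OPP-1": {"bob", "alice"},
}


def find_drift(crm: Dict[str, Set[str]], sp: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Folders whose SharePoint ACL differs from CRM access: over-exposed or missing users."""
    report = {}
    for folder in sorted(set(crm) | set(sp)):
        crm_users = crm.get(folder, set())
        sp_users = sp.get(folder, set())
        over = sorted(sp_users - crm_users)      # can open documents CRM would hide from them
        missing = sorted(crm_users - sp_users)   # allowed in CRM but locked out of the folder
        if over or missing:
            report[folder] = {"over_exposed": over, "missing": missing}
    return report


def apply_event(sp: Dict[str, Set[str]], event: dict) -> Dict[str, Set[str]]:
    """Apply one CRM event to a copy of the SharePoint ACL map and return the new map.

    Event type names are hypothetical labels for the cases the answers list.
    """
    new = deepcopy(sp)
    folder, kind = event["record"], event["type"]
    if kind == "record_created":
        new[folder] = {event["owner"]}                               # new folder: owner only
    elif kind == "owner_changed":
        users = new.setdefault(folder, set())
        users.discard(event["old_owner"])                            # previous owner loses access
        users.add(event["new_owner"])
    elif kind == "shared":
        new.setdefault(folder, set()).add(event["user"])
    elif kind == "unshared":
        new.setdefault(folder, set()).discard(event["user"])
    else:
        raise ValueError(f"unknown event type: {kind}")
    return new


def replay(sp: Dict[str, Set[str]], events: List[dict]) -> Dict[str, Set[str]]:
    """Fold a sequence of CRM events into the SharePoint ACL map."""
    for event in events:
        sp = apply_event(sp, event)
    return sp


# Constructed event stream, in the order CRM would emit it.
SAMPLE_EVENTS = [
    {"type": "record_created", "record": "opportunity/OPP-2", "owner": "carol"},
    {"type": "owner_changed", "record": "opportunity/OPP-2", "old_owner": "carol", "new_owner": "bob"},
    {"type": "unshared", "record": "opportunity/OPP-1", "user": "alice"},
]

if __name__ == "__main__":
    print("drift before sync:", find_drift(CRM_ACCESS, SP_FOLDER_ACL))
    print("ACLs after events:", replay(SP_FOLDER_ACL, SAMPLE_EVENTS))
```

The drift check is the part worth scheduling: event-driven replication silently breaks whenever a plugin misses an event or a service outage drops one, and only a periodic comparison of CRM access against the actual SharePoint ACLs shows which folders are visible to people CRM would not let in.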
Here's the scenario:
I have a single site collection, with the publishing infrastructure feature activated. Several levels below this I have a publishing site with the publishing features turned on. I also have unique permissions for this site.
The problem is that no one except site collection administrators can "Create Page". I have given the individuals everything including full control, and they still cannot create pages. They can edit pages, but not create.
Am I doing something wrong? What is the proper way to set up the taxonomy of a site? I am trying to create a hierarchy to match my organization and mostly am using unique permissions on each site/subsite. This is working ok, until I needed a publishing site, but I don't want him to be a site collection admin. I would appreciate any help or ideas with how to make the publishing site work as I have it, or guide me on the proper way to lay out the site.
The fact that you are using Publishing features shouldn't have an effect on permissions. Publishing (for the most part) really has more of an effect on how edits are handled - i.e. immediately deployed or checked in and published at a later point. That's oversimplifying it - but back to your question.
Most likely - what is happening is that you have not given the user permission to the library where the template is that they need access to in order to create the page. I'm 99% sure that is what is happening here. Makes sense - they have the rights to the site - and permissions to edit the pages that exist - but creating a page requires them to access a new file - in a different library. If they don't have permissions to that template library - you get the access denied error.
When your user tries to create a page, they get an access denied error page correct? Copy the URL of that page, and examine it closely. It should reveal the location of the template folder they are trying to access but don't have permissions for. Read-only access to that template library should get your user the access they need.
One other recommendation - check out the access checker web part on CodePlex: http://accesschecker.codeplex.com/. This web part is loaded as a solution and allows you to display a hierarchical list of the sites that a specific user has permissions to. VERY helpful in confirming that you have given the permissions you thought you had.
Finally - in terms of permissions best practices - I think you are doing fine. You've gotten a little frustrated because you took a different path on a site (i.e. publishing) and it's behaving differently. But nothing is wrong. I've been there:) You really have two options w/ SP permissions - SP based groups (visitors, members, owners etc) or pulling in AD groups. Either way, you'll be making the same decision regarding unique or inherited permissions. You either use the same permissions as the parent site - or use unique permissions. HTH