User unable to access Repos - security

We have an issue. User is in the Contributors group of the VSTS project. Able to view dashboard and work items. Unable to view Repos. Need help. Any suggestions?

User needed an MSDN license to use Visual Studio in addition to being in the correct group of the VSTS project. Trial license was not good enough.

According to your description, highly doubt those users only have Stakeholder access level.
People with Stakeholder access level could not commit their work on branch and unable to view repos.
Assign Stakeholder access to those users who need to enter bugs,
view backlogs, boards, charts, and dashboards, but who don't buy basic access. Stakeholders can also view releases and manage release
approvals. Stakeholder access is free.
Source Link: About access levels
See Stakeholder access for details of features available to stakeholders.
The user should have either Basic access or Visual Studio subscription which include code feature.
Moreover, if it's still not able to see any other projects after giving them those access. There is another concept called Permissions in Azure DevOps. Double check the permission for Contributor group.
Also make sure you have not add them to any other project team group expect the contribute group.
Once deny the Read permission for repos level, user will not be able to see the repos.
Read
Can read the contents of a file or folder. If a user has Read
permissions for a folder, the user can see the contents of the folder
and the properties of the files in it, even if the user does not have
permission to open the files.

Related

Need help setting up permissions/security for users with Sprint Board and Wiki page access

I'm trying to setup an Azure project page. An issue that I am running into is that the users I have do not have access to do a lot of the maintanence related items on the Sprint Boards and they also do not have the ability to add/edit in the Wiki pages. Some examples of things that users need on the sprint board are: adding new tags, and deleting work items. I've tried granting access levels to all users both individually and under their team, but that doesn't seem to work.
I've even went as far as adding a user to the Project Admin group (which should give them full access) and they still cannot even add/edit a Wiki page or do any of the maintenance on the sprint board. I'm the owner of the project and have all of this access. What settings/permissions do I need to do to get this to work?
If users having the Contributors role in Azure DevOps Projects, then they can edit the wiki pages by default.
This Contributors group/role will provide write and read access to the repositories, pipelines, work tracking, etc.
Check the restrictions to the users and groups by going to this path and modify according to your requirement:
Refer to the Azure DevOps Wiki Permissions Official Doc and this AzureDevOps-Permissions&AccessLevelManagement for more information.

How do I add a delivery plan when I get thrown this error?

TF50309: The following account does not have sufficient permissions to
complete the operation: Hosted Stakeholder License Security Subject.
The following permissions are needed to perform this operation: Agile
plans..
I am both Project as well as release administrator
I have added the Project collection administrators group to the release administrators.
Yet I can't create a new delivery plan or view the already created one from another team member, because there's this error that prevents me to:
Failed to load data with following error: VS800075: The project with
id
'vstfs:///Classification/TeamProject/0ddc0e80-e58f-40f8-99f2-16c231bd2b45'
does not exist, or you do not have permission to access it.
Pls someone help me out here
In the documentation you can read that you need at least Basic Access Level. Stakeholder access level does not provide access to Delivery Plans. To change your Access Level you need to be member of the Project Collection Administrators group. To set it up:
Go to your Azure DevOps home (e.g. https://dev.azure.com/myorg)
Click Organization Settings in the lower left corner
Click Users in the menu at the left-hand side
Find your own user
Click the three vertical dots on the right-hand side and select Change Access Level
Choose Basic and click Save
You mention that you added the Project Collection Administrators group as a member to the Release Administrators group. First, the Project Collection Administrators group has permissions virtually everywhere, so there is no need. Second, the Release Administrators group has nothing to do with Delivery Plans, but rather with Pipelines. Read more here.

Microsoft Azure DevOps: Grant user in one project RW permission to Boards in another group?

Context:
I have recently been given the role as Azure Devops administrator in the small company I work in. I have no previous experience with this role, and I am currently reading through the extensive documentation on the topic.
What I've got:
An azure organization with several users, groups, permissions, and projects, some of which are up to 6-7 years old. Responsibility for the organization has been passed along several times without any clear plan or consequence, and I am attempting to get an overview and clean up the structure.
What I want to do:
I want to grant all users in the entire organization permission to read, comment on, tag people, and create new work items in Boards (especially backlog and sprint) in all projects, including the ones they are not a team member or user of themselves. I have tried several permission group setups, but I can't get anything to work. Suggestions are welcome.
Sorry but I'm afraid we don't support this feature.
We can't do this if the user is not a member of the project. (Unless he's a PCA, but it's not recommended to grant users as a PCA cause it'll make much risk).
So you need to add all users to projects first to give their permisions to boards. Here are detailed steps.
Create a new group Group1 in Organization Settings -> Security/Permissions. Add all users in the organization to this group.
Go to Project Settings -> General/Permissions and create a new group Group2. Set the Group1 as members of Group2.
Go to Project Settings -> Boards/Project configuration -> Areas. Choose the ... context menu for the node you want to manage and select Security.
Search Group2 and set 'Edit work items in this node' to Allow. Note that some important permissions should be set to Deny.
This solution needs you to add groups and set permissions in projects one by one.

How to grant users permission to create sprints and backlogs in AzureDevOps?

How do I grant user permission to create sprints and backlogs without giving project administrator access? This is the type of access that project managers or scrum masters would need. I want to make sure they are unable to make any code contribution, edit build/release pipeline, add/remove users, make changes to project etc.
Make them a contributor and change their access level to Stakeholder.

Restrict users permission in GitLab?

I've a requirement, where I need to add a few users from the UI. I'm working with "developer" access to the project in GitLab. Even if already a few users are added with different access while the project is created and only users added from the UI to perform developer role without making any changes in the project.
Is it possible and how to implement it?
"Overwriting" permissions is not possible and if you want to simulate this behavior you could create a new group and share this project with another group. Then you would need to deny access to individual group members. See this permission matrix.

Resources