Configure DevOps Boards to be read-only

948 Views Asked by At

I migrated my team's work items from our "old" org/project to our "new" org/project. I want to configure read-only access to Boards in the "old" project for all team members. The team is still actively using Repos, Pipelines, and Test Plans in the "old" project. Team members must retain full read-write access to Repos, Pipelines, and Test Plans.

How do I configure these permissions?

3

There are 3 best solutions below

0
On

To remove write access to work items and tests, you can update the permission of the root area path. You can set "Edit work items in this node" and "Manage Test Plans/Suites" to Deny for the Contributors group:

  1. Create child nodes, modify work items under an area path
  2. Manage test plans and test suites under an area path

To disable using current builds, you can set "Queue Build" permission to Deny of the Contributors group in the Build permissions: Confirm that contributors have pipeline permissions

To disable write access in git repositories, you can set "Contribute" or "Read" permission to Deny of the Contributors group in each repository: Locking down the Repositories.

0
On

As Leo Liu-MSFT stated "I am afraid there is no such way to configure read-only access to Boards, but keep full read-write access to Repos, Pipelines, and Test Plans". Supporting my requested security configuration would be a nice feature to have in DevOps Services. It would like to have fine-grained security control over each DevOps feature.

Good news! I found a way to hack permissions to achieve my goals. Here is the procedure I used:

Configure Contributor access to Repos

  • Update the Reader role permissions in the root Repos configuration. Give Reader role the same permissions as the Contributor role.

Configure Contributor access to Pipelines

  • Update the Reader role permissions in the root Pipelines configuration. Give Reader role the same permissions as the Contributor role.

Configure Contributor access to Test Plans

  • For each defined Team:

    Change all Test Plans permissions to Allow
    

Configure Read-only access to Boards

  • Remove all individual Users from each defined Role.

  • Add my user directly to Project Administrator Role.

  • For each defined Team:

    Assign the Team as a member of the Reader Role

    Remove the Team from the Contributor Role

0
On

I want to configure read-only access to Boards in the "old" project for all team members. Team members must retain full read-write access to Repos, Pipelines, and Test Plans.

I am afraid there is no such way to configure read-only access to Boards, but keep full read-write access to Repos, Pipelines, and Test Plans.

As the document Quick guide to default permissions and access for Azure Boards state:

As a member of an Azure Boards project, you can use the majority of features to track work. Limitations to select features are based on the access level and security group to which a user is assigned. The Basic access level and higher supports full access to all Azure Boards features. Stakeholder access level provides partial support to select features, allowing users to view and modify work items, but not use all features.

In order to keep the full read-write access to Repos, Pipelines, and Test Plans, we need to give team members an access level above Basic access, then we set all Permissions as Deny in the Organization settings and Project Settings about the Boards:

enter image description here

enter image description here

But that user can still modify board.

So, I am afraid there is no such way to configure read-only access to Boards, but keep full read-write access to Repos, Pipelines, and Test Plans.