I migrated my team's work items from our "old" org/project to our "new" org/project. I want to configure read-only access to Boards in the "old" project for all team members. The team is still actively using Repos, Pipelines, and Test Plans in the "old" project. Team members must retain full read-write access to Repos, Pipelines, and Test Plans.
How do I configure these permissions?
On
As Leo Liu-MSFT stated "I am afraid there is no such way to configure read-only access to Boards, but keep full read-write access to Repos, Pipelines, and Test Plans". Supporting my requested security configuration would be a nice feature to have in DevOps Services. It would like to have fine-grained security control over each DevOps feature.
Good news! I found a way to hack permissions to achieve my goals. Here is the procedure I used:
Configure Contributor access to Repos
Configure Contributor access to Pipelines
Configure Contributor access to Test Plans
For each defined Team:
Change all Test Plans permissions to Allow
Configure Read-only access to Boards
Remove all individual Users from each defined Role.
Add my user directly to Project Administrator Role.
For each defined Team:
Assign the Team as a member of the Reader Role
Remove the Team from the Contributor Role
On
I want to configure read-only access to Boards in the "old" project for all team members. Team members must retain full read-write access to Repos, Pipelines, and Test Plans.
I am afraid there is no such way to configure read-only access to Boards, but keep full read-write access to Repos, Pipelines, and Test Plans.
As the document Quick guide to default permissions and access for Azure Boards state:
As a member of an Azure Boards project, you can use the majority of features to track work. Limitations to select features are based on the access level and security group to which a user is assigned. The Basic access level and higher supports full access to all Azure Boards features. Stakeholder access level provides partial support to select features, allowing users to view and modify work items, but not use all features.
In order to keep the full read-write access to Repos, Pipelines, and Test Plans, we need to give team members an access level above Basic access, then we set all Permissions as Deny in the Organization settings and Project Settings about the Boards:
But that user can still modify board.
So, I am afraid there is no such way to configure read-only access to Boards, but keep full read-write access to Repos, Pipelines, and Test Plans.
To remove write access to work items and tests, you can update the permission of the root area path. You can set "Edit work items in this node" and "Manage Test Plans/Suites" to Deny for the Contributors group:
To disable using current builds, you can set "Queue Build" permission to Deny of the Contributors group in the Build permissions: Confirm that contributors have pipeline permissions
To disable write access in git repositories, you can set "Contribute" or "Read" permission to Deny of the Contributors group in each repository: Locking down the Repositories.