Set permissions and access for work tracking

Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018 - TFS 2013

You grant or restrict access to various work tracking features by granting users or groups specific permissions for an object, project, or collection. Alternatively, when you assign a user as a team administrator, that user has permissions to manage all assets for the specific team. Add users to the Contributors group to provide access to most features as listed in Permissions and access for work tracking.

Note

For public projects, Stakeholder access gives users greater access to work tracking features and full access to Azure Pipelines. To learn more, see About access levels, Stakeholder access.

Role or permission level Functional areas set
Team administrator role To add a user to the team administrator role, see Add a team administrator.
Object-level permissions
Project-level permissions
Project collection-level permissions
  • Create, delete, or edit a process (Inheritance process model)
  • Delete field from account (Inheritance process model)
  • Manage process permissions (Inheritance process model)
  • Edit collection level permissions

Project collection-level permissions include all permissions you can set at the project-level.

Create child nodes, modify work items under an area path

Area path permissions let you grant or restrict access to edit or modify work items, test cases, or test plans assigned to those areas. You can restrict access to users or groups. You can also set permissions for who can add or modify areas or iterations for the project.

You define both areas and iterations for a project from Project Settings > Work > Project configuration.

  1. Choose (1) Project Settings, expand Work if needed, and choose (2) Project configuration and then (3) Areas.

    Project Settings>Work>Project Configuration

  2. Choose the ... context menu for the node you want to manage and select Security.

    Open the security dialog

  3. Select the group or team member, and then change the permission settings. If you don't see the group you want, try adding it first.

    For example, here we've added the Disallow Access Group, and denied members of this group the ability to view, modify, or edit work items in the Customer Service area path.

    Permissions for an area node

    You can specify two explicit authorization states for permissions: Deny and Allow. In addition, permissions can exist in one of three additional states. To learn more, see About permissions and inheritance.

  1. From the web portal for the project, choose the gear icon.

    Web portal, Open Admin context, project level

    If you're currently working from a team context, then hover over the gear icon and choose Project settings.

    Open Project Settings, horz nav

  2. Choose Work and then Areas.

  3. Choose the ... context menu for the node you want to manage and select Security.


  1. From the web portal, choose the gear icon to open project administration pages. Then choose Areas.

    Open the project administration page

  2. Choose the context menu for the node you want to manage.


  3. Select the group or team member, and then change the permission settings. If you don't see the group you want, try adding it first.

    For example, here we've added the Disallow Access Group, and denied members of this group the ability to view, modify, or edit work items in the Customer Service area path.

    Permissions for an area node

    You can specify two explicit authorization states for permissions: Deny and Allow. In addition, permissions can exist in one of three additional states. To learn more, see About permissions and inheritance.

Set permissions on queries or query folders

You can specify who can add or edit query folders or queries at the object-level. To manage permissions for a query or query folder, you must be the creator of the query or folder, a member of the Project Administrators or Project Collection Administrators group, or granted explicit access through the object's Security dialog.

Query folder Permissions dialog

Permissions dialog for a query folder

For details, see Set permissions on a shared query or query folder. To learn more about queries, see Create managed queries to list, update, or chart work items.

Edit or manage permissions for Delivery Plans

Delivery Plans are an object within a project. You manage plan permissions for each plan similar to the way you manage permissions for shared queries or query folders. The creator of a Delivery Plan as well as all members of the Project Collection Administrators and Project Administrators groups have permissions to edit, manage, and delete plans.

Delivery Plan Permissions dialog

Permissions dialog for a delivery plan

To learn more, see Edit or manage Delivery Plan permissions. To learn more about Delivery Plans, see Review team plans.

Move or permanently delete work items

By default, Project Administrators and Contributors can change the work item type and delete work items by moving them to the Recycle Bin. Only Project Administrators can permanently delete work items and test artifacts. Project admins can grant permissions to other team members as needed.

For example, as a project admin you can grant these permissions to a user, team group, or other group you've created. Open the Security page for the project and choose the user or group you want to grant permissions to. (To learn how to access project-level Security, see Set permissions at the project-level or project collection-level.)

Note

The Move work items out of this project permission requires that the project use the Inherited process model.

In this example, we grant members assigned to the team administrator role, who belong to the Team Admin groups, permissions to move work items to another project and to permanently delete work items.

Set project-level permissions for a custom group, Team Admin

Manage test artifacts

In addition to the project-level permissions set in the previous section, team members need permissions to manage test artifacts, which are set for an area path.

Open the Security page for area paths and choose the user or group you want to grant permissions to.

Open Area path permissions for the project

Set the permissions for Manage test plans and Manage test suites to Allow.

Set Area path permissions for the project

To have full access to the Test feature set, your access level must be set to Basic + Test Plans. Users with Basic access and with permissions to permanently delete work items and manage test artifacts can only delete orphaned test cases.
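
The following is an added example, not part of the original documentation or Microsoft's code: a short Python audit that decodes the allow and deny bitmasks on an area node and lists every explicit Deny plus every explicit Allow on Manage test plans or Manage test suites, covering both the area path settings and the test artifact settings described above. The ACL document, token, identities and bit values are constructed assumptions; confirm the bit values against your own organization before relying on the output.

```python
# Assumed bit values for area path (classification node) permissions;
# confirm them against the action list your organization returns.
AREA_BITS = {
    "Create child nodes": 4,
    "View work items in this node": 16,
    "Edit work items in this node": 32,
    "Manage test plans": 64,
    "Manage test suites": 128,
}

# Constructed sample shaped like an access control list export.
# The token and descriptors are placeholders, not real identities.
SAMPLE_ACL = {"value": [{
    "token": "AREA-NODE-TOKEN/Customer Service",
    "inheritPermissions": True,
    "acesDictionary": {
        "GROUP:Disallow Access Group": {"allow": 0, "deny": 48},
        "GROUP:Team Admin": {"allow": 244, "deny": 0},
    },
}]}


def decode_ace(ace):
    """Map each permission name to 'Deny', 'Allow' or 'Not set' for one ACE."""
    states = {}
    for name, bit in AREA_BITS.items():
        if ace.get("deny", 0) & bit:       # an explicit Deny is reported first
            states[name] = "Deny"
        elif ace.get("allow", 0) & bit:
            states[name] = "Allow"
        else:
            states[name] = "Not set"       # may still be inherited from a parent
    return states


def audit(acl_doc, sensitive=("Manage test plans", "Manage test suites")):
    """List explicit Denies and explicit Allows on sensitive permissions."""
    findings = []
    for acl in acl_doc.get("value", []):
        for identity, ace in sorted(acl.get("acesDictionary", {}).items()):
            for name, state in decode_ace(ace).items():
                if state == "Deny" or (state == "Allow" and name in sensitive):
                    findings.append((acl["token"], identity, name, state))
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_ACL):
        print(" | ".join(row))
```
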

Customize an inherited process

By default, only Project Collection Administrators can create and edit processes. However, these admins can grant permissions to other team members by explicitly setting the Create process, Delete process, or Edit process permissions at the collection level for a specific user.

To customize a process, you need to grant Edit process permissions to a user account for the specific process.

  1. Open the … context menu for the inherited process and choose Security. To open this page, see Customize a project using an inherited process.

    Process, Open security dialog

  2. Add the account name of the person you want to grant permissions to, set the permissions you want them to have to Allow, and then choose Save changes.

    Here we add Christie Church and allow her to edit the process.

    Permissions for a process dialog

Note

Each process is a securable unit and has individual access control lists (ACLs) that govern creating, editing, and deleting inherited processes. At the collection level, project collection administrators can choose which processes can be inherited from and by whom. When you create a new inherited process, the process creator as well as project collection administrators have full control of the process and can also set individual ACLs for other users and groups to edit and delete the process.

Set permissions on work item tags

By default, all users of the Contributors group can create and add tags to work items.

Additional options for restricting access to work items

See Restrict access, Restrict modification of work items based on a user or group for additional options for customizing work item types to support restrictions.