Set permissions to access Analytics and Analytics views
Azure DevOps Services | Azure DevOps Server 2019
To use Power BI for Azure DevOps or to exercise an OData query for Analytics, you must be granted the View analytics permission. By default, the View analytics permission is set for all project valid users.
To edit an Analytics view or connect to an Analytics view in Power BI, you must have permissions for that view.
If you are just adding an Analytics widget to a dashboard or viewing an Analytics widget added to a dashboard, then no special permissions are required.
You grant or restrict permissions to a user by setting one or more permissions for Analytics to Allow or Deny through the project Security page. By default, all members of the Contributors group are granted access to edit and delete shared Analytics views, and view Analytics data.
Open Project Settings>Security. For details, see Set permissions at the project-level or project collection-level.
Choose the person or group that you want to modify permissions for and then change their permission assignment.
For example, here we set the permissions for Chuck Reinhart, denying him permission to delete or modify shared Analytics views, but allowing him to access Analytics data.
To learn more about working with permissions, see Security & identity.
Analytics does not support security at the area path level. Therefore, if a user has access to a project and can report on that project but they don't have access to work items in specific areas of that project, they can view data through Analytics. Therefore, to protect your data, the best practice is to not allow reporting against Analytics for any user who does not have access to all data within a project.
Manage permissions for a shared view
All members of the Contributors group for your project can use Shared views in Power BI. For shared views that you create, you can manage the permissions of users and groups to create, delete, or view a specific shared view.
To change the permissions for a shared view, open Analytics views, and choose All. For details, see Create an Analytics view.
Choose the actions icon and then select Security.
Change the permissions so that the team member or group can't edit or delete the view.
Add a user or group who you want to grant permissions to or restrict access.
For more information on managing permissions, see Add users to a project or specific team.
Access denied response
Analytics is designed to provide accurate data, not data trimmed by your security settings.
For example, take the following scenario:
- Project A has 200 work items
- Project B has 100 work items
If a user with access to both projects issues a query that says "give me the sum of all work items in Project A and Project B" the result will be 300 which is as expected. Now, say that another user who only has access to Project B makes the same query, you might expect the query to return 100. However, Analytics will not return a result at all in the latter case. Instead, it will return a "Project access denied" error. It does this because it could not return the entire dataset, so it returns nothing at all.
This behavior is different from that provided by the current Work Item Query editor, which would return all the work items in Project B but nothing from Project A without informing you that there is missing data.
Because of this scenario, the recommended approach for querying Analytics is to always provide a project level filter instead of using a global query. For information on providing a project level filter, see WIT analytics.