Set permissions to access the Analytics Service and Analytics views
To use Power BI for VSTS or to exercise an OData query for the Analytics Service, you must be granted the View analytics permission. By default, the View analytics permission is set for all project valid users.
To edit an Analytics view or connect to an Analytics view in Power BI, you must have permissions for that view.
If you are just adding an Analytics widget to a dashboard or viewing an Analytics widget added to a dashboard, then no special permissions are required.
Set permissions to access the Analytics Service
The Analytics Service implements a subset of the security found in the VSTS operational store. The security container in the Analytics Service is at the team project level.
You grant permissions to a user by setting the View analytics permission to Allow through the team project admin Security page.
Open the admin context from the user/team project context, click the gear settings icon, and click the Security tab.
Choose the group that you want to modify permissions for and then set the View analytics permission.
To learn more about working with permissions, see Security & Identity.
The Analytics Service does not support security at the area path level. Therefore, if a user has access to a team project and can report on that project but they don't have access to work items in specific areas of that project, they can view data through the Analytics Service. Therefore, to protect your data, the best practice is to not allow reporting against the Analytics Service for any user who does not have access to all data within a team project.
Manage permissions for a shared view
All members of the Contributors group for your team project can use Shared views in Power BI. For shared views that you create, you can manage the permissions of users and groups to create, delete, or view a specific shared view.
To change the permissions for a shared view, click the actions icon and choose the Security option.
Change the permissions so that the team member or group can't edit or delete the view.
Add a user or group who you want to grant permissions to or restrict access.
For more information on managing permissions, see Add users to a team project or specific team.
Access denied response
The Analytics Service is designed to provide accurate data, not data trimmed by your security settings.
For example, take the following scenario:
- Project A has 200 work items
- Project B has 100 work items
If a user with access to both projects issues a query that says "give me the sum of all work items in Project A and Project B" the result will be 300 which is as expected. Now, say that another user who only has access to Project B makes the same query, you might expect the query to return 100. However, the Analytics Service will not return a result at all in the latter case. Instead, it will return a "Project access denied" error. It does this because it could not return the entire dataset, so it returns nothing at all.
This behavior is different from that provided by the current Work Item Query editor, which would return all the work items in Project B but nothing from Project A without informing you that there is missing data.
Because of this scenario, the recommended approach for querying the Analytics Service is to always provide a project level filter instead of using a global query. For information on providing a project level filter, see WIT analytics.