In Azure Devops, how to let some contributors create sprints without them being Project Adminstrator?

Asked 22/11, 2019 at 17:38 Answered 3/11, 2022 at 17:28

I understand we can let people create 'sprints' in 'area-path' by adding them in 'Project Administrator' group.

Tasks of sprint creation is usually handled by Product-Owner/Business-Analyst in our organization but project administrator has lot of other privileges that is not needed by them. For example: deleting repositories, product-owner doesn't care about them, a lot of them barely worked with git and seldom go to that area.

Now if follow established security practices, 'Principal of least privilege' , adding Product-owner to 'Project-Adminstrator' group is wrong. So how may I achieve the requirement of creation of sprints by them?

They are in the roles of contributors in my org, I have gone into 'Area-Path' security, and set 'Create Child Nodes' as 'allow' , yet they are not able to create sprints.

Dispel answered 22/11, 2019 at 17:38 Comment(1)

Is below reply helpful to you, Please let me know how did it go? – Engedus 28/11, 2019 at 8:12

Here is the same answer as Saurov, but with pictures to clarify how to grant the "Create Child Nodes" permission on specific iteration nodes to specific users.

Go to the Azure DevOps Project Settings (the gear icon in the lower left)
Click "Project configuration" Click the three dots "..." next to the iteration node you want to grant permissions to
Click the "Security" menu option
That's it!

Storyteller answered 3/11, 2022 at 17:28 Comment(2)

Wow, that sure was hidden! Thanks for the imagery, definitely helped. :) – Cornemuse 17/4, 2023 at 9:25

I have created a group for my "Agile Admins", however this setting still doesn't work. I have to resort to giving them project administrator. Which is really frustrating. Is there anywhere else I have to change something? Have done it for areas, iterations for the root nodes. – Towle 26/8 at 12:55

As the official documentation describes, you must be a member of the Project Administrators group to add an Area Path under the root node or edit or delete any child node.

If you want to restrict a user's permission who is in Administrators group. You need to specifically modify his permission to the particular azure project resource.

For example if you want restrict the this user's permission to delete a repository, you need to specifically deny this user's permission to delete a repository at Repositories under Repos in project settings page. This permission to this resource will override his project administrator's permission.

As below screenshot shows, you need to add the user who is already a project administrator member to the Security for all Git repositories, and deny his permission accordingly.

Engedus answered 24/11, 2019 at 9:46 Comment(1)

I do believe this is not a good approach. By this, you would have to go through all possible unwanted permissions and restrict them. Have fun finding all of the places. Instead, you can create a new group of people and assign this group in the 'Project configuration -> Areas -> three dots -> security' to specific rights you need – Ludvig 1/12, 2022 at 8:39

-1

One option is go to 'Iterations' security, and set 'Create Child Nodes' & 'View Permission' as 'allow'. Then make the user/s 'admin' in the Team. This way User can create Sprints and move items from backlog and other permissions remain as Contributor.

Platon answered 14/6, 2022 at 2:43 Comment(1)

As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. – Contrarious 16/6, 2022 at 19:18

Recommended topics

Hot tags