
No Security Permissions for Retro Boards #5


Closed
chrisbatchler opened this issue Apr 14, 2020 · 3 comments · Fixed by #650
Labels
enhancement New feature or request TYPE-Spike

Comments

@chrisbatchler

All Project users/teams can view the Retrospectives.

Our team's retros are a safe place to raise issues encountered during sprints and it is not desirable that this feedback could be viewed by other users outside of the Scrum team.

@mpth
Contributor

mpth commented Apr 14, 2020

Unfortunately this is technically impossible while the Azure DevOps internal extension data storage is used.

All users in the project collection always have full read and write access.

https://docs.microsoft.com/en-us/azure/devops/extend/develop/data-storage?view=azure-devops#how-you-can-scope-data

@vvyas2

vvyas2 commented May 27, 2021

I concur; if there is a way to add security to retrospectives (ignoring the collection admin), it might be helpful, e.g. how individual repos/pipelines can be denied permissions.

@dieselart

dieselart commented Nov 29, 2021

> Unfortunately this is technically impossible while the Azure DevOps internal extension data storage is used.
>
> All users in the project collection always have full read and write access.
>
> https://docs.microsoft.com/en-us/azure/devops/extend/develop/data-storage?view=azure-devops#how-you-can-scope-data

The main task in this case is to limit the visibility of the "Retrospectives" section to certain groups of users or specified teams.

In our project, the Customer (Stakeholder) is connected to ADO and can see everything, including the retrospective boards, which is highly undesirable, since commercial information can also be discussed in the retrospective.

I guess half of the teams have a similar problem.

There is no direct solution based on showing / hiding the "Retrospectives" section due to the way the extensions are implemented. However, there is a workaround that will allow you to customize access (but not visibility) to a section for specific teams.

To implement it, you need to:

  1. Add an administration hub for this extension.
  2. On the hub page, implement the ability to configure the visibility of the content of the section page in the context of "team <-> project" (many-to-many).
  3. Add a retrospectives section accessibility check for a specific team on a specific project in the Retrospectives hub.
  4. If access is denied, display a stub with some information for the user. Or just display a blank page.
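
A sketch of the check in steps 2 to 4 above, added here as an example; it is not code from the Retrospectives extension or from any commenter, and every type, function and ID in it is hypothetical. It assumes the administration hub saves a "projectId -> teamIds" document, and because of the data-storage limitation quoted in this thread it only controls what the hub renders, not who can read the stored data.

```typescript
// Added example: every name here is hypothetical, not the extension's real code.
// Policy document the admin hub (steps 1-2) would save: projectId -> teamIds.
type Policy = Record<string, string[]>;
type Decision = { allowed: boolean; reason: string };

const norm = (id: string): string => id.trim().toLowerCase();

// Validate the stored document. The thread notes that every collection user can
// write extension data, so a malformed document must deny rather than allow.
function parsePolicy(raw: unknown): Policy | null {
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return null;
  const src = raw as Record<string, unknown>;
  const out: Policy = Object.create(null); // no inherited keys such as "constructor"
  for (const projectId of Object.keys(src)) {
    const teams = src[projectId];
    if (!Array.isArray(teams)) return null;
    const ids: string[] = [];
    for (const t of teams) {
      if (typeof t !== "string") return null;
      ids.push(norm(t));
    }
    out[norm(projectId)] = ids;
  }
  return out;
}

// Step 3: allow only if one of the user's teams is mapped to this project.
// An unreadable policy, an unmapped project or an empty team list fails closed.
function checkAccess(policy: Policy | null, projectId: string, userTeamIds: string[]): Decision {
  if (policy === null) return { allowed: false, reason: "policy missing or invalid" };
  const allowedTeams = policy[norm(projectId)];
  if (!allowedTeams) return { allowed: false, reason: "project has no team mapping" };
  const hit = userTeamIds.some((t) => allowedTeams.indexOf(norm(t)) >= 0);
  return hit
    ? { allowed: true, reason: "team is mapped to project" }
    : { allowed: false, reason: "none of the user's teams is mapped" };
}

// Step 4: show a stub instead of the boards when access is denied.
function renderHub(decision: Decision, boards: string): string {
  return decision.allowed ? boards : "You do not have access to this team's retrospectives.";
}

// Constructed sample document (IDs are made up).
const SAMPLE = { "Proj-A": ["team-scrum-1"], "proj-b": ["team-scrum-1", "TEAM-OPS"] };
```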

@mindlessroman mindlessroman added the enhancement New feature or request label Sep 21, 2022
@JStuve JStuve mentioned this issue Feb 2, 2024
12 tasks