Azure Boards and External Vendors

Dave Lloyd
ObjectSharp (a Centrilogic Company)
Feb 15, 2023

Let's take a look at how we can set up Azure Boards securely for External Vendors.

If you have External Vendors and you are happy with them being able to see all your Features and Stories there is nothing to learn here, thank you for stopping by.

However, if some of your work items are more sensitive and you would rather external resources did not see them, read on.

You can of course create a separate Team Project for the external Vendors and place the stories you want them to work on there. This is an easy way to give them access to only the stories in that team project by leaving them out of any other team projects.

However, that is not always the best solution from a reporting perspective. Perhaps you want some stories visible to the external vendors but not all. Or you want to report on the stories assigned to your external vendors alongside stories assigned to your team. So let's assume we want the external folks to log into the same Team Project as your employees, but we want to hide stories from their view.

There are several ways you can organize the external folks. You can add them to their own team or just a group. What we actually need to accomplish this is an Area Path just for them. This Area Path can be added to any backlog, either an external team's backlog or an existing team's backlog. For the purpose of this discussion, let's add them to a group and assume the people in that group will work on teams with our employees.

The trick is to use Area Path security to make sure your external vendors can only see the work items you want them to see. The short version of this story is: Deny access to all Area Paths then allow access to just the Area Path you want them to see.

The Steps to accomplish this:

  • Create a Group for the vendor and add all the external resources to it.
  • In your Team Project navigate to Project Settings -> Boards -> Project configuration -> Areas.
    [Screenshot: Project Configuration — Areas]
  • Select the root node under Areas that’s named after the Team Project. In my example above, it’s Parts Unlimited.
  • From the ellipsis menu select Security.
  • On the permissions dialog that opens, add the team or group you created that contains the external vendors. Then change all the permissions for this group to Deny. You have now effectively taken away the ability for people in this group to see any work items in Azure DevOps.
    [Screenshot: Permissions for “Parts Unlimited” Area Path]
  • Area Path security uses an inheritance model. At the moment the External Vendor group has access to none of the Area Paths under Parts Unlimited unless we give them explicit permissions, which is what we'll do now.
  • Close the “Permissions for Parts Unlimited” dialog and expand the list of Area Paths. Select the Area Path you want the External Vendor Group to see, and select Security for that Area Path.
  • Now on the “Permissions for External Vendor” dialog, select the External Vendor group and Allow access on work items in this node, as in the screenshot below.
    [Screenshot: Permissions for “External Vendor” Area Path]
  • If you want your external vendors to work on the same backlog as one of your teams, make sure you add their Area Path to the Team Configuration so their work items show up in the backlog.
    [Screenshot: London Team’s Area Configuration]
  • Now just add the External Vendor's Area Path to the work items you want them to see/work on.
    [Screenshot: Set Area Path on Work Items]
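
The inheritance behaviour these steps rely on, as a small Python model added here for illustration (it is not from the original post and does not call Azure DevOps). The work item IDs, the vendors' membership in Contributors, and the London and Integration Area Paths are constructed assumptions, and the rule that a Deny from any of a user's groups beats an Allow is modelled in simplified form.

```python
# Simplified model of Area Path permission inheritance. All data is constructed.
DENY, ALLOW = "deny", "allow"
SEP = "\\"
ROOT = "Parts Unlimited"
VENDOR_PATH = ROOT + SEP + "External Vendor"

# Explicit settings only, per Area Path and group, for viewing work items.
ACES = {  # the configuration from the steps above
    ROOT: {"Contributors": ALLOW, "External Vendor": DENY},
    VENDOR_PATH: {"External Vendor": ALLOW},
}
WEAK_ACES = {  # same, but the root-level Deny was skipped
    ROOT: {"Contributors": ALLOW},
    VENDOR_PATH: {"External Vendor": ALLOW},
}

def group_effective(group, area_path, aces=ACES):
    """Walk from the node up to the root; the nearest explicit setting wins."""
    parts = area_path.split(SEP)
    while parts:
        setting = aces.get(SEP.join(parts), {}).get(group)
        if setting is not None:
            return setting
        parts.pop()
    return None  # never set for this group: it grants nothing

def can_view(groups, area_path, aces=ACES):
    """Combine a user's groups: any effective Deny beats any Allow."""
    effective = {group_effective(g, area_path, aces) for g in groups}
    return DENY not in effective and ALLOW in effective

def visible_items(groups, work_items, aces=ACES):
    """IDs of the work items a user in these groups can see."""
    return [w["id"] for w in work_items if can_view(groups, w["area"], aces)]

WORK_ITEMS = [  # constructed sample backlog
    {"id": 101, "area": ROOT + SEP + "London"},
    {"id": 102, "area": VENDOR_PATH},
    {"id": 103, "area": VENDOR_PATH + SEP + "Integration"},  # child inherits Allow
    {"id": 104, "area": ROOT},
]

if __name__ == "__main__":
    employee = ["Contributors"]
    vendor = ["Contributors", "External Vendor"]
    print("employee:", visible_items(employee, WORK_ITEMS))
    print("vendor:", visible_items(vendor, WORK_ITEMS))
    print("vendor, no root Deny:", visible_items(vendor, WORK_ITEMS, WEAK_ACES))
```

The last line of output shows why the Deny on the root node matters: without it, a vendor who is also in a group with inherited Allow sees every work item.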

The Result

As an employee on the “London” Team this is the backlog I see. Notice the two stories assigned to the External Vendors.

[Screenshot: London Team’s Backlog, Team View]

When I sign in as one of our External Vendors this is the backlog I see.

[Screenshot: London Team’s Backlog, External Vendor’s View]


I have been writing software and teaching/coaching developers for 40 years. I love sharing knowledge and experience.