
Configure Access Matrix for Replication User

The example below describes the access rights a user (or AD group) needs in order to use OpsHub to replicate work items between collections/organizations.

I have used the ABB AD group "PCP_Work_Replica_U_Access_group" and assigned the needed access to that group in the example below. The service account user has been added as a member of that group.

If new organizations or collections need to be added, I suggest that the above AD group is given the needed access and not a user directly.

For replication projects, "write" access (the one described below) is only configured (and only needed) on a replica project that gets new work items created or edited. "Read" access is enough when work items are only fetched.

This means that if OpsHub only reads work items from a project, only Read access is needed.

The settings below are only needed when OpsHub needs to update or create work items in the project.

For the new service user/AD groups, the following five (5) permissions are required for OpsHub replication to migrate and integrate work items:

When a configuration step is located under "Project settings --> ...", that step needs to be done for all projects that will be replicated.

Configuration for Azure DevOps Services

1. The user/group needs to be added to all projects that are currently being migrated or integrated

Done in: Organization settings --> Users --> Group rules

[Image: b1]



2. Bypass rules on work item updates (required for user impersonation)

Done in: Project settings --> Security

[Image: b2]



3. Create and edit work items

This is covered by steps 1 and 4, as they give partial Contributor rights.



4. Area and Iteration (this allows checking and creating area paths and iteration paths)

  • Create child nodes

  • Edit nodes

Done in: Project settings --> Project configuration --> Iterations --> Security

[Images: b3, b4]

and in: Project settings --> Project configuration --> Areas --> Security

[Images: b5, b6]

If you break permission inheritance, you need to take that into account and give explicit access rights for those areas/iterations.



5. "Create tag definition" is also needed.

[Image: b7]
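An added example (not part of the original page or of OpsHub's tooling): a small Python audit that checks a permission snapshot against the five permissions above, covering nodes with broken inheritance, read-only projects that should hold no write rights, and rights granted to the service account instead of the group. The snapshot layout, the `target`/`source` role names and the `svc-opshub` account name are assumptions, and inheritance is simplified to allow-only grants.

```python
GROUP = "PCP_Work_Replica_U_Access_group"  # AD group named on the page
PROJECT_PERMS = {"Bypass rules on work item updates", "Create tag definition"}
NODE_PERMS = {"Create child nodes", "Edit nodes"}  # area and iteration nodes

def effective(nodes, path, identity):
    """Explicit grants on a node plus grants inherited from its ancestors."""
    node = nodes[path]
    perms = set(node["grants"].get(identity, ()))
    parent = path.rpartition("/")[0]
    if node["inherits"] and parent in nodes:
        perms |= effective(nodes, parent, identity)
    return perms

def audit(projects, service_account, group=GROUP):
    """Return (project, finding) tuples for deviations from the access matrix."""
    findings = []
    for name, p in sorted(projects.items()):
        nodes, held = p["nodes"], set(p["grants"].get(group, ()))
        if group not in p["members"]:
            findings.append((name, "group is not a member of the project"))
        if p["role"] == "target":  # OpsHub creates/edits work items here
            for perm in sorted(PROJECT_PERMS - held):
                findings.append((name, f"missing: {perm}"))
            for path in sorted(nodes):  # catches nodes with broken inheritance
                for perm in sorted(NODE_PERMS - effective(nodes, path, group)):
                    findings.append((name, f"missing on {path}: {perm}"))
        else:  # read-only source: any write permission is excess
            excess = held & PROJECT_PERMS
            for path in nodes:
                excess |= effective(nodes, path, group) & NODE_PERMS
            for perm in sorted(excess):
                findings.append((name, f"excess on read-only project: {perm}"))
        scopes = [p, *nodes.values()]  # project-level and node-level grants
        if any(s["grants"].get(service_account) for s in scopes):
            findings.append((name, "service account has direct grants"))
    return findings

# Constructed snapshot; layout, role names and svc-opshub are assumptions.
SAMPLE = {
    "Replica": {"role": "target", "members": {GROUP},
                "grants": {GROUP: {"Bypass rules on work item updates"}},
                "nodes": {"Area": {"inherits": True, "grants": {GROUP: NODE_PERMS}},
                          "Area/Locked": {"inherits": False, "grants": {}}}},
    "Upstream": {"role": "source", "members": {GROUP},
                 "grants": {"svc-opshub": {"Create tag definition"}},
                 "nodes": {"Area": {"inherits": True, "grants": {GROUP: {"Edit nodes"}}}}},
}

for project, finding in audit(SAMPLE, "svc-opshub"):
    print(f"{project}: {finding}")
```

An empty result means the snapshot matches the matrix: every write target has all the permissions, and no read-only project or directly assigned user holds any of them.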

Configuration for Azure DevOps Server

1. Access permission 1

Added PCP_Work_Replica_U_Access_group to AD group OCS_Collection_Readers, as OCS_Collection_Readers was a member of Readers in the targeted Azure project (ABB-PA-CommonComponents-Replica in OCS collection).

2. Access permissions 2, 3, 4, and 5

(The change for access permission 5 isn't shown in the picture below; please look at bullet 2 of the Services configuration, as the same value will be used.)

[Images: b8, b9, b10]

Owner: Configuration Management Team