better permission management (user interface, identity picker)
This suggestion has been migrated to Developer Community. Please use the link below to view the current status.
Permissions can be assigned at the project level. This works very well. A user can see only the project in which he is involved.
But the user can access the User Page and can see all the other users of the VSTS account.
Also, every user can select all other users from the Azure AD in the identity picker of a work item (regardless of whether the user is in the same project or not).
A customer user should not know our other customers. Also, an external developer should not know our other customers.
Simply put: it is not compatible with data protection laws, so we run straight into a legal conflict.
The same reasons apply to the identity picker.
Besides, it is not really intuitive to use if the user sees unknown names.
Also, I think it is not necessary that access to the admin panel exists.
Via the admin panel a user can find a list of teams:
He can draw conclusions about the other projects.
For Stakeholders VSTS hides the code tab. That's why I think this is not a big development effort, is it?
From our point of view this is a very important step for the tool.
- hide the UserHub for non-admin users
- hide the admin panel for non-admin users
- show only users from the project in the identity picker
This is really important, this is a security risk.
Another vote to get this fixed. I'm going to have to create a new tenant for each client at this rate. Please fix.
[Deleted User] commented
A bit of a security hole. What’s the plan here?
[Deleted User] commented
Hi Microsoft, Is it possible to get an update on this? It's preventing us from using VSTS with our external customers as we cannot share the email addresses of all our users with all other users - it constitutes a security breach.
If anyone has found a solution to share the VSTS backlog with external users but without exposing our customer list to all other users, please post here!
Marco Schmitnägel commented
Important topic! We create a project for each customer and sometimes add external stakeholders to them. Those users just have to find a way to the admin settings security page (https://xxxxxx.visualstudio.com/_settings/security?_a=members) and open the "Project Collection Valid Users" group members, so they can view the names of all our other customers, due to the fact that the project name (= customer name) is listed in the column "Username or Scope".
IMHO there is no need for an external stakeholder to access any project collection settings page.
I agree, it's very important that you CANNOT select a user in a work item in a project to which that user is not assigned.
This matters for security: exposing emails of users on one team to users on another.
It also makes it very difficult to catch when a work item is assigned to the wrong person.