Make TFS more Audit Friendly
We have outside auditors come in and they want to see stuff like who gave Jerry Project admin rights and when and how long did he have it? Items like that. It would be nice to find info like that. It would also be nice to be able to export all of the users of a project in the groups that they are in.
Doug Punchak commented
There is currently a minimal activity\audit capability (2 days) but it needs to go back longer than that. Any public company needs to have this for SarbOx. I've voted for this one but I also posted one for extending the audit functionality if they think this one's satisfied with the 2 day audit report. https://visualstudio.uservoice.com/forums/330519-team-services/suggestions/18540799-extend-activity-auditing-tracking-in-vsts
Pieter Gheysens commented
It would also be very good to know who (and when) sets the VSTS access levels, especially for companies having multiple VSTS Administrators. I have witnessed already some internal discussions about reshuffling access levels for existing users.
I think this idea is a duplicate of https://visualstudio.uservoice.com/forums/330519-team-services/suggestions/2102465-make-tfs-more-audit-friendly which has already over 420 votes
David Jobling commented
This is an enterprise feature and as such I don't expect it to gather as many votes as the more popular mainstream ideas. It is also very boring. But as many of these comments say, it is an absolute requirement for VSTS to be an enterprise product. Not being able to see who gives permissions to whom is a huge security hole and it will continue to limit the propagation of the service into the enterprise. As I understand it, all these actions are executed as REST services and thus the logs are available upon request. But they should be available in the UI.
Pierre Donyegro commented
This is a frequent request for large financial organizations. Users access associated with project names with at least a year of historical data.
Anthony Gregg commented
This would be great for when we do our true up with Microsoft. We need to know who is using TFS since we have no control over what users are added by Project Admins.
The ability to audit who created, modified, and/or deleted access to a user/role in TFS which would include security changes made to Release Management as well would be very useful.
Christian Guldbæk commented
It would also be relevant (for the situation I'm in) to have tracking of which files a user has viewed / downloaded.
This other tool helps a little bit:
Anyway, it's far from meeting our needs.
Yes, as TFS admin, I would love this feature.
Bilgehan Berberoğlu commented
It would be helpful for us. Please add this feature or explain to us how we reach this info.
Are there any tables which we can query to get this info?
Farah Ravaee commented
I am on the same page as Peter.
Peter Gissel commented
This is hugely important where I work, which is FDA regulated.
Vanessa Umali commented
We've found that MTM Test Suites are most difficult to track. There is no way to determine who created or deleted Test Suites nor to find out if test cases have been added to or removed from a test suite. If there is a way to do so, please show me how.
Git enterprise boasts these features and is currently the only hosted source control we are allowed to use because of it.
Gian Piero Anselmi commented
As serious organizations really implement ALM, SDLC, SCM etc., it is obvious that Audit functions (who did what and when) for security reasons are a big point for TFS to become a first class tool. Without that most of the big organizations will just drop it.
Log for every bit (WI, SharePoint documents, Changesets, Permission etc.) is needed.
The actual http://servername:8080/tfs/_oi/ is not sufficient.
It would be nice to have a way to track from a security perspective what permissions were changed, by whom and when. This would also need to be maintained in the database indefinitely as audit requests can be for any period of time.
This point should not be lost on MS since this may be the greatest barrier to entry for many organizations. If they cannot evidence the audit trail effectively, TFS and MTM are out of their reach.
Yes, I'd also like an update. Working for a US Government agency....