How can we improve Visual Studio Team Services (VSTS)?

Make TFS more Audit Friendly

We have outside auditors come in and they want to see stuff like who gave Jerry Project admin rights and when and how long did he have it? Items like that. It would be nice to find info like that. It would also be nice to be able to export all of the users of a project in the groups that they are in.

337 votes

    Anonymous shared this idea

    27 comments

      • Wilco commented

        There is a function to export all users and subscriptions. That's a great start. For ISO27001, I need one list of all users and their role(s) in all project(s).

      • Negatar commented

        We are driving access using AAD groups so we can audit from AD. However, we can't find a way to prevent users from being added in the UI as well. Is there any feature that would turn on AAD access only?

      • Oskar Mamrzynski commented

        We have a need to retrieve which users are members of which VSTS groups and what permissions they get as a result. However, this is only good for the first-time audit.

        We have created a solution that pulls this information out via the API, but it's not a complete picture and having something integrated would work better.

        Also, change management is an important requirement. Getting notified of who changed what permissions, and on which resource, being able to pipe that information into external audit logging, would be a good feature to have.

      • Doug Punchak commented

        There is currently a minimal activity\audit capability (2 days) but it needs to go back longer than that. Any public company needs to have this for SarbOx. I've voted for this one but I also posted one for extending the audit functionality if they think this one's satisfied with the 2 day audit report. https://visualstudio.uservoice.com/forums/330519-team-services/suggestions/18540799-extend-activity-auditing-tracking-in-vsts

      • Pieter Gheysens commented

        It would also be very good to know who (and when) sets the VSTS access levels, especially for companies having multiple VSTS Administrators. I have witnessed already some internal discussions about reshuffling access levels for existing users.

      • David Jobling commented

        This is an enterprise feature and as such I don't expect it to gather as many votes as the more popular mainstream ideas. It is also very boring. But as many of these comments say, it is an absolute requirement for VSTS to be an enterprise product. Not being able to see who gives permissions to whom is a huge security hole and it will continue to limit the propagation of the service into the enterprise. As I understand it, all these actions are executed as REST services and thus the logs are available upon request. But they should be available in the UI.

      • Pierre Donyegro commented

        This is a frequent request for large financial organizations. Users access associated with project names with at least a year of historical data.

      • Anthony Gregg commented

        This would be great for when we do our true up with Microsoft. We need to know who is using TFS since we have no control over what users are added by Project Admins.

      • Anonymous commented

        The ability to audit who created, modified, and/or deleted access to a user/role in TFS, which would include security changes made to Release Management as well, would be very useful.

      • Christian Guldbæk commented

        It would also be relevant (for the situation I'm in) to have tracking of which files a user has viewed / downloaded.

      • Vanessa Umali commented

        We've found that MTM Test Suites are most difficult to track. There is no way to determine who created or deleted Test Suites nor to find out if test cases have been added to or removed from a test suite. If there is a way to do so, please show me how.
