Make TFS more Audit Friendly
We have outside auditors come in and they want to see stuff like who gave Jerry Project admin rights and when and how long did he have it? Items like that. It would be nice to find info like that. It would also be nice to be able to export all of the users of a project in the groups that they are in.
There is a function to export all users and subscriptions. That's a great start. For ISO27001, I need one list of all users and their role(s) in all project(s).
We are driving access using AAD groups so we can audit from AD. However, we can't find a way to prevent users from being added in the UI as well. Is there any feature that would turn on AAD access only?
Oskar Mamrzynski commented
We have a need to retrieve which users are members of which VSTS groups and what permissions they get as a result. However, this is only good for the first-time audit.
We have created a solution that pulls this information out via the API, but it's not a complete picture and having something integrated would work better.
Also, change management is an important requirement. Getting notified of who changed what permissions, and on which resource, being able to pipe that information into external audit logging, would be a good feature to have.
Suresh Kumar commented
An Audit Trail is a must and basic.
How do I know TFS is authenticating via Windows AD?
Doug Punchak commented
There is currently a minimal activity\audit capability (2 days) but it needs to go back longer than that. Any public company needs to have this for SarbOx. I've voted for this one but I also posted one for extending the audit functionality if they think this one's satisfied with the 2 day audit report. https://visualstudio.uservoice.com/forums/330519-team-services/suggestions/18540799-extend-activity-auditing-tracking-in-vsts
Pieter Gheysens commented
It would also be very good to know who (and when) sets the VSTS access levels, especially for companies having multiple VSTS Administrators. I have witnessed already some internal discussions about reshuffling access levels for existing users.
I think this idea is a duplicate of https://visualstudio.uservoice.com/forums/330519-team-services/suggestions/2102465-make-tfs-more-audit-friendly which already has over 420 votes.
David Jobling commented
This is an enterprise feature and as such I don't expect it to gather as many votes as the more popular mainstream ideas. It is also very boring. But as many of these comments say, it is an absolute requirement for VSTS to be an enterprise product. Not being able to see who gives permissions to whom is a huge security hole and it will continue to limit the propagation of the service into the enterprise. As I understand it, all these actions are executed as REST services and thus the logs are available upon request. But they should be available in the UI.
Pierre Donyegro commented
This is a frequent request for large financial organizations. Users access associated with project names with at least a year of historical data.
Anthony Gregg commented
This would be great for when we do our true up with Microsoft. We need to know who is using TFS since we have no control over what users are added by Project Admins.
The ability to audit who created, modified, and/or deleted access to a user/role in TFS, which would include security changes made to Release Management as well, would be very useful.
Christian Guldbæk commented
It would also be relevant (for the situation I'm in) to have tracking of which files a user has viewed / downloaded.
This other tool helps a little bit:
Anyway, it's far from meeting our needs.
Yes, as a TFS admin, I would love this feature.
Bilgehan Berberoğlu commented
It would be helpful for us. Please add this feature or explain to us how we reach this info.
Are there any tables which we can query to get this info?
Farah Ravaee commented
I am on the same page as Peter.
Peter Gissel commented
This is hugely important where I work, which is FDA regulated.
Vanessa Umali commented
We've found that MTM Test Suites are most difficult to track. There is no way to determine who created or deleted Test Suites nor to find out if test cases have been added to or removed from a test suite. If there is a way to do so, please show me how.