Set permissions on queries and query folders in Azure Boards and Azure DevOps

TFS 2018

As with most project objects, you can control access by setting permissions. With queries, you can configure users and groups to create, delete, view, and manage permissions of shared queries and shared query folders.

All users, except those users assigned to the Readers group, can create and edit their own queries and save them under My Queries. Only the signed in user can view queries saved under their My Queries space.

By default, only members of the Project Administrators group can create and edit queries and folders under Shared Queries, or change the permissions for a query or folder.

By creating folders under Shared Queries, you can grant permissions to users for each folder. For example, if you have several teams contributing to a project, then you might want to create a folder under Shared Queries for each team to manage their own set of shared queries.

Prerequisites

  • To create or edit a shared query or manage permissions, you must be a member of the Project Administrators groups with Basic or higher access level. Or, you must have your Contribute permission set to Allow for the shared query folder. To get added to this group, see Change project-level permissions
  • Or, to create a query or folder under a shared query folder, you must have the Contribute permission set explicitly to Allow for the query folder and be granted Basic or higher access level.
  • Or, to change permissions of a query or query folder, you must have the Manage Permissions permission set explicitly to Allow for the query folder and be granted Basic or higher access level.

Users with Stakeholder access can't create or save queries in a Shared folder. To learn more about access levels, see Stakeholder access quick reference.

Tip

Consider creating a query folder for each team and give the team administrators or the team group query permissions to manage their folder.

Default query permissions

A ✔️ (checkmark) in the following table indicates that the corresponding security group has permission to exercise the task by default.

Task

Readers

Contributors

Project admins


Create and save managed My queries, query charts

✔️

✔️

Create, delete, and save Shared queries, charts, folders

✔️

Set permissions on a new query folder

You set permissions from the web portal. To open Queries, see View, run, or email a query.

Tip

You need Delete permissions to rename or move a shared query or folder, and Contribute permissions for the folder where you move the query to.

  1. Add a query folder under Shared queries or a subfolder. Choose the context menu for the folder and choose New query folder.

    Screenshot of New query folder menu option and New query folder dialog, TFS 2018.

  2. To set permissions for the folder, choose the context menu for the folder you just added and choose Security.

    Screenshot of context menu for a query folder, Security option, TFS 2018.

  3. Change the permissions so that the team member or group can contribute and manage permissions for the folder.

    Here we add the Web team and grant them permissions to create and manage permissions to all queries and folders under the Triage folder.

    Screenshot of Permissions dialog for a Shared query folder, TFS 2018.

    Choose the Add... menu to add a user identity or group.

    Contribute allows team members to create and edit queries and folders under the folder where the permissions were granted. And, Manage Permissions allows team members to manage the permission settings on queries and subfolders.

  4. (Optional) Turn off inheritance. Default is On. By turning off inheritance for a folder, you disallow inheritance of permissions that exist up the chain of query folders. For more information, see Permissions, Inheritance.

Set permissions on a shared query

To keep anyone else from modifying a shared query that you create, you may want to set permissions on a specific query. You can set permissions by opening the permissions dialog for the specific query.

  1. Choose the context menu icon and select Security.

    Screenshot of Open query permissions context menu, TFS 2018.

  2. Change the permissions so that the team member or group can't edit, delete, or change permissions for the query.

    Here we deny permissions for the Project Administrators group.

    Screenshot of Permissions dialog for a shared query, TFS 2018.

With queries, you cannot only list work items, you can create status and trend charts and add them to dashboards. You can learn more about permissions and working with queries from these resources: