# Azure DevOps Standards
Internal Documentation
This document is intended to be used only by the internal Ability team. However, it can be used by other businesses as a guideline.
Azure DevOps resources in the Ability Platform need to be protected with the appropriate access governance and project lifecycles. To achieve the required level of security, the following primary roles have been defined:
- Organization administrators: high level management of Azure DevOps. Responsible for project creation, assigning administrators, assigning basic licenses, and removing users from Azure DevOps.
- Project administrators: management on a project level. Responsible for project management and its lifecycle, and user access governance. Project administrators are defined in Azure DevOps on a project level.
- Line managers: direct managers of employees. Responsible for requesting and approving Visual Studio subscriptions for team members.
- Head of Delivery: project oversight. Indirectly manages projects by approving actions related to them where appropriate. The current head of delivery is Viswanathan Ramakrishnan.
# Primary Role Responsibilities
# Organization Administrators
Give access to the core Azure DevOps functionality. Their responsibilities are:
- removing users from the Azure DevOps organization (when they are not assigned to any project, or have not logged in during the last six months)
- changing access licenses
- creating, archiving, and removing projects
- assigning project administrators
- changing organization settings based on the project administrator's requests
# Project Administrators
In charge of their projects in Azure DevOps. Their responsibilities are:
- granting and revoking user permissions from Azure DevOps Projects
- creating and deleting teams
- ensuring that projects are accessible only by approved members
- performing periodic reviews of member access to Azure DevOps projects and removing those who have changed roles or organizations
- reporting to Organization Administrators when a user gets removed from accessing the project, or when a project needs to be archived
- ensuring that there are no more than three project administrators for any project they are managing
# Line managers
Direct managers of the employees in question. They are responsible for:
- helping with ordering Visual Studio subscription licenses for team members that need access
# Head of Delivery
Helps the Project Administrators by approving their requests. They are responsible for:
- approving the creation of new projects
- approving the archiving and removal of projects
# Organization administrator activities
# Reviews
The following reviews should be carried out by organization administrators at least every six months:
- project usage: any project that is not being used should be archived or removed by the organization administrator (after confirming with the project administrators by email)
- user access: any user who has not logged in during the last six months should have their access removed
- service account group assignment (security groups, service accounts, and permissions in Azure DevOps)
- custom agents and agent pools hosted by the provider
# Project administrator activities
# Requests
Project administrators should send a request to organization administrators when they wish to:
- change a user's license
- remove a user from the organization
Project administrators should send a request to organization administrators and the head of delivery when they wish to:
- create a project
- archive or remove a project
# User access review
Project administrators are responsible for reviewing user access every six months.
# Project usage confirmation
Periodically, organization administrators contact project administrators to confirm whether a given project is still in use. Unconfirmed projects are archived, and all team members and project administrators have their access to them revoked.
# License management
When a project administrator adds a user to a project, the user is added on an Azure DevOps organization level. Such users are assigned the Stakeholder license by default. To assign users a different kind of license, consider the following:
- if the user requires read-only access to boards, then the default Stakeholder license is enough (no other actions are required).
- if the user already has a Visual Studio Subscription, then it is used by default (no other actions are required).
- if the user requires Microsoft Visual Studio or other Microsoft tools, contact your line manager about ordering a Visual Studio Subscription.
- if the user requires access only to Azure DevOps (without installing any Microsoft tools), then the Basic plan should be used (how to request a license).
- if the user requires access to Web-based Test Case Management, then the Basic + Test Plans plan should be used (how to request a license).
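One way to automate the six-month user review and the license check described above, as an added example that is not part of this team's tooling: it assumes input in the shape of `az devops user list --output json` (a `members` array whose entries carry `user.principalName`, `lastAccessedDate` and `accessLevel.licenseDisplayName`), and the sample members and the review date are constructed.

```python
import json
from datetime import datetime, timezone

INACTIVITY_DAYS = 183                      # the "six months" in the review rule
PAID_LICENSES = {"Basic", "Basic + Test Plans"}   # licenses worth reclaiming
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "today"

# Constructed sample resembling `az devops user list` output.
SAMPLE_USERS = json.dumps({"members": [
    {"user": {"principalName": "alice@example.com"},
     "lastAccessedDate": "2024-05-02T00:00:00.000Z",
     "accessLevel": {"licenseDisplayName": "Basic"}},
    {"user": {"principalName": "bob@example.com"},
     "lastAccessedDate": "2023-09-10T00:00:00.000Z",
     "accessLevel": {"licenseDisplayName": "Basic + Test Plans"}},
    {"user": {"principalName": "carol@example.com"},
     "lastAccessedDate": "0001-01-01T00:00:00.000Z",
     "accessLevel": {"licenseDisplayName": "Stakeholder"}},
]})


def review_users(raw_json, now):
    """Apply the six-month rule to an `az devops user list` style document.
    Returns one finding per member: who, which license they hold, days since
    their last sign-in (None if never) and the action for the org admin."""
    findings = []
    for member in json.loads(raw_json)["members"]:
        stamp = member["lastAccessedDate"].replace("Z", "+00:00")
        last = datetime.fromisoformat(stamp)
        never = last.year == 1     # assumption: year 0001 marks "never signed in"
        days = None if never else (now - last).days
        inactive = never or days > INACTIVITY_DAYS
        license_name = member["accessLevel"]["licenseDisplayName"]
        findings.append({
            "user": member["user"]["principalName"],
            "license": license_name,
            "days_inactive": days,
            # inactive accounts are removed from the organization; a paid
            # license held by such an account is freed at the same time
            "action": "remove" if inactive else "keep",
            "frees_paid_license": inactive and license_name in PAID_LICENSES,
        })
    return findings


if __name__ == "__main__":
    for finding in review_users(SAMPLE_USERS, REVIEW_DATE):
        print(finding)
```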
# Code repositories management
Access management for code repositories in Azure DevOps can be configured independently of project-level access management. Project administrators are required to provide clear access governance for the repositories inside their projects. The following policies must be implemented in every project in scope of repository access governance:
- only project administrators can add and remove repositories
- each repository should be assigned to a team/user and should have a defined owner (e.g. a team leader)
- only repository owners and project administrators should have privileges to edit policies and manage permissions for any given repository
- repository owners should review user access at least once every six months
Repository owners are responsible for defining the appropriate policies for their repositories. They are required to implement policies that satisfy the following:
- no users are allowed to bypass policies
- at least one reviewer must approve each pull request
- users must not be allowed to approve their own changes
- approvals should be reset when new changes are pushed
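A compliance check for the four policy rules above, written as an added example rather than the team's own code: it assumes the JSON shape of the Azure DevOps policy configurations REST API (`GET .../_apis/policy/configurations`, a `value` array whose entries carry `isEnabled`, `isBlocking`, `type.displayName` and `settings`), and the sample configuration and repository id are constructed.

```python
import json

MIN_REVIEWERS_POLICY = "Minimum number of reviewers"

# Constructed sample: a required reviewer policy on "main" that still lets
# authors count their own vote and keeps stale approvals after new pushes.
SAMPLE_POLICIES = json.dumps({"value": [
    {"isEnabled": True, "isBlocking": True,
     "type": {"displayName": MIN_REVIEWERS_POLICY},
     "settings": {"minimumApproverCount": 1,
                  "creatorVoteCounts": True,
                  "resetOnSourcePush": False,
                  "scope": [{"repositoryId": "REPO-ID-PLACEHOLDER",
                             "refName": "refs/heads/main",
                             "matchKind": "Exact"}]}},
]})


def check_branch_policies(raw_json, ref_name):
    """Return the list of rule violations for ref_name; an empty list means
    the branch satisfies the reviewer rules from this page. The "no bypass"
    rule is a permission (Bypass policies when completing pull requests)
    rather than a policy setting, so it is reviewed in repository security
    settings separately; here we only verify the policy is required (blocking)
    so that it is enforced at all."""
    configs = json.loads(raw_json)["value"]
    reviewer_policies = [
        c for c in configs
        if c["type"]["displayName"] == MIN_REVIEWERS_POLICY
        and c.get("isEnabled", False)
        and any(s.get("refName") == ref_name
                for s in c["settings"].get("scope", []))
    ]
    if not reviewer_policies:
        return ["no enabled reviewer policy covers " + ref_name]
    violations = []
    for c in reviewer_policies:
        s = c["settings"]
        if not c.get("isBlocking", False):
            violations.append("reviewer policy is optional, not required")
        if s.get("minimumApproverCount", 0) < 1:
            violations.append("fewer than one reviewer is required")
        if s.get("creatorVoteCounts", False):
            violations.append("authors may approve their own changes")
        if not s.get("resetOnSourcePush", False):
            violations.append("approvals are not reset when new changes are pushed")
    return violations


if __name__ == "__main__":
    print(check_branch_policies(SAMPLE_POLICIES, "refs/heads/main"))
```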
# Non Ability Platform Engineering (APE) user management
All privileges of non-Ability Platform Engineering users that allow access to Ability projects must be managed through this page. To maintain security standards, account owners receive two weeks' notice before expired account privileges are removed automatically. Project administrators are not allowed to grant privileges to non-Ability Platform Engineering users directly in Azure DevOps groups.
To register a new project group for managing access, contact our maintenance team.