1. Stay in control of Users and Permissions
If you work in regulated industries like Pharma or Finance, then you understand the importance of maintaining control and compliance when it comes to Access Management. However, your current Access Management system may not be sufficient for monitoring and reporting on Azure DevOps. That's where this tool comes in - it enables you to maintain control over security groups, members, and permissions in Azure DevOps.
With this extension, you can easily monitor various aspects of Azure DevOps, including:
1. Groups & Teams: receive alerts when a group or team is created that is not on your allowed list.
2. Members: keep an eye on members within groups and teams and report any deviations from approved members.
3. Permissions: monitor permissions for groups and teams and report any deviations from allowed permissions.
This tool is essential for anyone who wants to maintain control and compliance within regulated industries. Don't let your Access Management system fall short - try this extension today.
With this extension, you can easily generate reports in json format for seamless integration with existing reporting systems. You can also create human-readable reports in formats like Markdown, HTML, and other text formats that offer high flexibility. The extension supports custom report templates, allowing you to design reports that suit your specific needs perfectly.
A sample report is shown below:
2. Existing Access Management System
If you're already using an Access Management System, you may still need this extension. Here's why: most Access Management Systems use security groups in Active Directory to control access to other IT systems. While these systems can detect deviations in the membership of those security groups, they have no insight into users, groups, and permissions that are changed directly inside the IT system being controlled. The same applies when Access Management is used with Azure DevOps, which can result in compliance issues such as:
- Changing groups and group members directly in Azure DevOps can lead to incomplete reporting from an Access Management System.
- Changing permissions on groups and teams directly in Azure DevOps can turn a Readers group into a Writers group, and the Access Management System may not be aware of this change.
To address these issues, we provide a solution that extends the range of Access Management provided by your existing system. Our extension creates a 360-degree view of groups, members, and permissions for your Azure DevOps projects. This enhances your current Access Management System and helps you maintain control and compliance across all your IT systems.
1.1 Who can use this Extension
- QA
- IT-Security
- Compliance Engineers /Departments
- Product / Project owners
- Developers
- Testers
- Anyone who wants to be in control of access management for Azure DevOps projects
3. Getting started
- Install this extension in your organization
- Create a desired configuration for allowed groups, teams, members and permissions
- Setup a scheduled or triggered scan in Azure Pipelines using the pipeline task provided by this extension
3.1 Setup in Azure Pipelines
In the example below, the required permission settings are defined in the file my-permission-settings.json, located in the root of the Git repo.
trigger: none
pool:
  vmImage: ubuntu-latest
steps:
- task: ComplianceGuard@0
  inputs:
    command: 'validate'
    settingsFile: '$(System.DefaultWorkingDirectory)/my-permission-settings.json'
    accessToken: $(YOUR_PAT_VARIABLE)
4. Configuration
4.1 Validation Settings
You must define the allowed groups, teams, members and permissions (the Validation Settings). Below you will find a series of examples:
Allow ALL groups, teams and members, and all permissions:
{
  "projectPermissions": {
    "allowedGroups": [
      {
        "name": "*",
        "allowedDirectGroupMembers": [
          "*"
        ],
        "allowedDirectAadGroupMembers": [
          "*"
        ],
        "allowedDirectUserMembers": [
          "*"
        ],
        "AllowedPermissions": [
          "*"
        ],
        "DenyPermissions": []
      }
    ],
    "allowedTeams": [
      {
        "name": "*",
        "allowedDirectGroupMembers": [
          "*"
        ],
        "allowedDirectAadGroupMembers": [
          "*"
        ],
        "allowedDirectUserMembers": [
          "*"
        ],
        "AllowedPermissions": [
          "*"
        ],
        "DenyPermissions": []
      }
    ]
  }
}
Only allow one specific group and team, and allow all permissions:
{
  "projectPermissions": {
    "allowedGroups": [
      {
        "name": "Readers",
        "allowedDirectGroupMembers": [
          "Project Valid Users"
        ],
        "allowedDirectAadGroupMembers": [
          "AAD_Sec_Group_Developers",
          "AAD_Sec_Group_Testers"
        ],
        "allowedDirectUserMembers": [
          "bob@yourdomain.com"
        ],
        "AllowedPermissions": [
          "*"
        ],
        "DenyPermissions": []
      }
    ],
    "allowedTeams": [
      {
        "name": "MyTeam",
        "allowedDirectGroupMembers": [
        ],
        "allowedDirectAadGroupMembers": [
        ],
        "allowedDirectUserMembers": [
          "alice@yourdomain.com",
          "bob@yourdomain.com"
        ],
        "AllowedPermissions": [
          "*"
        ],
        "DenyPermissions": []
      }
    ]
  }
}
An example of a default permission setting for the default groups on a new Azure DevOps project:
{
  "projectPermissions": {
    "allowedGroups": [
      {
        "name": "Build Administrators",
        "allowedDirectGroupMembers": [
          "*"
        ],
        "allowedDirectAadGroupMembers": [
          "*"
        ],
        "allowedDirectUserMembers": [
          "*"
        ]
      },
      {
        "name": "Contributors",
        "allowedDirectGroupMembers": [
          "*"
        ],
        "allowedDirectAadGroupMembers": [
          "*"
        ],
        "allowedDirectUserMembers": [
          "*"
        ],
        "AllowedPermissions": [
          "View project-level information",
          "Create tag definition",
          "Delete and restore work items",
          "View analytics",
          "Create test runs",
          "Delete test runs",
          "Manage test configurations",
          "Manage test environments",
          "View test runs"
        ],
        "DenyPermissions": []
      },
      {
        "name": "Readers",
        "allowedDirectGroupMembers": [
          "*"
        ],
        "allowedDirectAadGroupMembers": [
          "*"
        ],
        "allowedDirectUserMembers": [
          "*"
        ],
        "AllowedPermissions": [
          "View project-level information",
          "View analytics",
          "View test runs"
        ],
        "DenyPermissions": []
      },
      {
        "name": "Project Administrators",
        "allowedDirectGroupMembers": [
          "*"
        ],
        "allowedDirectAadGroupMembers": [
          "*"
        ],
        "allowedDirectUserMembers": [
          "*"
        ],
        "AllowedPermissions": [
          "Delete team project",
          "Edit project-level information",
          "Manage project properties",
          "Rename team project",
          "Suppress notifications for work item updates",
          "Update project visibility",
          "View project-level information",
          "Bypass rules on work item updates",
          "Change process of team project.",
          "Create tag definition",
          "Delete and restore work items",
          "Move work items out of this project",
          "Permanently delete work items",
          "View analytics",
          "Create test runs",
          "Delete test runs",
          "Manage test configurations",
          "Manage test environments",
          "View test runs"
        ],
        "DenyPermissions": []
      },
      {
        "name": "Project Valid Users",
        "allowedDirectGroupMembers": [
          "*"
        ],
        "allowedDirectAadGroupMembers": [
          "*"
        ],
        "allowedDirectUserMembers": [
          "*"
        ],
        "AllowedPermissions": [
          "View analytics"
        ],
        "DenyPermissions": []
      },
      {
        "name": "Release Administrators",
        "allowedDirectGroupMembers": [
          "*"
        ],
        "allowedDirectAadGroupMembers": [
          "*"
        ],
        "allowedDirectUserMembers": [
          "*"
        ],
        "AllowedPermissions": [
          "*"
        ],
        "DenyPermissions": []
      }
    ],
    "allowedTeams": [
      {
        "name": "*",
        "allowedDirectGroupMembers": [
          "*"
        ],
        "allowedDirectAadGroupMembers": [
          "*"
        ],
        "allowedDirectUserMembers": [
          "*"
        ],
        "AllowedPermissions": [
          "*"
        ],
        "DenyPermissions": []
      }
    ]
  }
}
4.2 Report Configuration
The tool will produce a report in Markdown format using a default template. Users can provide a custom report template in Liquid syntax.
Below is an example of a template file:
my-template.md
# My Compliance Report
{% for g in report.security_groups %}
## Group: {%if g.allowed == false %}**X**{%endif%} {{ g.principal_name }}
## Members
{% for m in g.members %}
- {%if m.allowed == false %}**X**{%endif%}{{ m.principal_name }}
{% endfor %}
## Permissions
{% for p in g.permissions %}
- {%if p.allowed == false %}**X**{%endif%}{%if p.allow == true%}Allow {%else%}Deny {%endif%}{%if p.is_inherited == true%}(Inherited) {%endif%}'{{p.display_name}}'
{% endfor %}
{% endfor %}
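To show how the Validation Settings of 4.1 map onto the report fields the template above iterates over (security_groups, members, permissions with allowed/allow/is_inherited/display_name), here is an added, stand-alone Python example; it is not the extension's own code. The settings are cut down from the "Readers" example, the scan result is constructed, and the treatment of Deny entries and of a rule without an AllowedPermissions key is an assumption stated in the comments.

```python
import fnmatch
# Constructed validation settings in the extension's format (cut down from the
# "Readers" example above); assumed here, not taken from the project.
SETTINGS = {"projectPermissions": {"allowedGroups": [{
    "name": "Readers",
    "allowedDirectGroupMembers": ["Project Valid Users"],
    "allowedDirectAadGroupMembers": ["AAD_Sec_Group_Developers"],
    "allowedDirectUserMembers": ["bob@yourdomain.com"],
    "AllowedPermissions": ["View project-level information", "View analytics"],
    "DenyPermissions": []}], "allowedTeams": []}}

# Constructed scan result standing in for what the task fetches from Azure DevOps:
# members are (kind, name) with kind group/aad/user; permissions are (display_name, allow, is_inherited).
ACTUAL_GROUPS = [
    {"principal_name": "Readers",
     "members": [("group", "Project Valid Users"), ("user", "bob@yourdomain.com"),
                 ("user", "mallory@yourdomain.com")],
     "permissions": [("View project-level information", True, True), ("View analytics", True, False),
                     ("Delete team project", True, False), ("Edit project-level information", False, True)]},
    {"principal_name": "Rogue Admins", "members": [("user", "eve@yourdomain.com")],
     "permissions": [("Delete team project", True, False)]},
]
MEMBER_KEY = {"group": "allowedDirectGroupMembers", "aad": "allowedDirectAadGroupMembers",
              "user": "allowedDirectUserMembers"}

def matches(name, patterns):
    """True when name matches any pattern; "*" allows everything."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def validate(settings, actual_groups):
    """Compare a scan against the settings; returns data shaped like report.security_groups."""
    rules = settings["projectPermissions"]["allowedGroups"]
    groups = []
    for g in actual_groups:
        rule = next((r for r in rules if matches(g["principal_name"], [r["name"]])), None)
        entry = {"principal_name": g["principal_name"], "allowed": rule is not None,
                 "members": [], "permissions": []}
        for kind, name in g["members"]:
            ok = rule is not None and matches(name, rule.get(MEMBER_KEY[kind], []))
            entry["members"].append({"principal_name": name, "allowed": ok})
        for display, allow, inherited in g["permissions"]:
            # Assumption: only effective Allow entries must appear in AllowedPermissions,
            # and a rule without that key is treated as unrestricted.
            ok = not allow or (rule is not None and
                               matches(display, rule.get("AllowedPermissions", ["*"])))
            entry["permissions"].append({"display_name": display, "allow": allow,
                                         "is_inherited": inherited, "allowed": ok})
        groups.append(entry)
    return {"security_groups": groups}
```

Every entry whose allowed field is false is what the template marks with **X** and what a scheduled scan should alert on; here that is the group "Rogue Admins", the user mallory@yourdomain.com, and the "Delete team project" Allow entries.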