Encrypts work item field data and controls access via whitelists, blacklists and Azure DevOps Groups. Ensures sensitive data stays hidden outside the UI.
This extension enhances security in Azure DevOps by encrypting sensitive work item field data and enforcing access control via Azure DevOps Groups, whitelists and blacklists. It ensures that confidential information remains protected while allowing authorized users to view and edit the data.
Latest Updates:
March, 2025 (v.1.2)
Improvements:
Simplified field references: Removed the need for full field path references (e.g., System/Custom prefix).
Now, the custom control configuration values can be specified using just the field name.
Full field references (including the System/Custom prefix) are still supported for compatibility.
Getting Started
Install the extension in your Azure DevOps organization.
Add the Privileged Work Item Field control to a work item form.
Configure the source field, encryption key, and user access settings.
Authorized users will see decrypted values, while others will see only an access-denied message.
How It Works
The user configures a source field that contains encrypted data.
The extension encrypts and decrypts field values using AES-256 encryption for maximum security.
Access is controlled through:
User Whitelist: Specifies users who can access the data.
User Blacklist: Explicitly denies access to certain users.
Azure DevOps Group-based access control: The system ID of an Azure DevOps Group whose members are permitted to view and edit the encrypted field.
The encrypted field remains protected in API responses and storage but is decrypted dynamically in the UI for authorized users.
Users who do not have access will see only an access-denied message instead of encrypted content.
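The following is an added example, not the extension's own code: a default-deny access check over the three controls listed above, using the precedence the change log states (a blacklisted user is refused even when they are a member of the privileged group). The function names, the config and user object shapes, case-insensitive e-mail matching, and blacklist taking priority over the whitelist as well are assumptions.

```javascript
// Added example: access decision for a protected field, deny-overrides.
// All names here are hypothetical; this is not the extension's source.

// Parse a semicolon-separated e-mail list (the format the settings use).
function parseUserList(raw) {
  return new Set(
    (raw || "")
      .split(";")
      .map((entry) => entry.trim().toLowerCase()) // assumption: case-insensitive
      .filter((entry) => entry.length > 0)        // tolerate trailing ';'
  );
}

// config: { whitelist, blacklist, privilegedGroupId } as set on the control.
// user:   { email, groupIds } where groupIds are the groups the user is in.
function canAccessField(config, user) {
  const email = (user.email || "").trim().toLowerCase();
  if (!email) return false; // no identity: fail closed

  // 1. Blacklist first, so it overrides every grant below.
  //    (Over the whitelist too: an assumption, the page only states it for groups.)
  if (parseUserList(config.blacklist).has(email)) return false;

  // 2. Explicit grant via the whitelist.
  if (parseUserList(config.whitelist).has(email)) return true;

  // 3. Grant via membership of the privileged group; an empty ID grants nothing.
  const groupId = (config.privilegedGroupId || "").trim();
  if (groupId && (user.groupIds || []).includes(groupId)) return true;

  return false; // default deny
}

// Constructed sample configuration and users.
const sampleConfig = {
  whitelist: "alice@example.com; Bob@Example.com",
  blacklist: "carol@example.com;",
  privilegedGroupId: "00000000-0000-0000-0000-000000000001", // placeholder ID
};
const sampleUsers = [
  { email: "alice@example.com", groupIds: [] },                               // whitelisted
  { email: "carol@example.com", groupIds: [sampleConfig.privilegedGroupId] }, // blacklisted member
  { email: "dave@example.com", groupIds: [sampleConfig.privilegedGroupId] },  // group member
  { email: "erin@example.com", groupIds: [] },                                // no grant
];
function evaluateSample() {
  return sampleUsers.map((u) => canAccessField(sampleConfig, u));
}
console.log(evaluateSample());
```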
Key Features
AES-256 Encryption: Uses industry-standard encryption to secure field data.
Field Encryption & Decryption: Protects sensitive data from unauthorized access.
User-Based Access Control: Restricts visibility and editing via Azure DevOps Groups, whitelist and blacklist settings.
Secure Data Storage: The data is stored in encrypted form in the database, ensuring protection even outside the UI.
Seamless Work Item Integration: Works with any standard or custom text field.
Supports Azure DevOps REST API: Ensures secure handling of work item data.
Configuration Options
Setting: Description
Source Field: The work item field containing encrypted data. Supports standard and custom fields.
Encryption Key: A secret key used for encrypting and decrypting the field value.
User Whitelist: A list of allowed users (email addresses, separated by semicolons).
User Blacklist: A list of denied users (email addresses, separated by semicolons).
Privileged Group ID: Azure DevOps Group ID for access control.
Example Usage
Store confidential project details securely in work item fields.
Restrict access to financial, legal, or security-related information.
Ensure only specific teams can edit and view sensitive data while keeping it hidden from others.
Important Notes
The encrypted data is stored securely in the database, ensuring that it remains protected even if accessed outside the UI or API.
Users who do not have access will not see encrypted content; they will only receive an access-denied message.
To prevent corruption of the encrypted content, it is advisable to hide and/or restrict access to the source field. Unauthorized modifications to the encrypted field could result in unreadable data or errors during decryption.
It is advisable to use a multi-line text field for the source field to ensure proper storage of encrypted content. However, a single-line text field can be used for short input values.
Feedback and Issues
If you have any questions, feel free to leave them in the Q&A section. For feedback or suggestions on new functionalities, please provide them via the Ratings & Review section.
You can also always reach us via email. We appreciate your input and strive to improve the extension based on your needs!
Change Log
March, 2025 (v.1.2)
Improvements:
Simplified field references: Removed the need for full field path references (e.g., System/Custom prefix).
Now, the custom control configuration values can be specified using just the field name.
Full field references (including the System/Custom prefix) are still supported for compatibility.
March, 2025 (v.1.1)
New Functionality:
Added support for Azure DevOps Groups in access control:
The members of the dedicated Azure DevOps Group can view and edit the encrypted work item field data.
The blacklist of users can be used for restricting individuals from accessing the encrypted data, even if they are members of the dedicated Azure DevOps Group.