Edit

Set permissions on queries and query folders in Azure Boards and Azure DevOps

  • Article

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

As with most project objects, you can control access by setting permissions. With queries, you can configure users and groups to create, delete, view, and manage permissions of shared queries and shared query folders.

All users, except those users assigned to the Readers group, can create and edit their own queries and save them under My Queries. Only the signed in user can view queries saved under their My Queries space.

By default, only members of the Project Administrators group can create and edit queries and folders under Shared Queries, or change the permissions for a query or folder.

By creating folders under Shared Queries, you can grant permissions to users for each folder. For example, if you have several teams contributing to a project, then you might want to create a folder under Shared Queries for each team to manage their own set of shared queries.

Prerequisites

  • To create or edit a shared query or manage permissions, you must be a member of the Project Administrators groups with Basic or higher access level. Or, you must have your Contribute permission set to Allow for the shared query folder. To get added to this group, see Change project-level permissions
  • Or, to create a query or folder under a shared query folder, you must have the Contribute permission set explicitly to Allow for the query folder and be granted Basic or higher access level.
  • Or, to change permissions of a query or query folder, you must have the Manage Permissions permission set explicitly to Allow for the query folder and be granted Basic or higher access level.

Users with Stakeholder access can't create or save queries in a Shared folder. To learn more about access levels, see Stakeholder access quick reference.

Tip

Consider creating a query folder for each team and give the team administrators or the team group query permissions to manage their folder.

Default query permissions

A ✔️ (checkmark) in the following table indicates that the corresponding security group has permission to exercise the task by default.

Task

Readers

Contributors

Project admins

View and run managed queries, view query charts

✔️

✔️

✔️

Create and save managed My queries, query charts

✔️

✔️

Create, delete, and save Shared queries, charts, folders

✔️

Set permissions on a new query folder

You set permissions from the web portal. To open Queries, see View, run, or email a query.

Tip

You need Delete permissions to rename or move a shared query or folder, and Contribute permissions for the folder where you move the query to.

  1. Choose All. Expand Shared Queries.

  2. To add a folder, choose More actions for an existing folder or the top container folder, and choose New folder.

    Screenshot that shows Open More actions menu, choose New folder.

  3. Enter the name for the folder. If you want to change the location of the folder, select Rename from the folder drop-down menu.

    Here we name the folder Service Delivery with the intention that it gets used by the Service Delivery team.

    Screenshot of New folder dialog.

  4. To set permissions for the folder you just added, choose the actions icon and select Security.

  5. Change the permissions so that the team member or group can contribute and manage permissions for the folder. Enter the name of a user or group within the search box.

    Here we add the Service Delivery team and grant them permissions to create and manage permissions to all queries and folders under the Service Delivery folder.

    Screenshot of Permissions dialog for a query folder.

    Contribute allows team members to create and edit queries and folders under the folder where the permissions were granted. And, Manage Permissions allows team members to manage the permission settings on queries and subfolders.

  6. (Optional) Turn off inheritance. Default is On. By turning off inheritance for a folder, you disallow inheritance of permissions that exist up the chain of query folders. For more information, see Permissions, Inheritance.

  7. Close the dialog when you're done.

  8. Reopen the Security dialog and choose Service Delivery to verify that the permissions are set.

    Screenshot of Permissions dialog for a query folder, verify permission settings.

  1. Choose All. Expand Shared Queries.

  2. To add a folder, choose More actions for an existing folder or the top container folder, and choose New folder.

    Screenshot of Open Actions menu, choose New folder.

  3. Enter the name for the folder. If you want to change the location of the folder, select it from the Folder drop down menu.

    Here we name the folder Service Delivery with the intention that it gets used by the Service Delivery team.

    Screenshot of New folder dialog, Azure DevOps Server 2019.

  4. To set permissions for the folder you just added, choose the actions icon and select Security.

  5. Change the permissions so that the team member or group can contribute and manage permissions for the folder. Choose the Add... menu to add a user identity or group.

    Here we add the Service Delivery team and grant them permissions to create and manage permissions to all queries and folders under the Service Delivery folder.

    Screenshot of Permissions dialog for a query folder, Azure DevOps Server 2019.

    Contribute allows team members to create and edit queries and folders under the folder where the permissions were granted. And, Manage Permissions allows team members to manage the permission settings on queries and subfolders.

  6. (Optional) Turn off inheritance. Default is On. By turning off inheritance for a folder, you disallow inheritance of permissions that exist up the chain of query folders. For more information, see Permissions, Inheritance.

Set permissions on a shared query

To keep anyone else from modifying a shared query that you create, you may want to set permissions on a specific query. You can set permissions by opening the permissions dialog for the specific query.

  1. Choose the actions icon and select Security.

    Screenshot of Open query permissions context menu.

  2. Change the permissions so that a team member or group can't edit, delete, or change permissions for the query.

    Here we deny permissions for the Disallow access group.

    Screenshot of Permissions dialog for a shared query.

With queries, you cannot only list work items, you can create status and trend charts and add them to dashboards. You can learn more about permissions and working with queries from these resources: