How to secure an external Vendors Access to VSTS/TFS

A lot of customers I work with have external vendors. They would like those vendors to have their own backlog of work we can assign to them. However they don’t want them to be able to see all the other work items, and sometimes Builds or Releases.

You can use Stakeholder access level. But sometimes that is too restrictive.

If you want them to have Basic or better access but limit their view.

  • Create a Team for the vendor and add all vendor resources to the team. If they don’t need a backlog and will just run queries for their work. you can just create a Group instead of a Team.
  • Make sure someone at your company is the team administrator.
  • From the Team project navigate to Control Panel -> Work -> Areas
  • Select the Main node in the Areas that is named after the Team Project
  • From the ellipsis context menu select security
  • Add the Team to this dialog and select Deny for all the items in the list

image

  • Save changes
  • Navigate to the node you want this vendor to be able to access work items for and select security
  • Select the External Vendor Group

image

  • Change their permissions for Edit work items in this node and View work items in this node to Allow.
  • Now this group can only see work items under the Area External Vendor

To make sure they can’t see Builds and Releases.

  • Navigate to Builds and click on the Security button at the top of the build list.
  • Set View Build definition and View Builds to Deny
  • For releases navigate to Releases and click the ellipses next to All Release definitions
  • Set View release definition and View release to Deny

image

image