Get Started
Support Home

We’ve launched a new Help Center!

Visit the new Documentation space for Azure DevOps, monday.com, and Jira. Or, if you require any assistance or have any questions, please visit the new Customer Support Portal for Azure DevOps, monday.com and Jira.

Learn more

Restricting access the service account needs for reports

Gathering Feedback
Follow
New post
Avatar
Chelsea Lopez

Currently, the 7pace Reporting requires that a member of the Project Collection Admin group be set as the "service account".  This gives the service account full access to areas that should not be needed by 7pace (like Repos, Pipelines, and Audit).  I would like to understand the exact security that is required for 7pace Reporting and then craft an account with only those specific permissions applied.  

I'm concerned that the 7pace service account has limitless permissions with the potential to wreak havoc in the name of someone else (the user that was set up as service account).  

Can we get a security role of this nature on the roadmap and stop using Project Collection Admin? 

0

Comments

2 comments

Sort by Date Votes
  • Avatar
    Andrea Moro

    Hi Chelsea, 

    thank you very much for your message. With our current architecture, we are somewhat limited in what we can do. The setup you described is required to ensure that Timetracker reporting has access to all the data required by the underlying caching logic to work properly. That being said, the user running the reports can have their permissions limited so they don't need full access.

    Regarding your request, although theoretically we could allow users to specify all the access settings manually, this would be error prone and hard to maintain, which is why the app currently does not support this functionality. We will monitor this and other similar thread and reassess in due course.

    Kind Regards,

    Andrea
    Product Owner - www.7pace.com

    0
    Comment actions Permalink
  • Avatar
    Andrea Moro

    Hi again

    as a quick addition to the above, I just wanted to clarify that should this become a non-negotiable requirement there is a workaround available. This would require you to create a new user inside the Project Collection Admin group and authorize it using PAT (personal access token). And in this PAT you could also limit permissions to read-only. However, as per my previous message, we don't support adopting this solution because it is error prone and it comes with some significant limitations (e.g. the completed and remaining work fields will not update for this user).

    Kind Regards,

    Andrea
    Product Owner - www.7pace.com

    0
    Comment actions Permalink

Please sign in to leave a comment.

Powered by Zendesk