Use authorization concept in work items to comply with data protection regulations
Officially Answered
Background
The 7pace Timetracker is covering most of the data protection regulation so far, which is great. It uses an authorization concept with different user roles with specific access rights. This guarantees that in the report view and almost everywhere else only data regarding the personal access rights is visible and exportable:
But there is one point where you can still see data of other employees. In the single work items you can see not only your data but data of others as well, like in this screenshot:
As you can see, as a normal team user I am able to see data of my colleague in the work item. Unfortunately, the fact that every user is able to see the data of other users in the single work items is definitely violating the basic data protection regulation of at least our country, Germany.
Request
There has to be a possibility to apply the authorization concept here as well or build in an option to configure this data view as desired.
-
Hi Robert!
Whose time information is visible in the section highlighted in your screenshot is determined by your Azure DevOps organization's configuration as only users in the organization can see the total time tracked. Azure DevOps provides further capabilities that restrict who can have access to work items and these are the ones you should make use of to limit who can view work items and thus the related time data.
We believe that the Azure DevOps tools provide enough limitations and configurability over who can view that data. However, please share which regulation clause you believe that our approach goes against and I will investigate this further.