I am a developer. I have come across a scenario where I need to get the list of all user stories on which I had worked once but now its owner is some one else like QA. Now those user stories have QA person as owner so I can not write query as [Owner = 'MyName'].
Any idea?
Have you investigated the Lookback API (https://rally1.rallydev.com/analytics/doc/#/manual)? You can query the history of most Rally artifacts to look for ones of which you were once the Owner.
I haven't used Rally but, just thinking : since it was a story you worked on, there's a high chance you have added some comments on it, or possibly even created it yourself.
Is there a way to use this in your query?
For eg - [CommentBy = Adarsh Kumar], or [CreatedBy = Adarsh Kumar]
I use Rational Team Concert, and this may be a problem there too. If one modifies the design where you have a Dev owner, and a FVT owner, and give the ability to query on these two separate fields, it would be easier to track efforts at the end of the year eh? ;-)
Related
I am a DBA and I work across all of our dev teams. I often will get a task on someone else's user story. I will not be a member of the team that the user story belongs to. I need a way to see all of the user stories that I have a task on so that I can easily track the status, etc of the overall user story.
We are using Rally/Agile-Central
The best way is to use the Custom List app and go to a location in the project hierarchy above anywhere you might have a story or task assigned to you. If you then ask it to filter on owner equals you, then it will give you the stories you own, but also the stories owned by someone else that you have a task assigned to you.
It does the equivalent of this query for you automatically:
((Owner = daniel#acme.com) or (Tasks.Owner = daniel#acme.com))
Foreword: I've searched around on this question a fair bit and found answers which are close to a solution, but not what I'm looking for. So here I am, and I hope someone can help me. I'm relatively new to VSTS, so be gentle (or at least constructive) ;P
The Question: I'm looking for a way to restrict access to specific tickets (NOT by ticket type) that contain NDA protected data, whilst keeping them in the same backlog and iterations as the rest of the tickets related to a project.
We have many different NDA protected customers, so whilst creating a new ticket type per NDA, and restricting access to this, could work, it's not the solution I'm looking for.
Alternatively, I'm barking up the wrong tree, and there is an entirely different and "better way" to support this use-case?
Edit 1 - More info: Let's say I have 1 backlog for a product. It contains only 2 work items. It's important there is only 1 backlog for planning and overview by a product owner.
One of the two work items contains sensitive information only half the development team should have visibility to. How do I keep both tickets in the same backlog and iterations, but hide the sensitive one from some team members?
Thanks in advance for your time!
Regarding permission of work items in a team project, you can set the permission in area and iteration scope, but can’t for specific work items.
So, you need to put these work items in different area and manage permission for this area. Simple steps:
Go to team project admin page
Work=>Areas
Click New/New child, to create a new area.
Click …=>Security, set the permission for the group(s) or user(s)
Click the default team’s settings => Areas
Click + Select areas to add that area in order to show related work items (in that area)
How do I get users (not team members) of a given project using Ruby Rally Toolkit? I am trying to run a query to change the roles of all the users in a given project to "Editor", for that I need to get the list of all users of a project.
Unfortunately there's no easy way to get the list of all Users with ProjectPermissions in a Project. This endpoint:
https://rally1.rallydev.com/slm/webservice/v2.0/Project/12345678910/Editors
Will obtain a list of all Editors in a Project. However that doesn't help very much if you want to promote any Viewers in a Project to Editors - and there's no such collection as:
https://rally1.rallydev.com/slm/webservice/v2.0/Project/12345678910/Viewers
or
https://rally1.rallydev.com/slm/webservice/v2.0/Project/12345678910/Users
Although it would makes sense and be kind of nice if there were.
Unfortunately your only recourse is to query through all Users and their UserPermissions in your Ruby code, examine their ProjectPermissions, and operate on anyone having ProjectPermission.Role = Viewer for the Project of interest. Sorry there's not a better way, at least that I know of.
Should database be verifying if user is authorized to perform certain action?
Two examples:
1)User is enrolled in 30 teams max and it can see scoresheet of these teams only. I'm passing in userid and teamid to the stored procedure and fetching the scoresheet only if user is authorized to view the scoresheet. Is it more appropriate to only pass in only teamid and check beforehand what all teams user is enrolled in? Should I do both?
2)Currently I'm passing in userid of the poster and the commentid of the comment to be deleted and I'm deleting comment only if both criteria is met - userid matches to the poster id and commentid matches to the commentid - just to make sure user is deleting his own comment and not somebody else's. Is it an overkill?
Multiple layers of validation is best practice and it doesn't seem like your methods would cause additional overhead. Just make sure to limit connecting to the database once, I've found that the most costly part of running database queries is the connection and cursors.
http://msdn.microsoft.com/en-us/library/aa174437%28v=sql.80%29.aspx
Security experts will tell you that No amount of security is enough! But at the same time you have to find a balance b/w security and unnecessary layers of protection that are bound to affect your application's performance.
Answering your 2nd question first: It is a good idea to pass both userid as well as commentid, and matching both, so that you accidentally don't delete all comments by a particular user.
Coming to your 1st question now: As I understand it, you want users only part of the team to be able to view the team's scoresheet, right? In order to do so passing only the teamid of all the teams the user is a part of will do. I am not sure what you mean by authorization here!
NOTE:
I have answered your question from a theoretical view with no idea about your Table structure or whats written in your Stored Procedures.
Your frontend is a much more friendlier (libraries, frameworks, best practices) environment to implement whatever access restrictions or authorization that you could possibly have in mind. Adding another layer inside the database just adds a lot of complexity and duplicate implementation of your access restrictions.
I would only consider doing it if clients connect and execute commands directly against the database.
So, rely on the ids provided by the application and spend your energy on sanitizing user input and implementing a sane authentication model. You will need it.
i am currently having a problem, i guess a lot of people have run into before and i would like to know how you handled it.
So, imagine you have 10.000 Users on your App. ( each one has an own user/pw login to administrate his stuff ).
Imagine further, that you have a growing normalized SQL-tablestructure in the backend, with tables like: Users, Orders, OrderPositions, Invoices, etc.
So, to show/edit/delete stuff of a table which isn't the usertable itself, u'll probably have links like these, to let ypur users interact with the application.
~/Orders/EditOrder?id=12
~/Orders/ShowOrderPosition?orderId=12&posId=443
Ok, and now the problem:
How, do i prevent in a "none-complex"-way, that user A has access ( show/edit/delete ) the data of user B.
Example:
User B calls:
~/Orders/ShowOrderPosition?orderId=12&posId=443
which is an order of user A, so user B should have no access to it.
So, in my code i would need to have a UserIdentity-check before or within every single SQL-statement, like:
select * from OrderPosition op, Order o, User u
where op.Id = :orderId
and op.Fk_OrderId = :orderpositionId
and o.Id = :orderId
and o.Fk_User = :userId
Only this way i can make sure, that the data belongs to the requesting user.
To reach the usertable will of course get far more complex, the deeper the usertable-connection is "buried" in the normalization ( imagine tables like payments or invoices, connected to the order-table... )
Question:
What is your approach to deal with this, concidering: Low complexity, DRY and performance
( Hope u understand what i mean ;) )
This is a bit like a multi-tenant application - I have gone down this route and denormalized an ID onto all those tables that require this kind of check (a tenant ID, in your case, sounds like the user id).
I then created an interface that contains this field only and applied it to all those classes in my model layer that required this access.
In my base data access (repository) class, where all the select/update/delete calls go through, I then check to see if the class if of the type of that interface, and I then check that the current access matches that ID.
Of course, this depends on how your code is structured, and how simple/complex making this global kind of change will be...
Never expose ids.
And if you have to: encrypt them.
Performance
for ultimate performance you will have to denormalize to the point that reading the row and comparing with some application level variable would give you an answer on what kind of rights the user has (this is fairly fast and if your DAO/BAO level is well organized plugging it in will keep it relatively DRY and at relatively low complexity.) NOTE: complexity is also a function of your security model, once you start to implement inheritable, positive and negative, role-based access rules then it can not be really simple.
DRY
another route to take (which is very seldomly taken these days) is to use your database roles to manage security; this might get complicated but will offer unparalleled security (as it will be ensured at the DB level and not application level. Complexity should go down, at the application code level, if you manage to encapsulate all of your access paths into VIEWS, which might require quite a bit of re-tailoring at the database level. However(!), it might be possible to implement security model with very little changes to the application code - by renaming existing tables and replacing them with secured views)
Don't use your internal ID column, encrypted or not, it'll come back to bite you one day.
Create a random, unique, string (GUID, whatever), which contains the link between the user and the data he's requesting. So, instead of having, for user 34567:
Edit order
Create a record {"5dsfwe8frf823jrf",34567,12} in a temporary table and show:
Edit order
When the users clicks the link, fetch 34567,12 from your temporary table.
The string 5dsfwe8frf823jrf is impossible to guess = no security risk.