Protecting of Query associated with Source Control Precondition
Hi
In CCM 5.0.2 we are using the precondition of "Require Work Items to Match Query" and have a query which is used to verify that the only valid work items are those of a particular type have an estimate and for the current iteration.
We have discovered that some developers are amending the query to allow them to deliver their code against work items that would not have been permitted by the query.
is there a way to prevent the changing of this query. I found the below older question on the forums. Does this mean that if a developer edits the query but as long as they do not try and save it when they try the deliver code the precondition check will then work on the unsaved version of the query?
https://jazz.net/forum/questions/162335/all-users-can-modify-predefined-queries?errno=2
is there a reccomeneded way to prevent such precondition queries being tampered with?
In CCM 5.0.2 we are using the precondition of "Require Work Items to Match Query" and have a query which is used to verify that the only valid work items are those of a particular type have an estimate and for the current iteration.
We have discovered that some developers are amending the query to allow them to deliver their code against work items that would not have been permitted by the query.
is there a way to prevent the changing of this query. I found the below older question on the forums. Does this mean that if a developer edits the query but as long as they do not try and save it when they try the deliver code the precondition check will then work on the unsaved version of the query?
https://jazz.net/forum/questions/162335/all-users-can-modify-predefined-queries?errno=2
is there a reccomeneded way to prevent such precondition queries being tampered with?
One answer
As far as I can tell, you can modify any query - in memory - This is a temporary query and would not get called by your operation behavior. That would only call the saved query, because the query reference is stored in the operation behavior and it should not even be able to see the en memory copy of the query being edited. To change the query, you have to be able to save it.
Two approaches I can think of to make it impossible to save.
1. Create the query as predefined query, if at all possible.
2. Create a team, make you a member with a role and share the query with that team. Remove permission to save queries owned by the team for everyone in that team area.
3. Use this query in the operation behavior
Other users than administrators or you should not be able to edit and save the query.
They won't even be able to see it.
Two approaches I can think of to make it impossible to save.
1. Create the query as predefined query, if at all possible.
2. Create a team, make you a member with a role and share the query with that team. Remove permission to save queries owned by the team for everyone in that team area.
3. Use this query in the operation behavior
Other users than administrators or you should not be able to edit and save the query.
They won't even be able to see it.
Comments
Hi Ralph. Thanks so the operation Behaviour only acts on the saved query not in Memory when defined it grabs a server copy of the query to use. That was the bit I wasn't too sure about.
Also the permissions to update Operation Behaviour is I guess controlled by the "Save Process Description" part of permitted actions and whichever role has that granted.
But ensuing that the query is also predefind and protected as that is also needed
I explained above how to protect it without removing the capability to save their own queries above. Making it predefined requires to do it in the process XML.