In this guide, we'll answer common questions about our Productboard <> Azure DevOps integration.
How do you secure the integration between Productboard and Azure DevOps?
We rely on an SSL (Secure HTTPS) connection when interacting with any type of Azure server, whether it's cloud-based or on-premise.
How are permissions managed in the Productboard <> Azure DevOps integration?
The integration is authorized via a "Personal Access Token" belonging to a specific user in an Azure DevOps instance. The permissions granted to the Productboard integration depend on two factors:
- What are the permissions granted in Azure DevOps to the person configuring the integration?
- What permissions were granted by that person when creating their Personal Access Token?
By changing the permissions of the designated user within your Azure DevOps account, or by adjusting the permissions granted to the Personal Access Token, you can manage the access of the integration.
How does the Productboard <> Azure DevOps integration affect my Azure DevOps instance and data?
Our integration can perform these actions in your Azure DevOps account:
- create new Work Items
- update the Hyperlinks section of Work items (when you link an existing PB feature)
- create Work Item comments
The integration never attempts to delete a Work Item. The Azure DevOps integration does not overwrite existing data, except data created by the integration itself (e.g. updating a hyperlink).
How do I prevent sensitive information from passing from Azure DevOps to Productboard?
Users can limit Productboard's access to sensitive information from within their Azure DevOps instance. Access can be restricted in two ways:
- Limit the access of the Azure DevOps user who authorized the Productboard integration
- Limit the permissions of the Personal Access Token used to authenticate the integration.
How do you secure a webhook subscription to my Azure DevOps instance?
To prevent the injection of invalid data by an attacker, Webhook subscriptions are configured to sign each request using HMAC. If the HMAC signature does not match the expected one, we will ignore the request.
Our webhook subscription will only send us raw IDs of work items in your Azure DevOps account. If the work item ID is linked to a Productboard feature, we will request full details from Azure DevOps. If a work item ID is not linked to a Productboard feature, no request will be made, and the full details of that work item (e.g. title, description, etc) will never be sent out of your Azure DevOps instance.
What is the difference between how Productboard handles cloud and on-premise versions of Azure DevOps?
Our integration communicates with on-premise instances of Azure DevOps exactly the same way as it does with cloud-based versions. The only difference is that customers using on-premise versions will need to whitelist our IP addresses and one port. Instructions for doing so can be seen here.
What are your recommendations to keep my Azure DevOps on-premise instance as safe as possible?
- Whitelist only those three IP addresses & one port we mentioned in the integration setup documentation. This ensures that only Productboard may access your Azure DevOps instance.
- Grant a minimal level of access to the user account which generates a Personal Access Token.