How to restrict Test Plan/Test Suite/Test Case modifications based on State in Azure DevOps

Dmitry Baranov 60 Reputation points
2025-11-11T08:39:28.9366667+00:00

I'm trying to determine how to restrict users from modifying Test Plans, Test Suites, and Test Cases when they are in a specific state (e.g., Approved). I've attempted several approaches:

  1. Using rules: When I make the Test Suite Audit field read-only for the Approved state, it prevents creating new test cases in the Test Suite. I can make other fields read-only with this approach, but it doesn't fully solve the problem.
  2. Using area security restrictions: I created an area where users are denied permission to modify work items. Then, using service hooks and an Azure Function, I trigger the Test Plan area to change to this restricted area when approved. This works for the Test Plan itself, but users can still create new Test Suites within it.

Is there any way to fully restrict modifications to both a Test Plan and its nested entities? Or similarly, to a Test Suite and its nested entities?

Azure DevOps

Answer accepted by question author
  1. Rakesh Mishra 3,870 Reputation points Microsoft External Staff Moderator
    2025-11-13T12:22:55.65+00:00

    Hi @Dmitry Baranov, there are 2 parts in your question.

    1. When state changes to Approved, restrict changes
    2. Restrict changes to a group/role

    But I'm afraid there is a solution to each problem, but not for the combination which you are looking for.

    Option 1 — Using Permissions (applies to a specific group)

    This is the only way to restrict a particular group of users from editing.

    1. Go to Project Settings → Permissions → New Group. Create a group, e.g. Test-ReadOnlyGroup, and add restricted users.
    2. Go to Project Settings → Project configuration → Areas → [Select Area] → Security
      • Select Test-ReadOnlyGroup
      • Set Edit work items in this node → Deny
      • Optionally also Deny:
        • Manage test plans
        • Manage test suites
    3. Test:
      • A user in the group can open Test Cases, Test Plans, and Test Suites but cannot edit or save changes.
      • Other users can edit normally.

    Limitation: This applies all the time, not only when State = Approved.

    Option 2 — Using Process Rules (applies to all users)

    If you want all users to be restricted once the Test Case is approved:

    1. Go to Organization Settings → Process → [Your Inherited Process] → Test Case → Rules → New rule
    2. Condition:
      • When State = Approved
    3. Action:
      • Make field read-only → select fields like Title, Steps, Priority, Description, etc.
    4. Save and test:
      • When any Test Case is moved to Approved, everyone sees the fields as read-only.

    Limitation: Cannot target specific users or groups. It applies to everyone.

    Why you can’t combine both

    Azure DevOps currently has no built-in feature that lets you apply a rule condition like

    “Make field read-only when State = Approved AND user is in group X.”

    Rules can only check field data, not security context. Permissions can check security groups, but not work item state. That’s why this specific combination isn’t possible out-of-the-box.

    The only workaround is custom automation (like a Service Hook + Azure Function that reverts changes if a restricted user modifies an Approved item), but that’s a custom-coded solution, not supported directly in the UI.

    1 person found this answer helpful.
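The decision logic for the Service Hook + Azure Function workaround mentioned in the answer could look like the sketch below. It is an added example, not code from the question or the answer: `build_revert_patch` and `restricted_users` are hypothetical names, the event keys follow the `workitem.updated` service hook payload, and the returned list is meant to be sent as the JSON Patch body of a work item update call made by a service identity.

```python
LOCKED_STATE = "Approved"
# Bookkeeping fields that change on every revision; never revert these.
SYSTEM_FIELDS = {"System.Rev", "System.ChangedDate", "System.ChangedBy",
                 "System.RevisedDate", "System.AuthorizedDate", "System.Watermark"}


def build_revert_patch(event, restricted_users):
    """Return a JSON Patch list undoing the edit, or None if the edit is allowed."""
    # restricted_users: assumed set of lower-case account names, resolved elsewhere.
    if event.get("eventType") != "workitem.updated":
        return None
    resource = event.get("resource", {})
    editor = resource.get("revisedBy", {}).get("uniqueName", "").lower()
    # The revert itself is saved by a service identity outside restricted_users,
    # so the follow-up event exits here instead of looping.
    if editor not in restricted_users:
        return None
    delta = resource.get("fields", {})
    current = resource.get("revision", {}).get("fields", {})
    # State before the edit: oldValue if State changed, else the current value.
    if "System.State" in delta:
        state_before = delta["System.State"].get("oldValue")
    else:
        state_before = current.get("System.State")
    if state_before != LOCKED_STATE:
        return None  # also lets the transition into Approved through
    # "test" on /rev makes the PATCH fail if the item changed again meanwhile.
    patch = [{"op": "test", "path": "/rev", "value": resource["rev"]}]
    for name, change in delta.items():
        if name in SYSTEM_FIELDS:
            continue
        if "oldValue" in change:
            patch.append({"op": "replace", "path": f"/fields/{name}",
                          "value": change["oldValue"]})
        else:  # field was empty before the edit
            patch.append({"op": "remove", "path": f"/fields/{name}"})
    return patch if len(patch) > 1 else None


# Constructed sample event (trimmed to the keys used above).
SAMPLE_EVENT = {"eventType": "workitem.updated", "resource": {
    "rev": 7, "revisedBy": {"uniqueName": "tester@example.com"},
    "fields": {"System.Rev": {"oldValue": 6, "newValue": 7},
               "System.Title": {"oldValue": "Login works", "newValue": "x"}},
    "revision": {"fields": {"System.State": "Approved"}}}}
```

This only undoes field edits on an existing work item after they are saved; it does not stop new Test Suites or Test Cases from being created under an Approved plan.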