Azure Devops - `The query ... does not exist, or you do not have permission to read it` while running a build task

Mh - I’m running into a very interesting security issue when running a build task.

The task is making API calls to Azure DevOps to retrieve work items via a query.

The task succeeds in calling the `/_apis/wit/fields` endpoint but fails calling `/_apis/wit/wiql/...`, returning `The query ... does not exist, or you do not have permission to read it`.
The URL opens fine in the browser and returns the result as JSON.

So for some reason the account (Project Collection Build Service) seems not to have permissions to read work item data. I can’t find any security setting that would explain this :thinking_face: any pointers?

Does the build service have read permission on the area path?

Does the [Project Build Collection] have permission to read the query? This can be checked in the security settings for the query folder.

Checked the query folder permissions. When denying permissions I can reproduce the exact error, but the customer has it set to Allow, so that looks fine.

For the area path, the permissions are also the default (Allow) for viewing work item data.

Ok. Issue resolved. Customer went through the Area / Iteration security again, setting everything to Allow :see_no_evil:, and it is working now.

Thanks :heart:

I really try to dissuade clients from setting area / iteration security, as it's a pain to get right and most of the time really unnecessary.

Agreed. The cost of resolving issues related to fine grained security controls probably outweighs the potential cost of people doing things in AzD they shouldn’t be allowed to in most cases…

Same here; we only go as far as enabling members of the team to edit their own primary/child area and iteration path structure so they can lay out their work without help. Mostly to prevent someone from rearranging the wrong team's assets by accident. Any contributor in the team project can edit any of the work items, and it has worked out just fine.