TFS: How to set permissions per Work Item in a project? - tfs

Is there a way in TFS that user have permission to add Issue in a project and should not have permission to add/edit other work Items like User Story etc ??
is there any extension or utility to do this on TFS ??

You cannot restrict the editing of specific work item types. Permissions are controlled at the area path level. A user with permissions to create work items under an area path can create any type of work item under that area path.

No, there is no such build-in configuration. It's also not able to use any extension or utility to do this on TFS.
Permissions for work items are based on the areas/iterations where they occur, and are set through the dialogue that defines areas and iterations.
In other words, you are not able to set any permission either to a specific work item or work item type.
You could submit a user voice here, our PM will kindly review your suggestion.

There is only one out-of-box way to do this: Create child nodes, modify work items under an area path. You may try the following:
Create new team and area path for Issues Team Add a team, move from one default team to several teams.
Edit Security for the Root Area Path and restrict edit work items for the Issues Team.
Edit Security for the Issues Team Area Path and allow to edit work items for the Issues Team.
In this case, your Issues Team can create and edit any work items under Issues Team Area Path, but can not edit any other work items.

Related

TFS Permission for work item

I use TFS 2012 and want to set following permission to group of TFS users.
Allow create new issue item.
Deny create new task item.
Deny change his task item and can only change remind time, description and state of it. and cant change assigned user, priority and iteration of it.
can I set this permission.
Edit
in the area configuration exist following access:
Create Child nodes
Delete this node
Edit this node
Edit work items in this node
Manage test plans
View permissions for this node
View work items in this node
and in the iteration configuration exists following access :
Create child nodes
Delete this node
Edit this node
View permission for this node
Can I add my requested access to area and iteration security configuration.
thanks in advance
Best practise is to affect to yours members Contributor group, with this group permissions permit to work on project without administrator role.
You can set permission in security section on Web Portal
link : http://msdn.microsoft.com/en-us/library/ms252467(v=vs.80).aspx

TFS - Specialized Group has no access to Work Items

I created a tfs group that would work on a specific project located in a collection. Now we're using work items to track bugs etc, but that group doesn't have access to those work items via the Team Web Access portal. I don't want this group to have access to all the projects in the collection, just the one they are working on. But i need them to be able to access work items that come up.
Currently when they access the Team Web Access portal, they get message indicating there are no accessible team projects in this team project collection.
if they can access their code in the collection already, how come they can't see the work items, and how can i change that, but still limit what they see?
Ok, found what i was looking for after some time. for the benefit of the community here is where that hidden security setting is done.
For the new group, i needed to go under Team/Team Project Settings/Area and Iterations!!!!
Yes, this silly place to but a SECURITY button. If you go in there, click the security button on the bottom of the dialog, you will then see ALL the WORK ITEM related permissions.
EDIT work items in this node;
Manage Test plans;
View this node;
View work items in this node.
I needed to check all of these to ALLOW.
Again, seems like a stupid place to put these settings, than with all the other security settings via TEAM Project Settings. I hope they had a good reason for that.
They will need the View collection-level details permission added to their group (at the collection level). By default, the Project Collection Valid Users group has these permissions, so you can just add your group as a member of the valid users group.

Deny read and browse source code on TFS 2012

I am trying to set permissions on TFS 2012 so as to deny read and browse of source code for some users/teams. Until now I have succeeded on denying read but I cannot deny a user from browsing it. That means, the user can easily see the full tree of files and folders. I would like the user not to be able even to browse it!
Found the solution!
I finally managed to totally hide source code from specific group of users (although I allow them to see work items) by setting "Edit collection-level information=>Not Set" on "Project Collection Valid Users" in "DefaultCollection Groups".
Of course I had to manually deny every permission on the root ($) of source but I suppose this could work for any path you like.
After that I created areas and allowed on this group specific areas and everything goes perfect!
Alex, thanks for your support on that!
I would try removing access to project level information on the Project Settings, if that doesn't do it you may have to remove access to the project as a whole.
One thing I would caution though is using Deny, especially on groups of users. Removing allow is better than specifically denying when having groups of users.
For instance: User A maybe a member of Administrators, but also a member of contributors. As a member of Administrators he should be able to do the action of the security setting in question, but we don't want contributors to do it. If we remove allow from contributors, than the allow in Administrators would still work. However, if we deny the contributors the deny overrides the allow in User A's Administrator group and User A cannot do the action of the security setting in question.

How do I bind a field definition rule to an AD Group for a custom TFS 2010 Work Item Template?

I am attempting to add a "Requested By" field to a custom Work Item Template in TFS 2010. When I create the field in the work item, I wish to have the values restricted to a particular AD group. I'm looking for functionality similar to the "Assigned To" field in the standard templates. However, if I add this AD group to one of the TFS groups, they all get added as valid users in TFS and that is not the behavior I'm looking for. I simply wish to restrict the values for a field to an specific AD group. I've tried adding the AD group to the "Group" property of the VALIDUSER field definition rule, but I get the following error:
---------------------------
Error
---------------------------
Error importing work item type definition:
TF26204: The account you entered is not recognized. Contact your Team Foundation Server administrator to add your account.
---------------------------
OK
---------------------------
Thanks in advance!
[Update]
On further investigation, I have found that it works with certain AD groups, but not with others. For instance, it works with our "Developers Group" but not with "Domain Users". It's actually a fairly small subset of groups that I've tested that work. Again, Any help would be appreciated!
The simplest way I've found is to use the ALLOWEDVALUES field definition rule. Add to the list of allowed values the name of a TFS Group. I have still not been able to get the AD group to work directly. But my big problem was that when I was trying to use a project group, I was putting the project name in the "[Project]\Group Name".
As stated here
some people may think that “[project]” is a place holder for the
project's name, but it is meant as a literal.
You should be able to add an AD group, by simply writing it as domain\group.
Note, however, that the group needs to have some access privileges to the team project (e.g. A member of Contributers).
Have you tried to create a TFS Group, add the AD group in the TFS Group, then add the TFS Group in the "Group" property of the VALIDUSER field definition ?
If I remember correctly you can't put AD group in the "Group" property of a TFS Field, but only TFS Groups...

Managing SharePoint Document Lists

I have created a couple of Document Lists on our SharePoint 2007 portal. I then checked in the page and submitted for approval. The approver aproved the change. However, all the previously created document lists have a drop down list for each uploaded document with options like: View Properties, Edit Properties, Manage Persmissions etc. But the one I created does not have that drop down list when you hover over the documents. The person who approved the change is not able to see those options either. I am pulling my hair on this one.
A custom permission set may have been applied. Can you also not delete the list? If you go into the document list, do you have the settings option?
If possible, ask someone with Site Collection Administrator or Farm Administrator permissions to log in and view the permissions on the new list. This should reveal if there is something out-of-whack with that list. If it's inheriting permissions from the parent and all the other lists are as well, and you have access to the other lists but not this one, well...this just shouldn't happen.
Can you find out what list permissions look like?

Resources