Who has accessed a team project in TFS? - tfs

How can I see who has accessed files in a team project in TFS? Normal View History only shows you check ins. And exporting the Audit Log from TFS doesn't show you this info. I am interested in knowing who has made a read/get latest access on a specific team project.
This needs to be documented for my QA department. Are there any TFS SQL scripts that can show this info?

Sorry, we do not have this kind of record of each user operation, such as read/get latest, on a specific team project.
As you have mentioned, the history command will only display the revision history of one or more files or folders. It is only related to each changeset (checked-in files).
Audit logs basically display some modify operations in TFS and also do not include any access info at present.
Digging into the SQL database to query such information may be a solution. However, this is highly not recommended, since it may cause some potential risks to your database. And it will also lose support from Microsoft.
This should be a feature request; you could submit it here. Our PM will kindly review any suggestion.

Related

TFS 2013 audit get latest version commands

We're using TFS 2013. I'm interested to know if it's possible to see which developers are performing a 'Get Latest Version' command from various projects. tbl_command shows Get commands, but this doesn't tell me what was gotten. Is this available somewhere?
If I were you, I would open up the SQL Transaction inspection tool and see any SQL transactions that are happening (this will take some trial and error to tune the filters to find what transactions you are looking for). Then when you find the table that is being queried specifically for a "Get Latest Version" and not just a regular "Get", then just add a SQL table trigger that fires an INSERT trigger into another table that keeps track of Who, What, When, and Where this is happening. I'm sorry I cannot give you the details of what transaction this is happening in, but I've used this methodology to find transactions when I needed to keep track of when developers were adding LABELS to TFSVC branches, and now I can know when they are sneaking in labels anywhere in my TFS system.
Every time a developer performs a get-latest, the server updates its Workspace tracking tables. Through these, you can track exactly which workspace mappings and which version of each element in the workspace mapping has been served to a user through TFVC commands.
A user can delete their workspace from the server, after which this information is lost however.
If you want to use this data for audit purposes, it may not be enough.
Files downloaded through tf vc view commands are not stored in the workspace cache, even though that command can be used to download individual files. Individual file downloads through the Web UI are also not tracked in any workspace cache.
Each file download results in an HTTP call on the TFS application tier, and those logs should provide data on which files were downloaded by which user.
If you don't have all the logs and haven't configured high retention on the tbl_command, then you should consider that each user with access permissions potentially has downloaded all files they have the permissions for.
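An added example (not part of the original answers) of the application-tier log review described above: it reads IIS W3C extended logs and groups successful file-download requests by user. The handler path, the function name and the sample log lines are assumptions; confirm the path against your own logs before relying on it.

```python
import re
from collections import defaultdict

# Assumption: URL suffix of the TFVC file-download handler; confirm it in your own logs.
DOWNLOAD_HANDLER = re.compile(r"/VersionControl/v1\.0/item\.ashx$", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2018-03-01 09:12:44 GET /tfs/DefaultCollection/VersionControl/v1.0/item.ashx fid=1001 CORP\\alice 10.0.0.5 200
2018-03-01 09:12:45 GET /tfs/DefaultCollection/VersionControl/v1.0/item.ashx fid=1002 CORP\\alice 10.0.0.5 200
2018-03-01 09:13:02 POST /tfs/DefaultCollection/VersionControl/v1.0/repository.asmx - CORP\\bob 10.0.0.7 200
2018-03-01 09:15:30 GET /tfs/DefaultCollection/VersionControl/v1.0/item.ashx fid=1001 CORP\\bob 10.0.0.7 401
2018-03-01 09:15:31 GET /tfs/DefaultCollection/VersionControl/v1.0/item.ashx fid=1001 CORP\\bob 10.0.0.7 200
"""


def downloads_by_user(lines):
    """Return {username: [(timestamp, uri_stem, uri_query), ...]} for served downloads."""
    fields, result = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # truncated or malformed record
        rec = dict(zip(fields, values))
        if not DOWNLOAD_HANDLER.search(rec.get("cs-uri-stem", "")):
            continue                    # not a file download
        if not rec.get("sc-status", "").startswith("2"):
            continue                    # auth challenge or error: nothing was served
        stamp = f'{rec.get("date", "")} {rec.get("time", "")}'
        user = rec.get("cs-username", "-")   # "-" means IIS logged no authenticated user
        result[user].append((stamp, rec["cs-uri-stem"], rec.get("cs-uri-query", "-")))
    return dict(result)


if __name__ == "__main__":
    for user, hits in downloads_by_user(SAMPLE_LOG.splitlines()).items():
        print(user, len(hits), "last:", hits[-1])
```

The result is only as complete as the retained logs, so gaps in log retention are gaps in the audit trail.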

TFS Permissions Audit

I have a requirement from our company auditors to be able to prove who can alter code in our source repository. Is there a method of producing a report detailing permissions?
Ideally the report would show all permissions but at least it needs to show check-in permissions. Ideally the report would be standard functionality as this tends to lead to less questioning from the auditors, but if not possible then custom reports/queries would be manageable.
We're using TFS 2018 on premise.
You could check the extension TFS Permission Visualizer, which displays TFS security groups and permissions in the form of a graph.
Also, you could refer to the solution Extracting effective permissions from TFS on GitHub. This practical guidance and sample code is based on extensive research to address two of the commonly heard requests on Team Foundation Server security:
Report on the effective permissions of a TFS user/group.
Report on security auditing for TFS.
Clone and build TFS Team Project Manager.
Here's what it looks like:
See also: https://github.com/ALM-Rangers/Extracting-effective-permissions-from-TFS/blob/master/Doc/Extracting%20effective%20permissions%20whitepaper.md

Opshub Migration from TFS to VSTS not mapping users

So I've been trying to perform a migration (code only, no work items) of a medium sized project from an on-premises TFS2010 to VSTS using the OpsHub tool. My user is an administrator on both sides, and the migration runs and completes without tossing errors.
The problem is that it just doesn't do what it says it will. I spent a long time mapping the users from TFS to VSTS during the setup, but it completely ignored that mapping and assigned every single changeset to my VSTS account. The docs also say that it should preserve the original TFS check-in time in the comment of the new VSTS changeset, but it never does that to any of them -- the comments are just brought over exactly as they were.
It seems like there must be a setting set wrong in OpsHub to turn these features on, but I can't find any kind of options screen or anything in the tool. It looks like other users are able to successfully map the TFS users to the VSTS users and have it work like you would expect, but I can't make heads or tails of it.
Thanks for any help or advice on this.
If you are using the free version, then this feature is not supported by it, and the same is mentioned on the Visual Studio Gallery download page. Only the commercial version of the migration utility supports partial user impersonation, i.e. writing changes as per the configured user mapping.

TFS 2008 - Require database reviewer on check-in

I have a team project that contains n number of branches, and each branch contains a Database folder in the root. The database folder is where developers check in views, stored procedures, etc. We have had some issues with developers checking in SQL Code that was poorly written, introduced performance bottlenecks, and so on. The DBA has asked me to prevent developers from checking in changes to the Database folder until he has had a chance to review them.
I know that I can add a 'Database Reviewer' as part of a required check-in note, but I don't need a database review every time a developer checks in; I only need the database review to be required if the changeset contains changes to the Database folder. I haven't been able to come up with anything worthwhile on Google, so I don't think that this is functionality that is built in to TFS. Could someone point in the direction of how to resolve this, or explain how they resolved a similar problem in the past?
Thanks!
There is no clear cut solution for this, but you have a few options.
Remove the check-in permissions to the Database folder for normal developers and have them send their changes as a Shelveset to the Database guy.
Ask the developers to become more professional and have them walk by the SQL guy to review their code with them, so that they will be more proficient in SQL later (would be my preferred choice if the SQL guy isn't part of the team).
Ask the SQL guy to join the team and have him pair with the developers when writing complex SQL scripts (that's even better).
There is no option built right into the product to make the check-in note optional for specific branches, folders or files, but by developing a custom check-in policy you could require data to be entered in the Database Reviewed field. Combine this with the Custom path policy to limit this check-in policy to specific paths in source control.
That custom policy would look something like this:
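    // Needs: using System.Linq; using Microsoft.TeamFoundation.VersionControl.Client;
    // This method belongs inside a class that derives from PolicyBase.
    // It fails the check-in when the "Database Reviewed By" note exists but is empty.
    public override PolicyFailure[] Evaluate()
    {
        if (PendingCheckin.CheckinNotes.CheckinNotes.Values.Any(
                note => note.Name == "Database Reviewed By" && string.IsNullOrWhiteSpace(note.Value)))
        {
            return new PolicyFailure[] { new PolicyFailure("Database Review Required", this) };
        }
        else
        {
            return new PolicyFailure[0];
        }
    }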
Check out this small sample project to see how you can create a custom checkin policy. And the requirements if your Check-in policy needs to support multiple Visual Studio versions.
TFS 2012 adds a Code Review feature which can be made required using a 3rd party check-in policy (again, combine with the custom path Policy to make it required only for certain paths). There are a few projects on codeplex that provide similar features for older versions of TFS. These include Team Review and TFS Review Workflow.
There isn't anything built in to handle this. I think the best way to handle it would be to lock down those folders so developers can't check in there. Create a branch/folder where you can allow the developers to check in there. This would give the DBAs the ability to review the changes before they merge/migrate them.
TFS 2012 includes a code review workflow that could also be used if you could upgrade TFS. There is also a custom add-on called Team Review that works with TFS 2008. It provides a nice workflow but it would still be voluntary.
https://teamreview.codeplex.com/releases/view/40528
Thanks,
Mike

TFS setup related issues

Is there any focused documentation on achieving the following with TFS. I find myself having to read through tonnes of documentation on MSDN and I find nothing is listed under topics as such or maybe I don't know what to look for. I have no experience in TFS other than checking files in and out and I am still trying to understand what each of these mean and how to find it in the docs, without much luck.
Gated check-in + continuous build for select projects.
Gated check-in + scheduled builds for other select projects.
Dashboards and reporting to select individuals or groups
Access for testing team members to only selective work item creation of the TFS project they are assigned to. They should be able to get the latest version of the code and be able to log a workitem-bug, workitem-issue, workitem-testcase, but they should not be able to create, e.g., workitem:use case.
Testers should not be able to modify code.
Sending mails to persons who have a work item assigned to them, with select persons in copy.
Sending of emails to anyone against whom a bug is assigned. When the bug is closed, the person who raised the bug should get notified via email.
Sending mails to key persons of a project defined somewhere in TFS, on build failure of that project.
If anyone has already done something like any of the points listed above, then can you please let me know the steps? Somehow the documentation is jumping across too many links and going off on various tangents.
Thanks for your time and patience.
In order:
Go to the Microsoft TFS site at http://msdn.microsoft.com/en-us/vstudio/ff637362.aspx. Look for the training videos. Most of the stuff you want is covered.
The Visual Studio Team Foundation Server Branching and Merging Guide at http://vsarbranchingguide.codeplex.com/ is an excellent guide.
The Introduction to Visual Studio Team Foundation Server 2010 Training Kit at http://www.microsoft.com/en-us/download/details.aspx?id=27152 is helpful.
