How to manage access in a projects of solution - tfs

I have a solution that contains several projects, I want a team to work on this source code, but every developer can only see his own project and can't see the rest of the projects. But he can build and run the whole solution. What solution do you have for this?

It should be able to achieve this no matter you are using TFVC or Git as your source control.
TFS build is using build service account not the user which trigger build. Once the build service account have appropriate permission, it will get source from TFS server and download to build agent.
The permission in TFS is mutual independence. And permissions can be granted directly to an individual user, or to a group.
In version control permissions, explicit deny takes precedence over administrator group permissions.
You could deny the Read permission for those users. And set the other related build permission such as view build definition and queue build to allow.
Read
Can read the contents of a file or folder. If a user has Read
permissions for a folder, the user can see the contents of the folder
and the properties of the files in it, even if the user does not have
permission to open the files.
Queue builds Can queue new builds.
View build definition Can view build definition(s).
View builds Can view builds belonging to build definition(s).
...
However, there is still some difference for Git and TFVC for control project permission:
In TFVC you can open the web portal and go to the code tab. There you can right click on any folder and select permissions. You can use any fine grain you like and control inheritance.
In Git you can only control permission ls at the Repository and Branch level.
Besides, you may also need a account with full permission of solution and all projects to create the build pipeline. Otherwise, the user may not able to select the mapping relationship in source get configuration.

Related

Working and building a project with multiple developers with specified permission for each one?

We are two developer(me and my friend) and working on a MVC ASP.Net project in Visual Studio 2017 with TFS Online(visualstudio.com, TFVC).
All of us have full access to all files for developing and building to view and test.
We want to outsource part of our project to another developers and we don't want to access full permission of project files to new developers.
If we didn't access full permission to all files to new developers, they can't build project to view and test.
Is there a way to access just some files of a project to another developers but they could build project to view and test?
VSTS/TFS grant users the specific set of permissions that are appropriate for certain roles in your organization. Details of permission please refer this link.
It's not hard to restrict someone to access some project files. You could just deny the Read permission on a folder level when using TFVC source control.
Read
Can read the contents of a file or folder. If a user has Read permissions for a folder, the user can see the contents of the folder
and the properties of the files in it, even if the user does not have
permission to open the files.
If you are using the host agent to build, during the get source step. You(=the new developers) are using your own account to pull source from server to build agent. Without the access to some files in the project, you could not pull down the entire project source code. Definitely, you should not be able to run the build as well.
If you are using the private agent to build, it's able to use network service account as the build service account and queue build. Just give the build service account appropriately permission, you should be able to pull down all source files in the project and run the build. However, since you have denied the access of some other files in the project, it's also not able to view and test them .
In this case, as a workaround, suggest you create an apart branch with your main develop branch, just put some files which your new developers need to work with in this branch. And deny their access to your main branch, When their work have done, they could build/test on the new branch.
Once everything is fine, they could merge changes from the new branch to your main branch. You could then also build/test the entire project in the main branch again.
With this kind of architecture, it's more easy to manage both permissions and team work.

VSTS Permission to one branch

I have a user who is a stakeholder in VSTS. He needs to be able to access a branch in the project I am working on. So he can work on it then commit to it. I don't want him to see any other projects I have on VSTS. Is this possible? I don't really want him to be able to access the other branches but it doesn't matter too much - hiding the other projects is more important.
Actually people with Stakeholder access level could not commit their work on branch.
Assign Stakeholder access to those users who need to enter bugs,
view backlogs, boards, charts, and dashboards, but who don't have a
TFS CAL. Stakeholders can also view releases and manage release
approvals. Stakeholder access is free.
Source Link: About access levels
See Stakeholder access for details of features available to stakeholders.
The user should have either Basic access or VS Enterprise which include code feature.
Moreover, it's able to forbid him to see any other projects you have on VSTS. This is another concept called Permissions in VSTS. Do not add him to any other project team group expect the one he will work on.
You could also be able to deny the Read permission for branch/folder level
Read
Can read the contents of a file or folder. If a user has Read
permissions for a folder, the user can see the contents of the folder
and the properties of the files in it, even if the user does not have
permission to open the files.

File level access permission in TFS

I have my TFS server and it has multiple branch like Dev,Test, UAT and Main. my problem is I have some security concern regarding web.config resides under Main branch. I want so access mechanism using which I can apply access permission on single file only.
I need that my team lead can only able to see that web.config file resides into Main branch but my developers can't see it.
how is this possible using TFS 2013?
Yes, this could be achieved. The simplest way is through source control explorer, select the file in Main branch from source control explorer and right click it, choose security.
On the pop-up dialog, you could be able to change the related permissions of this single file xxx.config.
In TFS deny trumps allow, then simply change the read permission for the group of developers from allow to deny.

TFS -locked for checkout by in workspace- but the Server was decommissioned

TFS- is locked for edit from DEV Server, older server which was decommissioned. I don’t have access to that workspace to unlock if from Visual Studio,so it needs to be overridden from the TFS server.
Error:
/DISK1/Setup.exe is locked for Check-out by user(name) in workspace DEV Server
I have tried with TFS Side Kicks by using server name, would not find the workspace of above path.
Talk to your administrator or someone who has the permission of Unlock other user's changes, to use Lock Command to removes a lock from this item:
The following example unlocks and makes all files in the src/ Team Foundation version control server folder available for check-out and check-in by other users.
c:\projects>tf lock /lock:none src/
Option 1
You should be able to find the workspace using TFS Side Kicks. I am guessing that one of your other filters are incorrect, e.g. Owner name or Last accessed date(from). By deleting the workspace you also delete the check-out lock.
Option 2
You can also find the file/directory in Visual Studio Source Control, right-click it, select Find and Find by Status. In the resulting dialog press Find and you should see the check-out lock. Right-click on the file(s) and select Undo....
Both operations require that you are part of the administrator group for the Team Project in question.

Allow create and edit build definition, but not edit existing definitions

I manage a large TFS 2013 team project, whose code we're now splitting into multiple independent parts, each part becoming a tenant in the team project. Each such part would have its own build definition(s). I want people in each part to be able to create/edit/manage their build definitions, but not others.
Currently, I create the build definitions myself upon request, and then set permissions on the new definitions, and tell people to edit them. I have permissions to that since I'm in the Builders VSO group, and therefore have Edit build definition and Administrator build permissions on the Team project.
However, I'd like to grant everyone the permission to create new build definitions and administer them, but not have permissions to change other permissions. Is this possible in TFS?
Its not currently possible to do that out of the box. However, you could setup a webpage that automated the task that you currently perform and add a new build definition and give permission to the correct team... Then they can manage it from then.
I would recommend using PowerShell for the action and the webpage mearly calls that.

Resources