I'm a TFS admin and I'd like to make few users autonomous in order to create their projects on in and manage them.
But at the same time I don't want them to be able to modify and access previous projects that are not related to their job.
Is it possible to make this kind of segregation happen?
And if so, how?
To create a new project the user need "Create new projects" permissions, by default these permissions exist only to "Projects Collections Administrators" that give full access toe everything.
What you can do is to create a new group and in the collection level permissions give to these group the "Create new projects" permissions and deny other permissions that you don't want they will do.
After they create the project they can put themselves as a "Project Admin" and manage their projects.
In this way you give to the users the ability to create and manage new projects but they can't touch in another projects.
Related
We have multiple projects but want to have single user to be able to see and work in just one project in Jira Software Cloud
It will be good to have new dedicated permission scheme. You may start by copy the default one:
Permissions can be based on Project Role or Group and depend on what will be your preference to manage.
If they are set on "Project role" as given on picture below if you is set to be in "Developer" role of certain project he will have browse permissions to it and each project that this permission scheme can be configured with users in certain roles and so these users will be the one granted with permissions
Target Project needs to be updated to use the new the new permission scheme .
It will be good to change default permission scheme to be more restrictive i.e. probably just user group admins to have access to projects that are using it.
Hope this helps!
The trick is to restrict access to all your projects apart from the one you want them to be able to see.
Then create a group that has permission to access the restricted projects.
Finally, add all your users to the group that has access apart from the single user that you want to restrict.
Create a new project role "Team member".
Copy the default permission scheme and replace "Application access - Any logged in user" with "Project role - Team Member".
Apply the new permission scheme to your project.
Add the user to the project under the role "Team Member".
Caveat: some permissions may be lost because of the "Any logged in user" permission removal which is sooo generic it hurts. So you need to check that existing users still have the access they expect. First step would be to add them to the project under the "Team Member" role.
When I try to create a task group from a task in my build definition in TFS 2017, I get an error that says
Access denied. (user name) needs Edit task group permissions to
perform the action. For more information, contact the Team Foundation
Server administrator.
I've checked the following documentation pages, but none of them seem to mention how to grant edit task group permission:
Task Groups
Permissions and groups in VSTS and TFS
Build and release permissions
I'd like to know the correct way to grant this permission.
Additional information:
My account is a member of a Builders group in the appropriate project, and that Builders group has Allow set for every permission listed at the above Build and release permissions link, except override check-in validation by build and Update build information which are both Not Set, and the documentation recommends leaving those permissions as they are.
There are three related permission Administer task group permissions, Delete task group, Edit task group for task groups configuration.
You could set it from Build&Release --Task Group--right click it in left pane--select security.
However just like some other permission settings, you could also directly add a user or TFS group here. After add a user, there should be a users list under TFS group list.
"Build Administrators", "Contributors","Project Administrators" or "Release Administrators" there are just four default groups here. You don't have to add your user account in these groups and set the permission for a specific group to grant related permission of "task group". For example, if you don't want to give all users in a group the correspondingly permission, you could simply give the permission for a user.
In your case, you could add your old "Builders" group here or just add your owner account either directly here or one of a default group.
The other answer is good, except that I have no Builders group... perhaps due to the upgrade path that had been followed on that server.
Go to Task Groups hub, e.g. http://{server}:8080/tfs/{collection}/{project}/_apps/hub/ms.vss-releaseManagement-web.hub-metatask, and hover on Task Groups in left pane, click Ellipsis and choose Security. By default, the old Builders group is not in there, but Build Administrators is. The permission Edit task group can be set here, if needed, but it looks like the correct thing to do is add the user to one of the groups Build Administrators, Project Administrators or Release Administrators.
We have an enterprise customer that we have delivered a system for. It is part of the agreement for us to supply them with the source code of the latest release. We are using TFVC on TFS online, and we thought it would be easiest to give them access to our Main branch. But I have difficulties with only allowing them to access the code and nothing else. The user I am testing with, can see too much: I.e. things like dashboard, current team members etc.
Is it possible for me to only expose code from the Main branch and nothing else to an external user?
Giving access to TFS Main Branch out of Organization (AD) is not advisable considering security.. Instead consider giving source code into zip format there are lot of large file sending (FTP sites) are available..
Still for your request of restricting access to user have a look over this
https://www.visualstudio.com/en-us/docs/setup-admin/restrict-access-tfs
you can consider replicating your part of source code into separate stream and give reader read only access to that stream.
Hope this helps... :)
Refer to these steps to set the permission:
Add user to your VSTS (Basic)
Remove this user from all group if you added
Go to admin page of a team project Version Control (Setting > Version Control)
Select a folder/branch
Click Add > Add User to add that user
Select the user that you added
Set Read permission to Allow
Go to Security page (click Security)
Click Create group to create a new group
Set View project-level information to Allow and deny other permissions for this group
Click Members of that new group
Click Add to add that user to this group
After that, this user can access the code (Just the folder/branch the user has the read permission) on web access (Code > Files).
How to grant permission to a user to manage users and groups and prevent the same user to import and export work item types in TFS. if i added the user to project admin group the user would be able to do both of the mentioned tasks.
There is no any way to do it out of the box.
As you can see, "Project Admnistrators" group is hardcoded project group, which you cannot remove or manage it permissions. TFS system have no special permission to deny import/export workitem types. "Project Administrators" members can modify WITD by default.
But there is a workaround.
First of all you will need to create a custom group (for example: "PM"), grand the same permissions for it (like "Project Administrators" already have) and move all PM users from "Project Administrators" to the new group. After that, members of this group cannot modify the project templates.
Then you have to prevent the addition of any user to the "Project Administrators" group.
You can use this command for it:
TFSSecurity.exe /a+ Server FrameworkGlobalSecurity GenericRead n:"[PROJECT]\Project Administrators" DENY /collection:http://tfsserver:8080/tfs/DefaultCollection
Now each user in "[PROJECT]\Project Administrators" group will lose the whole access to the TFS Server.
Of course, you must inform the users about that.
I am new to JIRA.
I have multiple customers, which I want to have READ only access to their own certain projects. (for instance customer X can access project Y only)
The rest, I dont want them to see.
In addition, I have developers that I want them to have READ/WRITE permissions.
I didn't quite understand the Permissions Schemes and the Roles and the Project setup to create such scenario.
(READ, WRITE permissions I mean for VIEW only and CREATE TICKETS etc...)
Thanks!
Provide them only browse permission, but nothing else.
Best is to use project roles to do so, such that you don't need a specific permission scheme per project.
- Create a role 'Customer'
- Create a permission scheme 'Customer Project Permission scheme'
- Configure the permission scheme such that
- The customer role has browse permissions
- The developer role has all other (applicable) permissions
such as edit, move ...
- Link the permission scheme to a project
- Configure the project such that
- the userid(s) of your customer(s) appear as a member
of the project role 'customer'.
- the userid(s) of your developer(s) appear as a member
of the project role 'developers'
Check http://confluence.atlassian.com/display/JIRA/Managing+Project+Roles
The Atlassian guys are way better than me to explain this stuff.
Hope this helps,
Francis