I have almost 400 projects to create in my TFS project collection in TFS 2017. I don't want to have to create and configure each project, one at a time. I'd like to create a custom process template, which seems easy enough to do, but I can't find how to add an AD group to the Project Administrators group.
The GroupsandPermissions.xml file allows the creation of new groups but doesn't accept the Project Administrators group as an option. I've read here where others have tested it. Also the macro for project administrators is reported not to work because the group already exists.
Any ideas how to add an AD group to project administrators in the process template or otherwise?
Related
I manage a large TFS 2013 team project, whose code we're now splitting into multiple independent parts, each part becoming a tenant in the team project. Each such part would have its own build definition(s). I want people in each part to be able to create/edit/manage their build definitions, but not others.
Currently, I create the build definitions myself upon request, and then set permissions on the new definitions, and tell people to edit them. I have permissions to that since I'm in the Builders VSO group, and therefore have Edit build definition and Administrator build permissions on the Team project.
However, I'd like to grant everyone the permission to create new build definitions and administer them, but not have permissions to change other permissions. Is this possible in TFS?
Its not currently possible to do that out of the box. However, you could setup a webpage that automated the task that you currently perform and add a new build definition and give permission to the correct team... Then they can manage it from then.
I would recommend using PowerShell for the action and the webpage mearly calls that.
We use TFS as source control. In TFS we host a solution consisting of multiple Visual Studio projects. We do not want our contractors to see the source code of ONE of these projects (limited users should still see all compiled assemblies). What is the best way to achieve our objective without setting up two repositories and having to synchronize all code changes between them?
I would recommend that instead of just changing the permissions in place that you move the projects that you want to protect to a separate folder with its own solution. Secure that folder as above. You can then build it separately and deploy it to an internal nuget repository.
you can then reference that repository from within the Visual Studio package manager and it will be managed as an external dependency. If you update and publish the other solution then the other devs will be notified of updates..
You control access rights to a folder by selecting Advanced->Security from Source Control Explorer. From there, you can turn off security inheritance for the item(s) you need to protect. Then, create a TFS-specific group containing the 'limited users' only and only allow them access to the particular project folder. Alternatively, create a group for the contractors and deny them access.
This is based on VS/TFS 2012.
But my guess is that you will also need to create a specific solution for the contractors that doesn't have the particular project included.
Is there any way to remove the ability for members of the Project Administrator group from being able to modify the Work Item Type Definitions in their projects?
If I were to create a custom group that mimics project administrators (contains the sames permissions), which permission or permissions would need to be denied?
Thanks for your help!
This may help:
Manage process template permission
Users who have this permission can download, create, edit, and upload process templates to the team project collection.
For some reason our developers can only add projects that they've created to Team Explorer, even though they've all been given rights to the other projects. I created a top level group and added all of their AD users to it, and I assigned that group rights to access all of our projects.
They can see the projects in Source Control Explorer, and are able to do their work, but if they try to add a project to Team Explorer, the Connect to Team Project dialog box only shows their own projects.
Is there some other set of permissions?
If you want to make everyone can see and operate each others project, you need to put your team group into Project Collection Administrators in Collection level
If you don't want everyone have admin right,
you need to tell everyone to put the team group into Readers group in the team project they created.
Actually, I don't think there is a way to create a group in Collection level to access all team projects.
In fact, I think the best solution for you situation should be everyone use the same Team project and put everyone in the Reader group in that team project.
So everyone can create their own project under that team project instead of creating their own team project.
If you still want to let everyone create their own team project,
I suggest you use Team Foundation Server Administration Tool to manage group membership.
Permission right usually given on team project level basic. By "top level group" if you mean by giving permission at collection level. then i will suggest you try adding member at 'team project level' under any required group with necessary permission. if you cant add the member ask the admin of the team project to add separately.
you can directly access the security page through web access by.
[TFS web access url]/[Collection]/[team project]/_admin/_security
Under the "TeamExplorer - Connect" there is an option to "Select Team Projects..." When you click on this a box should pop-up titled "Connect to Team Foundation Server" that has a select dropbox, a "Team Project Collections" panel and a "Team Projects" panel. The latter has a list of projects in the collection and each has a checkbox next to them.
Make sure the projects you are interested in are in the list, and have the box checked. You can use the "Select All" checkbox to turn them all on at once.
HTH
I'm new to Team Foundation Server 2010 and I have a question about permissions.
Is it possible for a project to inherit permissions from a project collection? I want to setup a custom contributor group at the project collection level and add the developers to it. Each time they create a new project I want to inherit the permissions from the project collection. That means I don't have to explicitly add the developers to the project each time they create one.
Maybe there is some other way of doing this and not having to setup a custom contributors group? Any help would be appreciated!
I would recommend setting up some Active Directory Groups along the lines of:
TFS Contributors
TFS Administrators
TFS Project Managers
(You could also do this for specific projects. You get the idea.)
Give these AD groups the permissions you need, and simply add/remove the developers to the AD groups. If you can get the ability to manage the AD group, this will be much simpler that administering through the TFS admin tools.
Hopefully, you'll already have AD groups that fit these needs, saving you the trouble. Maybe a team-wide distribution list, for example?
You can create collection level roles (TFS Groups) and edit your process template to grant permissions to those roles so there are set by default in every new project.