I have a requirement from our company auditors to be able to prove who can alter code in our source repository. Is there a method of producing a report detailing permissions?
Ideally the report would show all permissions but at least it needs to show check-in permissions. Ideally the report would be standard functionality as this tends to lead to less questioning from the auditors, but if not possible then custom reports/queries would be manageable.
We're using TFS 2018 on premise.
You could check extension TFS Permission Visualizer, which displays TFS security groups and permissions in a form of a graph.
Also, you could refer to the solution Extracting effective permissions from TFS on GitHub. This practical guidance and sample code is based on extensive research to address two of the commonly heard requests on Team Foundation Server security:
Report on the effective permissions of a TFS user/group.
Report on security auditing for TFS.
Clone and build TFS Team Project Manager.
Here's what it looks like:
See also: https://github.com/ALM-Rangers/Extracting-effective-permissions-from-TFS/blob/master/Doc/Extracting%20effective%20permissions%20whitepaper.md
Related
How can I see who has accessed files in a team project in TFS? Normal View History only shows you check ins. And exporting the Audit Log from TFS doesn't show you this info. I am interested in knowing who has made a read/get latest access on a specific team project.
This needs to be documented for my QA department. Are there any TFS SQL scripts that can show this info?
Sorry, we do not have this kind record of User's each operation such as read/get latest on a specific team project.
As you have mentioned history command will only displays the revision history of one or more files or folders. It only related to each changeset(checked in files).
Audit logs basically display some modify operation in TFS will also not include any access info at present.
Dig into sql database to query such information maybe a solution. However, highly not recommend to do this, since it may cause some potential risks of your database. And it will also lose support from Microsoft.
This should be a feature quest, you could submit it here. Our PM will kindly review any suggestion.
I am using TFS 2018 update2, I have been given Project collection administrator level access for a project collection. But when I connect using VS2017 and create a Team project, I am getting TF218027 error. Please, let me know what the solution for this is.
The error message is very clearly, your account need to gain appropriate permission.
You need to set permissions on SQL Server Reporting separately from TFS itself.
TFS, Reporting Services and SharePoint all have independent permissions. The group "Project Collection Administrators" is internal to TFS and thus only gives access to the TFS functions, not the functions it uses on other servers.
The recommended approach is to create groups in AD (eg. "TFS Collection X Admins") in AD; and then use that group to give permissions in each of TFS, SharePoint and Reporting Services.
You could add a 'Content Manager' permissions, detail steps, please take a look at this thread: Error TF218027 when creating a Team Project in TFS 2010
Another way just as jessehouwing suggested in comment, you do not have to create with Report set, if your team actually no need the report feature, you could also disable the report settings, how to check the report configuration, please take a look at this link.
We have code that we want to be excluded from our Check-In policy that runs a custom code analysis rule set through our on-prem TFS server. We need to install the TFS Power Tools to implement the Custom Path Policy.
The problem is, we have a large number of non .Net developers using our same area for checking in code (i.e. DB developers, QA Engineers) and would like to exclude their code from our check-in policy (it doesn't apply). The only way we can find to do this is through the custom path settings which means they all have to install the Power Tools on their local machines as well.
Is there any other way other than moving the code to another area or having them install the Power tools to exclude their code?
I don't think there is a better way to achieve that except the two ways you mentioned.
Theoretically speaking, the policy in TFS server side can achieve that. Please refer to below link and check if that helpful.
http://almsports.net/tfs-server-side-check-in-policy-for-git-repositories/1025/
You can also reference the related thread: Restricting TFS check-in policy to specific users
I have a team project that contains n number of branches, and each branch contains a Database folder in the root. The database folder is where developers check in views, stored procedures, etc. We have had some issues with developers checking in SQL Code that was poorly written, introduced performance bottlenecks, and so on. The DBA has asked me to prevent developers from checking in changes to the Database folder until he has had a chance to review them.
I know that I can add a 'Database Reviewer' as part of a required check-in note, but I don't need a database review every time a developer checks in; I only need the database review to be required if the changeset contains changes to the Database folder. I haven't been able to come up with anything worthwhile on Google, so I don't think that this is functionality that is built in to TFS. Could someone point in the direction of how to resolve this, or explain how they resolved a similar problem in the past?
Thanks!
There is no clear cut solution for this, but you have a few options.
Remove the check-in permissions to the Database folder for normal developers and have them send their changes as a Shelveset to the Database guy.
Ask the developers to become more professional and have them walk by the SQL guy to review their code with them, so that they will be more proficient in SQL later (would be my preferred choice is the SQL Guy isn't part of the team)
Ask the SQL guy to join the team and have him pair with the developers when writing complex SQL scripts (that's even better).
There is no option to make the check-in note optional for specific branches, folders or files right built into the product, but by developing a custom checkin policy you could require data to be entered in the Database Reviewed field. Combine this with the Custom path policy to limit this check-in policy to specific paths in source control.
That custom policy would look something like this:
public override PolicyFailure[] Evaluate()
{
if (
PendingCheckin.CheckinNotes.CheckinNotes.Values.Any(
note => note.Name == "Database Reviewed By" && string.IsNullOrWhiteSpace(note.Value)))
{
return new PolicyFailure[]{new PolicyFailure("Database Review Required", this) };
}
else
{
return new PolicyFailure[0];
}
}
Check out this small sample project to see how you can create a custom checkin policy. And the requirements if your Check-in policy needs to support multiple Visual Studio versions.
TFS 2012 adds a Code Review feature which can be made required using a 3rd party check-in policy (again, combine with the custom path Policy to make it required only for certain paths). There are a few projects on codeplex that provide similar features for older versions of TFS. These include Team Review and TFS Review Workflow.
There isn't anything built in to handle this. I think the best way to handle it would be to lock down those folders so developers can't check in there. Create a branch/folder where you can allow the developers to check in there. This would give the DBAs the ability to review the changes before they merge/migrate them.
TFS 2012 includes a code review workflow that could also be used if you could upgrade TFS. There is also a custom add-on called Team Review that works with TFS 2008. It provides a nice workflow but it would still be voluntary.
https://teamreview.codeplex.com/releases/view/40528
Thanks,
Mike
I've been looking over TFS documentation and books for a specific instance where it is stated that full remote administration of TFS is possible. It looks like some functionality is exposed through web services, but that seems to be mostly the same as that for users. It also looks like TFS can be mirrored and copied to multiple places, so that suggests a type of remote administrative ability (or of remote configuration settings being copied).
There's even a TFS server administration tool available on Codeplex (http://tfsadmin.codeplex.com/releases/view/57795), but it looks kinda junky for TFS 2010, and I'm not 100% certain that it administers all the possible settings. Could someone please verify for me with certainty if TFS has remote administration functionality or not? Thanks very much for your help!