TFS2017 - How to prevent team members seeing WIs outside of their area? - tfs

We have a project that has been running for a while and has some external clients. I'd like to configure TFS so that while the development team can see all the Work Items, the external clients / stakeholders can only see the work items which relate to their area and not any of the general development tasks or those relating to other stakeholders.
I tried to follow the Microsoft guidance for setting up multiple teams and areas (so will use their examples).
Areas are configured as follows
Fabrikam Fiber
-> Email
-> Web
Teams are configured as follows
Fabrikam Fiber (this team 'owns' the Fabrikam Fiber area and includes sub areas)
-> Email (this team 'owns' the Email area only)
-> Web (this team 'owns' the Web area only)
Teams have the following members
Fabrikam Fiber (whole development team)
-> Email (Adam only)
-> Web (Bill only)
So logging in as the following I would expect to see:
Development team. Can access whole project, both team projects and work items in any area
Adam. Can only access the Email team project and see work items in the Email area
Bill. Can only access the Web team project and see work items in the Web area
But what actually happens is that both Adam and Bill can see everything that the development team can (projects / work items).
What have I done wrong and how can I make this work as I would expect? I'm sure I tried this in the past and it worked fine but that project now also has the same issue. We're using TFS2017 On Premises.
Thanks!
Update 30/04/2018
Thanks for the responses!
Step 1 of Cece's answer didn't apply to me as it's a single code base but Step 2 does mean that I can prevent the user from seeing work items in the other area - hurrah!
However I'm still stuck on how to prevent the user from seeing that the other areas exist at all (so in my example I wouldn't want Email to see Web listed on the homepage - as these are client names). I had a better look at the Contributor group etc. following Daniel's comment and having read the links Cece provided. Logically I would expect that I should remove the Email team from the Contributors group as that is Project level (and then they would only have their area permissions) but then all I get is a message saying 'This project only contains a default team.' There is also a tantalising Permission called 'View project-level information' but this doesn't seem to be editable.
I seem to have hit a brick wall again so any further advice would be greatly appreciated!

You need to set both the TFVC permission and the area path permission:
1. Set permission for projects. Go to the version control tab, select the project that you want to set permission for, add the user, and grant Deny permission for Read.
2. Set permission for area path. Go to the Work tab, select Security for the area path that you want to set permission for, add the user, and grant Deny permission for View work items in this node.
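Why step 2 of the answer above changes what Adam and Bill see, as an added example that is not part of the original answer. It is a simplified model, not TFS code: it assumes an explicit entry on an area node overrides one inherited from its parent, that Deny beats Allow across a user's groups, and that the team groups (hypothetical names "Email Team" and "Web Team") are members of Contributors.

```python
# Simplified model of TFS area-path permission evaluation (added example).
# Assumptions: explicit ACEs on a node override ACEs inherited from parents;
# across a user's groups, Deny beats Allow; no ACE at all means no access.
# Administrator-group exceptions are not modelled.

ALLOW, DENY = "Allow", "Deny"

# Group membership from the question: team groups sit inside Contributors.
MEMBER_OF = {
    "Adam": {"Email Team"},
    "Bill": {"Web Team"},
    "Email Team": {"Contributors"},
    "Web Team": {"Contributors"},
}

def identities(user):
    """Return the user plus every group reached transitively."""
    seen, stack = set(), [user]
    while stack:
        ident = stack.pop()
        if ident not in seen:
            seen.add(ident)
            stack.extend(MEMBER_OF.get(ident, ()))
    return seen

def nearest_ace(acl, identity, path):
    """Walk from the node up to the root; the closest ACE wins."""
    parts = path.split("\\")
    while parts:
        ace = acl.get(("\\".join(parts), identity))
        if ace:
            return ace
        parts.pop()
    return None

def can_view(acl, user, path):
    """'View work items in this node' for one user on one area path."""
    aces = {nearest_ace(acl, i, path) for i in identities(user)}
    return DENY not in aces and ALLOW in aces

def visible_areas(acl, user, areas):
    return [a for a in areas if can_view(acl, user, a)]

AREAS = ["Fabrikam Fiber", "Fabrikam Fiber\\Email", "Fabrikam Fiber\\Web"]
# Default state: Contributors may view work items from the root node down.
DEFAULT_ACL = {("Fabrikam Fiber", "Contributors"): ALLOW}
# After step 2: an explicit Deny for each client on the other client's area.
HARDENED_ACL = {**DEFAULT_ACL,
                ("Fabrikam Fiber\\Web", "Adam"): DENY,
                ("Fabrikam Fiber\\Email", "Bill"): DENY}
```

In this model Adam and Bill still see work items in the root Fabrikam Fiber area after the change, because the Deny was placed only on the sibling area.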

Related

Unable to get Access level tab in TFS

I am using TFS 2013, Update 5.
I am unable to see the 'Access Levels' tab in the admin section.
Verified also that the account has Console Permissions.
Added the account in [TEAM FOUNDATION]\Team Foundation Administrators group in TFS Admin Console.
While sending a request from my site, I am getting:
Request URL: `http://<account_name>:8080/tfs/_admin/_licenses`
Request Method: GET
Status Code: 404 Not Found
X-TFS-ServiceError: Page+not+found.
The tab just simply isn't there.
And also I am unable to see the TEST tab in the projects.
Tried the solution: Access levels configuration tab not visible in TFS 2015
I have cleared the TFS_cache and restarted the server. Even after that, I am unable to view the tab though I have added myself to the Team Foundation Administrators group. Because of this access I am unable to view the Test tab in the project collection home page, the Access tab in the control section, and adding / modifying charts under work item.
Kindly help me to fix the issue.
Just check the access level of your account, and make sure you are not in the Stakeholder level. Change the access level to Basic or Advanced if the user was in the Stakeholder level.
If you change the default access level to Stakeholder, all users not
explicitly added to the Basic or Advanced level will be limited to the
features provided through Stakeholder access.
Then try the solution mentioned in this thread: Access levels configuration tab not visible in TFS 2015
Besides, based on the error message "Status Code: 404 Not Found", generally it should be a client-side issue. So, just try the things below to narrow down the issue:
Using the IP instead of the server name in the URL, e.g.:
http://192.168.1.10:8080/tfs/_admin/_licenses
Try with other client machines or browsers
Cleaning the caches on your current client machine
Check if that works for you.
Cause of HTTP 404 Errors:
Technically, an Error 404 is a client-side error, implying that the
error is your mistake, either because you typed the URL incorrectly or
the page has been moved or removed from the website and you should
have known.
Another possibility is if a website has moved a page or resource but
did so without redirecting the old URL to the new one. When that
happens, you'll receive a 404 error instead of being automatically
routed to the new page.
If that still does not work, then try to repair the TFS server, then try it again.
If you are still unable to see the tab after trying multiple ways at the admin level, navigate to TFS console --> Application Tier --> Administration Security. Under the Users and Groups section, select [Team Foundation]\Team Foundation Valid Users and set the permission Edit Instance-level information to Allow. This solved my problem.

The account you entered is not recognized. Contact your Team Foundation Server administrator to add your account

I am using TFS 2013 and I am trying to customize a work item template using the ProcessEditor form (I also tried to do the same by editing and importing the XML file). I am trying to add a "ReadOnly" rule to a field only for some new TFS global group, so I added the new group, and after that I could see and select the newly added group from the "For" dropdown. But when I try to save the changes I always get the error "The account you entered is not recognized. Contact your Team Foundation Server administrator to add your account". I googled the error and found a suggestion here http://www.databaseforum.info/30/943697.aspx that it may be a caching issue, so I waited days for this and restarted the client and the TFS server machines, but without any luck. I can use old created groups without any issues; however, if I rename one of these old groups and then try to use it, I still get the same error message, no matter whether I add the new groups as a member of any other group.
First, make sure your TFS admin has not made any security changes (adding accounts, groups or permissions) for your account.
If not, you could try below two possibilities to narrow down the issue:
Check if you had added a field that contained backslashes as values
and TFS may interpreted it as user account. For example if your field
contained a list of suggested values that looked like this: Category
1\Subcategory 1
When you add a value such as
<TRANSITION from="Resolved" to="Complete" for="[project]AllTesters" not="[project]NewTesters">
</TRANSITION>
you should not extend the project to [your project name]AllTesters, should just use [project]AllTesters
For more detailed info and ways, please refer to the similar issues below:
TF26204: The account you entered is not recognized
Experiment on Limit AssignedTo field of WIT to Team Members
Warnings TF26171 and TF26204 during WIT import
Here is the thing: I left it for a couple of days and when I returned to it I found everything working like a charm. I have now added some new groups and couldn't see them, so I guess I will wait some days for it to work!
The issue was that the service agent job that was responsible for syncing the AD changes with TFS was stopped. Everything worked fine when I started it.

OpsHub Users mapping not showing complete list of users?

I am having an issue migrating projects to Visual Studio Online. I am using the OpsHub utility, but when I get to the mapping users screen it is not showing the complete list of users from our directory. Please advise.
You will have to add the relevant users as Team Members/Readers/Contributors (typically, you will have to make them a part of the valid users of the project) and they'll load up in the user mapping screen.
Considering the large number of users at collection level who may or may not be part of all the projects, the newer version of the tool has been modified to load only users of the project(s) that are selected for migration, making the user mapping a little more convenient.

TFS 2013 Disabled AD Users Appearing

I've got an issue where users that are disabled in Active Directory are still appearing in a Team Project Collection in Team Foundation Server 2013. This is a problem because any projects that are within the collection have these users inherited and are visible when assigning work items, etc.
These users in the screenshot below are all disabled and none of which are a part of any group or groups on TFS.
Specifically these users:
Kumar
Carl
Mishra
Bertram
Shah
Rajendran
Arora
It would also be nice to hide these users:
Network Service
Sharepoint account
Local Server Account (******-DEV1$)
I have tried the following:
Removing [Built-In]\Administrators group as per instructions here: https://stackoverflow.com/a/15640409/559988
Clearing the TFS data cache and restarting IIS as per instructions here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/31487b77-8a1a-4b1f-8cdb-8f3528a3a389/tfs-2013-user-management
Verified the users are disabled in Active Directory
Verified the disabled users are not a part of any groups in Active Directory
Verified Active Directory sync is working (added a new user and it appeared just fine).
Has anyone else had this issue with disabled users appearing in TFS 2013 or know how to resolve it?
Thank you
This phenomenon is correct. The disabled user in Active Directory will still appear in TFS. Since these users are imported from AD and belong to a Windows group, you can't delete them from the security page. TFS server will automatically sync from AD.
You may need to manually delete the users instead of disabling the users in Active Directory.
Update
You can't hide the user in security. If you get annoyed with these users when assigning work items, you can filter the users that you want to display in the work item drop-down list. Please see my answer in this question: TFS-2015 limiting user list for detailed steps.
After trying everything in Patrick's post above I am unable to resolve this issue.
This issue also remains unresolved in a similar post here: How do I remove a user from tfs?
The only way I was able to partially-resolve this was by upgrading from TFS 2013 to TFS 2015. The users still appear in the Project Collection users group, but no longer appear in the Team Project as options for work items, etc.
It's unclear why this is the way it is.

TF218027 Error When User Creates New Team Project

I have a user who gets the following error when they attempt to create a New Team Project:
TF218027: The following reporting folder could not be created on the
server that is running SQL Server Reporting Services[...]
After several attempts to fix using feedback from this site as well as others, I have narrowed down the problem somewhat, but not sure what to do next.
The user is in the appropriate group in SSRS, with Content Manager and Team Foundation Content Manager roles. I have also broken the permission inheritance per this Stack Overflow article.
The odd thing I have observed is that by putting the user into SSRS directly, it works. By being a member of a group instead, it does not work.
Any advice would be appreciated greatly.
Windows group memberships are only refreshed on log on. If you added the user to the group right now, the user might need to log off and log on again to get the new group membership into effect.
