TFS Security: Where is the "Create a new Publisher" permission? - tfs

I'm trying to publish my web extension to an on-premises TFS 2017U3:
tfx extension publish --service-url "http://fqdn:8080/tfs"
It tells me the account doesn't have permission to "Create a new publisher":
Checking if this extension is already published It isn't, create a new
extension. error: Received response 403 (Forbidden). Check that you
have access to this resource. Message from server: Failed Request:
Forbidden(403) - Access Denied: (account name) needs the following
permission(s) on the resource to perform this action: Create a new
publisher
I've checked the following links, but none of them mention any "Create a new publisher" permission:
About permissions and groups
Grant permissions to manage extensions
Set build and release permissions
Add administrators, set permissions at the project-level or project collection-level
Permissions lookup guide for VSTS & TFS
Google search tfs "create a new publisher" permission
Where can I find the "Create a new publisher" permission?

You could try this:
1 - At the server level, create a group, for example, "TFS Extension Publishers":
tfssecurity /gcg "TFS Extension Publishers" "publishers who can manage extensions for the server" /server:ServerURL
2 - Grant access to the "TFS Extension Publishers" group to manage extensions:
tfssecurity /a+ Publisher "//" CreatePublisher n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
tfssecurity /a+ Publisher "//" PublishExtension n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
tfssecurity /a+ Publisher "//" UpdateExtension n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
tfssecurity /a+ Publisher "//" DeleteExtension n:"[TEAM FOUNDATION]\TFS Extension Publishers" allow /server:ServerURL
3 - Add existing users and groups to the "TFS Extension Publishers" group.
tfssecurity /g+ "[TEAM FOUNDATION]\TFS Extension Publishers" n:User /server:ServerURL
Full reference: https://learn.microsoft.com/pt-br/vsts/marketplace/how-to/grant-permissions?toc=/vsts/security/toc.json&bc=/vsts/security/breadcrumb/toc.json&view=tfs-2017
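The three steps above combined into one PowerShell script, followed by a review of the resulting ACL and group membership. This is an added example, not part of the original answer; the member account, the TFSSecurity.exe path, and the assumption that the tool exits non-zero on failure are placeholders to adjust.

```powershell
# Added example. Parameter defaults are placeholders, not values confirmed by the page.
param(
    [string]$ServerUrl   = 'http://fqdn:8080/tfs',      # server URL as written in the question
    [string]$Member      = 'CONTOSO\jdoe',              # constructed sample account
    [string]$GroupName   = 'TFS Extension Publishers',
    # Assumed install location for TFS 2017; change it to match your server.
    [string]$TfsSecurity = "$env:ProgramFiles\Microsoft Team Foundation Server 15.0\Tools\TFSSecurity.exe"
)

$group  = "[TEAM FOUNDATION]\$GroupName"
$server = "/server:$ServerUrl"

function Invoke-TfsSecurity {
    # Run tfssecurity with the given arguments and stop at the first failure.
    # Assumption: the tool returns a non-zero exit code when a command fails.
    & $TfsSecurity @args
    if ($LASTEXITCODE -ne 0) { throw "tfssecurity failed: $($args -join ' ')" }
}

# 1. Dedicated server-level group, so publishing does not require an administrator role.
#    If the group already exists this step fails; skip it on a re-run.
Invoke-TfsSecurity '/gcg' $GroupName 'publishers who can manage extensions for the server' $server

# 2. Grant only the four Publisher-namespace actions listed in the answer.
foreach ($action in 'CreatePublisher', 'PublishExtension', 'UpdateExtension', 'DeleteExtension') {
    Invoke-TfsSecurity '/a+' 'Publisher' '//' $action "n:$group" 'allow' $server
}

# 3. Add the account that runs "tfx extension publish".
Invoke-TfsSecurity '/g+' $group "n:$Member" $server

# 4. Review what was granted: the ACL on the Publisher namespace root token,
#    then the expanded membership of the new group.
Invoke-TfsSecurity '/acl' 'Publisher' '//' $server
Invoke-TfsSecurity '/imx' "n:$group" $server
```

Run it from an elevated prompt on the TFS application tier with an account that can manage server-level security, then check in the step 4 output that only the intended group holds the four actions.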

Related

What are the minimum permissions required for a user to add capabilities to a TFS build agent

A user who is in the project administrators role and an administrator for the agent pool containing an existing build agent receives a permission denied message when trying to add a user defined capability to the build agent. What additional permissions do they need to be able to make this change?
They cannot be added as a TFS administrator or a collection administrator for internal security reasons.
You could add your custom user-defined capabilities with following steps:
Go to Agent Pools through the Settings button on top of the menu.
Select one of the agents in your agent pool.
Click the Capabilities tab to add your custom capabilities.
If the user is without permission to do this, you could try to add his account as the “Service Account” or “Administrator” role of the agent in the queue.
You could also give him the Administrator role on a project agent pool. For more details, please take a look at this link: https://learn.microsoft.com/zh-cn/azure/devops/pipelines/agents/pools-queues?view=azure-devops#security

TFS ServiceEndpoint Issue

I'm having trouble trying to add an Azure Resource Manager Service Endpoint in TFS 2017. When I enter the required data and click on "Verify Connection" I can see the verified
when I click the OK button, I get the following error
Does anyone have any idea how to fix it?
First double check if you have followed below tutorials to create this service Endpoint:
How to Setup an Azure Resource Manager Endpoint
Creating an Azure Resource Manager Service Endpoint
For example, make sure you have given the service principal access to create resources in your subscription:
Click Browse and select Subscriptions
Select the subscription you are using
Click the Access button
Click Add
Select Contributor as the role
Search and select the name of the application you just created
Click OK to grant the service principal access to your subscription
For more troubleshooting, please take a look at this link: How to: Troubleshoot Azure Resource Manager service endpoints
Update from OP
Issue fixed by Upgrade to TFS2017 update1.

How to configure View Project-Level Information on Service Account?

I'm attempting to use Release Management vNext in TFS 2015 Update 2 RC2, however whenever I try to deploy to an environment, I get the error:
TF50309: The following account does not have sufficient permissions to complete the operation: [DefaultCollection]\Project Collection Service Accounts. The following permissions are required to complete the operation: View Project-Level Information.
I've looked everywhere in the settings, and cannot seem to find a way to configure the [DefaultCollection]\Project Collection Service Accounts group with this permission, the closest it comes is "View Collection-Level information".
Any idea what I'm doing wrong here?
If you have project-level security permission, you can check whether the user has the 'View project-level information' permission. Also check which groups the user is a member of and whether those groups have the 'View project-level information' permission set.
View project-level information is a project-level permission, just as View collection-level information is a project collection-level permission.
If you want to give a user or group the View project-level information permission, follow the steps below:
By GUI: Give "View project-level information" permission to User in Team Foundation Server
By command: tfssecurity /a+ (for details, refer to MSDN)
However this may solve your issue: Adding your build account on the environment machine in the following group

Granting ManageBuildResources permission to a TFS user

So this is the issue:
I have a TFS 2012 installed on a server A and I want to install a TFS Build Service on server B. The TFS on server A has a DefaultCollection which I want to link to a Team Build. When I try to configure the build server it shows a failure message: User1 needs "ManageBuildResources" permission set to allowed. User1 is NOT in any group, it's a single lonely user, so I asked a coworker about the permissions. Now in the security settings of Team Explorer it shows that User1 has "ManageBuildResources" set to allowed on DefaultCollection. Still, when I try to configure it, it shows the same failure message again.
So I read on the Microsoft website that User1 must be in the Project Collection Administrators group in order to configure a build server. Do I need to make User1 a member of this group, even if User1 has all the privileges? Because I don't understand why it shows that User1 doesn't have privileges.
Thanks in advance!
Yes, you currently need to make a user part of Project Collection Administrators in order to be able to add a build server to your collection.

TFS Build Service Wizard Failing on 'Edit collection-level information' permission set to Allow

I'm trying to set up a TFS Build service but the config wizard keeps bombing out on Edit collection-level information permissions, which I have set as required.
There isn't much background information for this, it's a new 2003 virtual server with nothing but TFS build service installed. The only other warning I get is about no firewall being installed, so I can't see that interfering. The section of interest in the log is below.
Verify: Verify that the running account has the required Team Foundation Server permissions(TBRUNNINACOUNT): Starting Verification
TF279000: User domain\user.name does not have permission to add members to the Build Services group. To perform this action, the user must have the 'Edit collection-level information' permission set to Allow.
!Verify Error!: TF279000: User domain\user.name does not have permission to add members to the Build Services group. To perform this action, the user must have the 'Edit collection-level information' permission set to Allow.
"Verify: Verify that the running account has the required Team Foundation Server permissions(TBRUNNINACOUNT): Exiting Verification with state Completed and result Error"
!Verify Result!: 1 Completed, 0 Skipped: 0 Success, 1 Errors, 0 Warnings
Any help is greatly appreciated, I have no idea where to go from here.
Thanks, Tom.
I'm not sure why your Build should edit something on Collection level, but what should solve the problem is to add the permission to the "Project Collection Build Service Accounts". I expect that TBRUNNINACOUNT is a member of this group, otherwise the build might fail.
To set the permission do the following steps:
Open Team Explorer
connect to the TeamProjectCollection the build service should be used for
Right click on the root to get the context menu
choose "Team Project Collection Settings -> Security"
select the "Project Collection Build Service Accounts"
set 'Edit collection-level information' permission
Close dialogs by using ok
Now the account has the needed permission and the wizard should run through that point.
I had the same issue as basically I was picking up from where Tom left off.
On the TFS Server used for the source control I added my AD user account to the Project Collection Build Administrators group and it worked.
