VSTS Permission to one branch - tfs

I have a user who is a stakeholder in VSTS. He needs to be able to access a branch in the project I am working on. So he can work on it then commit to it. I don't want him to see any other projects I have on VSTS. Is this possible? I don't really want him to be able to access the other branches but it doesn't matter too much - hiding the other projects is more important.

Actually people with Stakeholder access level could not commit their work on branch.
Assign Stakeholder access to those users who need to enter bugs,
view backlogs, boards, charts, and dashboards, but who don't have a
TFS CAL. Stakeholders can also view releases and manage release
approvals. Stakeholder access is free.
Source Link: About access levels
See Stakeholder access for details of features available to stakeholders.
The user should have either Basic access or VS Enterprise which include code feature.
Moreover, it's able to forbid him to see any other projects you have on VSTS. This is another concept called Permissions in VSTS. Do not add him to any other project team group expect the one he will work on.
You could also be able to deny the Read permission for branch/folder level
Read
Can read the contents of a file or folder. If a user has Read
permissions for a folder, the user can see the contents of the folder
and the properties of the files in it, even if the user does not have
permission to open the files.

Related

TFS extension - Restrict access to a hub group

I am developing an extension for TFS (Team Foundation Server), specifically version 2017, using JavaScript.
In this extension, I am adding a Hub Group (see picture below)
However, this Hub Group should only be accessible/visible to certain users.
How do I accomplish this? I have not been able to find this feature in the TFS extension tutorials and documentation.
Sorry, it's impossible either from extension side or permission side. Even with the build-in hub group such as Code/ Work /Build and Release. There is also not able to directly hide the hub group. Unless you change the access levels.
Assign Stakeholder access to those users who need to enter bugs,
view backlogs, boards, charts, and dashboards, but who don't have a
TFS CAL. Stakeholders can also view releases and manage release
approvals. Stakeholder access is free.
Source Link: About access levels
See Stakeholder access for details of features available to stakeholders.
Most extensions require that users have at least Basic access, not Stakeholder.
In your case, I will not suggest you directly change the user access level. Since he will also lose other features he had before. As a workaround, it's able to forbid him to see or use the things under hub group/hub you have on TFS. This is another concept called Permissions in TFS.
For example, you could be able to deny the Read permission for branch/folder level
Read
Can read the contents of a file or folder. If a user has Read
permissions for a folder, the user can see the contents of the folder
and the properties of the files in it, even if the user does not have
permission to open the files.

File level access permission in TFS

I have my TFS server and it has multiple branch like Dev,Test, UAT and Main. my problem is I have some security concern regarding web.config resides under Main branch. I want so access mechanism using which I can apply access permission on single file only.
I need that my team lead can only able to see that web.config file resides into Main branch but my developers can't see it.
how is this possible using TFS 2013?
Yes, this could be achieved. The simplest way is through source control explorer, select the file in Main branch from source control explorer and right click it, choose security.
On the pop-up dialog, you could be able to change the related permissions of this single file xxx.config.
In TFS deny trumps allow, then simply change the read permission for the group of developers from allow to deny.

TFS 2015 Prevent Checkin via Web Portal

The Code tab in a Team Project's TFS web portal allows users to check in/out items. Is there a way other than assigning users to the Stakeholder access level to prevent them from being able to check things in via the Web Portal if they have the permissions to actually check into a Team Project? It seems like you cannot explicitly exclude the Code tab form the Default or Advanced access levels, nor can you define a custom access level.
Our issue with the check in of an item from the Web Portal is that it does not evaluate any check in polices, nor can you associate the object you are checking in with a Work Item. We to want enforce developers using only Visual Studio to check in items into source control.
TFS doesn't provide the feature to stop users from checking in at web page. The workaround it to give the access level for your users.
Here is an user voice about your issue that you could vote and add comments: https://visualstudio.uservoice.com/forums/330519-team-services/suggestions/19026091-prevent-users-to-check-in-changes-from-tfs-web-pag
Maybe that you could consider to user Git version control in TFS. In Git repository of TFS, it provide git branch policies that may solved your issue. This is much similar to the check in policies.
Here is a document about move from TFVC to Git: https://www.visualstudio.com/learn/migrate-from-tfvc-to-git/

Securing folders in source control

I would like to know how I can secure an Area (folder within project) - i.e. give access to external consultants for reading and writing.
But I do not want them to be able to access other folders within that Project.
I know how to assign access to the folder (defined Area), but I'm not sure how I can safely remove their rights on the Project without cutting off their access to the folder (Area).
Any help appreicated.
It depends wither you mean Area Paths or Source Control folders.
!!Source Control
In TFVC you can open the web access and go to the code tab. There you can right click on any folder and select permissions. Her you can use any fine grain you like and control inheritance.
In Git you can only control permission ls at the Repository and Branch level.
!!Work Item Tracking
If you open the web access and go to the administration section (cog on top right) and then the Area Path tab you can control the permission in the same way you can with source code. If you have VSTS or TFS 2015 Update 2 you can also control inheritance.
!!Real solution
However any sort of compartmentalisation comes with significant overhead of managing it. If you are a defence company or bank and there is that one folder that you don't want externals to have access then it's easy. Remove inheritance for that folder and only allow specific access.
Anything more and you run into complexity and friction for users. Ultimately you should trust everyone you give access to your Team Project. Ifnuoy don'ttrust them, then don'tgive them access...
Go to the Administer Server page and create a new TFS user group.
Add the users to the TFS user group.
Go to the Code screen, right click the folder and choose Security. Next add the TFS User Group you create and give them the rights you want:

In TFS 2015, how do I block contributors from checking into a branch while allowing the project administrators branch?

I'm working with TFS 2015 using the ALM Rangers Development & Release Isolation Branching Strategy and Team Foundation Version Control. I would like to keep developers from checking code into the Main branch and letting them only work in Dev and Release branches. I want to allow the Project Administrators and above to perform the merges and check ins to Main.
With Team Web Access:
I selected the drop-down next to my Main branch and selected
"Security".
Set Inheritance to "Off".
For Contributors, Set Check in and a few other permissions to "Deny".
Saved Changes.
For Project Administrators, set the same permissions to "Allow"
Saved Changes.
TFS changed the values of each of the Project Administrators permissions to "Inherited deny*"
I have heard that setting "deny" can cause problems. Now I understand why I was told that. Is there a way to achieve my stated goal above, through standard TFS permission settings?
Cann’t reproduce your problem with the same settings in my TFS2015.
According to TFS permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
To achieve what you want, you can create a new group such as DenyMainGroup. Adding the developers to this group. Make sure your project administrator members don’t belong to it. For this group, set Check in and a few other permissions to “Deny”. For Contributors and Project Administrators, set the same permissions to”Allow”. Saved Changes.

Resources