Set Team Iteration Security Settings with TfsSecurity in TFS 2017 - tfs

I have a script that we are using to configure security in our on-premise TFS 2017 instance. We want to give the Contributors group access to change iteration info for a project (which normally only the Project Admins can do). I was able to accomplish giving them access to create new iterations under the Admin > Work > Iterations tab by running the following commands:
tfssecurity.exe /a+ Iteration $rootIterationUri CREATE_CHILDREN "n:[$projectName]\Contributors" ALLOW /collection:$collection
tfssecurity.exe /a+ Iteration $rootIterationUri DELETE "n:[$projectName]\Contributors" ALLOW /collection:$collection
tfssecurity.exe /a+ Iteration $rootIterationUri GENERIC_WRITE "n:[$projectName]\Contributors" ALLOW /collection:$collection
However, I also want them to be able to change the default team's iteration settings as well (changing the default iteration, what's in the Backlogs hub, etc.) and I can't find how to do that. Does anyone know what I can run in TfsSecurity to grant this access?

If you want to configure the default team's settings, you must either be a team administrator or a project administrator.
So, you need to add the Contributors group to the team administrator or project administrator group.
E.g.:
tfssecurity /g+ "[ProjectName]\Project Administrators" "n:[ProjectName]\Contributors" /collection:http://server:8080/tfs/DefaultCollection/

Related

Where do you add a TFS 2017 (on prem) user to be able to modify test suites?

I'm a TFS project administrator.
I'd like to add a member of the team to whatever group is needed so that they can manage test plans/export test suites and the like.
The simplest way is just adding the user to Contributors group for a team project, which will have the manage test plans and test suites task.
Note: Stakeholders cannot create or manage test plans. You must have at least Basic access.
If you don't want to add the user to the default Contributors group in the project, you could also assign the permission to him directly or create a new group; permissions can be given at project level and at area path level (Manage test plans & suites permission).
For more details, please refer to: Default manual testing permissions and access
Update
Work > Areas > right-click the area > select Security > Contributor

User removal from TFS2013

Is there any way to completely remove a user from a TFS2013 server (even from the project valid users list)?
I've a developer who is part of different collections/projects (around 50) and it's hard to remove them from each and every collection/project. Also if I go and remove manually I'm not sure how accurate it will be. They are moved to a different project and are not using TFS anymore. I want to remove him completely.
When a user with access to Team Foundation Server (TFS) leaves a company, an administrator would typically remove them from Azure Active Directory or Active Directory. This will automatically void their user account and remove their ability to access or connect to TFS.
In your case, to remove an obsolete account from TFS, you usually need to delete the user from all groups/collections they belonged to. You could remove it from the Global Security dialog in the security settings of the team project collection. In the Users and groups list, click the user whom you want to remove, and click Remove.
For multiple collections/groups, you could also use the tfssecurity command.
Use the tfssecurity /i command to list which groups a user belongs to:
tfssecurity /i "domain\account" /server:http://serverName:8080/tfs
And use the tfssecurity /g- command to remove that user from a group:
tfssecurity /g- "[TeamProject1]\Contributors" n:domain\account /collection:http://serverName:8080/tfs/Collection
Another solution could be to use this third-party software, Team Foundation Server Administration Tool; it works with TFS 2013.
Moreover, changes you make to local or Active Directory groups do not get reflected in TFS immediately. Instead, TFS will synchronize those groups regularly.
A periodic clean-up job that is executed removes people from the global groups. If you just wait, they will disappear in a couple of days. They will not have access to any of the TFS assets however.
Well, you could also kick it off: Force TFS to sync with Active Directory
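The /g- removal described in this answer, repeated over several collections, as an added example that is not part of the original answer. The account, collection URLs and group names are constructed placeholders, and the exit-code check is an assumption about tfssecurity's behaviour.

```powershell
# Added example: dry-run-first removal of one account from TFS groups.
# Account, URLs and group names are constructed placeholders.
param(
    [string]$Account = 'domain\account',
    [switch]$Apply    # without -Apply the commands are only printed
)

# Constructed worklist. Build the real one from the groups that
# "tfssecurity /i" reports for the account in each collection.
$worklist = @(
    [pscustomobject]@{ Collection = 'http://serverName:8080/tfs/CollectionA'; Group = '[TeamProject1]\Contributors' }
    [pscustomobject]@{ Collection = 'http://serverName:8080/tfs/CollectionA'; Group = '[TeamProject2]\Contributors' }
    [pscustomobject]@{ Collection = 'http://serverName:8080/tfs/CollectionB'; Group = '[TeamProject3]\Readers' }
)

$results = foreach ($item in $worklist) {
    # Same shape as the command above: /g- group n:member /collection:url
    $tfsArgs = @('/g-', $item.Group, "n:$Account", "/collection:$($item.Collection)")
    $status = 'DryRun'
    $out = @()
    if ($Apply) {
        $out = & tfssecurity.exe @tfsArgs
        # Assumption: tfssecurity exits non-zero when the change fails.
        $status = if ($LASTEXITCODE -eq 0) { 'Removed' } else { 'Failed' }
    }
    [pscustomobject]@{
        Status     = $status
        Collection = $item.Collection
        Group      = $item.Group
        Command    = 'tfssecurity ' + ($tfsArgs -join ' ')
        Detail     = ($out -join ' ')
    }
}
$results | Format-List

if ($Apply) {
    # Re-list what is left per collection so leftovers get reviewed by hand.
    foreach ($url in ($worklist.Collection | Sort-Object -Unique)) {
        Write-Output "Remaining memberships in ${url}:"
        & tfssecurity.exe /i $Account "/collection:$url"
    }
}
```

Run it once without -Apply and review the printed commands against the /i listing before making any change.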

How to Remove a TFS Group

I'm managing an instance of TFS 2015. I added a special TFS group to a branch to deny access to certain users. I now want to remove this group from the branch, but I don't see how it's possible. I'm currently looking in the Version Control tab under the TFS Control Panel for the project, where I added the group to the branch to begin with. Is there a place to specifically remove a TFS group from a branch? Otherwise what is a reasonable work-around?
You can use tfssecurity /g- to remove a user or a user group from an existing group. More details of the tfssecurity command are on MSDN. An example:
tfssecurity /g- groupIdentity memberIdentity [/collection:CollectionURL] [/server:ServerURL]
Or, refer to this issue: Cannot remove user/group from area-level, iteration-level, version control, build security setting; it seems to be by design. Please try the method from the comment: 'If your user's permissions are all configured to "not set", then the user will be removed from the dialog the next time you launch it.'

In TFS 2015, how do I block contributors from checking into a branch while allowing the project administrators branch?

I'm working with TFS 2015 using the ALM Rangers Development & Release Isolation Branching Strategy and Team Foundation Version Control. I would like to keep developers from checking code into the Main branch and letting them only work in Dev and Release branches. I want to allow the Project Administrators and above to perform the merges and check ins to Main.
With Team Web Access:
I selected the drop-down next to my Main branch and selected "Security".
Set Inheritance to "Off".
For Contributors, Set Check in and a few other permissions to "Deny".
Saved Changes.
For Project Administrators, set the same permissions to "Allow"
Saved Changes.
TFS changed the values of each of the Project Administrators permissions to "Inherited deny*"
I have heard that setting "deny" can cause problems. Now I understand why I was told that. Is there a way to achieve my stated goal above, through standard TFS permission settings?
Can't reproduce your problem with the same settings in my TFS2015.
According to TFS permission settings, for most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
To achieve what you want, you can create a new group such as DenyMainGroup. Add the developers to this group. Make sure your project administrator members don't belong to it. For this group, set Check in and a few other permissions to "Deny". For Contributors and Project Administrators, set the same permissions to "Allow". Save the changes.
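A simplified model of the "Deny trumps Allow" rule from this answer, added here as an example and not part of the original post. It compares the question's layout with the DenyMainGroup layout; the user names are constructed, the administrator who is also a Contributor is a constructed case that the question does not state, and the model ignores inheritance and the exceptions the answer alludes to.

```powershell
# Added example: simplified model of "Deny trumps Allow" on one branch.
# User names are constructed; inheritance is assumed to be Off on Main.

function Get-EffectivePermission {
    param(
        [string[]]$UserGroups,   # groups the user belongs to
        [hashtable]$Acl          # group name -> 'Allow' or 'Deny'
    )
    # Collect the entries of every group the user is in that has one.
    $entries = foreach ($g in $UserGroups) {
        if ($Acl.ContainsKey($g)) { $Acl[$g] }
    }
    if ($entries -contains 'Deny')  { return 'Deny' }   # any Deny wins
    if ($entries -contains 'Allow') { return 'Allow' }
    return 'NotSet'                                     # nothing granted
}

# Constructed memberships. dev1 is also in DenyMainGroup, which only has
# an entry in the second layout; admin2 is an admin who is a Contributor too.
$users = [ordered]@{
    'dev1'   = @('Contributors', 'DenyMainGroup')
    'admin1' = @('Project Administrators')
    'admin2' = @('Project Administrators', 'Contributors')
}

# Check-in entries on the Main branch for the two layouts on this page.
$layouts = [ordered]@{
    'Deny on Contributors (question)' = @{
        'Contributors'           = 'Deny'
        'Project Administrators' = 'Allow'
    }
    'Deny on DenyMainGroup (answer)' = @{
        'DenyMainGroup'          = 'Deny'
        'Contributors'           = 'Allow'
        'Project Administrators' = 'Allow'
    }
}

$report = foreach ($layout in $layouts.GetEnumerator()) {
    foreach ($u in $users.GetEnumerator()) {
        [pscustomobject]@{
            Layout  = $layout.Key
            User    = $u.Key
            Checkin = Get-EffectivePermission -UserGroups $u.Value -Acl $layout.Value
        }
    }
}
$report | Format-Table -AutoSize
```

The table makes the difference visible: a Deny placed on a broad group reaches everyone who belongs to it, while a dedicated deny group reaches only the members put there on purpose.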

How can I grant access to all Team Projects for a custom group

I have a custom group in TFS, and I would like to grant access to this group for every team project so we don't have to do this one by one.
It seems like the developers have access via Source Control Explorer, but cannot see these projects via 'Connect to Team Project'.
Any idea what is going wrong, or what permission is missing?
We are using TFS2012 on-premise.
The tfssecurity command line tool allows us to manage permissions for TFS groups and users. We could use it in a PowerShell script to grant access to projects that already exist. However, I haven't found a way to use this command at the TFS collection level in order to grant permissions for future projects.
The approach I use is based on the fact that TFS permissions are inherited unless explicitly denied.
To create a user group that will automatically access all existing projects as well as future ones, follow these steps:
Create a new security group at the project collection level. From Visual Studio you can do it from the "Team / Team Project Collection Settings / Group Membership" menu. On TFS Online you can go to the "Account Settings / Security" page.
Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including future ones.
Deny the permissions of the new group, in order to limit the administrator permissions inherited by the group. You can use an existing TFS group as a template, and deny all permissions except those explicitly allowed to the group whose behavior you want to copy. For example, if you want to create a group with the same permissions as the default "Project Collection Valid Users" group, you can deny all permissions except "Create a workspace", "View build resources" and "View collection-level information".
It is possible, but you'll need to give your users a lot more privileges than they need to have. You can give them privileges that are similar to project collection administrators and they will have access to all projects, but with elevated privileges.
It is possible to do this, but only for source control like you've already done; I'm not really sure about connecting to projects, working with work items and such.
