Minimum permissions to give to a project manager - tfs

I'm new to Visual Studio Online. A project manager will join me for a project, and I want to give him full permissions to create/edit/manage processes, features, backlogs. I also want to deny his access to everything else (code, builds, tests...).
What I have done:
- Created a group (Project managers) and added him to it.
- Added this group to the project team.
- Denied access to everything in the "Version Control" tab.
This way, the user can see the project, and can create features and backlogs, but not see code.
The problem is that, for a reason I can't figure out, the user can't see the items I have created before (features etc.); everything seems empty. He can only do it when I add his group to the group Project Administrators. I can't figure out what the missing permission in Project Administrators (or an inherited one) is that I should give to his group.
Can someone help me please?
NB: Maybe I don't have to create a new group and can use one of the existing ones.

You can check if the group has the permission to view/edit the work items via the following steps:
Open your project from the Web Portal.
Click the "Manage Project" button in the upper-right corner.
Click "Areas" tab.
Right click on the root area and select "Security".
Add your group if it isn't listed in the dialog and make sure it has "View work items in this node" and "Edit work items in this node" permission at least.

Related

TFS 2013 - Create A TFS Group With Rights Only For Managing Work Items

Is it possible to create a TFS Group / role where users in that group can only manage work items but not check in code?
If so, how would you go about doing this and what permissions does this role need?
I want this for my Project Managers / Business Analysts.
To enable permissions to manage work items, please go to Settings in Team Explorer and select Work Item Areas and Work Item Iterations.
Then on the admin/_areas page (like http://servername:8080/tfs/DefaultCollection/Agile/_admin/_areas), right-click the Area and select Security. Set "Edit work items in this node" and "View work items in this node" to Allow. You should then apply similar settings to Iterations.
To disable permissions to access source control code: right click the project in Source Control Explorer and select Advanced -> Security to deny source control related permissions:

Removing User from TFS2013

A developer has left our team. Whilst working with us, he was a member of our TFS2013 instance. I've removed him from every group within the Team Project and Team Project Collection, and checked that he is not in any groups on the TFS server directly. His account in Active Directory has in fact been deleted. However, I still see his name in two places:
1) On the drop down list for 'Assigned To' on tasks/backlog items on the Scrum board
2) On the Team Project Collection Users list, his user appears if you select 'Users' but he is not a member of any groups. There is no Remove option anywhere on the screen.
Is this simply because he has previously checked in code/had tasks assigned to him in the past? I realise it is easy to say 'yes' to this question as it seems perhaps obvious, but I would like to know if it is possible to completely remove his user from these 2 places.
1) First check that he isn't part of any teams and/or an admin of a team (under the team icon). If the WITD types are customized, it can also be that he was manually added. Otherwise force a synchronisation of the Active Directory: https://mohamedradwan.wordpress.com/2013/12/29/force-synchronizing-tfs-2013-users-with-windows-accounts/
2) If the synchronisation didn't fix this as well, it's possible there are explicit rights defined on his user account. You need to remove that specific right.

Developers can't see projects in Team Explorer/TFS 2010

For some reason our developers can only add projects that they've created to Team Explorer, even though they've all been given rights to the other projects. I created a top level group and added all of their AD users to it, and I assigned that group rights to access all of our projects.
They can see the projects in Source Control Explorer, and are able to do their work, but if they try to add a project to Team Explorer, the Connect to Team Project dialog box only shows their own projects.
Is there some other set of permissions?
If you want everyone to be able to see and operate on each other's projects, you need to put your team group into Project Collection Administrators at the collection level.
If you don't want everyone to have admin rights, you need to tell everyone to put the team group into the Readers group in the team project they created.
Actually, I don't think there is a way to create a group at the collection level to access all team projects.
In fact, I think the best solution for your situation would be for everyone to use the same team project and to put everyone in the Reader group in that team project.
So everyone can create their own project under that team project instead of creating their own team project.
If you still want to let everyone create their own team project, I suggest you use the Team Foundation Server Administration Tool to manage group membership.
Permissions are usually given at the team project level. If by "top level group" you mean giving permission at the collection level, then I suggest you try adding the members at the team project level, under any required group with the necessary permissions. If you can't add the members, ask the admin of the team project to add them separately.
You can directly access the security page through web access at:
[TFS web access url]/[Collection]/[team project]/_admin/_security
Under the "TeamExplorer - Connect" there is an option to "Select Team Projects..." When you click on this a box should pop-up titled "Connect to Team Foundation Server" that has a select dropbox, a "Team Project Collections" panel and a "Team Projects" panel. The latter has a list of projects in the collection and each has a checkbox next to them.
Make sure the projects you are interested in are in the list, and have the box checked. You can use the "Select All" checkbox to turn them all on at once.
HTH

TFS 2010 - How to make all work items inaccessible for a specific TFS project

I am trying to figure out how to modify the work item permissions on a specific TFS project to make the work items inaccessible.
I want to make the work items 'invisible' to all users.
The MSDN documentation is a little unclear (at least for a newbie):
http://msdn.microsoft.com/en-us/library/ms252587.aspx
It mentions TFSSecurity could be used from the command line, and I think I need to deny WORK_ITEM_READ for that project - could someone provide the syntax for that?
Thanks!!!
You can do it with TFSSecurity. But unless you enjoy command line pain, just use Team Explorer (via Visual Studio).
Right click on a project in Team Explorer and select "Team Project Settings" then select "Areas and Iterations".
In the resulting dialog make sure that the root Area (called "Area") is selected then select the "Security" button in the bottom of the dialog box (next to close).
That will launch the security options for the work items under that Area. From there you can uncheck "View work items in this node" for everyone in the list.
However you will be unable to remove Collection admin's rights to view the work items. You may be able to do that via TFSSecurity.exe but it would be abnormal to do so.
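The TFSSecurity syntax asked about above, together with the command-line form of the work-item-only group discussed earlier on this page, as an added example that is not part of any of the original posts. It assumes TFSSecurity.exe and tf.exe are on the PATH (for example in a Developer Command Prompt on the TFS server); the group names and the area-node GUID are placeholders you must replace.

```powershell
# Added example. Values marked "placeholder" or "hypothetical" are assumptions, not from the page.
$collection = 'http://servername:8080/tfs/DefaultCollection'   # URL form shown on this page
$project    = 'Agile'                                           # project name used in that URL
$pmGroup    = "[$project]\Project Managers"                     # hypothetical work-item-only group
$hideFrom   = "[$project]\Contributors"                         # hypothetical group to hide work items from

# Area permissions live in the CSS namespace; the token is the area node's URI.
# Placeholder: substitute the GUID of the project's root area node.
$areaToken  = 'vstfs:///Classification/Node/<root-area-node-guid>'

# 1. Record the current ACL on the root area before changing anything.
TFSSecurity /acl CSS $areaToken "/collection:$collection"

# 2. Work-item-only group: allow view/edit of work items under the root area ...
TFSSecurity /a+ CSS $areaToken WORK_ITEM_READ  "n:$pmGroup" ALLOW "/collection:$collection"
TFSSecurity /a+ CSS $areaToken WORK_ITEM_WRITE "n:$pmGroup" ALLOW "/collection:$collection"

# ... and deny version control on the project root ($/Agile).
# Single quotes keep PowerShell from treating '$/' as a variable reference.
tf permission /deny:Read,PendChange,Checkin "/group:$pmGroup" "/collection:$collection" ('$/' + $project)

# 3. "Invisible work items" case: explicit DENY of WORK_ITEM_READ for a group.
#    Repeat per group that should lose visibility.
TFSSecurity /a+ CSS $areaToken WORK_ITEM_READ "n:$hideFrom" DENY "/collection:$collection"

# 4. Re-read the ACL and compare it with the output of step 1 to confirm
#    only the intended entries changed.
TFSSecurity /acl CSS $areaToken "/collection:$collection"
```

Use `/a-` with the same arguments to remove an entry again. Steps 2 and 3 target different groups; run only the part that matches the goal.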

How do I prevent a TFS user to edit a specific project?

Suppose I have a solution inside a TFS collection that contains 3 projects. How do I specify what users can do on each project? I mean user A has read-only access to Proj1, user B can edit Proj1, Proj2 and Proj3, while user C can edit Proj3 but not even see Proj1 and Proj2.
Thanks!
Here's one way:
Open The "Source Control Explorer" TFS Window.
Right click the root folder of a project where you want to have specific access.
Choose "Properties"
Click on the "Security" tab of the pop-up properties window.
Add the "Windows User or Group" of the user(s) you wish to deny to the "users and groups" list.
Select the user or group in the "Users and Groups" window.
Click on the "Deny" checkbox for whatever operations you wish to deny for those users.
Edit:
If you also wish to deny bug tracking, etc. in addition to source control, there is a very similar set of steps for the "Team Explorer" window. It's too detailed to go into here, but it should be pretty straightforward with the help of the MSDN documentation.
