Privileges/Rights applied to group at the global level are not being applied to the queue level - rt

I have created my own group of users in RT.
What I don't understand is why privileges and rights that I give to this group do not apply at the group level. Is it really necessary to add the group to each queue and then assign the privileges? This would be very tedious.

Yes, it is necessary to add the group to each queue and define the privileges.
The privileges shown in the Global rights are different from those available at the queue level.
You can configure privileges for Roles like Requestor and Owner which would be applicable to all queues.

Related

TFS 2017 Permission management seems to be least Privileged?

Background
I'm working on implementing Agile permissions along with Code permissions for a TFS project. There will be multiple teams in this project, we currently have 3 but will grow. I am set up with Project Admin rights.
Area Permissions
At the root TFS Area Project Admins have the ability to create, delete and edit this node rights. Team members do not.
Problem
When I add myself to one of the team's groups I'm no longer able to delete items from this node even though I am a Project Admin. That means I can never be a part of the teams? This will hurt me in capacity planning amongst other areas where I work on tasks when not administrating the project.
Am I missing something? Is there a setting to allow Most Privileged or something that allows me to be a team member and still perform administration of the project?
Don't use explicit Deny permissions -- an explicit Deny overrides explicit Allows. "Not Set" is what you're looking to use -- that means "deny, unless otherwise allowed".
The problem is that "Deny" will override any other permissions. Deny always wins.
You can do 2 things:
Remove ADMIN from the team group. An admin account shouldn't need to be a member of a contributors group, as admin is a superset of the permissions given to contributors.
If for some reason you cannot remove the account from this group, then change the permissions. TFS permissions have 3 states: Allow, Not Set, Deny. As the Deny is causing the issue, change the permissions to "Not Set". This will still prevent members of the contributors group from being able to manage permissions, but will stop overriding the admin user's permissions.

TFS: Deny Check-in permission for a user on one group

I have assigned permissions to users on Group Level in TFS. I have a user who is assigned on more than one group and is allowed to check-in code in both groups. I want to allow user to check-in code changes in Group A but not in Group B.
I will be thankful to you if you can guide me how I can do this.
Regards,
No, we cannot achieve that.
In general you should try to avoid having users in multiple groups as in TFS deny always wins.
That means if you set check in as Deny for Group B, then all the users in Group B will not be able to check in changes even though the user in other groups have the Allow permission.
Permissions
It combines the permissions from all the user's groups.
If the user is denied access to anything they still can't access it even if they are given access to it elsewhere.
If the user is given access to something in any group they will have access to it (unless of course something else denies them).
If there's no explicit allow or deny in any of the user's groups, they will be denied access.
I think that people in GroupA work in part of source control and GroupB in another. If so, you have to enable check-in policies in both groups and instead configure source control folder or branch security policies in order to enable or not check-in or even other features on any group.
To do that:
Go in source control explorer
Right click on folder or branch: Advanced->Security
Enjoy!

TFS2015: what rights in a collection does a release approver need?

TFS2015 u2. I'm editing a release definition, assigning approvers for an environment.
I have several server-level groups. When I start typing group names in the "Specific users" box on the Approvals page of environment properties, one of them ("Application Hosting Team") comes up, another ("QA Team") doesn't. The former is a part of collection admins, the latter has no specific rights. If I grant the QA team collection admin, it comes up, too.
Question - which rights do I have to grant (short of admin) so that TFS considers it eligible for approving releases? Preferably on collection level.
EDIT: Adding the server level group to "Project Readers" will do, but I'd hate to go through all the projects...
Found two collection level ways:
Create a collection level group, add server level group to that one, grant Allow for Edit collection level items
Add the server group to "Release Management Service Accounts"
Either works. The former is slightly more work, the latter might grant more rights than strictly necessary to approve releases.

TFS 2012 Multiple Security Groups

If a user has access to multiple security groups, does TFS take the highest level group, or the lowest level group for access rights?
For example, if user John, belongs to the Read Group (can only read the source control but not edit) and then is added to the Developer Group (can read and edit source control) which group does TFS recognize?
Since he belongs to both groups can he still only Read since that is the lowest level or can he now edit since he is also part of the Developer Group and that is the highest level?
Permissions
It combines the permissions from all the user's groups.
If the user is denied access to anything they still can't access it even if they are given access to it elsewhere.
If the user is given access to something in any group they will have access to it (unless of course something else denies them).
If there's no explicit allow or deny in any of the user's groups, they will be denied access.
Access Levels
Access levels are done separately from group permissions - access can be set to limited, standard or full in the tfs 2012 admin area.
For TFS 2010 the only group that acted a bit weirdly was the work item only group, which afaik acted as an explicit deny on everything but editing your own work items. This functionality is replaced with access levels in tfs 2012.
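
The combination rules in the answer above (Deny wins, any Allow grants, nothing set means denied), as an added example that is not part of the original post and is not TFS code. It is a simplified model: the group names, permission names and membership data are constructed, and inheritance between nodes and access levels are not modelled. `deny_conflicts` is a hypothetical audit helper that lists users whose Allow from one group is cancelled by a Deny in another, the situation described in the Project Admin question earlier on this page.

```python
from enum import Enum

class State(Enum):
    ALLOW = "Allow"
    NOT_SET = "Not set"
    DENY = "Deny"

def effective(user_groups, acl, permission):
    """Combine one permission across all of a user's groups.

    Returns (granted, deciding_groups): a Deny in any group wins, otherwise
    any Allow grants, and with neither the user is denied.
    """
    states = {g: acl.get(g, {}).get(permission, State.NOT_SET) for g in user_groups}
    denies = sorted(g for g, s in states.items() if s is State.DENY)
    allows = sorted(g for g, s in states.items() if s is State.ALLOW)
    if denies:
        return False, denies
    if allows:
        return True, allows
    return False, []

def deny_conflicts(memberships, acl):
    """List (user, permission, denying_groups, allowing_groups) where a Deny
    in one group cancels an Allow the user holds through another group."""
    findings = []
    for user, groups in sorted(memberships.items()):
        perms = sorted({p for g in groups for p in acl.get(g, {})})
        for perm in perms:
            denies = sorted(g for g in groups if acl.get(g, {}).get(perm) is State.DENY)
            allows = sorted(g for g in groups if acl.get(g, {}).get(perm) is State.ALLOW)
            if denies and allows:
                findings.append((user, perm, denies, allows))
    return findings

# Constructed sample data: group and permission names are illustrative only.
ACL = {
    "Readers":        {"read": State.ALLOW},
    "Developers":     {"read": State.ALLOW, "check-in": State.ALLOW},
    "Project Admins": {"edit-node": State.ALLOW, "delete-node": State.ALLOW},
    "Team A":         {"read": State.ALLOW, "delete-node": State.DENY},
}
MEMBERS = {"john": ["Readers", "Developers"], "admin": ["Project Admins", "Team A"]}

if __name__ == "__main__":
    print(effective(MEMBERS["john"], ACL, "check-in"))
    for finding in deny_conflicts(MEMBERS, ACL):
        print(finding)
```

Changing the "Team A" entry for `delete-node` from `State.DENY` to not set (removing the key) clears the finding and restores the admin's access, matching the "Not Set" advice given in the answers.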

Making a TFS project read only

I want to make a TFS 2010 project read-only so users can view the info in work items but not add any details or new work items. I think I need to change the security permission on the project but it's not clear which permission I would change from the Contributors list.
In my opinion the right way is to alter the group memberships.
Remove all users from the contributors and higher groups and move them to the Readers group.
Two choices.
Choice 1: If this is a common pattern where the prevailing default is that folks are restricted, but some people have access (i.e. devs cannot change things but Tech Leads can), modify contributors and create a secondary group (for example, 'Tech Leads') that has the additional read rights. In this scenario, the Contributors group would contain tech leads, but only specific individuals with the extra rights would be in the Tech Leads group.
Choice 2: If the prevailing default is normal contributor access, but specific individuals (i.e. external contractors) need to be denied access, and you need to be 100% sure this goes through, regardless of any other group membership, then leave Contributors as is, and add a new group called (in this example) 'Contractors' and DENY specific access as needed.
Like before, everyone is a contrib, but contractors have some absolute limitations imposed on them, and the 'DENY' in the Contractors group overrides the 'Allow' from contrib. A use case for this would be cases where specific code has to be hidden from external vendors or some other sub-group and needs to be 100% rock solid - just be careful with denies as they will trump any number of allows you inherit from other groups.
Hope that helps!
Addendum: For restricting or changing rights on workitems, you need to do two things. First, set up appropriate group membership (noted above), then in the project, under Team Project Settings -> Areas and Iterations, click the Security button to set this up on a node by node basis (or at the root if you want to do these restrictions project wide).
