I have projects from two separate TFS collections that I am migrating to VSO. For this reason, I need two developer groups.
Is it possible to clone a group, with all permissions intact (even inherited ones)?
Unfortunately, there is no clone functionality in the UI or a command line. The closest would probably be to write a script that used tfssecurity to get the membership and permissions for a group and recreate it. There may be additional issues, but it will get you close at least.
Related
I have almost 400 projects to create in my TFS project collection in TFS 2017. I don't want to have to create and configure each project, one at a time. I'd like to create a custom process template, which seems easy enough to do, but I can't find how to add an AD group to the Project Administrators group.
The GroupsandPermissions.xml file allows the creation of new groups but doesn't accept the Project Administrators group as an option. I've read here where others have tested it. Also the macro for project administrators is reported not to work because the group already exists.
Any ideas how to add an AD group to project administrators in the process template or otherwise?
Is there any way to completely remove an user from a TFS2013 server (even from project valid users list).
I've a developer who is part of different collections/projects (around 50) and it's hard to remove them from each and every collection/project. Also if I go and remove manually I'm not sure how accurate it will be. They are moved to a different project and are not using TFS anymore. I want to remove him completely.
When a user with access to Team Foundation Server (TFS) leaves a company, an administrator would typically remove them from Azure Active Directory or Active Directory. This will automatically void their user account and remove their ability to access or connect to TFS.
In your case to remove an obsolete account from TFS, usually need to delete the user from all groups/collection they belonged to. You could remove it from Global Security dialog in security of team project collection. In the Users and groups list, click the user whom you want to remove, and click Remove.
For multiple collection/groups, you could also use tfssecurity command.
Use tfssecurity /i command to list users belongs to which groups
tfssecurity /i "domain\account" /server:http://serverName:8080/tfs
And using tfssecurity /g- command to remove that user from a group
tfssecurity /g- "[TeamProject1]\Contributors" n:domain\account /collection:http://serverName:8080/tfs/Collection
Another solution could be using this 3-party software--Team Foundation Server Administration Tool it works with tfs 2013.
Moreover, changes you make to local or Active Directory groups do not get reflected in TFS immediately. Instead, TFS will synchronize those groups regularly.
A periodic clean-up job that is executed removes people from the global groups. If you just wait, they will disappear in a couple of days. They will not have access to any of the TFS assets however.
Well, you could also kick it off: Force TFS to sync with Active Directory
I have a TFS 2015 installation where we have a rather big number of projects. Currently there are old projects, that aren't used anymore but need to stay available as an archive (read only).
I'd like to make a workspace or something in TFS so that these projects normally don't come up in the normal view.
One way I found out is to set the TFS offline, make a copy of the database, bring the copy of the database online and then delete all projects that are still active and rename it. After that bring back online the original database and delete all archived projects.
This can be done once. Maybe once a year, but it will result in a large number of databases. This will make it worse than leaving the inactive projects in the workspace.
Does anyone have better idea? Or: What do you do with old projects?
First, there currently is no archiving function on TFS. However you can use something else as a workaround. To do this, you can either create a project designated as archived that you then have to assign permissions to and so on or move the project into another collection using the TFS Integration Toolkit.
Set the Read permission to Deny of contributor group will hidden the collection to come up in the normal view.
Below are some related blogs for your reference:
How to: Archive Team Foundation Server Team Projects
completely archive a TFS2012 project
Moreover, there has been a feature request in UserVoice, you can also vote up it to get more attention.
The process you are using (cloning a collection) would be the only method to achieve an archive as you describe it.
I would start by understanding why you have so many projects! Prefer larger Team Projects that contain many Products, Projects, Teams that are easier to manage.
I manage a large TFS 2013 team project, whose code we're now splitting into multiple independent parts, each part becoming a tenant in the team project. Each such part would have its own build definition(s). I want people in each part to be able to create/edit/manage their build definitions, but not others.
Currently, I create the build definitions myself upon request, and then set permissions on the new definitions, and tell people to edit them. I have permissions to that since I'm in the Builders VSO group, and therefore have Edit build definition and Administrator build permissions on the Team project.
However, I'd like to grant everyone the permission to create new build definitions and administer them, but not have permissions to change other permissions. Is this possible in TFS?
Its not currently possible to do that out of the box. However, you could setup a webpage that automated the task that you currently perform and add a new build definition and give permission to the correct team... Then they can manage it from then.
I would recommend using PowerShell for the action and the webpage mearly calls that.
We use TFS as source control. In TFS we host a solution consisting of multiple Visual Studio projects. We do not want our contractors to see the source code of ONE of these projects (limited users should still see all compiled assemblies). What is the best way to achieve our objective without setting up two repositories and having to synchronize all code changes between them?
I would recommend that instead of just changing the permissions in place that you move the projects that you want to protect to a separate folder with its own solution. Secure that folder as above. You can then build it separately and deploy it to an internal nuget repository.
you can then reference that repository from within the Visual Studio package manager and it will be managed as an external dependency. If you update and publish the other solution then the other devs will be notified of updates..
You control access rights to a folder by selecting Advanced->Security from Source Control Explorer. From there, you can turn off security inheritance for the item(s) you need to protect. Then, create a TFS-specific group containing the 'limited users' only and only allow them access to the particular project folder. Alternatively, create a group for the contractors and deny them access.
This is based on VS/TFS 2012.
But my guess is that you will also need to create a specific solution for the contractors that doesn't have the particular project included.