Deny workitem workflow editing - tfs

We are using tfs 2013 update 4.
One of our colleagues downloaded TFS PowerTools by itself and started to edit workflow and fields of our projects.
Is there any way to deny this functional for him?
Hi is not a project administrator, not TFS adminstrator. TFS powertools allows to change witd for all who can see the project.

Set his Manage Process Template permission to Deny. This is a collection-level setting.

They must have higher level permissions than you think. Maybe an AD group they are a member of has been added in to Collection Admins or something like that?
Customize a process template
"To download or upload process templates, you must either be a member
of the Project Collection Administrators group, or your Manage process
template permission must be set to Allow"
Download the sidekicks utility and you'll easily be able to see which permissions the user has.
Team Foundation Sidekicks
If they are a member of Project Admin, Collection Admin or Server Admin then remove them or explicitly deny the "manage process template" permission

Related

Remove "Edit team project level permission ACLs" from TFS project admins so that they are not allowed to add users

I want to restrict my TFS 2015 Update 3 (Moving to TFS 2018 shortly) project administrators, so that they are not allowed to add individual users to the TFS security groups. To add users we have in-place a custom solution where users are added to Ldap.
I have came to know from the link that "Edit team project level permission ACLs" permission defines the user management for the Project Administrators.
Is there a way by which I can stop the TFS team project administrators to not allow to add users?
Unfortunately, there is no such setting to not allow to add users. I have submitted a UserVoice at website below, you can vote it:
https://visualstudio.uservoice.com/forums/330519-visual-studio-team-services/suggestions/33317830-add-a-permission-that-not-allow-adding-users-in-tf

In TFS 2015, how do I block contributors from checking into a branch while allowing the project administrators branch?

I'm working with TFS 2015 using the ALM Rangers Development & Release Isolation Branching Strategy and Team Foundation Version Control. I would like to keep developers from checking code into the Main branch and letting them only work in Dev and Release branches. I want to allow the Project Administrators and above to perform the merges and check ins to Main.
With Team Web Access:
I selected the drop-down next to my Main branch and selected
"Security".
Set Inheritance to "Off".
For Contributors, Set Check in and a few other permissions to "Deny".
Saved Changes.
For Project Administrators, set the same permissions to "Allow"
Saved Changes.
TFS changed the values of each of the Project Administrators permissions to "Inherited deny*"
I have heard that setting "deny" can cause problems. Now I understand why I was told that. Is there a way to achieve my stated goal above, through standard TFS permission settings?
Cann’t reproduce your problem with the same settings in my TFS2015.
According to TFS permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
To achieve what you want, you can create a new group such as DenyMainGroup. Adding the developers to this group. Make sure your project administrator members don’t belong to it. For this group, set Check in and a few other permissions to “Deny”. For Contributors and Project Administrators, set the same permissions to”Allow”. Saved Changes.

Areas and iterations, permissions required

What are the correct permissions/settings to allow an user to create/edit areas and iterations?
I have an user that is getting this message in the admin section of areas or iterations:
You do not have one or more permissions required to update the iterations for this team
The weird thing is that the user can indeed create/edit areas and iterations, this user is part of a TFS Group I created for the Project, the Security properties of this group are:
Create test runs - Allow
Delete team project - Not Set
Delete test runs - Allow
Edit project-level information - Not Set
Manage test configurations - Allow
Manage test environments - Allow
View project-level information - Allow
View test runs - Allow
The Security of Areas and Iterations have allow to everything.
This used to be enough in TFS 2010, but it don't know why the message appears in TFS 2012.
Another thing, If I change the Security Property of "Edit project-level information" to Allow the user does not get the message, but in TFS 2010 this setting allowed users to change the permissions of another users and I don't want that.
U can use TFS Sidekick to effectively see how a users inherited different permissions on the different area's in TFS. U can use this tool to check out other projects where the permissions work and see if the adjustments u made had the effect u wanted. I dont advice to change permissions by this tool but use the administrator console to give this permissions to the group u want to.
Tfs 2012 Sidekick
I don't know if its the correct answer, but i added my custom group to the Project "Team". I have to read more about this Teams thing in TFS2012.
You (as project admin) have to use security policies on Iteration and area nodes from project web portal. (ex: http://tfsxxxx:8080/tfs/<collection>/<project>/_admin/_iterations ..../_areas).
Select an iteration or area node, right-click and select Security in order to set right to:
Create child nodes
Delete this node
Edit this node
View permissions for this node

How can I grant access to all Team Projects for a custom group

I have a custom group in TFS, and I would like to grant access to this group for every team project so we don't have to do this one by one.
It seems like the developers have access via Source Control Explorer, but cannot see these projects via 'Connect to Team Project'.
Any idea what is going wrong, or what permission is missing?
We are using TFS2012 on-premise.
The tfssecurity command line tool allows us to manage permissions for TFS groups and users. We could use it in a PowerShell script to grant access to projects that already exists. However I haven't found a way to use this command at the TFS collection level in order to grant permissions for future projects.
The approach I use is based on the fact that TFS permissions are inherited unless explicitly denied.
To create an user group that will automatically access all existent projects as well as the futures ones, follow those steps:
Create a new security group at the project collection level. From Visual Studio you can do it from the "Team / Team Project Collection Settings/Group Membership" menu. On TFS Online you can access to "Account Settings / Security" page.
Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including the futures ones.
Deny the permissions of the new group, in order to limit the administrator permissions inherited by the group. You can use an existent TFS group as template, and deny all permissions except those explicity allowed to the group which behavior you want to copy. For example, if you want to create a group with the same permissions that has the default "Project Collection Valid Users" group, you can deny all permisisons except "Create a workspace", "View build resources" and "View collection-level information"
It is possible but you’ll need to give your users a log more privileges than they need to have. You can give them privileges that are similar to project collection administrators and they will have access to all projects but with elevated privileges.
It is possible do this but only for source control like you’ve already done but I’m not really sure about connecting to projects, working with workitems and such.

TFS 2010 - restrict ability to customize Work Item Template

Is there any way to remove the ability for members of the Project Administrator group from being able to modify the Work Item Type Definitions in their projects?
If I were to create a custom group that mimics project administrators (contains the sames permissions), which permission or permissions would need to be denied?
Thanks for your help!
This may help:
Manage process template permission
Users who have this permission can download, create, edit, and upload process templates to the team project collection.

Resources