A developer has left our team. Whilst working with us, he was a member of our TFS2013 instance. I've removed him from every group within the Team Project and Team Project Collection, and checked that he is not in any groups on the TFS server directly. His account in active directory has in fact been deleted. However, I still see his name in two places;
1) On the drop down list for 'Assigned To' on tasks/backlog items on the Scrum board
2) On the Team Project Collection Users list, his user appears if you select 'Users' but he is not a member of any groups. There is no Remove option anywhere on the screen.
Is this simply because he has previously checked in code/had tasks assigned to him in the past? I realise it is easy to say 'yes' to this question as it seems perhaps obvious, but I would like to know if it is possible to completely remove his user from these 2 places.
1) First check if he isn't part of any teams and/or an admin of a team (under the team icon). If the Witd types are customized, it can also be that he was manualy added. Otherwise force a synchronisation of the active directory; https://mohamedradwan.wordpress.com/2013/12/29/force-synchronizing-tfs-2013-users-with-windows-accounts/
2) If the synchronisation didn't fix this as well, its possible there are explicit rights defined on his user account. You need to remove that specific right.
Related
I'm relatively new to developing with tfs (only used git before).
I'm connecting to a server, which contains a decent amount of projects.
When I create a new work item, I can select only the server below 'classification' and not the specific project.
How can I allocate a work item directly to a project instead of the server?
Thanks!
You could directly create work item under the specific team project. The simplest and effective way is through web portal.
Project--Work--New Work Item--Work Item Type
After this the a work item directly allocated to this project instead of the server.
In work item, several features depend on the team project or team that
you have selected. For example, dashboards, backlogs, and board views
will change depending on the context selected.
When you add a work item, the system references the default area and
iteration paths defined for the team context. Work items you add
from the team dashboard (new work item widget) and queries page are
assigned the team default iteration. Work items you add from a team
backlog or board, are assigned the team default backlog iteration.
You navigate to your team context from the top navigation bar.
If you are new to tfs work item, suggest you take a look at related tutorial in MSDN: Plan and track your project with work items. Besides in TFS, there is a concept of permission, also make sure your account have enough permission for the project and adding work item.
What are the correct permissions/settings to allow an user to create/edit areas and iterations?
I have an user that is getting this message in the admin section of areas or iterations:
You do not have one or more permissions required to update the iterations for this team
The weird thing is that the user can indeed create/edit areas and iterations, this user is part of a TFS Group I created for the Project, the Security properties of this group are:
Create test runs - Allow
Delete team project - Not Set
Delete test runs - Allow
Edit project-level information - Not Set
Manage test configurations - Allow
Manage test environments - Allow
View project-level information - Allow
View test runs - Allow
The Security of Areas and Iterations have allow to everything.
This used to be enough in TFS 2010, but it don't know why the message appears in TFS 2012.
Another thing, If I change the Security Property of "Edit project-level information" to Allow the user does not get the message, but in TFS 2010 this setting allowed users to change the permissions of another users and I don't want that.
U can use TFS Sidekick to effectively see how a users inherited different permissions on the different area's in TFS. U can use this tool to check out other projects where the permissions work and see if the adjustments u made had the effect u wanted. I dont advice to change permissions by this tool but use the administrator console to give this permissions to the group u want to.
Tfs 2012 Sidekick
I don't know if its the correct answer, but i added my custom group to the Project "Team". I have to read more about this Teams thing in TFS2012.
You (as project admin) have to use security policies on Iteration and area nodes from project web portal. (ex: http://tfsxxxx:8080/tfs/<collection>/<project>/_admin/_iterations ..../_areas).
Select an iteration or area node, right-click and select Security in order to set right to:
Create child nodes
Delete this node
Edit this node
View permissions for this node
I have a TFS 2010 Work Item Type with a custom field called "Requested By." This field can be populated with any name, but since most of the requests come from project developers throughout the organization, the SUGGESTEDVALUES property should populate the dropdown list with members of any TFS team project.
I have tried various values for SUGGESTEDVALUES, but both Collection\ Project Collection Valid Users and Server\ Team Foundation Valid Users seem to return every valid Active Directory account—well over 10,000 names.
I recognize that one option is to add an ALLOWEDVALUES item with multiple LISTITEM entries for Project\ Contributors for every team project, but with more than 150 team projects in the organization, this would be time-consuming initially and challenging to manage in the future.
Is there any easy way to populate the drop-down with TFS valid users who have actually been assigned to any team project in the collection, and exclude "Valid" users who exist in Active Directory but have never been assigned to a project?
What do you get if you use Project Collection Valid Users?
Project Collection Valid Users is the correct group to use, and I have entered it correctly.
However, one project team wanted to make their code available to the entire organization, and added ORG\Domain Users to the [Project]\Readers group. This was discovered by running a full audit with TFS Projects based on a hunch that something like that must have happened.
Having answered this question with "because a project team was doin' it wrong," I have posted a follow-up question to find out how to correctly grant all valid TFS users access to a specific project. See How can I grant Team Project access to all Project Collection Users? for the discussion on (hopefully) doing this "the right way."
For some reason our developers can only add projects that they've created to Team Explorer, even though they've all been given rights to the other projects. I created a top level group and added all of their AD users to it, and I assigned that group rights to access all of our projects.
They can see the projects in Source Control Explorer, and are able to do their work, but if they try to add a project to Team Explorer, the Connect to Team Project dialog box only shows their own projects.
Is there some other set of permissions?
If you want to make everyone can see and operate each others project, you need to put your team group into Project Collection Administrators in Collection level
If you don't want everyone have admin right,
you need to tell everyone to put the team group into Readers group in the team project they created.
Actually, I don't think there is a way to create a group in Collection level to access all team projects.
In fact, I think the best solution for you situation should be everyone use the same Team project and put everyone in the Reader group in that team project.
So everyone can create their own project under that team project instead of creating their own team project.
If you still want to let everyone create their own team project,
I suggest you use Team Foundation Server Administration Tool to manage group membership.
Permission right usually given on team project level basic. By "top level group" if you mean by giving permission at collection level. then i will suggest you try adding member at 'team project level' under any required group with necessary permission. if you cant add the member ask the admin of the team project to add separately.
you can directly access the security page through web access by.
[TFS web access url]/[Collection]/[team project]/_admin/_security
Under the "TeamExplorer - Connect" there is an option to "Select Team Projects..." When you click on this a box should pop-up titled "Connect to Team Foundation Server" that has a select dropbox, a "Team Project Collections" panel and a "Team Projects" panel. The latter has a list of projects in the collection and each has a checkbox next to them.
Make sure the projects you are interested in are in the list, and have the box checked. You can use the "Select All" checkbox to turn them all on at once.
HTH
Can you prevent a user with project admin or project collection admin rights from updating a project's work item definition or its project template?
Basically we have a TFS instance with multiple projects and project collections. We want to ensure we have one template and work item definition across all of them so any updates should happen across all project\project collections.
thanks
p.s. we do this since we are interfacing with another system and if a new, required field is added it will cause issues.
Members of the "Project Collection Administrators" and "Project Administrators" group have hard-coded admin permissions. Even if you remove the "Edit Project-Level Information" permissions, they have the ability to give that permission to themselves again.
The only way to prevent members of these groups from modifying the work item definitions, is to remove them from the group. Some people create a new administrators group and give them the same permissions, except for the permission to modify work item types.