Access Denied: User <> needs Checkin, CheckinOther permission(s) for $<> - opshub

I am getting the below error
"OH-SCM-009: Error occurred while sync. TF14098: Access Denied: User Pradeep Damodaran needs Checkin, CheckinOther permission(s) for $/DisCo/Dev."
while trying to run the OPSHub utility from TFS 2012 to VSO. I have admins permission on both the Source as well as the Destination projects.

For the "$/DisCo/Dev" folder of your VSO (Target End Point) in your Visual Studio Source Control Explorer, can you do right-click > Advanced (Properties) > Security. It will take you to the Permissions page. For the user in question "Pradeep Damodaran", please verify if he has proper permissions to do source control operations. The user being a part of the Administrators is not enough to outright access.
In the permissions, a Deny permission takes precedence over allow. So for example, suppose you are a member of Admin Users who have all the permissions. And also a member of Project Reader Users where explicitly some specific permission is denied. Then that deny permission would take precedence and your user wont be allowed to do that particular operation.
Verify that operation is being performed in the changeset which is giving you this error. And see if "Pradeep Damodaran" has permission to do that at the specified location.

Related

Team Services permissions - how to prevent dashboard access but allow GIT/Code access

is it possible to allow access to Team Services GIT repo but not allow
We have a Project X which we want to allow a user to access teh GIT repo but not see workitems etc
i have created a Team within Project X which is currently just inheriting from "Contributors" - i would like to lock this Team down so that it only has permission to the GIT repo and nothing else
is this possible?
Cheers
You could restrict access to resources that you manage in VSTS by setting the permission state to Deny through a security group/team.
You could deny the builds /Release and so on... For a comprehensive list of default groups and permissions, see Permission reference for Team Foundation Server.
For restricting users to see work items, you could deny the View work items in this node permission under an Area path:
View work items in this node
If you set the View work items in this node to Deny, the user will not
be able to see any work items in this area node. A Deny will
override any implicit allow, even for accounts that are members of
administrative groups such as Team Foundation Administrators.
More details please refer this link.

Which permission allows a user to create Task Groups in TFS 2017 Build?

When I try to create a task group from a task in my build definition in TFS 2017, I get an error that says
Access denied. (user name) needs Edit task group permissions to
perform the action. For more information, contact the Team Foundation
Server administrator.
I've checked the following documentation pages, but none of them seem to mention how to grant edit task group permission:
Task Groups
Permissions and groups in VSTS and TFS
Build and release permissions
I'd like to know the correct way to grant this permission.
Additional information:
My account is a member of a Builders group in the appropriate project, and that Builders group has Allow set for every permission listed at the above Build and release permissions link, except override check-in validation by build and Update build information which are both Not Set, and the documentation recommends leaving those permissions as they are.
There are three related permission Administer task group permissions, Delete task group, Edit task group for task groups configuration.
You could set it from Build&Release --Task Group--right click it in left pane--select security.
However just like some other permission settings, you could also directly add a user or TFS group here. After add a user, there should be a users list under TFS group list.
"Build Administrators", "Contributors","Project Administrators" or "Release Administrators" there are just four default groups here. You don't have to add your user account in these groups and set the permission for a specific group to grant related permission of "task group". For example, if you don't want to give all users in a group the correspondingly permission, you could simply give the permission for a user.
In your case, you could add your old "Builders" group here or just add your owner account either directly here or one of a default group.
The other answer is good, except that I have no Builders group... perhaps due to the upgrade path that had been followed on that server.
Go to Task Groups hub, e.g. http://{server}:8080/tfs/{collection}/{project}/_apps/hub/ms.vss-releaseManagement-web.hub-metatask, and hover on Task Groups in left pane, click Ellipsis and choose Security. By default, the old Builders group is not in there, but Build Administrators is. The permission Edit task group can be set here, if needed, but it looks like the correct thing to do is add the user to one of the groups Build Administrators, Project Administrators or Release Administrators.

In TFS Online, How do I share a code branch with our customer

We have an enterprise customer that we have delivered a system for. It is part of the agreement for us to supply them with the source code of the latest release. We are using TFVC on TFS online, and we thought it would be easiest to give them access to our Main branch. But I have difficulties with only allowing them to access the code and nothing else. The user I am testing with, can see too much: I.e. things like dashboard, current team members etc.
Is it possible for me to only expose code from the Main branch and nothing else to an external user?
Giving access to TFS Main Branch out of Organization (AD) is not advisable considering security.. Instead consider giving source code into zip format there are lot of large file sending (FTP sites) are available..
Still for your request of restricting access to user have a look over this
https://www.visualstudio.com/en-us/docs/setup-admin/restrict-access-tfs
you can consider replicating your part of source code into separate stream and give reader read only access to that stream.
Hope this helps... :)
Refer to these steps to set the permission:
Add user to your VSTS (Basic)
Remove this user from all group if you added
Go to admin page of a team project Version Control (Setting > Version Control)
Select a folder/branch
Click Add > Add User to add that user
Select the user that you added
Set Read permission to Allow
Go to Security page (click Security)
Click Create group to create a new group
Set View project-level information to Allow and deny other permissions for this group
Click Members of that new group
Click Add to add that user to this group
After that, this user can access the code (Just the folder/branch the user has the read permission) on web access (Code > Files).

TFS- MTM - Unable to successfully configure the test controller to communicate with TFS

I am trying to set up a system where I can run selenium automated test from MTM.
The issue I am facing is I am not able to configure Test Controller successfully. I believe this is due to some permission issue. Below is the set up I am using
The error I am getting while clicking on Apply Settings is below
E, 2016/08/22, 16:20:19.541, Failed to obtain the service account from the hosted TFS Team Project Collection https://xyz.visualstudio.com/DefaultCollection: Access Denied: Timothy Alex needs the following permission(s) to perform this action: Edit collection-level information
I, 2016/08/22, 16:20:19.542, Failed to connect to the tfs project collection https://xyz.visualstudio.com/DefaultCollection. Microsoft.VisualStudio.TestTools.ConfigCore.ConfigToolException: Failed to obtain the service account from the hosted TFS Team Project Collection https://xyz.visualstudio.com/DefaultCollection: Access Denied: Timothy Alex needs the following permission(s) to perform this action: Edit collection-level information
at Microsoft.VisualStudio.TestTools.ConfigCore.ControllerConfiguration.AttemptToAddServiceAccountToGroup(ControllerConfigurationUpdatePack updatePack, TfsTeamProjectCollection server, TfsServiceAccount account, DelegateStatusUpdate statusListener)
at Microsoft.VisualStudio.TestTools.ConfigCore.ControllerConfiguration.ChangeTfsRegistration(ControllerConfigurationUpdatePack updatePack, DelegateStatusUpdate statusListener)
E, 2016/08/22, 16:20:19.551, Failed to obtain the service account from the hosted TFS Team Project Collection https://xyz.visualstudio.com/DefaultCollection: Access Denied: Timothy Alex needs the following permission(s) to perform this action: Edit collection-level information
The log states that I need Edit collection-level information. I believe this is at the default collection level and I am afraid I will not get this persmission as this is something similar to super admin where I can have the power to delete/modify an existing project in the collection.
I believe this should not be provided to all the testers as this might lead to some accidental damages to the project.
Please correct me if I am wrong and advice as what I need to do next to make sure I am able to configure the test test controller successfully.
Thanks a lot for your help on this.
Your assumption regarding Edit collection-level information permission is wrong. It's not super admin. Please read https://msdn.microsoft.com/en-us/library/ms252587.aspx carefully.
Just ask your TFS admin
to add your account to project collection's Project Collection Test Service Accounts group or
to tell you an existing service account used for this purpose.

Deny read and browse source code on TFS 2012

I am trying to set permissions on TFS 2012 so as to deny read and browse of source code for some users/teams. Until now I have succeeded on denying read but I cannot deny a user from browsing it. That means, the user can easily see the full tree of files and folders. I would like the user not to be able even to browse it!
Found the solution!
I finally managed to totally hide source code from specific group of users (although I allow them to see work items) by setting "Edit collection-level information=>Not Set" on "Project Collection Valid Users" in "DefaultCollection Groups".
Of course I had to manually deny every permission on the root ($) of source but I suppose this could work for any path you like.
After that I created areas and allowed on this group specific areas and everything goes perfect!
Alex, thanks for your support on that!
I would try removing access to project level information on the Project Settings, if that doesn't do it you may have to remove access to the project as a whole.
One thing I would caution though is using Deny, especially on groups of users. Removing allow is better than specifically denying when having groups of users.
For instance: User A maybe a member of Administrators, but also a member of contributors. As a member of Administrators he should be able to do the action of the security setting in question, but we don't want contributors to do it. If we remove allow from contributors, than the allow in Administrators would still work. However, if we deny the contributors the deny overrides the allow in User A's Administrator group and User A cannot do the action of the security setting in question.

Resources