How to grant permission to a user to manage users and groups and prevent the same user to import and export work item types in TFS - tfs

How to grant permission to a user to manage users and groups and prevent the same user to import and export work item types in TFS. If I added the user to the project admin group, the user would be able to do both of the mentioned tasks.

There is no way to do it out of the box.
As you can see, "Project Administrators" is a hardcoded project group, which you cannot remove and whose permissions you cannot manage. The TFS system has no special permission to deny import/export of work item types. "Project Administrators" members can modify WITD by default.
But there is a workaround.
First of all you will need to create a custom group (for example: "PM"), grant the same permissions for it (like "Project Administrators" already have) and move all PM users from "Project Administrators" to the new group. After that, members of this group cannot modify the project templates.
Then you have to prevent the addition of any user to the "Project Administrators" group.
You can use this command for it:
TFSSecurity.exe /a+ Server FrameworkGlobalSecurity GenericRead n:"[PROJECT]\Project Administrators" DENY /collection:http://tfsserver:8080/tfs/DefaultCollection
Now each user in the "[PROJECT]\Project Administrators" group will lose all access to the TFS Server.
Of course, you must inform the users about that.

Related

How to setup permission to single project on Jira

We have multiple projects but want to have a single user be able to see and work in just one project in Jira Software Cloud.
It will be good to have a new dedicated permission scheme. You may start by copying the default one:
Permissions can be based on Project Role or Group, depending on how you prefer to manage them.
If they are set on "Project role", as shown in the picture below, a user who is set to be in the "Developer" role of a certain project will have browse permissions to it, and each project that uses this permission scheme can be configured with users in certain roles, so these users will be the ones granted permissions.
The target project needs to be updated to use the new permission scheme.
It will be good to change default permission scheme to be more restrictive i.e. probably just user group admins to have access to projects that are using it.
Hope this helps!
The trick is to restrict access to all your projects apart from the one you want them to be able to see.
Then create a group that has permission to access the restricted projects.
Finally, add all your users to the group that has access apart from the single user that you want to restrict.
Create a new project role "Team member".
Copy the default permission scheme and replace "Application access - Any logged in user" with "Project role - Team Member".
Apply the new permission scheme to your project.
Add the user to the project under the role "Team Member".
Caveat: some permissions may be lost because of the "Any logged in user" permission removal which is sooo generic it hurts. So you need to check that existing users still have the access they expect. First step would be to add them to the project under the "Team Member" role.

Team Services permissions - how to prevent dashboard access but allow GIT/Code access

Is it possible to allow access to Team Services GIT repo but not allow
We have a Project X which we want to allow a user to access the GIT repo but not see work items etc.
I have created a Team within Project X which is currently just inheriting from "Contributors" - I would like to lock this Team down so that it only has permission to the GIT repo and nothing else.
is this possible?
Cheers
You could restrict access to resources that you manage in VSTS by setting the permission state to Deny through a security group/team.
You could deny the builds /Release and so on... For a comprehensive list of default groups and permissions, see Permission reference for Team Foundation Server.
For restricting users to see work items, you could deny the View work items in this node permission under an Area path:
View work items in this node
If you set the View work items in this node to Deny, the user will not
be able to see any work items in this area node. A Deny will
override any implicit allow, even for accounts that are members of
administrative groups such as Team Foundation Administrators.
For more details, please refer to this link.

Which permission allows a user to create Task Groups in TFS 2017 Build?

When I try to create a task group from a task in my build definition in TFS 2017, I get an error that says
Access denied. (user name) needs Edit task group permissions to
perform the action. For more information, contact the Team Foundation
Server administrator.
I've checked the following documentation pages, but none of them seem to mention how to grant edit task group permission:
Task Groups
Permissions and groups in VSTS and TFS
Build and release permissions
I'd like to know the correct way to grant this permission.
Additional information:
My account is a member of a Builders group in the appropriate project, and that Builders group has Allow set for every permission listed at the above Build and release permissions link, except override check-in validation by build and Update build information which are both Not Set, and the documentation recommends leaving those permissions as they are.
There are three related permissions for task group configuration: Administer task group permissions, Delete task group, and Edit task group.
You could set it from Build&Release --Task Group--right click it in left pane--select security.
However, just like some other permission settings, you could also directly add a user or TFS group here. After adding a user, there should be a users list under the TFS group list.
"Build Administrators", "Contributors", "Project Administrators" or "Release Administrators": there are just four default groups here. You don't have to add your user account to these groups and set the permission for a specific group to grant the related "task group" permission. For example, if you don't want to give all users in a group the corresponding permission, you could simply give the permission to a user.
In your case, you could add your old "Builders" group here or just add your own account, either directly here or to one of the default groups.
The other answer is good, except that I have no Builders group... perhaps due to the upgrade path that had been followed on that server.
Go to Task Groups hub, e.g. http://{server}:8080/tfs/{collection}/{project}/_apps/hub/ms.vss-releaseManagement-web.hub-metatask, and hover on Task Groups in left pane, click Ellipsis and choose Security. By default, the old Builders group is not in there, but Build Administrators is. The permission Edit task group can be set here, if needed, but it looks like the correct thing to do is add the user to one of the groups Build Administrators, Project Administrators or Release Administrators.

Assigned To field not showing user with the same name as a deleted user

We had a person leave our company and their windows domain account for Active Directory was deleted. They have since come back but have been given a different windows domain account user name. Now when we attempt to assign them tasks it's always associated with the old account. I assume this is because the name is still the same and TFS is doing some kind of duplication check. I've tried removing cache and have verified that the Team Foundation Server Periodic Identity Synchronization job is running properly. I can also see the old active directory account show up when attempting to Add a windows user or group via the dialog along with the new Active Directory user.
What's strange is this user is not showing up as a member of any groups in TFS for any of the Team Project Collections. So why are they still showing up in the [Team Project Collection]\Project Collection Valid Users group?
Seems the main issue is deleted users still in "Assigned To" List. First try to throw down the issue.
If you are using the VALIDUSER rule, it contains all valid users in TFS. You may check the collection-level Project Collection Valid Users group; you may need to check every group to delete the user. Use the TFSSecurity /imx command to display information about that group, then delete the user from the right group.
After deleting the old user, you need to try to let TFS sync with Active Directory. For detailed steps, you can refer to:
Force TFS to sync with Active Directory
Active Directory Groups not Syncing with Team Foundation Server 2010

Deny read and browse source code on TFS 2012

I am trying to set permissions on TFS 2012 so as to deny read and browse of source code for some users/teams. Until now I have succeeded on denying read but I cannot deny a user from browsing it. That means, the user can easily see the full tree of files and folders. I would like the user not to be able even to browse it!
Found the solution!
I finally managed to totally hide source code from specific group of users (although I allow them to see work items) by setting "Edit collection-level information=>Not Set" on "Project Collection Valid Users" in "DefaultCollection Groups".
Of course I had to manually deny every permission on the root ($) of source but I suppose this could work for any path you like.
After that I created areas and allowed on this group specific areas and everything goes perfect!
Alex, thanks for your support on that!
I would try removing access to project level information on the Project Settings, if that doesn't do it you may have to remove access to the project as a whole.
One thing I would caution though is using Deny, especially on groups of users. Removing allow is better than specifically denying when having groups of users.
For instance: User A may be a member of Administrators, but also a member of Contributors. As a member of Administrators he should be able to do the action of the security setting in question, but we don't want Contributors to do it. If we remove allow from Contributors, then the allow in Administrators would still work. However, if we deny the Contributors, the deny overrides the allow in User A's Administrators group and User A cannot do the action of the security setting in question.
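The Deny-versus-remove-Allow difference described in the answer above, as an added example that is not part of the original posts. It is a simplified model (Deny beats Allow across group memberships, inheritance ignored); the group names, users and the "Read" permission are constructed sample data, and the helper names are hypothetical.

```python
# Simplified model of group-permission resolution: an explicit Deny on any
# group a user belongs to overrides an Allow from any other group.
ALLOW, DENY, NOT_SET = "Allow", "Deny", "Not set"

def effective(user, perm, memberships, acl):
    """Resolve one permission for one user across all of their groups."""
    states = [acl.get(g, {}).get(perm, NOT_SET) for g in memberships.get(user, ())]
    if DENY in states:
        return DENY
    if ALLOW in states:
        return ALLOW
    return NOT_SET  # nothing granted anywhere: access is refused implicitly

def with_state(acl, group, perm, state):
    """Copy of the ACL with one group's permission changed (what-if analysis)."""
    trial = {g: dict(p) for g, p in acl.items()}
    trial.setdefault(group, {})[perm] = state
    return trial

def locked_out_by_deny(group, perm, memberships, acl):
    """Users who keep `perm` if Allow is merely removed from `group`,
    but lose it if `group` is set to Deny instead."""
    unset = with_state(acl, group, perm, NOT_SET)
    denied = with_state(acl, group, perm, DENY)
    return sorted(
        u for u in memberships
        if effective(u, perm, memberships, unset) == ALLOW
        and effective(u, perm, memberships, denied) == DENY
    )

# Constructed sample data mirroring the "User A" scenario.
MEMBERSHIPS = {
    "userA": ["Administrators", "Contributors"],
    "userB": ["Contributors"],
    "userC": ["Administrators"],
}
ACL = {
    "Administrators": {"Read": ALLOW},
    "Contributors": {"Read": ALLOW},
}

if __name__ == "__main__":
    # Run this check before choosing Deny on a group with overlapping members.
    print(locked_out_by_deny("Contributors", "Read", MEMBERSHIPS, ACL))
```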
