TFS Permission for work item - tfs

I use TFS 2012 and want to set the following permissions for a group of TFS users:
Allow creating a new issue item.
Deny creating a new task item.
Deny changing their own task item, except that they can change its remind time, description and state; they can't change its assigned user, priority and iteration.
Can I set these permissions?
Edit
In the area configuration, the following access settings exist:
Create Child nodes
Delete this node
Edit this node
Edit work items in this node
Manage test plans
View permissions for this node
View work items in this node
And in the iteration configuration, the following access settings exist:
Create child nodes
Delete this node
Edit this node
View permission for this node
Can I add my requested access to the area and iteration security configuration?
Thanks in advance.

Best practice is to assign your members to the Contributor group; this group's permissions permit working on the project without the administrator role.
You can set permissions in the security section of the Web Portal.
Link: http://msdn.microsoft.com/en-us/library/ms252467(v=vs.80).aspx

Related

TFS: How to set permissions per Work Item in a project?

Is there a way in TFS for a user to have permission to add an Issue in a project, but not have permission to add/edit other work items like User Story, etc.?
Is there any extension or utility to do this on TFS?
You cannot restrict the editing of specific work item types. Permissions are controlled at the area path level. A user with permissions to create work items under an area path can create any type of work item under that area path.
No, there is no such built-in configuration. It's also not possible to use any extension or utility to do this on TFS.
Permissions for work items are based on the areas/iterations where they occur, and are set through the dialogue that defines areas and iterations.
In other words, you are not able to set any permission either to a specific work item or work item type.
You could submit a user voice here, our PM will kindly review your suggestion.
There is only one out-of-box way to do this: Create child nodes, modify work items under an area path. You may try the following:
Create a new team and area path for the Issues Team (see: Add a team, move from one default team to several teams).
Edit Security for the Root Area Path and restrict edit work items for the Issues Team.
Edit Security for the Issues Team Area Path and allow to edit work items for the Issues Team.
In this case, your Issues Team can create and edit any work items under the Issues Team Area Path, but cannot edit any other work items.

Team Services permissions - how to prevent dashboard access but allow GIT/Code access

is it possible to allow access to Team Services GIT repo but not allow
We have a Project X in which we want to allow a user to access the GIT repo but not see work items, etc.
I have created a Team within Project X which is currently just inheriting from "Contributors". I would like to lock this Team down so that it only has permission to the GIT repo and nothing else.
Is this possible?
Cheers
You could restrict access to resources that you manage in VSTS by setting the permission state to Deny through a security group/team.
You could deny the builds/Release and so on. For a comprehensive list of default groups and permissions, see Permission reference for Team Foundation Server.
For restricting users to see work items, you could deny the View work items in this node permission under an Area path:
View work items in this node
If you set the View work items in this node to Deny, the user will not
be able to see any work items in this area node. A Deny will
override any implicit allow, even for accounts that are members of
administrative groups such as Team Foundation Administrators.
For more details, please refer to this link.
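The area-path workaround from the Issues Team answer and the Deny rule quoted above, worked through as an added example (a simplified model, not TFS code and not from any of the posters). It assumes that, per group, the nearest explicit setting on the area path applies and that Deny wins across a user's groups; the paths, the "Code Only" group, the users and the function names are constructed.

```python
# Simplified model (an assumption, not TFS code) of area-path permission checks.
ALLOW, DENY = "Allow", "Deny"
EDIT = "Edit work items in this node"
VIEW = "View work items in this node"

# Constructed ACL: (area path, group, permission) -> explicit setting.
ACL = {
    ("ProjectX", "Contributors", EDIT): ALLOW,
    ("ProjectX", "Contributors", VIEW): ALLOW,
    ("ProjectX", "Issues Team", EDIT): DENY,            # restrict at the root area path
    ("ProjectX\\Issues", "Issues Team", EDIT): ALLOW,   # allow on the team's own path
    ("ProjectX", "Code Only", VIEW): DENY,              # hide work items from repo-only users
}

def group_setting(acl, path, group, perm):
    """Nearest explicit setting for one group, walking from the node up to the root."""
    parts = path.split("\\")
    while parts:
        setting = acl.get(("\\".join(parts), group, perm))
        if setting is not None:
            return setting
        parts.pop()
    return None  # not set anywhere on the path

def effective(acl, path, groups, perm):
    """Combine the user's groups: any Deny wins, else any Allow, else no access."""
    settings = {group_setting(acl, path, g, perm) for g in groups}
    if DENY in settings:
        return DENY
    return ALLOW if ALLOW in settings else "Not set"

def report(acl, users, paths, perm):
    """Effective permission per (user, path), for reviewing a planned configuration."""
    return {(u, p): effective(acl, p, g, perm) for u, g in users.items() for p in paths}

USERS = {  # constructed users and group memberships
    "issue_reporter": ["Contributors", "Issues Team"],
    "developer": ["Contributors"],
    "git_only": ["Contributors", "Code Only"],
}
PATHS = ["ProjectX", "ProjectX\\Backlog", "ProjectX\\Issues"]

if __name__ == "__main__":
    for perm in (EDIT, VIEW):
        for (user, path), result in report(ACL, USERS, PATHS, perm).items():
            print(f"{perm:30} {user:15} {path:18} {result}")
```

The report shows the limit the answers describe: membership in Contributors does not rescue a user from a Deny on another of their groups, and the Allow on the Issues path covers every work item type under that path, not only Issues.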

Which permission allows a user to create Task Groups in TFS 2017 Build?

When I try to create a task group from a task in my build definition in TFS 2017, I get an error that says
Access denied. (user name) needs Edit task group permissions to
perform the action. For more information, contact the Team Foundation
Server administrator.
I've checked the following documentation pages, but none of them seem to mention how to grant edit task group permission:
Task Groups
Permissions and groups in VSTS and TFS
Build and release permissions
I'd like to know the correct way to grant this permission.
Additional information:
My account is a member of a Builders group in the appropriate project, and that Builders group has Allow set for every permission listed at the above Build and release permissions link, except override check-in validation by build and Update build information which are both Not Set, and the documentation recommends leaving those permissions as they are.
There are three related permissions for task group configuration: Administer task group permissions, Delete task group, and Edit task group.
You could set them from Build & Release > Task Group > right-click it in the left pane > select Security.
However, just like some other permission settings, you could also directly add a user or TFS group here. After adding a user, there should be a users list under the TFS group list.
"Build Administrators", "Contributors", "Project Administrators" and "Release Administrators" are the only four default groups here. You don't have to add your user account to these groups and set the permission for a specific group to grant the related "task group" permission. For example, if you don't want to give all users in a group the corresponding permission, you could simply give the permission to a single user.
In your case, you could add your old "Builders" group here, or just add your own account, either directly here or to one of the default groups.
The other answer is good, except that I have no Builders group... perhaps due to the upgrade path that had been followed on that server.
Go to Task Groups hub, e.g. http://{server}:8080/tfs/{collection}/{project}/_apps/hub/ms.vss-releaseManagement-web.hub-metatask, and hover on Task Groups in left pane, click Ellipsis and choose Security. By default, the old Builders group is not in there, but Build Administrators is. The permission Edit task group can be set here, if needed, but it looks like the correct thing to do is add the user to one of the groups Build Administrators, Project Administrators or Release Administrators.

Assigned To field not showing user with the same name as a deleted user

We had a person leave our company and their windows domain account for Active Directory was deleted. They have since come back but have been given a different windows domain account user name. Now when we attempt to assign them tasks it's always associated with the old account. I assume this is because the name is still the same and TFS is doing some kind of duplication check. I've tried removing cache and have verified that the Team Foundation Server Periodic Identity Synchronization job is running properly. I can also see the old active directory account show up when attempting to Add a windows user or group via the dialog along with the new Active Directory user.
What's strange is this user is not showing up as a member of any groups in TFS for any of the Team Project Collections. So why are they still showing up in the [Team Project Collection]\Project Collection Valid Users group?
It seems the main issue is that deleted users are still in the "Assigned To" list. First, try to narrow down the issue.
If you are using the VALIDUSER rule, it contains all valid users in TFS. You may check the collection-level Project Collection Valid Users group; you may need to check every group to delete the user. Use the TFSSecurity /imx command to display information about that group, then delete the user from the right group.
After deleting the old user, you need to let TFS sync with Active Directory. For detailed steps, you can refer to:
Force TFS to sync with Active Directory
Active Directory Groups not Syncing with Team Foundation Server 2010

TFS - Specialized Group has no access to Work Items

I created a TFS group that would work on a specific project located in a collection. Now we're using work items to track bugs etc., but that group doesn't have access to those work items via the Team Web Access portal. I don't want this group to have access to all the projects in the collection, just the one they are working on. But I need them to be able to access work items that come up.
Currently, when they access the Team Web Access portal, they get a message indicating there are no accessible team projects in this team project collection.
If they can access their code in the collection already, how come they can't see the work items, and how can I change that, but still limit what they see?
OK, found what I was looking for after some time. For the benefit of the community, here is where that hidden security setting is done.
For the new group, I needed to go under Team/Team Project Settings/Area and Iterations!!!!
Yes, this is a silly place to put a SECURITY button. If you go in there and click the security button at the bottom of the dialog, you will then see ALL the WORK ITEM related permissions.
EDIT work items in this node;
Manage Test plans;
View this node;
View work items in this node.
I needed to check all of these to ALLOW.
Again, this seems like a stupid place to put these settings, rather than with all the other security settings via TEAM Project Settings. I hope they had a good reason for that.
They will need the View collection-level details permission added to their group (at the collection level). By default, the Project Collection Valid Users group has these permissions, so you can just add your group as a member of the valid users group.
