I have one folder in TFS and I have given rights as Contributor that's mean they can do check outs/check in/locks etc. But I would disallow them to delete any file or subfolder belonging to main folder. Please let me know if you have any idea in this regard.
You cant, but on the other hand a delete of a file only hides the file. In order to 'permanently delete' a file you need to run tf destroy on the file , and that requires the user to be a part of the tfs administrator group .
Read more here
You can't. I think this is something you will have to manage by process and not technology I'm afraid.
Any operation (excluding a destroy) can be undone.
As was already said, this can't be done with permissions. If you absolutely need a way to prevent this (and rolling back the delete afterwards is not enough), you have two possibilities:
use a Checkin Policy to warn the user that he should not delete elements. This can be overridden by the user, so it's not an absolute, but they know they may only do this with your permission. If they still check in without permission, you can still roll back. Biggest drawback: You need to distribute a dll file to all client PCs everytime the policy is changed, because the checkin policy is executed on the client.
set up a serverside pre-Checkin check. You can write against TFS API to react to different events, such as pre-Checkin, post-Checkin etc. In those event handlers you may perform checks, e.g. "is a delete operation contained in the changes the user wants to check in?" and make the operation fail if that's the case. This cannot be overriden by the user, but is a lot more effort to implement and maintain imho.
That said, I would propose setting up "checkin conventions" the users are supposed to adhere to, and roll back any changesets where they don't. Possibly supported by variant 1. to remind the user that what he is doing is not permitted.
Related
I would like to check in code after a code review is approved. I came across this stack about creating code reviews and checking in, but my question is a little different.
My issue is that I want to create a code review; however, I do not want to check in the code until it is approved. That limits me from being able to start another code review with removing related work items. What I would like to do is create code reviews and check in from the code review tab in the Team Explorer
Is that possible? It is the same principle as creating a code review after the check in, but with Code reviews and checking in. I do not want to go to pending changes and check in there because I may have removed the related items. But I do want a check in to be tied to my code review.
Unfortunately, there is no "proper" way to do what you are trying to do. You could have your working directory on a shared drive and just notify your reviewer when you are ready for them to start their review process, but that side-steps the accountability by not having each development/review iteration officially logged within TFS. This means you should check in your work and let the reviewer do their job, then continue on in that fashion to make any changes requested by the reviewer, check in, and get another code-review.
For completeness I will mention my suggestion from my comments here as well.
My suggestion would be to create a self-contained, short-lived development branch where you will do your development and have your code reviewed. Then once the development and reviewing has been completed to satisfaction, that branch can be merged back up and destroyed. This provides a much cleaner and safer approach. 1) It reduces the clutter in the history within TFS. 2) It prevents multiple unnecessary automated builds/tests/etc... from being triggered.
In your comment you suggest that this changes the "structure of your branching methods". I don't see how doing this changes anything in any way that matters. Your merge would be just like your final development check-in except that by this time all reviews have been completed and you are performing a single, clean check-in. It will still contain all of your check-in and review information, however instead of a cluttered chain of check-ins, you will have a single collapsed node which contains every single thing that was done for that particular task.
I would check with your manager, your code reviewer and/or anyone you have that is in charge of TFS and creating/maintaining your TFS policy. This approach really doesn't change anything in regard to how the rest of your process works. You would have simply abstracted your development cycle to a self-contained environment. The second you perform your merge you are right back into your normal process as you have it now.
Okay, so for documentation purposes. I did not fully understand the shelving that TFS allow me to do. After reading Shelve and Unshelve Pending Changes, it makes more sense to me. I can shelve what I am working on, unshelve the code that I have done a code review for, then check in that code. That way I can create a code review and continue working until that code review is approved. Once approved, I can go unshelve the changes and check it in.
I am setting up a tfs 2013 environnement,
In a Scrum team project, we would like a few users to be able to create backlog items and tasks, but we would like that other users to only be able to change the task their are assigned. Or at least we would like that these users can modify existing tasks, while not being able to create new one, or move them to other sprints
at this time, with the security parameters i have found, i can only either allow a user to do everything (create and move a backlog items from a sprint to another, modify it, delete it...), or nothing (if you can't create or move, you also can't modify an existing one...)
any clue how i could proceed ?
We have custom work item types and we prevent users from creating certain work items by editing the WIT's xml and including this in the transition between nothing and the "New" state. [global]\TeamSystem-TaskCreation is a TFS security group with a limited set of members.
<TRANSITION from="" to="New" for="[global]\TeamSystem-TaskCreation">
There is no real way to do this I'm afraid. TFS does not have many fined grained access controls, the impression I get is that it is designed to empower people and not restrict them.
You should be able to ask people not to change tasks, if that is your way, and use the Work Item History and/or Alerting functionality to know when they have done something you don't want them to. For example, and task changes not by approved people sends and e-mail to the leads.
Does anyone know if it is possible to prevent a work item from being assigned to a specific user account in TFS?
After migrating a TFS from one domain to another, some of my team members have two user accounts, the original one from the old domain, and a new one from the new domain. I'd like to stop work items from being assigned to the old account.
Most process templates restrict username fields with the rule. (If yours doesn't, you should do so.) Then all you need to do is remove the invalid accounts from TFS Valid Users group.
Unfortunately, you can't do this directly -- TFS manages this group automatically based on ACLs found throughout the rest of the system. You have to hunt them down. See these threads for more details:
http://social.msdn.microsoft.com/Forums/en-US/tfsadmin/thread/6e5af2ab-1cbc-4d12-9078-454147926316
http://social.msdn.microsoft.com/forums/en-US/tfsadmin/thread/1ce8b5b0-9924-45ed-919b-49a6a61bb7c7
Once you find all instances where the old domain is being referenced, the general strategy for cleaning up orphans is to add a new ACL, wait for TFS to sync (or iisreset), then remove everything.
However, this may not be possible if you've taken the old domain offline, or there's no trust relationship between the two domains, etc etc. At some point it becomes easier to edit TfsIntegration manually. I usually don't recommend mucking in the TFS databases since it's unsupported and subject to change with every patch. For optimum safety, I'd still strongly suggest using stored procedures rather than trying to interpret the schema relationships (and make sure you hold the necessary locks, etc). prc_security_delete_identity is your best entry point: all you need to know is the old account's SID.
My application needs to read an option on startup to check if it should start in read-only mode. The option should not be allowed to be changed by the user.
I usually do this now using a value set in the HKLM\Software section of the system registry. The administrator sets the value and the users can't change it (they don't have rights to modify entries in HKLM).
The problem is that on a terminal server (or Citrix) machine this affects all users. I'd like to figure out a way to do this on a per-user basis. How do others handle this? Is there a section in the system registry for this kind of per user setting that the user can't change?
Thanks for any suggestions or comments!
This is essentially what the HKEY_CURRENT_USER\Software\Policies key is for, i.e. a key within the user-specific part of the registry that is by default read-only to the user himself.
By convention the key hierarchy should complement the one you already have under HKEY_CURRENT_USER\Software, e.g. if your regular user preferences are stored under HKEY_CURRENT_USER\Software\MyCompany\MyProgram then the protected user preferences (or "policies" in MS lingo) should be stored under HKEY_CURRENT_USER\Software\Policies\MyCompany\MyProgram
Note that it is recommended to only set values under this key via Group Policy Objects and never by direct registry access.
The concept of a per-user settings area that the user can't change doesn't really make sense - if they're user settings, "you" (the user) expect to be able to change them.
I can think of two alternatives:
Write your settings in HKLM, but have
a different setting for each user and a global fallback setting for users without the setting set
Write them in HKCU, but use the
registry security APIs to prevent
them writing to it. You will probably need
permissions greater than theirs to
prevent them undoing the permission
changes. I don't really like this
option, but if you want to follow it
you probably want to start with the
RegGetKeySecurity and
RegSetKeySecurity APIs. This
article might be interesting as
well.
Personally I think the first option would be the easiest, and also would involve less dodgy stuff in the user's registry tree. Hope that helps!
How about two settings?
1) Set a flag in HKLM specifying that read-only is the default behavior on this machine.
2) For any users that need full access, set a token in HKCU which enables full access.
The token could be a cryptographic hash of some salt plus the username, so it couldn't be copied to give permission to another user.
Why don't you store options in your own database? It seems reasonable and handy enough (at least to me 8) ) No problems with making "portable" version of your product. No users bothering any settings you don't want them to bother.
Whats wrong with HKCU instead of HKLM? This would be per-user. Unfortunately it could be changed by the user if the user knew how to edit the registry and find the key.
Take one of the files coming with your program, that should not be altered (at least not by the restricted user). If there is no such file, create one just for this purpose.
Let the administrator set read only rights to that file for those restricted users.
In the program check whether you have write access to that file.
You can limit "Check-In Policy" rules via the "Custom Paths" policy. But the "Check-in Notes" tab doesn't seem to fit in to the same system. Why isn't "Check-In notes" just another "Check-In policy"??
I'm using Team Foundation Server 2008 SP1
We had a similar problem some time ago. For some sub tree we wanted to require entering a code reviewer. I ended up implementing a custom policy and used the Custom Path Policy to restrict it to certain folders. That works well, except that you have to deploy your policy assembly and TFS has no built-in mechanism for that, yet.
That's an interesting question - the short answer is you cannot.
I have ran into the issue myself a lot where people get check-in notes and check-in policies confused because, while very different in implementation on the server, they often serve similar purposes.
Check-in notes are bits of structured meta-data that you want to collect on every check-in to a Team Project. They can be thinks like who was the code reviewer or a reference to a ticket in an external CRM system or something. You can make them required, or just have them defined for people to optionally fill out.
Check-in policies are bits of code that run on the client at the point of check-in that get a say if the check-in should be allowed or not. These are useful for checking things like you have associated a check-in with a work item, given it a comment or the code you are check-in in passes certain key static code analysis rules (such as basic checking for SQL injection attacks etc). If a check-in policy fails in the evaluation of the check-in then the user gets alerted and they get the ability to fix the problem or check-in anyway with a check-in policy override than can easily be reported on or alerted for by the TFS administrator.
Both check-in notes and check-in policies are defined and scoped at the Team Project level. However, Microsoft got feedback that some people would like check-in policies would like to be applied to specific paths in version control rather than just the Team Project and so the Custom Path Policy was invented.
The Custom Path Policy is a bit of a hack that allows you to wrap check-in policies inside the custom path policy. The custom path gets evaluated on every check-in and if it contains files inside the defined path then the wrapped check-in policies are evaluated for those files. The Custom Path Policy ships in the TFS Power Tools and is not part of the "Out The Box" TFS experience.
So, to answer your question a different way - I suspect the answer is "because that's the way it was designed and not enough people have asked for it to be changed".
If you wanted to leave feedback at http://connect.microsoft.com/VisualStudio I know they take customer feedback very seriously.