Users cannot access Shared documents in TFS projects - tfs

I have created several projects in TFS 2010 for which SharePoint sites are also created.
Users that have access to projects (are members of predefined Contributors security group on project level) complain that they cannot access Shared documents through Visual Studio. All users are domain members.
Is there anything else related to users permissions that needs to be done in order they to be able to open Shared documents from VS? Thanks in advance.

You have to grant needed permissions on specific SharePoint sites related to projects too.
I recommend you to create AD security groups for each project, and grant permissions for every group respectively. That should solve your issues – users will then be able to access Shared documents in TFS projects.

Related

TFS 2015 permissions required to create new project?

I have two users say user Ad and user Us, Ad has admin rights and is the account used to install and configure TFS 2015, user Us is an admin which has all permissions needed for an administrator.
Now when I tried to create a new project from Visual Studio 2015 the get the below error:
Error
The Project Creation Wizard encountered an error while creating reports to the SQL Server Reporting Services on
Interestingly, my Ad account does not have SYSDBA permission on the databases when i get the error. But if i provide the SYSDBA permission to the Ad account the project creation utility works.
I want to know how is this possible? and is there a way to create a new project in TFS 2015 without having the SYSDBA permission?
Help appriciated!!!
If you just create a new project, usually you only need to be the memeber of the Project Collection Administrators Group and have the Create new projects permission set to Allow.
However, if you have SQL Server Analysis Services and SQL Server Reporting Services been configured for the deployment or a SharePoint Web application been configured for your deployment, you also need to become a member of Team Foundation Content Managers group and get Full Control permissions on the server that hosts SharePoint Products.
Has SQL Server Analysis Services and SQL Server Reporting Services been configured for the deployment?
If so, ask your administrator to add you as a member of the Team
Foundation Content Managers group on the server that hosts SQL Server
Reporting Services. Without these permissions, you’ll be unable to
create a team project.
More detail info please refer the link from MSDN: Create a team project
Permissions for TFS Team project creation:
1. Add the user to TFS Admin console users or to Project collection Admin group
2. If sharepoint is available, Add user to sharepoint Farm admin and also site collection administrators
3. If Reporting is configured, Give user Team Foundation Content Manager role.
Still if team project creation fails then Depending on the error check if user is added to TfsReports Folder security and then in to specific collection level folder security.
4. If error is related to Datasources then check if user is available at both reportDS and OlapreportDS security.
If you can give the exact error message base on that recommendations can be made. The above information is the basic requirement.

deny read access to single project in a solution consisting of multiple projects

We use TFS as source control. In TFS we host a solution consisting of multiple Visual Studio projects. We do not want our contractors to see the source code of ONE of these projects (limited users should still see all compiled assemblies). What is the best way to achieve our objective without setting up two repositories and having to synchronize all code changes between them?
I would recommend that instead of just changing the permissions in place that you move the projects that you want to protect to a separate folder with its own solution. Secure that folder as above. You can then build it separately and deploy it to an internal nuget repository.
you can then reference that repository from within the Visual Studio package manager and it will be managed as an external dependency. If you update and publish the other solution then the other devs will be notified of updates..
You control access rights to a folder by selecting Advanced->Security from Source Control Explorer. From there, you can turn off security inheritance for the item(s) you need to protect. Then, create a TFS-specific group containing the 'limited users' only and only allow them access to the particular project folder. Alternatively, create a group for the contractors and deny them access.
This is based on VS/TFS 2012.
But my guess is that you will also need to create a specific solution for the contractors that doesn't have the particular project included.

How can I grant access to all Team Projects for a custom group

I have a custom group in TFS, and I would like to grant access to this group for every team project so we don't have to do this one by one.
It seems like the developers have access via Source Control Explorer, but cannot see these projects via 'Connect to Team Project'.
Any idea what is going wrong, or what permission is missing?
We are using TFS2012 on-premise.
The tfssecurity command line tool allows us to manage permissions for TFS groups and users. We could use it in a PowerShell script to grant access to projects that already exists. However I haven't found a way to use this command at the TFS collection level in order to grant permissions for future projects.
The approach I use is based on the fact that TFS permissions are inherited unless explicitly denied.
To create an user group that will automatically access all existent projects as well as the futures ones, follow those steps:
Create a new security group at the project collection level. From Visual Studio you can do it from the "Team / Team Project Collection Settings/Group Membership" menu. On TFS Online you can access to "Account Settings / Security" page.
Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including the futures ones.
Deny the permissions of the new group, in order to limit the administrator permissions inherited by the group. You can use an existent TFS group as template, and deny all permissions except those explicity allowed to the group which behavior you want to copy. For example, if you want to create a group with the same permissions that has the default "Project Collection Valid Users" group, you can deny all permisisons except "Create a workspace", "View build resources" and "View collection-level information"
It is possible but you’ll need to give your users a log more privileges than they need to have. You can give them privileges that are similar to project collection administrators and they will have access to all projects but with elevated privileges.
It is possible do this but only for source control like you’ve already done but I’m not really sure about connecting to projects, working with workitems and such.

Team Foundation Server 2010 Project Collection and Project Permissions

I'm new to Team Foundation Server 2010 and I have a question about permissions.
Is it possible for a project to inherit permissions from a project collection? I want to setup a custom contributor group at the project collection level and add the developers to it. Each time they create a new project I want to inherit the permissions from the project collection. That means I don't have to explicitly add the developers to the project each time they create one.
Maybe there is some other way of doing this and not having to setup a custom contributors group? Any help would be appreciated!
I would recommend setting up some Active Directory Groups along the lines of:
TFS Contributors
TFS Administrators
TFS Project Managers
(You could also do this for specific projects. You get the idea.)
Give these AD groups the permissions you need, and simply add/remove the developers to the AD groups. If you can get the ability to manage the AD group, this will be much simpler that administering through the TFS admin tools.
Hopefully, you'll already have AD groups that fit these needs, saving you the trouble. Maybe a team-wide distribution list, for example?
You can create collection level roles (TFS Groups) and edit your process template to grant permissions to those roles so there are set by default in every new project.

TFS Team Project Portal permissions

I have added users to Contributor Group in Team Project, but they are not able access the Team Project Portal. What could be the problem?
You have to manage permissions to TFS, Sharepoint and Reporting Services separately. This means that adding people to TFS groups does not automatically add them to Sharepoint and reporting services groups.
Please check below MSDN library for information on how to add users to Share Point Portal:
http://msdn.microsoft.com/en-us/library/bb558971.aspx
You can also use TFS Administration tool, which provides the options to add users to TFS, Sharepoint and Reporting Services from single place.

Resources