Areas and iterations, permissions required - tfs

What are the correct permissions/settings to allow a user to create/edit areas and iterations?
I have a user that is getting this message in the admin section of areas or iterations:
You do not have one or more permissions required to update the iterations for this team
The weird thing is that the user can indeed create/edit areas and iterations. This user is part of a TFS Group I created for the Project. The Security properties of this group are:
Create test runs - Allow
Delete team project - Not Set
Delete test runs - Allow
Edit project-level information - Not Set
Manage test configurations - Allow
Manage test environments - Allow
View project-level information - Allow
View test runs - Allow
The Security of Areas and Iterations has Allow for everything.
This used to be enough in TFS 2010, but I don't know why the message appears in TFS 2012.
Another thing: if I change the Security Property of "Edit project-level information" to Allow, the user does not get the message, but in TFS 2010 this setting allowed users to change the permissions of other users and I don't want that.

You can use TFS Sidekick to effectively see how a user inherited different permissions on the different areas in TFS. You can use this tool to check out other projects where the permissions work and see if the adjustments you made had the effect you wanted. I don't advise changing permissions with this tool; use the administrator console to give these permissions to the group you want.
Tfs 2012 Sidekick

I don't know if it's the correct answer, but I added my custom group to the Project "Team". I have to read more about this Teams thing in TFS2012.

You (as project admin) have to use security policies on Iteration and area nodes from project web portal. (ex: http://tfsxxxx:8080/tfs/<collection>/<project>/_admin/_iterations ..../_areas).
Select an iteration or area node, right-click and select Security in order to set the following rights:
Create child nodes
Delete this node
Edit this node
View permissions for this node

Related

Where do you add a TFS 2017 (on prem) user to be able to modify test suites?

I'm a TFS project administrator.
I'd like to add a member of the team to whatever group is needed so that they can manage test plans/export test suites and the like.
The simplest way is just adding the user to Contributors group for a team project, which will have the manage test plans and test suites task.
Note: Stakeholders cannot create or manage test plans. You must have at least Basic access.
If you don't want to add the user to the default Contributors group in the project, you could also assign the permission to him directly or create a new group. Permissions can be given at Project level and at Area path level (Manage test plans & suites permission).
For more details, please refer to: Default manual testing permissions and access
Update
Work - Areas - right-click the area - select Security - Contributor

In TFS 2015, how do I block contributors from checking into a branch while allowing the project administrators branch?

I'm working with TFS 2015 using the ALM Rangers Development & Release Isolation Branching Strategy and Team Foundation Version Control. I would like to keep developers from checking code into the Main branch and letting them only work in Dev and Release branches. I want to allow the Project Administrators and above to perform the merges and check ins to Main.
With Team Web Access:
I selected the drop-down next to my Main branch and selected "Security".
Set Inheritance to "Off".
For Contributors, Set Check in and a few other permissions to "Deny".
Saved Changes.
For Project Administrators, set the same permissions to "Allow"
Saved Changes.
TFS changed the values of each of the Project Administrators permissions to "Inherited deny*"
I have heard that setting "deny" can cause problems. Now I understand why I was told that. Is there a way to achieve my stated goal above, through standard TFS permission settings?
Can't reproduce your problem with the same settings in my TFS2015.
According to TFS permission settings, for most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
To achieve what you want, you can create a new group such as DenyMainGroup. Add the developers to this group. Make sure your project administrator members don't belong to it. For this group, set Check in and a few other permissions to "Deny". For Contributors and Project Administrators, set the same permissions to "Allow". Save changes.
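
A simplified model of the precedence rule described in the answer above, added here as an example and not taken from TFS or from the post. The user names, the "Dev Team" group, and the assumption that an administrator is also a member of Contributors are constructed; the model ignores the exceptions the answer alludes to with "most groups".

```python
from enum import Enum

class Ace(Enum):
    NOT_SET = "Not set"
    ALLOW = "Allow"
    DENY = "Deny"

def groups_of(identity, members):
    """Return every group the identity belongs to, following nested groups."""
    found, stack = set(), [identity]
    while stack:
        current = stack.pop()
        for group, direct in members.items():
            if current in direct and group not in found:
                found.add(group)
                stack.append(group)
    return found

def effective(user, permission, members, acl):
    """A Deny on any group wins; otherwise any Allow grants; otherwise Not set."""
    states = {acl.get((g, permission), Ace.NOT_SET) for g in groups_of(user, members)}
    if Ace.DENY in states:
        return Ace.DENY
    return Ace.ALLOW if Ace.ALLOW in states else Ace.NOT_SET

def audit(members, acl, users, permission="Check in"):
    """Effective state per user, for reviewing a branch ACL before saving it."""
    return {u: effective(u, permission, members, acl).value for u in users}

# Constructed scenario 1: Deny placed on Contributors, admin1 is in both groups.
BEFORE_MEMBERS = {"Contributors": {"dev1", "admin1"},
                  "Project Administrators": {"admin1"}}
BEFORE_ACL = {("Contributors", "Check in"): Ace.DENY,
              ("Project Administrators", "Check in"): Ace.ALLOW}

# Constructed scenario 2: Deny moved to a dedicated group that holds only
# developers, directly (dev1) or through a nested group (dev2).
AFTER_MEMBERS = {**BEFORE_MEMBERS,
                 "DenyMainGroup": {"dev1", "Dev Team"},
                 "Dev Team": {"dev2"}}
AFTER_ACL = {("DenyMainGroup", "Check in"): Ace.DENY,
             ("Contributors", "Check in"): Ace.ALLOW,
             ("Project Administrators", "Check in"): Ace.ALLOW}

if __name__ == "__main__":
    print("before:", audit(BEFORE_MEMBERS, BEFORE_ACL, ["dev1", "admin1"]))
    print("after: ", audit(AFTER_MEMBERS, AFTER_ACL, ["dev1", "dev2", "admin1"]))
```

Running the audit over real group membership before saving a Deny shows which accounts the Deny reaches through nesting, which is where an unintended lockout usually comes from.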

TFS 2013 - Create A TFS Group With Rights Only For Managing Work Items

Is it possible to create a TFS Group / role where users in that group can only manage work items but not check in code?
If so, how would you go about doing this and what permissions does this role need?
I want this for my Project Managers / Business Analysts.
To enable permissions to manage work items, please go to Settings in Team Explorer and select Work Item Areas and Work Item Iterations.
Then on the admin/_areas page (like http://servername:8080/tfs/DefaultCollection/Agile/_admin/_areas), right-click the Area and select Security. Set the Edit work items in this node and View work item in this node to be Allow. You should then apply similar settings to Iterations.
To disable permissions to access source control code: right click the project in Source Control Explorer and select Advanced -> Security to deny source control related permissions:

Removing User from TFS2013

A developer has left our team. Whilst working with us, he was a member of our TFS2013 instance. I've removed him from every group within the Team Project and Team Project Collection, and checked that he is not in any groups on the TFS server directly. His account in active directory has in fact been deleted. However, I still see his name in two places;
1) On the drop down list for 'Assigned To' on tasks/backlog items on the Scrum board
2) On the Team Project Collection Users list, his user appears if you select 'Users' but he is not a member of any groups. There is no Remove option anywhere on the screen.
Is this simply because he has previously checked in code/had tasks assigned to him in the past? I realise it is easy to say 'yes' to this question as it seems perhaps obvious, but I would like to know if it is possible to completely remove his user from these 2 places.
1) First check that he isn't part of any teams and/or an admin of a team (under the team icon). If the Witd types are customized, it can also be that he was manually added. Otherwise force a synchronisation of the active directory; https://mohamedradwan.wordpress.com/2013/12/29/force-synchronizing-tfs-2013-users-with-windows-accounts/
2) If the synchronisation didn't fix this as well, it's possible there are explicit rights defined on his user account. You need to remove that specific right.

How can I grant access to all Team Projects for a custom group

I have a custom group in TFS, and I would like to grant access to this group for every team project so we don't have to do this one by one.
It seems like the developers have access via Source Control Explorer, but cannot see these projects via 'Connect to Team Project'.
Any idea what is going wrong, or what permission is missing?
We are using TFS2012 on-premise.
The tfssecurity command line tool allows us to manage permissions for TFS groups and users. We could use it in a PowerShell script to grant access to projects that already exists. However I haven't found a way to use this command at the TFS collection level in order to grant permissions for future projects.
The approach I use is based on the fact that TFS permissions are inherited unless explicitly denied.
To create a user group that will automatically access all existing projects as well as future ones, follow these steps:
1) Create a new security group at the project collection level. From Visual Studio you can do it from the "Team / Team Project Collection Settings/Group Membership" menu. On TFS Online you can access the "Account Settings / Security" page.
2) Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including future ones.
3) Deny the permissions of the new group, in order to limit the administrator permissions inherited by the group. You can use an existing TFS group as a template, and deny all permissions except those explicitly allowed to the group whose behavior you want to copy. For example, if you want to create a group with the same permissions as the default "Project Collection Valid Users" group, you can deny all permissions except "Create a workspace", "View build resources" and "View collection-level information".
It is possible but you'll need to give your users a lot more privileges than they need to have. You can give them privileges that are similar to project collection administrators and they will have access to all projects but with elevated privileges.
It is possible to do this, but only for source control like you've already done; I'm not really sure about connecting to projects, working with work items and such.

Resources