Let's say I am the administrator of some project on sf.net. I want to
add a new user as member of a project, and to grant him
rights to create files in some directory.
I added a user as member of a project, but it didn't have a
possibility to create/delete files/directories.
If someone has experience in a similar question, prompt to me please.
Thanks!
Your best bet would be to ask this question on either #sourceforge on irc.freenode.net, or create a support ticket at https://sourceforge.net/p/forge/site-support/new/ or email the support staff at sfnet_ops#geek.net
What you're describing shouldn't happen, so you need to report it as a problem. However, it could just take a little time for the necessary permissions to get applied, so it might depend on how close together the two events are.
Assuming you are on SourceForge's latest platform i.e Allura, here are the steps you can try.
1) Log in to SF
2) Click on Admin tab
3) Click on User Permissions
You should be able to add users, create group and manage permission for group.
Related
We have a project that has been running for a while and has some external clients. I'd like to configure TfS so that while the development team can see all the Work Items, the external clients / stakeholders can only see the work items which relate to their area and not any of the general development tasks or those relating to other stakeholders.
I tried to follow the Microsoft guidance for setting up multiple teams and areas (so will use their examples).
Areas are configured as follows
Fabrikam Fiber
-> Email
-> Web
Teams are configured as follows
Fabrikam Fiber (this team 'owns' the Fabrikam Fiber area and includes sub areas)
-> Email (this team 'owns' the Email area only)
-> Web (this team 'owns' the Web area only)
Teams have the following members
Fabrikam Fiber (whole development team)
-> Email (Adam only)
-> Web (Bill only)
So logging in as the following I would expect to see:
Development team. Can access whole project, both team projects and work items in any area
Adam. Can only access the Email team project and see work items in the Email area
Bill. Can only access the Web team project and see work items in the Web area
But what actually happens is that both Adam and Bill can see everything that the development team can (projects / work items).
What have I done wrong and how can I make this work as I would expect? I'm sure I tried this in the past and it worked fine but that project now also has the same issue. We're using TFS2017 On Premises.
Thanks!
Update 30/04/2018
Thanks for the responses!
Step 1 of Cece's answer didn't apply to me as it's a single code base but Step 2 does mean that I can prevent the user from seeing work items in the other area - hurrah!
However I'm still stuck on how to prevent the user from seeing that the other areas exists at all (so in my example I wouldn't want Email to see Web listed on the homepage - as these are client names). I had a better look at the Contributor group etc following Daniel's comment and having read the links Cece provided. Logically I would expect that I should remove the Email team from the Contributor's group as that is Project level (and then they would only have their area permissions) but then all I get is a message saying 'This project only contains a default team.' There is also a tantalising Permission called 'View project-level information' but this doesn't seem to be editable.
I seem to have hit a brick wall again so any further advice would be greatly appreciated!
You need to set both TFVC permission and area path permission:
Set permission for projects. Go the version control tab, select the project that you want to set permission, add the user, and grant Deny permission for Read.
Set permission for area path. Go to Work tab, select Security for the area path that you want to set permission, add the user, and grant Deny permission for View work items in this node.
I cant seem to find where to set read only rights for users within TFS when viewing test items/cases and plans. So if a test case is opened a user shouldn't be able to edit the case. Any idea? TIA
You control work item permissions at the area path level.
I've got an issue where users that are disabled in Active Directory are still appearing in a Team Project Collection in Team Foundation Server 2013. This is a problem because any projects that are within the collection have these users inherited and are visible when assigning work items, etc.
These users in the screenshot below are all disabled and none of which are a part of any group or groups on TFS.
Specifically these users:
Kumar
Carl
Mishra
Bertram
Shah
Rajendran
Arora
It would also be nice to hide these users:
Network Service
Sharepoint account
Local Server Account (******-DEV1$)
I have tried the following:
Removing [Built-In]\Administrators group as per instructions here: https://stackoverflow.com/a/15640409/559988
Clearing the TFS data cache and restarting IIS as per instructions here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/31487b77-8a1a-4b1f-8cdb-8f3528a3a389/tfs-2013-user-management
Verified the users are disabled in Active Directory
Verified the disabled users are not apart of any groups in Active Directory
Verified Active Directory sync is working (added a new user and it appeared just fine).
Has anyone else had this issue with disabled users appearing in TFS 2013 or know how to resolve it?
Thank you
This phenomenon is correct. The disabled user in Active Directory will still appear in TFS. Since these users are imported from AD, and belong windows group, so you can't delete these from security page. TFS server will automatically sync from the AD.
You may need to manually delete the users instead of disable the users in Active Directory .
Update
You can't hide the user in security. If you are get annoyed with these users when assigning work items. You can filter the user which you want to display in work item drop list. Please see my answer in this question: TFS-2015 limiting user list for detailed step.
After trying everything in Patrick's post above I am unable to resolve this issue.
This issue also remains unresolved in a similar post here: How do I remove a user from tfs?
The only way I was able to partially-resolve this was by upgrading from TFS 2013 to TFS 2015. The users still appear in the Project Collection users group, but no longer appear in the Team Project as options for work items, etc.
It's unclear why this is the way it is.
I have a user who gets the following error when they attempt to create a New Team Project:
TF218027: The following reporting folder could not be created on the
server that is running SQL Server Reporting Services[...]
After several attempts to fix using feedback from this site as well as others, I have narrowed down the problem somewhat, but not sure what to do next.
The user is in the appropriate group in SSRS, with Content Manager and Team Foundation Content Manager roles. I have also broken the permission inheretance per This stackoverflow article.
The odd thing I have observed is that by putting the user into SSRS directly, it works. By being a member of a group instead, it does not work.
Any advise would be appreciated greatly.
Windows group memberships are only refreshed on log on. If you added the user to the group right now, the user might need to log off and log on again to get the new group membership into effect.
Can someone tell me how to set file permissions in Delphi 2006? I am using TINIFile.Create to create INI files in my application. The problem is that if I create the file while logged onto Windows as an administrator and then try to run the application as just a standard user and overwrite the INI file, I do not have permission to do so. I put the file in the AllUsers\ApplicationData\MyProduct folder. I'd like to set the permissions to this folder. I need AllUsers to have Full permissions to the MyProduct folder. If its possible to do this through a WindowsAPI that'd be great because I also need to do this in C++ and C#. I'd really appreciate any help. Thanks!
Although you can do all sorts of permission changes with the right code in Delphi (as admin) a better application structure is to NOT assume that your App has any privileges (you say you want it to run in user mode). Instead, use the installer that will install your App (e.g Inno Setup) to copy a suitable Ini file template into your required data folder. You can specify the permissions that you want using "Permissions: user-modify" on the file copy line.
You can use JEDI library for this. Here is a blog "Setting file security with JWSCL" from posted by Christian Wimmer
The correct answer on "how to do that" is "don't do it at all".
If you set "allow to write for anyone" for your MyProduct folder or ini-file - this will be violating security. Because now any user can affect other users - this is not what they should be allowed to do.
Any user must affect only his world. He should not affect worlds of other users. This power is reserved for administrators.
Why is this bad? Obsiosly.
That's why the correct way will be approx. like this:
Installer of your application MAY put an ini-file into AllUsers folder, but DO NOT alter file's permissions. This file will be default read-only options.
Your application should read settings from AllUsers folder and from current user folder. If it needs to save settings - it should write to user folder, not AllUsers. That way, each user will have their own preferences/settings.
If you want that "someone powerfull" should have ability to enforce settings for all users - he should be an administrator. He can edit file in AllUsers, thus affecting settings of all users.
Note, that you also need to decide, which setting have higher priority (global or local). So, you can have both at same time: (a) local settings for each user and (b) ability to enforce/override user's settings.
Most probably you create your ini file into the application folder, don't you? You should avoid such practice. Instead create ini files into users\YourUser\AppData\Roaming\YourProduct.
I am having a similar problem.
Since you need to do this also in other environments I have a suggestion for you.
Use an external installer to install your application. It has many benefits and one of them is that it will configure for you a File\Directory\Registry permissions during the installation. Of course you would have to run the installation on administrative account but then your users will have the permissions required by your application.
I can recommend you a great installer which is called Inno Setup.