We have a TFS 2010 with 14 collections. Each collection has its own team members (different Active Directory Accounts).
When a user logs into TFS, he sees all the collections and can enter the draft, create work items, see the source code, etc. So he is not in the list of Team Members.
I made a program in C# to go through the permissions by collection and project, and no one is repeated.
How can I diagnose this behavior? Is there a tool where I can enter the user's name and have it show me why he has those permissions and how they are inherited (collection groups or server groups)?
I appreciate your input.
UPDATE:
Thank you for the answers. We solved it. It was a sync problem between Active Directory and TFS.
You could try http://tfsadmin.codeplex.com/ I don't believe it has the user lookup function but I've found it a lot easier to edit roles with than using TFS itself.
How can I see who has accessed files in a team project in TFS? Normal View History only shows you check ins. And exporting the Audit Log from TFS doesn't show you this info. I am interested in knowing who has made a read/get latest access on a specific team project.
This needs to be documented for my QA department. Are there any TFS SQL scripts that can show this info?
Sorry, we do not have this kind of record of each user operation, such as read/get latest, on a specific team project.
As you have mentioned, the history command only displays the revision history of one or more files or folders. It only relates to each changeset (checked-in files).
Audit logs basically display some modify operations in TFS and also do not include any access info at present.
Digging into the SQL database to query such information may be a solution. However, this is highly not recommended, since it may cause some potential risks to your database, and you will also lose support from Microsoft.
This should be a feature request; you could submit it here. Our PM will kindly review any suggestion.
Recently my team upgraded to TFS 2017 from TFS 2012. I am a TFS administrator on the box, but when I attempt to install a gallery extension in a specific team project collection I get:
"Access Denied. {user} needs Manage permissions to perform the action.
For more information, contact the Team Foundation Server administrator."
That would be fine, except I am the server administrator...sigh. The steps I have taken so far are:
Reapplied my Admin Console User access.
Confirmed I am still a member of the "Project Collection Administrators".
Made sure I was in the "Project Administrators" groups for all of the collection's projects.
Made sure I had allow on "edit/view project-level information" for all projects.
Compared security rules between other team project collections and the issue collection.
Used TFSSecurity to directly set permissions again.
When I found that none of these steps worked, I went so far as to ask another admin to remove me and add me back, to no avail. I should also mention, I have the ability to add extensions in other team project collections, just not the main one we use for development.
Any thoughts would be greatly appreciated.
UPDATE:
We found a post about there being a bug in the RTM version of TFS 2017. We were skeptical that is the cause, as we had already done the potential workaround without success. We have decided we are going to attempt to install Update 1 to see if that resolves the issues. I will update with the result, but that will not happen until the next maint window.
UPDATE 2:
We installed TFS 2017 U2RC2, and it did indeed resolve the issue. I suspect that Update 1 was all the farther that would be needed, but there are a bunch of nice features with U2RC2.
I'm afraid your issue is possibly not related to that bug in RTM TFS 2017. The bug is more related to the security ACEs for collection admins at the team project level, and thus collection admins were unable to access and administer some team project resources.
To narrow down your issue, you could try the ways below:
Use another Admin account to install the specific extension
Use your account to add some other extension
If this is an issue only related to your account, there must be something wrong with the security ACEs. Double check and compare the different permission settings between your account and the other admin's account. Check if you have any related deny permission under the project collection. In TFS, deny trumps allow.
Moreover, when you do the remove and add back operation, there may be some identity synchronization problem in TFS. After waiting for some time, you could try to install the gallery extension again.
Of course, you could also update your TFS server, which may do the trick. I suggest you update directly to TFS 2017 Update 2 RC2, which will be the last "big" feature release for TFS 2017. Release Notes
A developer has left our team. Whilst working with us, he was a member of our TFS2013 instance. I've removed him from every group within the Team Project and Team Project Collection, and checked that he is not in any groups on the TFS server directly. His account in Active Directory has in fact been deleted. However, I still see his name in two places:
1) On the drop down list for 'Assigned To' on tasks/backlog items on the Scrum board
2) On the Team Project Collection Users list, his user appears if you select 'Users' but he is not a member of any groups. There is no Remove option anywhere on the screen.
Is this simply because he has previously checked in code/had tasks assigned to him in the past? I realise it is easy to say 'yes' to this question as it seems perhaps obvious, but I would like to know if it is possible to completely remove his user from these 2 places.
1) First check that he isn't part of any teams and/or an admin of a team (under the team icon). If the WITD types are customized, it can also be that he was manually added. Otherwise force a synchronisation of the Active Directory: https://mohamedradwan.wordpress.com/2013/12/29/force-synchronizing-tfs-2013-users-with-windows-accounts/
2) If the synchronisation didn't fix this as well, it's possible there are explicit rights defined on his user account. You need to remove that specific right.
I have a TFS 2010 Work Item Type with a custom field called "Requested By." This field can be populated with any name, but since most of the requests come from project developers throughout the organization, the SUGGESTEDVALUES property should populate the dropdown list with members of any TFS team project.
I have tried various values for SUGGESTEDVALUES, but both Collection\ Project Collection Valid Users and Server\ Team Foundation Valid Users seem to return every valid Active Directory account—well over 10,000 names.
I recognize that one option is to add an ALLOWEDVALUES item with multiple LISTITEM entries for Project\ Contributors for every team project, but with more than 150 team projects in the organization, this would be time-consuming initially and challenging to manage in the future.
Is there any easy way to populate the drop-down with TFS valid users who have actually been assigned to any team project in the collection, and exclude "Valid" users who exist in Active Directory but have never been assigned to a project?
What do you get if you use Project Collection Valid Users?
Project Collection Valid Users is the correct group to use, and I have entered it correctly.
However, one project team wanted to make their code available to the entire organization, and added ORG\Domain Users to the [Project]\Readers group. This was discovered by running a full audit with TFS Projects based on a hunch that something like that must have happened.
Having answered this question with "because a project team was doin' it wrong," I have posted a follow-up question to find out how to correctly grant all valid TFS users access to a specific project. See How can I grant Team Project access to all Project Collection Users? for the discussion on (hopefully) doing this "the right way."
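Added example, not part of any post above and not TFS code: the audit finding in this thread (ORG\Domain Users nested inside [Project]\Readers) and the "deny trumps allow" rule quoted in the earlier answer, traced over a small membership export. Every account, group and ACE in the data is constructed, the export format is an assumption, and the deny rule is modelled in its simplest form.

```python
from collections import deque
# Constructed sample data: member -> groups it was directly added to.
MEMBER_OF = {
    r"ORG\jdoe": [r"ORG\Domain Users"],
    r"ORG\asmith": [r"ORG\Domain Users", r"[ProjA]\Contributors"],
    r"ORG\Domain Users": [r"[ProjB]\Readers"],
    r"[ProjA]\Contributors": [r"[Coll]\Project Collection Valid Users"],
    r"[ProjB]\Readers": [r"[Coll]\Project Collection Valid Users"],
}
# Explicit entries set on a group: (group, permission) -> "allow" or "deny".
ACES = {
    (r"[ProjB]\Readers", "Read"): "allow",
    (r"[ProjA]\Contributors", "Read"): "allow",
    (r"[ProjA]\Contributors", "CheckIn"): "allow",
    (r"ORG\Domain Users", "CheckIn"): "deny",
}
BROAD_GROUPS = {r"ORG\Domain Users"}  # organisation-wide groups to flag

def membership_paths(user):
    """Every chain user -> group -> ... reachable through nested groups."""
    paths, queue = [], deque([[user]])
    while queue:
        path = queue.popleft()
        for parent in MEMBER_OF.get(path[-1], []):
            if parent not in path:  # guard against cyclic nesting
                paths.append(path + [parent])
                queue.append(path + [parent])
    return paths

def explain(user, permission):
    """Effective result and the chains behind it; any deny beats any allow."""
    grants, denies = [], []
    for path in membership_paths(user):
        ace = ACES.get((path[-1], permission))
        if ace == "allow":
            grants.append(path)
        elif ace == "deny":
            denies.append(path)
    effective = "deny" if denies else ("allow" if grants else "not set")
    return effective, grants, denies

def broad_grants(user, permission):
    """Grant chains that run through an organisation-wide group."""
    return [p for p in explain(user, permission)[1] if BROAD_GROUPS & set(p)]

if __name__ == "__main__":
    print(explain(r"ORG\jdoe", "Read"))
    print(explain(r"ORG\asmith", "CheckIn"))
```

A user who was never added to any team project (the constructed ORG\jdoe) still resolves to an allow on Read, and the returned chain shows the nested group responsible.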
I have a very strange situation.... After migrating from StarTeam to TFS (using TimlyMigration == awesome) there is one oddity.
When I look at any given file in the Source Control view, I see all the history that was migrated. However, if anybody else on the project looks at the file, they don't see the history. It sounds like a permissions issue, but even if I change their group membership, adding them to project administrators, they still don't get the history.
So I'm wondering if there is perhaps a problem with the repository, and if there is an internal consistency checker for TFS that I could be running.
Does the history include any renames/moves? TFS permissions are based on paths, so if people don't have rights to the "old" path then they won't see the history entries before the move.
One other thing to look into is the permissions in the source control (assuming you have given permissions to the project).
In the Source Control Explorer right click on the project and select properties. Then select the security tab. Users should not need to be added to this, but I have had to do it in some cases.
Vaccano