I want to make a TFS 2010 project read-only so users can view the info in work items but not add any details or new work items. I think I need to change the security permission on the project but it's not clear which permission I would change from the Contributors list.
In my opinion the right way is to alter the group memberships.
Remove all users from the constributors and higher groups and move them to the Readers group.
Two choices.
Choice 1: If this is a common pattern where the prevailing default is that folks are restricted, but some people have access (i.e. devs cannot change things but Tech Leads can), modify contributors and create a secondary group (for example, 'Tech Leads') that has the additional read rights. In this scenario, the Contributors group would contain tech leads, but only specific individuals with the extra rights would be in the Tech Leads group.
Choice 2: If the prevailing default is normal contributor access, but specific individuals (i.e. external contractors) need to be denied access, and you need to be 100% sure this goes through, regardless of any other group membership, then leave Contributors as is, and add a new group called (in this example) 'Contractors' and DENY specific access as needed.
Like before, everyone is a contrib, but contractors have some absolute limitations imposed on them, and the 'DENY' in the Contractors group overrides the 'Allow' from contrib. A use case for this would be cases where specific code has to be hidden from external vendors or some other sub-group and needs to be 100% rock solid - just be careful with denies as they will trump any number of allows you inherit from other groups.
Hope that helps!
Addendum: For restricting or changing rights on workitems, you need to do two things. First, set up appropriate group mempership (noted above), then in the project, under Team Project Settings -> Areas and Iterations, click the Security button to set this up on a node by node basis (or at the root if you want to do these restrictions project wide).
Related
I want to make it so certain users can view and/or comment on specific issues, but not all issues. I was reading that I can use Issue Security for this but I'm not understanding one thing.
My understanding:
Enable Issue Security to a project
Issue security scheme defined with who can view/comment on issues by specifying Jira groups in the Issue Security settings:
group ABC can view
group DEF can view + comment
People get added to those groups
But, what controls the issue they can access?
If Joe is added to group ABC, what says they can view issue 123 BUT NOT issue 456?
Every issue has a security level, which can be chosen among those that are available in the Issue Security Scheme associated to that project. I suppose you haven't created them yet: then you need to edit the Issue Security Scheme and add all the security levels that you need. More info on security levels here.
In your case, if you want a simple model you could call the security levels something like "Public" and "Restricted". Issue 123 is set to Public, issue 456 to Restricted, and to view restricted issues you must belong to group DEF, so those that are only in group ABC cannot see them.
If you want to manage multiple customers/suppliers and keep things separated, you can create a group for each company, and a security level for each: visible_by_company_A, visible_by_company_B, and so on. Then each security level is configured so that they are visible only be the right groups/roles, and then users must be assigned to the right groups or roles. A user could belong to both groups, or to just one (or to none).
The catch is that each issue can have only one security level, so if you need an issue to be visible by both company A and company B you must create a specific security level for that, like "visible_by_A_and_B", and this doesn't scale well. But in general this rarely happens (at least in my experience), and I've never needed to create too many levels.
One last thing: users who want to set the security level must have the "Set issue security" permission, make sure they have it.
I've got a TFS server in which team projects exists. These team projects have area paths below them. These area paths represents projects of certain customers. We want to give customers access to their area path.
The problem is when we do that they automatically gain access to all other area paths withing that team project. Is there a way of limiting access so the customers can only see their area path and nothing else?
No such a feature to limit users in team project level with the area path set.
Area path only restricts the users on work items:
Area paths allow you to group work items by team, product, or feature
area. Whereas, iteration paths allow you to group work into sprints,
milestones, or other event-specific or time-related period. Both these
fields allow you to define a hierarchy of paths.
Please see About area and iteration paths (aka sprints) for details.
So, if you don't want to the users see the specific team projects, then you just need to remove the users from the related TFS groups.
If you just want to restrict the users on manage the sources/files or source control on specific Repository/branches, then you can create teams or groups and set the permission accordingly. Please see below articles for details:
Add teams and team members
Permissions and groups in VSTS and TFS
As mentioned in this thread, by design a team can access other teams backlogs and work items.
To deny different teams access to other teams work items I used a workaround which might work for you as well.
The workaround is to use TFS security groups to limit teams access to area paths. By default, every team is created as a member of the default security group [project]\Contributors which gives the team access to all area paths.
Here are the steps I followed:
Create a new security group for every team
Make the new groups members of the Contributors default group
Add every team as a member of its new respective security group
Remove all teams from the Contributors group
In the project's areas admin screen, open each area's context menu and click the security option (check this article)
In the security view, add the newly created security groups
For each group, allow/deny the permissions based on your requirements
Please note, this workaround will not hide other area paths from the users in the not allowed groups. They still can navigate to backlogs of other groups but they will not view or edit the work items. This behavior is same for reports and dashboards as well
I am using TFS 2015. I make one user as Readers in project settings but still the user is able to create and update work-items/bugs. So, I am confused what I need to do in order to allow a user to just view the work-items/quires/stories but not add/edit any item.
The Readers group setting does not restrict ability to edit or create work items. You can do that in area path security settings Set permissions and access for work tracking. So you may create new group (in example Disallow Access Group). Then open security setting for the root area.
Deny needed permissions
In your case you have to enable View work items in this node
If you have the user only in the Readers TFS group of the given team project, the user will not be able to able to add/edit work items.
This can happen if you have altered the group membership, so that Readers are member of the Team (the team created by default or a new team), which is default a member of Contributors. This way readers TFS Group get inherited from Contributors permissions.
Verify the Readers group has below as permissions (default)
and it is not something like below
The other possibility is your user has collection level permissions so the project permissions are inherited to allow by default.
I use TFS 2013 with one team collection and I have a Project.
This project uses area paths to differentiate between teams.
So I have an area Path/Team lets call it "Inventing".
This Inventing team has a Product Owner who should only do what a product owner is supposed to do in scrum.
I can add this particular person to the area path and allow him the rights.
I want to say: he is the product owner of this AreaPath.
Do I need to create for every area path a TFS Group called "product owner inventing" and add/remove the persons for that TFS Group?
Or is there a better solution?
There is no way you can isolate a specific user role like this from the create wizard by default. So yes, you'll need to create a group for the product owner. Remember that work items have links to change sets, so it might be hard to isolate the product owner completely from viewing any code it's not a simple checkbox to tick.
BTW we often do trust external people with the code they're basically owner of. Non Disclosure Agreements and contracts can get a long way in legally closing that loop. I'd expect that the product owner will look over the shoulder of team members, will have opportunity once in a while to access developer workstations, no matter how hard you secure everything. Trust is important in Scrum and Agile, this is one aspect of trust.
If a user has access to multiple security groups, does TFS take the highest level group, or the lowest level group for access rights?
For example, if user John, belongs to the Read Group (can only read the source control but not edit) and then is added to the Developer Group (can read and edit source control) which group does TFS recognize?
Since he belongs to both groups can he still only Read since that is the lowest level or can he now edit since he is also part of the Developer Group and that is the highest level?
Permissions
It combines the permissions from all the users groups.
If the user is denied access to anything they still can't access it even if they are given access to it elsewhere.
If the user is given access to something in any group they will have access to it (unless of course something else denies them).
If there's no explicit allow or deny in any of the users groups, they will be denied access.
Access Levels
Access levels are done separately from group permissions - access can be set to limited, standard or full in the tfs 2012 admin area.
For TFS 2010 the only group that acted a bit weirdly was the work item only group, which afaik acted as a explicit deny on everything but editing your own work items. This functionality is replaced with access levels in tfs 2012.