I have a TFS 2010 Work Item Type with a custom field called "Requested By." This field can be populated with any name, but since most of the requests come from project developers throughout the organization, the SUGGESTEDVALUES property should populate the dropdown list with members of any TFS team project.
I have tried various values for SUGGESTEDVALUES, but both Collection\ Project Collection Valid Users and Server\ Team Foundation Valid Users seem to return every valid Active Directory account—well over 10,000 names.
I recognize that one option is to add an ALLOWEDVALUES item with multiple LISTITEM entries for Project\ Contributors for every team project, but with more than 150 team projects in the organization, this would be time-consuming initially and challenging to manage in the future.
Is there any easy way to populate the drop-down with TFS valid users who have actually been assigned to any team project in the collection, and exclude "Valid" users who exist in Active Directory but have never been assigned to a project?
What do you get if you use Project Collection Valid Users?
Project Collection Valid Users is the correct group to use, and I have entered it correctly.
However, one project team wanted to make their code available to the entire organization, and added ORG\Domain Users to the [Project]\Readers group. This was discovered by running a full audit with TFS Projects based on a hunch that something like that must have happened.
Having answered this question with "because a project team was doin' it wrong," I have posted a follow-up question to find out how to correctly grant all valid TFS users access to a specific project. See How can I grant Team Project access to all Project Collection Users? for the discussion on (hopefully) doing this "the right way."
I just asked a similar question, but this time it's a bit different. I just tried to create an alert in TFS2013 for failed builds and in the query definition next to "Team Project = " there's a dropdown where I'm supposed to pick the project to notify when a checkin happens that breaks the build, but not all of my projects show up there. So where does this list come from? And how come not all of my projects are there?
This may be because you don't have the related permission to create alerts for some team projects.
Alert permissions
Members of the team project level Contributors group can subscribe to alerts for themselves.
Members of the Project Collection Administrators group, or users who have the Edit collection-level information can set alerts in that collection for others or for a team.
Members of the Project Administrators group, or users who have the Edit project-level information can set alerts in that team project for others or for a team.
You may lack the corresponding permission for several team projects, so you could not select those in the dropdown list.
Note: There are no UI permissions associated with managing email notifications or alerts. Instead, they can be managed using the TFSSecurity command line tool.
For more details about this, you could refer to this MSDN thread: Alert permissions
A developer has left our team. Whilst working with us, he was a member of our TFS2013 instance. I've removed him from every group within the Team Project and Team Project Collection, and checked that he is not in any groups on the TFS server directly. His account in Active Directory has in fact been deleted. However, I still see his name in two places:
1) On the drop down list for 'Assigned To' on tasks/backlog items on the Scrum board
2) On the Team Project Collection Users list, his user appears if you select 'Users' but he is not a member of any groups. There is no Remove option anywhere on the screen.
Is this simply because he has previously checked in code/had tasks assigned to him in the past? I realise it is easy to say 'yes' to this question as it seems perhaps obvious, but I would like to know if it is possible to completely remove his user from these 2 places.
1) First check if he isn't part of any teams and/or an admin of a team (under the team icon). If the WITD types are customized, it can also be that he was manually added. Otherwise force a synchronisation of the Active Directory: https://mohamedradwan.wordpress.com/2013/12/29/force-synchronizing-tfs-2013-users-with-windows-accounts/
2) If the synchronisation didn't fix this as well, it's possible there are explicit rights defined on his user account. You need to remove that specific right.
If I load up TFS Web Access and go to Security > Users, I only see the 3 people I've added to my team. However, when I try to assign a task to someone in Web Access or in Visual Studio, it lists a bunch of users from the domain (not all users, looks like all IT people). Where does this come from? How can I change it... without exporting, editing and importing files via command line?
update: I found this line in the MSDN documentation:
Team Foundation \Team Foundation Valid Users
Members of this group have access to Team Foundation Server. This group automatically contains all users and groups that have been added anywhere within Team Foundation Server. You cannot modify the membership of this group.
I really don't understand... this is our own team's server, a separate install from the main dev team. I have no idea how these other 30 or 40 users got in this group. Major bonus <3 for any help on this. MikeR's answer will allow me to set administrators as the only assignees which will technically fix the issue, but I'd rather be able to use the groups as they were intended if possible.
The problem was that [TEAM FOUNDATION]\Valid Users included [TEAM FOUNDATION]\Team Foundation Administrators which included [BUILT IN]\Administrators
In the TFS Server Administration Console I selected Application Tier and clicked Group Membership. I then double-clicked on [TEAM FOUNDATION]\Team Foundation Administrators and removed [BUILT IN]\Administrators.
Now I only see my team and not all the SQL admins and engineers that were local admins on the server. All without any command line or addons.
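The nesting described in this answer can be traced offline once group memberships have been exported. The following is an added example, not code from the original posts: it expands a constructed membership map and returns every chain by which an account ends up in Valid Users, which is also the kind of "why does this user have access" lookup asked for further down the page. The ORG\ accounts and the [TeamA] project are hypothetical.

```python
from collections import deque

# Constructed sample data: group -> direct members, modelled on the nesting
# described above. ORG\ accounts and [TeamA] are hypothetical.
MEMBERS = {
    r"[TEAM FOUNDATION]\Valid Users": [
        r"[TEAM FOUNDATION]\Team Foundation Administrators",
        r"[TeamA]\Contributors",
    ],
    r"[TEAM FOUNDATION]\Team Foundation Administrators": [
        r"[BUILT IN]\Administrators",
        r"ORG\tfs-admin",
    ],
    r"[BUILT IN]\Administrators": [r"ORG\sql-admin", r"ORG\SQL Engineers"],
    r"ORG\SQL Engineers": [r"ORG\engineer1", r"ORG\engineer2"],
    r"[TeamA]\Contributors": [r"ORG\dev1", r"ORG\dev2", r"ORG\tfs-admin"],
}

def effective_users(root, members=MEMBERS):
    """Expand nested groups and return the set of leaf accounts under root."""
    users, seen, stack = set(), set(), [root]
    while stack:
        node = stack.pop()
        if node in seen:          # already expanded; also stops cyclic nesting
            continue
        seen.add(node)
        if node in members:       # a group: descend into its direct members
            stack.extend(members[node])
        else:                     # a leaf: an individual account
            users.add(node)
    return users

def membership_paths(root, account, members=MEMBERS):
    """Return every nesting chain [root, ..., account] that grants membership."""
    paths, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        for child in members.get(path[-1], []):
            if child == account:
                paths.append(path + [child])
            elif child in members and child not in path:  # skip cycles
                queue.append(path + [child])
    return paths

if __name__ == "__main__":
    root = r"[TEAM FOUNDATION]\Valid Users"
    for chain in membership_paths(root, r"ORG\engineer1"):
        print(" -> ".join(chain))
```

An account with more than one chain stays in the effective set until every chain is removed, so check the full list before concluding that a removal had no effect.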
This list of possible assignees is defined in the WorkItemTypeDefinition. Usually you would export and import this. If you have the TFS PowerTools (http://visualstudiogallery.msdn.microsoft.com/b1ef7eb2-e084-4cb8-9bc7-06c3bad9148f) installed, you can directly work with the WITD in Visual Studio.
To do this, open "Tools->Process Editor->Work Item Types->Open WIT from Server". Choose the TeamProjectCollection you want to connect to and then choose the TeamProject and WorkItemType you are having trouble with.
Check the rules for the "AssignedTo" field. The default could be the "ValidUser" rule, which includes every permitted user in TFS. Remove that rule and add a new "AllowedValues" rule with values like "[project]\Project Administrators"; then only "Project Administrators" can be assigned to this Work Item.
If there is already a group defined and not all "ValidUser", remove users from the group that is set there.
We have a TFS 2010 with 14 collections. Each collection has its own team members (different Active Directory Accounts).
When a user logs into TFS, he is seeing all the collections, he can enter the draft, create work items, see the source code, etc. So he is not in the list of Team Members.
I made a program in C# to go by collection and project permits and no one is repeated.
How can I diagnose this behavior? Is there a tool to enter the user's name to show me why he has those permissions and how they are inherited (collection groups or groups of server)?
I appreciate your input.
UPDATE:
Thank you for the answers. We solved it. It was a sync problem between Active Directory and TFS.
You could try http://tfsadmin.codeplex.com/. I don't believe it has the user lookup function but I've found it a lot easier to edit roles with than using TFS itself.
Can you prevent a user with project admin or project collection admin rights from updating a project's work item definition or its project template?
Basically we have a TFS instance with multiple projects and project collections. We want to ensure we have one template and work item definition across all of them so any updates should happen across all project\project collections.
thanks
p.s. we do this since we are interfacing with another system and if a new, required field is added it will cause issues.
Members of the "Project Collection Administrators" and "Project Administrators" group have hard-coded admin permissions. Even if you remove the "Edit Project-Level Information" permissions, they have the ability to give that permission to themselves again.
The only way to prevent members of these groups from modifying the work item definitions, is to remove them from the group. Some people create a new administrators group and give them the same permissions, except for the permission to modify work item types.