Team Foundation Server: granting Check-out Rights on a whole Collection - tfs

Is it possible to grant a Windows Group "Reading Rights" to a whole Collection?
By "Reading Rights" I mean that anyone in this Group can get the Sources out of TFS but cannot check in anything, edit "Tasks", launch Builds or do anything else.
I found no such things in the Security Settings of the "Team Foundation Administration Console" on the Server.

There is actually a much easier way to do this. Open up Source Control Explorer for the Team Project Collection you would like to set this permission on. In the tree-view on the left, right-click the top-most node (which likely has your collection name in it) and select "Security". This will bring up the security options that take precedence over the whole collection.
From here, find the group that you would like to grant this permission to and select them. Next, in the permissions area, grant them the "Read" permission. This will allow everyone in that group to view and download the source in that Team Project Collection.
Let me know if you have any other questions.
-Taylor, TFS Version Control Development Lead

You can do this by customizing the process, either by changing the permission for the contributions group, which I do not recommend, or by adding a new group which has the permissions you need; see the following image
Note: you can do this by Process Editor using TFPT (Team Foundation Power Tool) or by customizing the XML files directly.

Related

File Level Checkin Access in Team Foundation server 2013

I am new to TFS.
How to give file level Check in access to the user or user group in TFS 2013?
For example, my ASP.NET MVC project has around 50 .cs files and for the contributor "someone" I want to give the Check in access to only 10 files.
Is this possible in TFS?
For your question "is this possible?"
Yup, it is very much possible in TFS to control the access rights at the file level. But it can be a painful process depending on how those 10 files are located within your folder structure. If you manage the access rights to TFS at individual user level (not using AD groups) then I would advise you to define new TFS groups and classify users based on their check-in rights; this way it will be easier for you to manage.
Let me know if you need any clarification.
Edit: Screenshots added
Right click the file -> Advanced -> Security
Now within each group (Contributor, Builder etc), you can define the check-in/checkout rights.

Securing folders in source control

I would like to know how I can secure an Area (folder within project) - i.e. give access to external consultants for reading and writing.
But I do not want them to be able to access other folders within that Project.
I know how to assign access to the folder (defined Area), but I'm not sure how I can safely remove their rights on the Project without cutting off their access to the folder (Area).
Any help appreciated.
It depends whether you mean Area Paths or Source Control folders.
Source Control
In TFVC you can open the web access and go to the code tab. There you can right click on any folder and select permissions. Here you can use any fine grain you like and control inheritance.
In Git you can only control permissions at the Repository and Branch level.
Work Item Tracking
If you open the web access and go to the administration section (cog on top right) and then the Area Path tab you can control the permission in the same way you can with source code. If you have VSTS or TFS 2015 Update 2 you can also control inheritance.
Real solution
However any sort of compartmentalisation comes with significant overhead of managing it. If you are a defence company or bank and there is that one folder that you don't want externals to have access then it's easy. Remove inheritance for that folder and only allow specific access.
Anything more and you run into complexity and friction for users. Ultimately you should trust everyone you give access to your Team Project. If you don't trust them, then don't give them access...
Go to the Administer Server page and create a new TFS user group.
Add the users to the TFS user group.
Go to the Code screen, right click the folder and choose Security. Next add the TFS User Group you created and give them the rights you want:

How can I grant access to all Team Projects for a custom group

I have a custom group in TFS, and I would like to grant access to this group for every team project so we don't have to do this one by one.
It seems like the developers have access via Source Control Explorer, but cannot see these projects via 'Connect to Team Project'.
Any idea what is going wrong, or what permission is missing?
We are using TFS2012 on-premise.
The tfssecurity command line tool allows us to manage permissions for TFS groups and users. We could use it in a PowerShell script to grant access to projects that already exist. However I haven't found a way to use this command at the TFS collection level in order to grant permissions for future projects.
The approach I use is based on the fact that TFS permissions are inherited unless explicitly denied.
To create a user group that will automatically access all existing projects as well as future ones, follow these steps:
Create a new security group at the project collection level. From Visual Studio you can do it from the "Team / Team Project Collection Settings / Group Membership" menu. On TFS Online you can go to the "Account Settings / Security" page.
Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including future ones.
Deny the permissions of the new group, in order to limit the administrator permissions inherited by the group. You can use an existing TFS group as a template, and deny all permissions except those explicitly allowed to the group whose behavior you want to copy. For example, if you want to create a group with the same permissions as the default "Project Collection Valid Users" group, you can deny all permissions except "Create a workspace", "View build resources" and "View collection-level information".
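The tfssecurity-in-PowerShell route mentioned at the top of this answer, as an added example (not the poster's code): it adds one collection-level group to the Readers group of each existing team project and then lists the resulting membership for review. The collection URL, group name and project list are placeholders, and tfssecurity.exe is assumed to be on PATH.

```powershell
# Added example. Every value below is a placeholder, not taken from the page.
$CollectionUrl = 'http://tfs.example.local:8080/tfs/DefaultCollection'  # placeholder URL
$MemberGroup   = '[DefaultCollection]\All Project Readers'              # hypothetical collection-level group
$Projects      = @('ProjectA', 'ProjectB')                              # constructed list of existing team projects

# tfssecurity.exe ships with the TFS server tools; assumed to be on PATH here.
$failed = @()
foreach ($project in $Projects) {
    # Each team project has its own built-in Readers group: [ProjectName]\Readers
    $readers = "[$project]\Readers"

    # /g+ <group> <member> adds the member identity to the group.
    & tfssecurity.exe /g+ $readers "n:$MemberGroup" "/collection:$CollectionUrl"
    if ($LASTEXITCODE -ne 0) {
        # Record failures instead of stopping, so one bad project name
        # does not leave the remaining projects unprocessed.
        $failed += $project
    }
}

# /im lists the direct members of a group, so the change can be checked
# against what was intended before anyone relies on it.
foreach ($project in $Projects) {
    & tfssecurity.exe /im "[$project]\Readers" "/collection:$CollectionUrl"
}

if ($failed.Count -gt 0) {
    Write-Warning ("Membership was not changed for: " + ($failed -join ', '))
}
```

This covers only the projects named in the list, so it has to be re-run when a new team project is created.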
It is possible but you’ll need to give your users a lot more privileges than they need to have. You can give them privileges that are similar to project collection administrators and they will have access to all projects but with elevated privileges.
It is possible to do this, but only for source control like you’ve already done; I’m not really sure about connecting to projects, working with work items and such.

How can I share just the Product Backlog with a client using Team Foundation Service?

My team's project is hosted on the Team Foundation Service (TFS). How can I limit my client's access to the project to only the product backlog items?
The smallest set of rights seems to be 'View project-level information', but this still gives the user access to the code itself and I do not want this.
That is not possible today. We have heard that request more often, and it is tracked on user voice.
Feel free to vote for that suggestion. It helps us prioritize our work.
To deny all access to code you need to:
Open Source Control Explorer in VS2012
Right click your Team Project's Name ($/MyTeamProject).
Select "Advanced"
Select "Security..."
Select their TFS Group (i.e. Backlog Readers) on the Left Hand Side
Click the "inherit allow" (or "allow") permission on the Right Hand Side until it changes to "deny".
Then save the changes.

Developers can't see projects in Team Explorer/TFS 2010

For some reason our developers can only add projects that they've created to Team Explorer, even though they've all been given rights to the other projects. I created a top level group and added all of their AD users to it, and I assigned that group rights to access all of our projects.
They can see the projects in Source Control Explorer, and are able to do their work, but if they try to add a project to Team Explorer, the Connect to Team Project dialog box only shows their own projects.
Is there some other set of permissions?
If you want everyone to be able to see and operate on each other's projects, you need to put your team group into Project Collection Administrators at the Collection level.
If you don't want everyone to have admin rights,
you need to tell everyone to put the team group into the Readers group in the team project they created.
Actually, I don't think there is a way to create a group at the Collection level to access all team projects.
In fact, I think the best solution for your situation should be for everyone to use the same Team project and to put everyone in the Reader group in that team project.
So everyone can create their own project under that team project instead of creating their own team project.
If you still want to let everyone create their own team project,
I suggest you use Team Foundation Server Administration Tool to manage group membership.
Permission rights are usually given on a team project level basis. If by "top level group" you mean giving permission at the collection level, then I suggest you try adding the member at the 'team project level' under any required group with the necessary permission. If you can't add the member, ask the admin of the team project to add them separately.
You can directly access the security page through web access at:
[TFS web access url]/[Collection]/[team project]/_admin/_security
Under the "TeamExplorer - Connect" there is an option to "Select Team Projects..." When you click on this a box should pop-up titled "Connect to Team Foundation Server" that has a select dropbox, a "Team Project Collections" panel and a "Team Projects" panel. The latter has a list of projects in the collection and each has a checkbox next to them.
Make sure the projects you are interested in are in the list, and have the box checked. You can use the "Select All" checkbox to turn them all on at once.
HTH
