For some reason our developers can only add projects that they've created to Team Explorer, even though they've all been given rights to the other projects. I created a top level group and added all of their AD users to it, and I assigned that group rights to access all of our projects.
They can see the projects in Source Control Explorer, and are able to do their work, but if they try to add a project to Team Explorer, the Connect to Team Project dialog box only shows their own projects.
Is there some other set of permissions?
If you want everyone to be able to see and operate on each other's projects, you need to put your team group into Project Collection Administrators at the collection level.
If you don't want everyone to have admin rights, you need to tell everyone to put the team group into the Readers group in the team project they created.
Actually, I don't think there is a way to create a group at the collection level to access all team projects.
In fact, I think the best solution for your situation would be for everyone to use the same team project and to put everyone in the Reader group in that team project.
So everyone can create their own project under that team project instead of creating their own team project.
If you still want to let everyone create their own team project, I suggest you use the Team Foundation Server Administration Tool to manage group membership.
Permissions are usually given on a team project level basis. If by "top level group" you mean giving permission at the collection level, then I suggest you try adding the members at the 'team project level' under any required group with the necessary permissions. If you can't add the members, ask the admin of the team project to add them separately.
You can directly access the security page through web access at:
[TFS web access url]/[Collection]/[team project]/_admin/_security
Under the "TeamExplorer - Connect" there is an option to "Select Team Projects..." When you click on this a box should pop-up titled "Connect to Team Foundation Server" that has a select dropbox, a "Team Project Collections" panel and a "Team Projects" panel. The latter has a list of projects in the collection and each has a checkbox next to them.
Make sure the projects you are interested in are in the list, and have the box checked. You can use the "Select All" checkbox to turn them all on at once.
HTH
I know that this is possible for TFS projects, but I seem unable to take care of this. I've renamed TFS-hosted GIT projects with no issues, but I'm not able to see the drop-down menus or text-editing boxes on my TFS2015 Admin Site.
I've tried in multiple browsers and on multiple systems. I am a Project Collection Manager, and have verified that I have full rights on all projects to be renamed.
Please provide some input as to how I can further diagnose.
Best,
Larry
You can go to the team project admin page and move your mouse over the name of the team project; the text-editing box will show up, then you can remove the team project:
Another way is to go to the team project collection admin page, right-click the team project you want to rename, then select Rename:
I have a custom group in TFS, and I would like to grant access to this group for every team project so we don't have to do this one by one.
It seems like the developers have access via Source Control Explorer, but cannot see these projects via 'Connect to Team Project'.
Any idea what is going wrong, or what permission is missing?
We are using TFS2012 on-premise.
The tfssecurity command line tool allows us to manage permissions for TFS groups and users. We could use it in a PowerShell script to grant access to projects that already exist. However, I haven't found a way to use this command at the TFS collection level in order to grant permissions for future projects.
The approach I use is based on the fact that TFS permissions are inherited unless explicitly denied.
To create a user group that will automatically have access to all existing projects as well as future ones, follow these steps:
Create a new security group at the project collection level. From Visual Studio you can do it from the "Team / Team Project Collection Settings/Group Membership" menu. On TFS Online you can go to the "Account Settings / Security" page.
Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including future ones.
Deny the permissions of the new group, in order to limit the administrator permissions inherited by the group. You can use an existing TFS group as a template, and deny all permissions except those explicitly allowed to the group whose behavior you want to copy. For example, if you want to create a group with the same permissions as the default "Project Collection Valid Users" group, you can deny all permissions except "Create a workspace", "View build resources" and "View collection-level information".
It is possible, but you'll need to give your users a lot more privileges than they need to have. You can give them privileges that are similar to project collection administrators and they will have access to all projects, but with elevated privileges.
It is possible to do this, but only for source control, like you've already done; I'm not really sure about connecting to projects, working with work items and such.
If I load up TFS Web Access and go to Security > Users, I only see the 3 people I've added to my team. However, when I try to assign a task to someone in Web Access or in Visual Studio, it lists a bunch of users from the domain (not all users, looks like all IT people). Where does this come from? How can I change it... without exporting, editing and importing files via command line?
update: I found this line in the MSDN documentation:
Team Foundation \Team Foundation Valid Users
Members of this group have access to Team Foundation Server. This group automatically contains all users and groups that have been added anywhere within Team Foundation Server. You cannot modify the membership of this group.
I really don't understand... this is our own team's server, a separate install from the main dev team. I have no idea how these other 30 or 40 users got in this group. Major bonus <3 for any help on this. MikeR's answer will allow me to set administrators as the only assignees, which will technically fix the issue, but I'd rather be able to use the groups as they were intended if possible.
The problem was that [TEAM FOUNDATION]\Valid Users included [TEAM FOUNDATION]\Team Foundation Administrators which included [BUILT IN]\Administrators
In the TFS Server Administration Console I selected Application Tier and clicked Group Membership. I then double-clicked on [TEAM FOUNDATION]\Team Foundation Administrators and removed [BUILT IN]\Administrators.
Now I only see my team and not all the SQL admins and engineers that were local admins on the server. All without any command line or addons.
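The nesting described in this answer can be audited by expanding a group's membership transitively and recording the path through which each account got in. The following is an added example, not part of the original thread; the membership data is constructed, and the `EXAMPLE\...` accounts and `[DefaultCollection]\My Team` are hypothetical names.

```python
from collections import deque

# Constructed sample data (not taken from any real server): direct members of
# each group, shaped like the nesting described in the answer above.
DIRECT_MEMBERS = {
    r"[TEAM FOUNDATION]\Valid Users": [
        r"[TEAM FOUNDATION]\Team Foundation Administrators",
        r"[DefaultCollection]\My Team",          # hypothetical team group
    ],
    r"[TEAM FOUNDATION]\Team Foundation Administrators": [
        r"[BUILT IN]\Administrators",
        r"EXAMPLE\tfs-admin",
    ],
    r"[BUILT IN]\Administrators": [r"EXAMPLE\sql-admin", r"EXAMPLE\engineer1"],
    r"[DefaultCollection]\My Team": [r"EXAMPLE\dev1", r"EXAMPLE\dev2"],
}


def expand_members(root, direct_members):
    """Return {user: [group path from root]} for every transitive user.

    Breadth-first, so each user is reported with its shortest path; the
    visited set keeps cyclic group nesting from looping forever.
    """
    paths = {}
    visited = {root}
    queue = deque([(root, [root])])
    while queue:
        group, path = queue.popleft()
        for member in direct_members.get(group, []):
            if member in direct_members:           # nested group
                if member not in visited:
                    visited.add(member)
                    queue.append((member, path + [member]))
            else:                                   # leaf: a user account
                paths.setdefault(member, path)
    return paths


def users_via(group, paths):
    """Users whose membership path passes through the given group."""
    return sorted(user for user, path in paths.items() if group in path)


if __name__ == "__main__":
    found = expand_members(r"[TEAM FOUNDATION]\Valid Users", DIRECT_MEMBERS)
    for user, path in sorted(found.items()):
        print(user, "<-", " > ".join(path))
```

Any account listed by `users_via(r"[BUILT IN]\Administrators", found)` is there only because of the server's local administrators group, which is the membership the answer removed.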
This list of possible assignees is defined in the WorkItemTypeDefinition. Usually you would export and import this. If you have the TFS PowerTools (http://visualstudiogallery.msdn.microsoft.com/b1ef7eb2-e084-4cb8-9bc7-06c3bad9148f) installed, you can directly work with the WITD in Visual Studio.
To do this, open "Tools->Process Editor->Work Item Types->Open WIT from Server". Choose the TeamProjectCollection you want to connect to and then choose the TeamProject and WorkItemType you are having trouble with.
Check the rules for the "AssignedTo" field. The default could be the "ValidUser" rule, which includes every permitted user in TFS. Remove that rule and add a new "AllowedValues" rule with values like "[project]\Project Administrators"; then only "Project Administrators" can be assigned to this Work Item.
If there is already a group defined and not all "ValidUser", remove users from the group that is set there.
Is it possible to grant a Windows group "Reading Rights" to a whole collection?
By "Reading Rights" I mean that anyone in this group can get the sources out of TFS but cannot check in something or edit "Tasks" or launch builds or anything else.
I found no such things in the Security Settings of the "Team Foundation Administration Console" on the Server.
There is actually a much easier way to do this. Open up Source Control Explorer for the Team Project Collection you would like to set this permission on. In the tree-view on the left, right-click the top-most node (which likely has your collection name in it) and select "Security". This will bring up the security options that take precedence over the whole collection.
From here, find the group that you would like to grant this permission to and select them. Next, in the permissions area, grant them the "Read" permission. This will allow everyone in that group to view and download the source in that Team Project Collection.
Let me know if you have any other questions.
-Taylor, TFS Version Control Development Lead
You can do this by customizing the process by changing the permission for the contributions group, which I do not recommend, or by adding a new group which has the permissions you need; see the following image
Note: you can do this by Process Editor using TFPT (Team Foundation Power Tool) or by customizing the XML files directly.
We have a team that consists of a number of non-developers - for these non-developers to create and modify Work Items, would they need to have VS 2010 / Team Explorer installed on their machines? Or is it possible to create and modify Work Items through the project's SharePoint site or some other built-in means?
I've not yet installed a full test TFS 2010 instance, so I can't check it out myself.
You can also create or edit workitems using Team System Web Access portal which will be configured as part of TFS2010 Installation. You can access this portal using this URL: http://[TFSServer]:8080/tfs/web
You can also configure users to access the restricted version of this portal (Work Item Only View), which the users can connect to without using a CAL. In this version, the users can add or edit only the work items created by them.
You can create and edit work items from the SharePoint site for a team project in TFS 2010, but the users will still need a Client Access Licence (CAL) to do more than very basic work item management. The URL will be something like http://[tfsServer]/sites/[tfsCollection]/[tfsTeamproject]/Dashboards/ProjectDashboard_wss.aspx. If you right-click on the Team Project in Team Explorer and select "show project portal" then it will open a browser in the correct location.
I think the licence basically says that users can create and modify their own work items without a CAL. If they need to view work items created by other users, or allocate work items to other users, then a CAL is required.