Using Visual SourceSafe - How to Manage Security

This article is a part of SourceSafe / VSS Tutorial


SourceSafe provides a tool, Visual SourceSafe Administrator, to manage the permission of the VSS users.

However, designed for trusted environment, SourceSafe offers very low security. Regardless of the VSS project level permission, all VSS users must have read & write permission of the whole VSS folder from the file system. This means even for a VSS user who only has read permission of a single file in VSS database, he/she can copy or even delete the whole VSS database from the file system

Furthermore, if we have remote SourceSafe users, we need to expose our whole VSS database folder from the file system level, which makes our source code vulnerable to outside hackers.

There is no easy way to solve this security vulnerability since VSS is designed that way. One possible option is to use an add-on tool to convert VSS from a file based system to a client/server architecture based system. A tool I developed, called SourceAnywhere for VSS, can do this job. The link for SourceAnywhere for VSS is:

The project level security mechanism in VSS can only prevent unintended changes. If you are still interested in learning more about how to set the project level securities in VSS, you can read more about it below. :)


Managing project level security

To manage the project rights for an individual command for each user, we can follow the steps below:

  1. Open Visual SourceSafe Administrator program.

  2. Check the Enable Rights and Assignments commands box in the Visual SourceSafe Administrator menu Tools -> Options -> Project Rights tab. In the New User Rights area of the Project Rights tab, we can deselect the project rights that do not apply to any database users.

SourceSafe Options (SourceSafe Options)

  1. Now there are 3 rights commands available on the Tools menu: Rights by Project, Rights Assignments for User and Copy User Rights.


To assign project rights from the project list:

  1. In Visual SourceSafe Administrator, click Tools -> Rights by Project.

  2. In the Project Rights dialog box, select a project and click Add User to attach the user for whom to assign project rights.

Project Rights (Project Rights)

  1. Select a user in the user list. Under User rights, specify the permissions.


To assign project rights from the user list:

  1. In Visual SourceSafe Administrator, select a user in the users list, and click Tool -> Rights Assignments for User.

  2. In the Assignments for dialog box, click Add Assignment.

![Assignments for ](./img/2008/12/security-assign-by-user.png) (Assignments for )

  1. Select a Visual SourceSafe project and then specify permissions for the user on the selected project. Please be advised that a user must have the Destroy project right to deploy a Web site.

![Add Assignment for ](./img/2008/12/security-assign-for-user.png) (Add Assignment for )

To copy one’s user rights to another user:

  1. In Visual SourceSafe Administrator, click the user whose project rights you want to modify in the users list.

  2. Click menu Tools -> Copy User Rights. The Copy Rights Assignments to dialog box prompts out.

Copy Rights Assignment to Test (Copy Rights Assignment to Test)

  1. Select a user from whom to copy rights, and then click Copy.


SourceAnywhere - the SQL Server-based SourceSafe Replacement

The SQL Server-based Source Control Software Designed to be a SourceSafe Replacement

SourceAnywhere for VSS - the Fastest SourceSafe Remote Access Tool Recommended by Microsoft

The Fastest SourceSafe Remote Access Tool Recommeded by Microsoft

Links: Previous article ««: How to manage users in SourceSafe / VSS Next article »»: SourceSafe How To series home page: VSS / SourceSafe Tutorial