How to Manage TFS Permissions

TFS has two types of permission management: Membership Management and Security Management.

Membership Management: It defines the relationship between different users and groups. Security Management: It manages the permissions for users and groups.

The above two management can be performed on three levels: Server Level, Collection Level and Project Level.

Server Level

You can configure the permissions like creating and deleting collections on the server level. The server level permission management can be configured through the TFS Administration Console. To do that, you can open the console, click Application Tier, and click Group Membership/Administer Security in the Application Tier Summary section.

Collection Level

You can configure the permissions, such as, creating/deleting projects and manage process template on the collection level, either by using the TFS Administration Console or TeamExplore. If you’d like to do it through the console, you can navigate to “server -> Application Tier -> Team Project Collections -><select the collection> -> Group Membership/ Administer Security in the General tab”. For TeamExplore, you can go to “Menu Team-> Team Project Collection Settings-> Group Membership/Security”.

Project Level

Usually, we can use TeamExplore to manage the permissions (such as manage test) on the project level. To do that, go to “Menu Team-> Team Project Collection Settings-> Group Membership/Security”.

After clicking Group Membership, you can do the following operations through the popup dialog box:

TFS Group Membership

  1. Create a new team foundation server group: After clicking New, you can enter the group name and description, and then click OK.
  2. Remove a group: Select the target group, and then click Remove. Afterwards, choose Yes on the Confirm page.
  3. Add Windows user or group: Select the target group, click on “Properties”. Then go to the “Add member” section and choose “Windows User or Group”. After clicking “Add”, you’ll be asked to enter the Windows user or group name. Note: Please make sure the same Windows user or group has been created on the machine hosting TFS Server. In addition, if you are using TeamExplore to do the operation, the Windows user or group should be available on the operated machine.For users of Dynamsoft TFS Hosted, you can log into your web portal and then go to “TFS Hosted -> User Management” to create the Windows user(s) on TFS Server. Currently, you are not allowed to add windows group.
  1. Add team foundation server group to another group: Select the target group, click on “Properties”. Then go to the “Add member” section and choose “Team Foundation Server Group”. Follow the prompts to finish the operation.
  2. Remove members from a group: Select the target group, click on “Properties”. In the Members tab, choose the users/groups and then click Remove and remove the members from the group.Note: Default groups of Server/Collection Level and Project Administrators cannot be deleted. And you are not allowed to modify members in Project Collection Valid Users and Team Foundation Valid Users.

After the management of Group Membership, you can configure group permissions through Security Management. After clicking Security, you can do the following operations through the popup dialog box:

TFS Group Permissions

  1. Add Windows user or group directly to the current permission level: In the Project Security dialog box, Choose “Windows User or Group” in the “Add users and groups” section. Then click “Add” to add the Windows user/group.
  2. Add group(s) to the current permission level: Choose “Team Foundation Server Group” in the “Add users and groups” section and then click “Add”.
  3. Remove members from the current permission level: In the “Users and Groups” section, select the target group or user and then click “Remove”.
  4. Manage Permissions for items: Select the item you want to edit in the “Users and Groups” section. You can then view and edit the permissions for this user or group in the “Permissions for [item]” section. Check “Allow” to grant authorization for user/group to do the operation. If Demy is checked, the user/group can’t do the corresponding operation, even when the user/group is in another group granted the same permission (except for Team Foundation Administrators, Project Collection Administrators and Project Administrators).

If neither “Allow” nor “Deny” is checked, the user/group doesn’t have the permission to do the corresponding operation, unless the permission is granted to another group containing the saying user/group.

Note: Permissions for Project Collection Administrators and Project Administrators are not editable.

For Dynamsoft TFS Hosted, you are not allowed to change the Memberships and Security on the server level. You can create users and add/remove users to/from the groups (see below) through web portal:

Project Collection Administrators
[Project]\ Readers
[Project]\ Project Administrators
[Project]\ Contributors
Groups created by yourself

Manage Version Control Permissions: Version control permissions are specific to source code files and projects/folders. To set the permissions, you can follow the steps below:

  1. Connect to your team project.
  2. Open Source Control Explorer (View -> Other Windows -> Source Control Explorer).
  3. Right-click the file or folder, and then click Properties -> Security.

Manage Build-Level Permissions: After opening the project in Team Explorer, you can right-click Builds and then click Security to manage the securities.