
Restrict access in TFS

Visual Studio 2013

Sometimes you don't want all users in your deployment to have visibility into all projects in that deployment. By default, users who have permissions to access one project within a collection can view other projects within that collection, even if they don't have permissions to modify work items or perform other actions in that project. If you want to restrict a particular group to just one project in the collection, you must take extra steps.

In Team Foundation Server, permissions explicitly set to Deny generally take precedence over permissions set to Allow. There are exceptions to this, but they generally don't apply to user groups (and you can read more about these exceptions in Team Foundation Server permissions). So if you want to restrict a particular group from viewing a particular project, you must (1) create a specific Team Foundation Server group in that project, (2) add that restricted group to that project-level group, and then (3) explicitly set the View project-level information permission to Deny for that Team Foundation Server group. In other words, you specifically create a group for the users you don't want to view a project, add that group to the project you don't want them to view, and then set permissions on that group to restrict the users in that group from viewing that project. It's a little counterintuitive, but it works!

  1. Open Team Web Access (TWA), change views to the administration context for the project by choosing the gear (Settings) icon, and choose the Security tab.

  2. On the Groups tab, create a TFS group.

    Create TFS Group link on Security admin page


  3. In Group Name, specify a name for this group, such as "Reviewers." Optionally, type a description for this group, and then choose OK.

    Create the Reviewers TFS group

    The group you just created appears in the list of TFS Groups. Make sure that it is highlighted in the list, and then choose the Members tab.

  4. Choose Add user.

    The ADD A WINDOWS USER OR GROUP window opens.

    Account names in Add a window or user group
  5. In Identities, specify the name of the group you want to add and save your changes.

    Add a group to the list of TFS Groups
  6. Choose the Permissions tab. In the permissions list, toggle the value of the View project-level information permission to Deny, and then choose Save Changes.
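
The Deny-over-Allow reasoning behind this procedure, shown as an added example: a simplified Python model, not TFS code and not part of the original article. The group names, members and settings are constructed sample data, and the exceptions to Deny precedence mentioned above are not modeled.

```python
# Simplified model (an assumption, not TFS code): an explicit Deny beats Allow,
# and settings are inherited through nested group membership.
ALLOW, DENY, NOT_SET = "Allow", "Deny", "Not set"
VIEW = "View project-level information"

# Constructed sample data. Group -> direct members (users or other groups).
MEMBERS = {
    "Readers": {"alice", "CONTOSO\\Vendors"},  # how the vendors could see the project
    "Reviewers": {"CONTOSO\\Vendors"},         # steps 2-5: restricted group nested here
    "CONTOSO\\Vendors": {"bob", "carol"},
}
# Group -> {permission: explicit setting} for one team project.
ACES = {
    "Readers": {VIEW: ALLOW},
    "Reviewers": {VIEW: DENY},                 # step 6
}

def groups_of(identity, members=MEMBERS):
    """Return every group that contains identity, directly or through nesting."""
    found, frontier = set(), {identity}
    while frontier:
        current = frontier.pop()
        for group, direct in members.items():
            if current in direct and group not in found:
                found.add(group)
                frontier.add(group)
    return found

def effective(identity, permission, members=MEMBERS, aces=ACES):
    """Resolve one permission: any explicit Deny wins, then Allow, else Not set."""
    settings = {aces.get(g, {}).get(permission, NOT_SET)
                for g in groups_of(identity, members) | {identity}}
    if DENY in settings:
        return DENY
    return ALLOW if ALLOW in settings else NOT_SET

def can_view(identity, **kw):
    """Only an effective Allow grants visibility; Not set grants nothing."""
    return effective(identity, VIEW, **kw) == ALLOW

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(f"{who}: {effective(who, VIEW)}")
```

Running the same check against an exported membership list before and after step 6 shows exactly which accounts lose visibility, including accounts that only reach the Deny through a nested group.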

A: From the Version Control tab in the TWA administration context, you can set permissions for a group or individual.

Permissions page for TF version control

For team projects that use Git for version control, you can set the following permissions.

Permissions page for Git project in admin context

For additional information, see Team Foundation Server permissions.

A: From the Build hub in TWA, you can set build permissions at the project level for a group or individual.

Security link in Actions menu on Build page

You can set permissions for the build operations shown in the following image.

Permissions page for TF version control

Also, you can set permissions by opening the context menu for a build definition.

For additional information, see Team Foundation Server permissions.

A: By setting permissions on an area path, you can deny a group or individual the ability to create or edit work items assigned under an area path.

A: You can restrict access in one of two ways:

  • By adding WITs to the Hidden Categories group, you can prevent the majority of project contributors from creating them. You can create a hyperlink to a template that opens the work item form and share that link with those team members who you do want to create them.

  • By adding a field rule to the workflow for the System.CreatedBy field, you can effectively restrict a group of users from creating a work item of a specific type. As the following example shows, the user who creates the work item must belong to the Allowed Group in order to save the work item.

    <TRANSITION from=" " to="New">
        <FIELDS>
            <FIELD refname="System.CreatedBy">
                <VALIDUSER for="Allowed Group" not="Disallowed Group" />
            </FIELD>
        </FIELDS>
    </TRANSITION>

For more information about how to customize WITs, see Add a field and change the layout of a work item type.

A: Set a condition field rule, a condition-based field rule or a combination of the two that applies to a group. You can restrict changes from being made to a field by specifying a qualifying rule and making it apply for a specific group. Conditional rules can include CANNOTLOSEVALUE, EMPTY, FROZEN, NOTSAMEAS, READONLY, and REQUIRED elements.

© 2014 Microsoft