Team Foundation Server Default Groups, Permissions, and Roles

Team Foundation Server includes default groups that help you manage users and permissions within the deployment. The product installation creates these groups for you automatically at the server and collection level. Similarly, when you create a project in Visual Studio Team Foundation Server, a number of groups are created for that project, at various levels:

  • Four groups in the project itself, at the project-level

  • A default team group, which by default is added to the project-level group Contributors

  • Area-level and iteration-level groups for the project

  • Build-level groups for the team project

If you add Lab Management to your deployment, groups for Lab Management are added.

To customize projects to better suit your business needs, it helps to understand which permissions are assigned to which users and groups, and which permissions you might want to grant to any users or groups that you add at the server level, the collection level, and the project level. Additionally, if you want to closely align users with specific roles and responsibilities, you need to understand how to align those roles with the default groups that are already assigned to the project. As an alternative, you can create groups that associate directly with each of those roles, and you can assign those groups the permissions that are appropriate to the role.

Whenever you create a project in Team Foundation Server, groups are created at the project level. By default, each of those groups has certain permissions assigned to it. You can add permissions to these default groups, in addition to any groups or users whom you want to add at the server, collection, or project level.

By default, the following groups exist at the server level when you install Team Foundation Server:

  • Team Foundation\Team Foundation Administrators   Members of this group can perform all operations for Team Foundation Server. This group should be restricted to the smallest possible number of users who need total administrative control over Team Foundation Server. By default, this group contains the Local Administrators group (BUILTIN\Administrators) for any server that hosts the application services for Team Foundation. This group also contains the members of the Server\Team Foundation Service Accounts group and the members of the \Project Server Integration Service Accounts group.

  • Team Foundation\Team Foundation Valid Users   Members of this group have access to Team Foundation Server. This group automatically contains all users and groups that have been added anywhere within Team Foundation Server. You cannot modify the membership of this group.

    Important: If you unset the View instance-level information permission, or set it to Deny, for this group, no users will be able to access the deployment.

  • Team Foundation\Team Foundation Service Accounts   Members of this group have service-level permissions for Team Foundation Server. By default, this group contains the service account that was supplied during installation. This group should contain only service accounts and not user accounts or groups that contain user accounts. By default, this group is a member of Team Foundation Administrators.

  • Team Foundation\Project Server Integration Service Accounts   Members of this group have service-level permissions for the Project Server deployments that are configured for interoperation with Team Foundation Server. In addition, members of this group have some service-level permissions for Team Foundation Server. This group should contain only service accounts and not user accounts or groups that contain user accounts. By default, this group is a member of Team Foundation Administrators.

  • Team Foundation\SharePoint Web Application Services    Members of this group have service-level permissions for the SharePoint Web applications that are configured for use with Team Foundation Server, in addition to some service-level permissions for Team Foundation Server. This group should contain only service accounts and not user accounts or groups that contain user accounts. Unlike the Service Accounts group, this group is not a member of Team Foundation Administrators.

  • Team Foundation\Team Foundation Proxy Service Accounts   Members of this group have service-level permissions for Team Foundation Server Proxy, and have some service-level permissions for Team Foundation Server. This group should contain only service accounts and not user accounts or groups that contain user accounts.

By default, these groups have the permissions in the following table. Unless otherwise stated, the permission is set to Allow. For a full description of each permission, see Team Foundation Server Permissions.

| Permission name | Set by default for | Consider adding to |
|---|---|---|
| Administer warehouse | Team Foundation Administrators, Team Foundation Service Accounts | Manually added users or groups who might or must change warehouse settings through the WarehouseController.asmx Web service ChangeSetting Web method. |
| Create team project collection | Team Foundation Administrators, Team Foundation Service Accounts | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Delete team project collection | Team Foundation Administrators, Team Foundation Service Accounts | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Edit instance-level information | Team Foundation Administrators, Team Foundation Service Accounts | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Make requests on behalf of others | Team Foundation Service Accounts, SharePoint Web Application Services | This permission should be assigned only to service accounts and groups that contain only service accounts. |
| Trigger Events | Team Foundation Administrators, Team Foundation Service Accounts | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Use full Web Access features | Team Foundation Administrators, Team Foundation Valid Users | Users and groups who must utilize the full range of features that are available in Team Web Access. If you want to restrict users to a read-only view in Team Web Access, set this permission to Deny. |
| View instance-level information | Team Foundation Administrators, Team Foundation Service Accounts, SharePoint Web Application Services, Team Foundation Valid Users | All users or groups who interact with Team Foundation Server. |
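
The server-level defaults above can serve as a baseline for an automated drift check. The following Python sketch is an added example, not part of the original topic or of Team Foundation Server: the record formats, the `audit` function, and the CONTOSO sample accounts are assumptions constructed for illustration.

```python
# Added example: drift check against the server-level defaults in this topic.
# The (permission, identity, state) and (group, account, kind) records are a
# hypothetical export format assumed for illustration, not TFS output.

TFA = "Team Foundation Administrators"
TFSA = "Team Foundation Service Accounts"
SPWAS = "SharePoint Web Application Services"
TFVU = "Team Foundation Valid Users"
VIEW = "View instance-level information"
IMPERSONATE = "Make requests on behalf of others"

# Permission -> groups that hold it by default (from the server-level table).
BASELINE = {
    "Administer warehouse": {TFA, TFSA},
    "Create team project collection": {TFA, TFSA},
    "Delete team project collection": {TFA, TFSA},
    "Edit instance-level information": {TFA, TFSA},
    IMPERSONATE: {TFSA, SPWAS},
    "Trigger Events": {TFA, TFSA},
    "Use full Web Access features": {TFA, TFVU},
    VIEW: {TFA, TFSA, SPWAS, TFVU},
}

# Groups the topic says should contain only service accounts.
SERVICE_ONLY_GROUPS = {
    TFSA,
    "Project Server Integration Service Accounts",
    SPWAS,
    "Team Foundation Proxy Service Accounts",
}


def audit(aces, members):
    """Return sorted (severity, message) findings.

    aces:    iterable of (permission, identity, "Allow" | "Deny")
    members: iterable of (group, account, "service" | "user")
    """
    findings = []
    service_accounts = {acct for _, acct, kind in members if kind == "service"}
    valid_users_can_view = False

    for permission, identity, state in aces:
        if permission not in BASELINE:
            findings.append(("info", f"permission not in baseline: {permission}"))
            continue
        if state != "Allow":
            continue  # a Deny entry is not a grant; lockout is checked below
        if permission == VIEW and identity == TFVU:
            valid_users_can_view = True
        if identity in BASELINE[permission]:
            continue  # matches the documented default
        if permission == IMPERSONATE and identity not in service_accounts:
            findings.append(
                ("high", f"{IMPERSONATE} granted to non-service identity {identity}"))
        else:
            findings.append(
                ("medium", f"non-default Allow: {permission} -> {identity}"))

    # The topic warns that unsetting or denying this permission for the
    # Valid Users group leaves no user able to access the deployment.
    if not valid_users_can_view:
        findings.append(
            ("high", f"{VIEW} is not Allow for {TFVU}: no user can access the deployment"))

    for group, account, kind in members:
        if group in SERVICE_ONLY_GROUPS and kind != "service":
            findings.append(
                ("high", f"user account {account} in service-only group {group}"))

    return sorted(findings)


# Constructed sample data (not from a real deployment).
SAMPLE_ACES = [
    (VIEW, TFVU, "Allow"),
    (IMPERSONATE, TFSA, "Allow"),
    (IMPERSONATE, r"CONTOSO\jdoe", "Allow"),
    ("Trigger Events", r"CONTOSO\release-team", "Allow"),
]
SAMPLE_MEMBERS = [
    (TFSA, r"CONTOSO\svc-tfs", "service"),
    (TFSA, r"CONTOSO\jdoe", "user"),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_ACES, SAMPLE_MEMBERS):
        print(f"[{severity}] {message}")
```
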

By default, the following groups exist at the collection level when you install Team Foundation Server:

  • TeamProjectCollectionName\Project Collection Administrators   Members of this group can perform all operations for the team project collection. This group should be restricted to the smallest possible number of users who need total administrative control over the collection. By default, this group contains the Local Administrators group (BUILTIN\Administrators) for the server where the application-tier services for Team Foundation have been installed. This group also contains the members of the TeamProjectCollectionName\Service Accounts group.

  • TeamProjectCollectionName\Project Collection Valid Users   Members of this group have access to the team project collection in Team Foundation Server. This group automatically contains all users and groups that have been added anywhere within the team project collection. You cannot modify the membership of this group.

    Important: Do not unset the View collection-level information permission, or set it to Deny, for this group.

  • TeamProjectCollectionName\Project Collection Service Accounts   Members of this group have service-level permissions for the collection and for Team Foundation Server. By default, this group contains the service account that was supplied during installation. This group should contain only service accounts and groups that contain only service accounts. By default, this group is a member of Team Foundation Administrators and Team Foundation Service Accounts.

  • TeamProjectCollectionName\Project Collection Build Administrators    Members of this group have build administration permissions for the collection. This group should be restricted to the smallest possible number of users who need total administrative control over build servers and services for this collection.

  • TeamProjectCollectionName\Project Collection Build Service Accounts    Members of this group have build service permissions for the collection. This group should contain only service accounts and groups that contain only service accounts.

  • TeamProjectCollectionName\Project Collection Proxy Service Accounts   Members of this group have proxy service permissions for the collection. This group should contain only service accounts and groups that contain only service accounts.

  • TeamProjectCollectionName\Project Collection Test Service Accounts   Members of this group have test service permissions for the collection. This group should contain only service accounts and groups that contain only service accounts.

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.

| Permission name | Set by default for | Consider adding to |
|---|---|---|
| Administer build resource permissions | Project Collection Administrators, Project Collection Build Administrators, Project Collection Service Accounts | Build administrators who regularly administer build servers and resources for the collection. |
| Administer Project Server integration | Project Collection Administrators, Project Collection Service Accounts | None. |
| Administer shelved changes | Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Build administrators who delete shelvesets created by other users. |
| Administer workspaces | Project Collection Administrators, Project Collection Service Accounts | Build administrators who create workspaces for other users and delete workspaces created by other users. |
| Alter trace settings | Project Collection Administrators | Other server administrators who might or must change the trace settings for gathering more detailed diagnostic information about Web services for Team Foundation Server. |
| Create a workspace | Project Collection Administrators, Project Collection Build Administrators, Project Collection Build Service Accounts, Project Collection Contributors, Project Collection Proxy Service Accounts, Project Collection Service Accounts, Project Collection Test Service Accounts, Project Collection Valid Users | None. All users have this permission as part of being members of the Project Collection Valid Users group. |
| Create new projects | Project Collection Administrators | Project administrators who will regularly create projects. |
| Delete team project | Project Collection Administrators | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Edit collection-level information | Project Collection Administrators, Project Collection Service Accounts | None. |
| Make requests on behalf of others | Project Collection Administrators, Project Collection Service Accounts, SharePoint Web Application Services | None. |
| Manage build resources | Project Collection Administrators, Project Collection Build Administrators, Project Collection Build Service Accounts, Project Administrators, ProjectName\Build Administrators | Manually added users or groups who might or must administer and schedule builds on the build resources in the collection. |
| Manage process template | Project Collection Administrators | Project administrators and any manually added users or groups, such as process specialists, who might or must create, edit, download, and upload process templates to Team Foundation Server. |
| Manage test controllers | Project Collection Administrators, Project Collection Test Service Accounts | None. |
| Manage work item link types | Project Collection Administrators | None. |
| Trigger Events | Project Collection Administrators, Project Collection Service Accounts | None. Adding this permission to other users has the potential to allow denial-of-service attacks. |
| Use build resources | Project Collection Administrators, Project Collection Build Service Accounts | Manually added users or groups who might or must queue new builds or browse completed builds in the collection. |
| View build resources | Project Collection Administrators, Project Collection Build Administrators, Project Collection Build Service Accounts, Project Collection Valid Users | None. |
| View collection-level information | Project Collection Administrators, Project Collection Build Administrators, Project Collection Build Service Accounts, Project Collection Service Accounts, Project Collection Test Service Accounts, Project Collection Valid Users, SharePoint Web Application Services, Project Collection Proxy Service Accounts | None. |
| View system synchronization information | Project Collection Administrators | None. |

By default, the following groups exist at the project level:

  • ProjectName\Project Administrators   Members of this group can administer all aspects of the team project, although they cannot create projects.

  • ProjectName\Contributors   Members of this group can contribute to the project, such as by adding, modifying, and deleting code, and by creating and modifying work items. By default, the team group created when you create a team project is added to this group, and any user you add to the team will be a member of this group. In addition, any team you create for a team project will be added to this group by default, unless you choose a different group from the list.

  • ProjectName\Readers   Members of this group can view the project but not modify it.

  • ProjectName\Build Administrators   Members of this group have build permissions for the project. Members can manage test environments, create test runs, and manage builds.

  • ProjectName\TeamName Team   Members of this group can contribute to the project in multiple ways, such as adding, modifying, and deleting code and creating and modifying work items. The default Team group is created when you create a team project, and by default is added to the Contributors group for the team project. Any new teams you create will also have a group created for them and added to the Contributors group.

Besides these project-level groups, two collection-level groups also appear in every project in Team Foundation Server:

  • TeamProjectCollectionName\Project Collection Administrators

    Note: You cannot change the permissions for this collection-level group.

  • TeamProjectCollectionName\Project Collection Build Service Accounts

    Important: Do not remove the View project-level information permission, or set it to Deny, for this group.

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.

| Permission name | Set by default for | Consider adding to |
|---|---|---|
| Create test runs | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |
| Delete team project | Project Administrators, Project Collection Administrators | None. |
| Delete test runs | Project Administrators, Team Foundation Administrators, Contributors, TeamName Team | Manually added users or groups that might or must terminate test runs that are in progress or delete old test runs. |
| Edit project-level information | Project Administrators, Project Collection Administrators | None. |
| Manage test configurations | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |
| Manage test environments | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |
| View project-level information | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, TeamName Team | All manually added users or groups that require access to this project. |
| View test runs | Project Administrators, Contributors, Readers, Builders, Project Collection Build Service Accounts, Project Collection Administrators, TeamName Team | All manually added users or groups that require access to this project. |

By default, the following groups exist at the area level:

  • ProjectName\Project Administrators

  • ProjectName\Contributors

  • ProjectName\Readers

  • ProjectName\Builders

  • ProjectName\TeamName Team

  • TeamProjectCollectionName\Project Collection Administrators

  • TeamProjectCollectionName\Project Collection Build Service Accounts

  • TeamProjectCollectionName\Project Collection Test Service Accounts

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.

| Permission name | Set by default for | Consider adding to |
|---|---|---|
| Create child nodes | Project Administrators, Project Collection Administrators | None. |
| Delete this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must delete area nodes. |
| Edit this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must rename area nodes. |
| Edit work items in this node | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, TeamName Team | Any manually added users or groups that might or must edit work items in this area node. |
| Manage Test Plans | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, TeamName Team | Any manually added users or groups that might or must manage test plans in this area node. |
| View permissions for this node | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | Any manually added users or groups that might require access to work items in this area node. |
| View work items in this node | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | Any manually added users or groups that might or must view, but not edit or change, work items in this area node. |

By default, the following groups exist at the iteration level:

  • ProjectName\Project Administrators

  • TeamProjectCollectionName\Project Collection Administrators

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.

| Permission name | Set by default for | Consider adding to |
|---|---|---|
| Create child nodes | Project Administrators, Project Collection Administrators | None. |
| Delete this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must delete iteration nodes. |
| Edit this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must rename iteration nodes. |
| View permissions for this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must view iteration nodes. |

By default, the following groups exist at the version-control level:

  • ProjectName\Project Administrators

  • ProjectName\Contributors

  • ProjectName\Readers

  • ProjectName\Builders

  • TeamProjectCollectionName\Project Collection Administrators

  • TeamProjectCollectionName\Project Collection Service Accounts

  • TeamProjectCollectionName\Project Collection Build Service Accounts

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.

| Permission name | Set by default for | Consider adding to |
|---|---|---|
| Read | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any user or group that contributes to the development of this project; any users that should be able to read the contents of a file or folder. |
| Check Out | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any user or group that contributes to the development of this project; any users that should be able to check out or make a pending change to items in a folder. |
| Check In | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any user or group that contributes to the development of this project; any users that should be able to check in items or revise any committed changeset comments. |
| Label | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any manually added users or groups that might or must label items. |
| Lock | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any manually added users or groups that might or must lock or unlock folders or files. |
| Revise other user's changes | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | Manually added users or groups that are responsible for supervising or monitoring the project that might or must change the comments on checked-in files, even if another user checked in the file. |
| Unlock other user's changes | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | Manually added users or groups that supervise or monitor the project and that must be able to unlock files locked by other users. |
| Undo other user's changes | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | Manually added users or groups that supervise or monitor the project and that must be able to undo a pending change made by another user. |
| Administer labels | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | Manually added users or groups that supervise or monitor the project and that must be able to edit or delete labels created by another user. |
| Manage permissions | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | None. |
| Check In Other User's Changes | Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | None. |
| Merge | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Most users or groups that contribute to the development of this project and that must be able to merge source files, unless the project is under more restrictive development practices. |
| Manage branch | Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any user or group that contributes to the development of this project and that must be able to create private branches, unless the project is under more restrictive development practices. |

By default, the following groups exist at the build level:

  • ProjectName\Project Administrators

  • ProjectName\Contributors

  • ProjectName\Readers

  • ProjectName\Builders

  • TeamProjectCollectionName\Project Collection Administrators

  • TeamProjectCollectionName\Project Collection Build Service Accounts

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.

| Permission name | Set by default for | Consider adding to |
|---|---|---|
| Administer build permissions | Project Collection Administrators, Project Administrators, Project Collection Build Administrators, Build Administrators | Any user or group that administers the build servers. |
| View builds | Project Administrators, Contributors, Readers, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Most manually added users or groups; any that might or must view builds. |
| Edit build quality | Project Administrators, Contributors, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Retain indefinitely | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Delete builds | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Manage build qualities | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Destroy builds | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Update build information | Project Collection Build Service Accounts | None. |
| Queue build | Project Administrators, Contributors, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Manage build queue | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Stop builds | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| View build definition | Project Administrators, Contributors, Readers, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Most manually added users or groups; any that might or must view build definitions. |
| Edit build definition | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Delete build definition | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Override check-in validation by build | Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |

By default, the following groups exist at the lab management level:

  • ProjectName\Project Administrators

  • ProjectName\Contributors

  • ProjectName\Readers

  • TeamProjectCollectionName\Project Collection Administrators

  • TeamProjectCollectionName\Project Collection Build Service Accounts

  • Server\Team Foundation Administrators

By default, these groups have the permissions in the following table. In addition, the creator of an object in Lab Management is automatically granted all permissions on that object. For a full description of each permission, see Team Foundation Server Permissions.

| Permission name | Set by default for | Consider adding to |
|---|---|---|
| View Lab Resources | Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Readers, Project Collection Build Service Accounts | All manually added users or groups that need to view Lab resources. |
| Manage Lab Locations | Team Foundation Administrators, Project Collection Administrators, Project Administrators (limited to only project-level locations, that is, project host group and project library share) | Most manually added users or groups; any that might or must administer Lab assets. |
| Delete Lab Locations | Team Foundation Administrators, Project Collection Administrators, Project Administrators (limited to project-level locations such as project host groups and project library shares) | Most manually added users or groups; any that might or must administer Lab assets. |
| Write Environment and Virtual Machine | Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service Accounts | Most manually added users or groups; any that might or must operate on Lab environments. |
| Edit Environment and Virtual Machine | Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service Accounts | Most manually added users or groups; any that might or must operate on Lab environments. |
| Delete Environment and Virtual Machine | Team Foundation Administrators, Project Collection Administrators, Project Administrators | Most manually added users or groups; any that might or must operate on Lab environments. |
| Import Virtual Machine | Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors | Most manually added users or groups; any that might or must operate on Lab environments. |
| Environment Operations | Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service Accounts | Most manually added users or groups; any that might or must operate on Lab environments. |
| Manage Permissions | Team Foundation Administrators, Project Collection Administrators | Administrators who must administer Lab assets. |
| Manage Child Permissions | Team Foundation Administrators, Project Collection Administrators, Project Administrators (limited to only project-level locations, that is, project host group and project library share) | Administrators who must administer Lab assets. |
| Start | Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service Accounts | Most manually added users or groups; any that might or must operate on Lab environments. |
| Stop | Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service Accounts | Most manually added users or groups; any that might or must operate on Lab environments. |
| Pause | Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service Accounts | Most manually added users or groups; any that might or must operate on Lab environments. |
| Manage snapshots | Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service Accounts | Most manually added users or groups; any that might or must operate on Lab environments. |
