
Team Foundation Server default groups, permissions, and roles

Team Foundation Server (TFS) includes default groups that help you manage users and permissions within the deployment. The product installation creates these groups for you automatically at the server and collection level. Similarly, when you create a project in TFS, a number of groups are created for that project, at various levels:

  • Four groups in the project itself, at the project-level

  • A default team group, which by default is added to the project-level group Contributors. Each new team you create also has a team group created for it.

  • Area-level and iteration-level groups for the project

  • Build-level groups for the team project

If you add Lab Management to your deployment, groups for Lab Management are added.

If you add Release Management to your deployment, you can manage permissions using groups that you define in Release Management, TFS, or Active Directory.

To customize projects to better suit your business needs, it helps to understand which permissions are assigned to which users and groups, and which permissions you might want to grant to any users or groups that you add at the server level, the collection level, and the project level. Additionally, if you want to closely align users with specific roles and responsibilities, you need to understand how to align those roles with the default groups that are already assigned to the project. As an alternative, you can create groups that associate directly with each of those roles, and you can assign those groups the permissions that are appropriate to the role.

Whenever you create a project in TFS, groups are created at the project level. By default, each of those groups has certain permissions assigned to it. You can add permissions to these default groups, in addition to any groups or users whom you want to add at the server, collection, or project level.

By default, the following groups exist at the server level when you install TFS:

  • Team Foundation\Team Foundation Administrators: Members of this group can perform all operations for TFS. This group should be restricted to the smallest possible number of users who need total administrative control over TFS. By default, this group contains the Local Administrators group (BUILTIN\Administrators) for any server that hosts the application services for Team Foundation. This group also contains the members of the Server\Team Foundation Service Accounts group and the members of the \Project Server Integration Service Accounts group.

  • Team Foundation\Team Foundation Valid Users: Members of this group have access to TFS. This group automatically contains all users and groups that have been added anywhere within TFS. You cannot modify the membership of this group.

    Important

    If you unset the View instance-level information permission for this group, or set it to Deny, no users will be able to access the deployment.

  • Team Foundation\Team Foundation Service Accounts: Members of this group have service-level permissions for TFS. By default, this group contains the service account that was supplied during installation. This group should contain only service accounts and not user accounts or groups that contain user accounts. By default, this group is a member of Team Foundation Administrators.

  • Team Foundation\Project Server Integration Service Accounts: Members of this group have service-level permissions for the Project Server deployments that are configured for interoperation with Team Foundation Server. In addition, members of this group have some service-level permissions for Team Foundation Server. This group should contain only service accounts and not user accounts or groups that contain user accounts. By default, this group is a member of Team Foundation Administrators.

  • Team Foundation\SharePoint Web Application Services: Members of this group have service-level permissions for the SharePoint Web applications that are configured for use with TFS, in addition to some service-level permissions for TFS. This group should contain only service accounts and not user accounts or groups that contain user accounts. Unlike the Service Accounts group, this group is not a member of Team Foundation Administrators.

  • Team Foundation\Team Foundation Proxy Service Accounts: Members of this group have service-level permissions for Team Foundation Server Proxy, and have some service-level permissions for Team Foundation Server. This group should contain only service accounts and not user accounts or groups that contain user accounts.

By default, these groups have the permissions in the following table. Unless otherwise stated, the permission is set to Allow. For a full description of each permission, see Team Foundation Server permissions.

| Permission Name | By default, set for: | Consider adding to: |
|---|---|---|
| Administer warehouse | Team Foundation Administrators, Team Foundation Service Accounts | Manually added users or groups who might or must change warehouse settings through the WarehouseController.asmx Web service ChangeSetting Web method. |
| Create team project collection | Team Foundation Administrators, Team Foundation Service Accounts | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Delete team project collection | Team Foundation Administrators, Team Foundation Service Accounts | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Edit instance-level information | Team Foundation Administrators, Team Foundation Service Accounts | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Make requests on behalf of others | Team Foundation Service Accounts, SharePoint Web Application Services | This permission should be assigned only to service accounts and groups that contain only service accounts. |
| Trigger Events | Team Foundation Administrators, Team Foundation Service Accounts | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Use full Web Access features | Team Foundation Administrators, Team Foundation Valid Users | Users and groups who must use the full range of features that are available in Team Web Access. If you want to restrict users to a read-only view in Team Web Access, set this permission to Deny. |
| View instance-level information | Team Foundation Administrators, Team Foundation Service Accounts, SharePoint Web Application Services, Team Foundation Valid Users | All users or groups who interact with TFS. |

By default, the following groups exist at the collection level when you install TFS:

  • TeamProjectCollectionName\Project Collection Administrators: Members of this group can perform all operations for the team project collection. This group should be restricted to the smallest possible number of users who need total administrative control over the collection. By default, this group contains the Local Administrators group (BUILTIN\Administrators) for the server where the application-tier services for Team Foundation have been installed. This group also contains the members of the TeamProjectCollectionName\Service Accounts group.

  • TeamProjectCollectionName\Project Collection Valid Users: Members of this group have access to the team project collection in TFS. This group automatically contains all users and groups that have been added anywhere within the team project collection. You cannot modify the membership of this group.

    Important

    Do not unset the View collection-level information permission for this group or set it to Deny.

  • TeamProjectCollectionName\Project Collection Service Accounts: Members of this group have service-level permissions for the collection and for TFS. By default, this group contains the service account that was supplied during installation. This group should contain only service accounts and groups that contain only service accounts. By default, this group is a member of Team Foundation Administrators and Team Foundation Service Accounts.

  • TeamProjectCollectionName\Project Collection Build Administrators: Members of this group have build administration permissions for the collection. This group should be restricted to the smallest possible number of users who need total administrative control over build servers and services for this collection.

  • TeamProjectCollectionName\Project Collection Build Service Accounts: Members of this group have build service permissions for the collection. This group should contain only service accounts and groups that contain only service accounts.

  • TeamProjectCollectionName\Project Collection Proxy Service Accounts: Members of this group have proxy service permissions for the collection. This group should contain only service accounts and groups that contain only service accounts.

  • TeamProjectCollectionName\Project Collection Test Service Accounts: Members of this group have test service permissions for the collection. This group should contain only service accounts and groups that contain only service accounts.

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server permissions.

| Permission Name | By default, set for: | Consider adding to: |
|---|---|---|
| Administer build resource permissions | Project Collection Administrators, Project Collection Build Administrators, Project Collection Service Accounts | Build administrators who regularly administer build servers and resources for the collection. |
| Administer Project Server integration | Project Collection Administrators, Project Collection Service Accounts | None. |
| Administer shelved changes | Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Build administrators who delete shelvesets created by other users. |
| Administer workspaces | Project Collection Administrators, Project Collection Service Accounts | Build administrators who create workspaces for other users and delete workspaces created by other users. |
| Alter trace settings | Project Collection Administrators | Other server administrators who might or must change the trace settings for gathering more detailed diagnostic information about Web services for TFS. |
| Create a workspace | Project Collection Administrators, Project Collection Build Administrators, Project Collection Build Service Accounts, Project Collection Contributors, Project Collection Proxy Service Accounts, Project Collection Service Accounts, Project Collection Test Service Accounts, Project Collection Valid Users | None. All users have this permission as part of being members of the Project Collection Valid Users group. |
| Create new projects | Project Collection Administrators | Project administrators who will regularly create projects. |
| Delete team project | Project Collection Administrators | Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
| Edit collection-level information | Project Collection Administrators, Project Collection Service Accounts | None. |
| Make requests on behalf of others | Project Collection Administrators, Project Collection Service Accounts, SharePoint Web Application Services | None. |
| Manage build resources | Project Collection Administrators, Project Collection Build Administrators, Project Collection Build Service Accounts, Project Administrators, ProjectName\Build Administrators | Manually added users or groups who might or must administer and schedule builds on the build resources in the collection. |
| Manage process template | Project Collection Administrators | Project administrators and any manually added users or groups, such as process specialists, who might or must create, edit, download, and upload process templates to TFS. |
| Manage test controllers | Project Collection Administrators, Project Collection Test Service Accounts | None. |
| Manage work item link types | Project Collection Administrators | None. |
| Trigger Events | Project Collection Administrators, Project Collection Service Accounts | None. Adding this permission to other users has the potential to allow denial-of-service attacks. |
| Use build resources | Project Collection Administrators, Project Collection Build Service Accounts | Manually added users or groups who might or must queue new builds or browse completed builds in the collection. |
| View build resources | Project Collection Administrators, Project Collection Build Administrators, Project Collection Build Service Accounts, Project Collection Valid Users | None. |
| View collection-level information | Project Collection Administrators, Project Collection Build Administrators, Project Collection Build Service Accounts, Project Collection Service Accounts, Project Collection Test Service Accounts, Project Collection Valid Users, SharePoint Web Application Services, Project Collection Proxy Service Accounts | None. |
| View system synchronization information | Project Collection Administrators | None. |
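
The server-level and collection-level guidance above can be checked mechanically. The following is an added example, not part of the original topic or of TFS: a Python audit that flags user accounts nested inside service-account-only groups, Valid Users groups that have lost their View permission, and grants of the two restricted permissions outside their default holders. The inventory layout, the sample accounts and the function names are assumptions; groups are keyed by bare name without the server or collection prefix.

```python
# Added example: audit a TFS group/permission inventory against this page's guidance.
# The inventory format and every account name below are constructed for illustration.

# Groups the page says should contain only service accounts (directly or via nesting).
SERVICE_ONLY_GROUPS = {
    "Team Foundation Service Accounts",
    "Project Server Integration Service Accounts",
    "SharePoint Web Application Services",
    "Team Foundation Proxy Service Accounts",
    "Project Collection Service Accounts",
    "Project Collection Build Service Accounts",
    "Project Collection Proxy Service Accounts",
    "Project Collection Test Service Accounts",
}

# Permissions the page says must not be unset or set to Deny for these groups.
REQUIRED_ALLOW = {
    "Team Foundation Valid Users": "View instance-level information",
    "Project Collection Valid Users": "View collection-level information",
}

# Default holders from the server-level and collection-level tables, merged.
# The page advises against granting these two permissions more widely.
DEFAULT_HOLDERS = {
    "Make requests on behalf of others": {
        "Team Foundation Service Accounts", "SharePoint Web Application Services",
        "Project Collection Administrators", "Project Collection Service Accounts",
    },
    "Trigger Events": {
        "Team Foundation Administrators", "Team Foundation Service Accounts",
        "Project Collection Administrators", "Project Collection Service Accounts",
    },
}


def leaf_accounts(group, members, _path=()):
    """Yield (account, path) for every non-group member reachable from group."""
    if group in _path:              # membership cycle: stop instead of looping
        return
    path = _path + (group,)
    for member in members.get(group, []):
        if member in members:       # nested group: descend into it
            yield from leaf_accounts(member, members, path)
        else:
            yield member, path


def audit(inv):
    """Return a list of (kind, subject, detail, extra) findings."""
    findings = []
    members, accounts = inv["members"], inv["accounts"]

    # 1. Service-only groups must resolve to service accounts only.
    for group in sorted(SERVICE_ONLY_GROUPS.intersection(members)):
        for account, path in leaf_accounts(group, members):
            if accounts.get(account, "unknown") != "service":
                findings.append(("non-service-member", group, account, " > ".join(path)))

    # 2. Valid Users groups must keep their View permission at Allow.
    state = {(ident, perm): s for ident, perm, s in inv["acl"]}
    for group, perm in REQUIRED_ALLOW.items():
        current = state.get((group, perm), "Unset")
        if current != "Allow":
            findings.append(("lockout-risk", group, perm, current))

    # 3. Restricted permissions granted outside the default holders.
    for ident, perm, s in inv["acl"]:
        if s == "Allow" and perm in DEFAULT_HOLDERS and ident not in DEFAULT_HOLDERS[perm]:
            findings.append(("restricted-grant", ident, perm, s))
    return findings


# Constructed sample inventory (not output of any TFS tool).
SAMPLE = {
    "members": {
        "Team Foundation Service Accounts": ["svc-tfs"],
        "Project Collection Build Service Accounts": ["svc-build", "Build Helpers"],
        "Build Helpers": ["svc-build2", "alice", "Project Collection Build Service Accounts"],
    },
    "accounts": {"svc-tfs": "service", "svc-build": "service",
                 "svc-build2": "service", "alice": "user"},
    "acl": [
        ("Team Foundation Valid Users", "View instance-level information", "Deny"),
        ("Project Collection Valid Users", "View collection-level information", "Allow"),
        ("Contributors", "Trigger Events", "Allow"),
        ("Team Foundation Service Accounts", "Make requests on behalf of others", "Allow"),
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
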

By default, the following groups exist at the project level:

  • ProjectName\Project Administrators: Members of this group can administer all aspects of the team project, although they cannot create projects.

  • ProjectName\Contributors: Members of this group can contribute to the project, such as by adding, modifying, and deleting code, and by creating and modifying work items. By default, the team group created when you create a team project is added to this group, and any user you add to the team will be a member of this group. In addition, any team you create for a team project will be added to this group by default, unless you choose a different group from the list.

  • ProjectName\Readers: Members of this group can view the project but not modify it.

  • ProjectName\Build Administrators: Members of this group have build permissions for the project. Members can manage test environments, create test runs, and manage builds.

  • ProjectName\TeamName Team: Members of this group can contribute to the project in multiple ways, such as adding, modifying, and deleting code and creating and modifying work items. The default Team group is created when you create a team project, and by default is added to the Contributors group for the team project. Any new teams you create will also have a group created for them and added to the Contributors group.

Besides these project-level groups, two collection-level groups also appear in every project in TFS:

  • TeamProjectCollectionName\Project Collection Administrators

    Note

    You cannot change the permissions for this collection-level group.

  • TeamProjectCollectionName\Project Collection Build Service Accounts

    Important

    Do not remove the View project-level information permission for this group or set it to Deny.

By default, these groups have the permissions in the following tables. For a full description of each permission, see Team Foundation Server permissions.

Project

| Permission Name | By default, set for: | Consider adding to: |
|---|---|---|
| Create test runs | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |
| Delete team project | Project Administrators, Project Collection Administrators | None. |
| Delete test runs | Project Administrators, Team Foundation Administrators, Contributors, TeamName Team | Manually added users or groups that might or must terminate test runs that are in progress or delete old test runs. |
| Edit project-level information | Project Administrators, Project Collection Administrators | None. |
| Manage test configurations | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |
| Manage test environments | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |
| View project-level information | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, TeamName Team | All manually added users or groups that require access to this project. |
| View test runs | Project Administrators, Contributors, Readers, Builders, Project Collection Build Service Accounts, Project Collection Administrators, TeamName Team | All manually added users or groups that require access to this project. |

Work item query

| Permission Name | By default, set for: | Consider adding to: |
|---|---|---|
| Contribute | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, TeamName Team | Any manually added users or groups that require the ability to create and share work item queries for the project. |
| Delete | Project Administrators, Project Collection Administrators | None. |
| Manage Permissions | Project Administrators, Project Collection Administrators | None. |
| Read | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, TeamName Team | Any manually added users or groups that require access to work item queries. |

Tagging

| Permission Name | By default, set for: | Consider adding to: |
|---|---|---|
| Create tag definition | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |
| Delete tag definition | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |
| Enumerate tag definition | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |
| Update tag definition | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | None. |

By default, the following groups exist at the area level:

  • ProjectName\Project Administrators

  • ProjectName\Contributors

  • ProjectName\Readers

  • ProjectName\Builders

  • ProjectName\TeamName Team

  • TeamProjectCollectionName\Project Collection Administrators

  • TeamProjectCollectionName\Project Collection Build Service Accounts

  • TeamProjectCollectionName\Project Collection Test Service Accounts

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server permissions.

| Permission Name | By default, set for: | Consider adding to: |
|---|---|---|
| Create child nodes | Project Administrators, Project Collection Administrators | None. |
| Delete this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must delete area nodes. |
| Edit this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must rename area nodes. |
| Edit work items in this node | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, TeamName Team | Any manually added users or groups that might or must edit work items in this area node. |
| Manage Test Plans | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, TeamName Team | Any manually added users or groups that might or must manage test plans in this area node. |
| View permissions for this node | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | Any manually added users or groups that might require access to work items in this area node. |
| View work items in this node | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts, TeamName Team | Any manually added users or groups that might or must view, but not edit or change, work items in this area node. |

By default, the following groups exist at the iteration level:

  • ProjectName\Project Administrators

  • TeamProjectCollectionName\Project Collection Administrators

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server permissions.

| Permission Name | By default, set for: | Consider adding to: |
|---|---|---|
| Create child nodes | Project Administrators, Project Collection Administrators | None. |
| Delete this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must delete iteration nodes. |
| Edit this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must rename iteration nodes. |
| View permissions for this node | Project Administrators, Project Collection Administrators | Any manually added users or groups that might or must view iteration nodes. |

By default, the following groups exist at the version-control level:

  • ProjectName\Project Administrators

  • ProjectName\Contributors

  • ProjectName\Readers

  • ProjectName\Builders

  • TeamProjectCollectionName\Project Collection Administrators

  • TeamProjectCollectionName\Project Collection Service Accounts

  • TeamProjectCollectionName\Project Collection Build Service Accounts

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server permissions.

| Permission Name | By default, set for: | Consider adding to: |
|---|---|---|
| Read | Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any user or group that contributes to the development of this project; any users who should be able to read the contents of a file or folder. |
| Check Out | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any user or group that contributes to the development of this project; any users who should be able to check out or make a pending change to items in a folder. |
| Check In | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any user or group that contributes to the development of this project; any users who should be able to check in items or revise any committed changeset comments. |
| Label | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any manually added users or groups that might or must label items. |
| Lock | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any manually added users or groups that might or must lock or unlock folders or files. |
| Revise other user's changes | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | Manually added users or groups that are responsible for supervising or monitoring the project and that might or must change the comments on checked-in files, even if another user checked in the file. |
| Unlock other user's changes | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | Manually added users or groups that supervise or monitor the project and that must be able to unlock files locked by other users. |
| Undo other user's changes | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | Manually added users or groups that supervise or monitor the project and that must be able to undo a pending change made by another user. |
| Administer labels | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | Manually added users or groups that supervise or monitor the project and that must be able to edit or delete labels created by another user. |
| Manage permissions | Project Administrators, Project Collection Administrators, Project Collection Service Accounts | None. |
| Check In Other User's Changes | Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | None. |
| Merge | Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Most users or groups that contribute to the development of this project and that must be able to merge source files, unless the project is under more restrictive development practices. |
| Manage branch | Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts | Any user or group that contributes to the development of this project and that must be able to create private branches, unless the project is under more restrictive development practices. |

By default, the following groups exist at the build level:

  • ProjectName\Project Administrators

  • ProjectName\Contributors

  • ProjectName\Readers

  • ProjectName\Builders

  • TeamProjectCollectionName\Project Collection Administrators

  • TeamProjectCollectionName\Project Collection Build Service Accounts

By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server permissions.

| Permission Name | By default, set for: | Consider adding to: |
|---|---|---|
| Administer build permissions | Project Collection Administrators, Project Administrators, Project Collection Build Administrators, Build Administrators | Any user or group that administers the build servers. |
| View builds | Project Administrators, Contributors, Readers, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Most manually added users or groups; any that might or must view builds. |
| Edit build quality | Project Administrators, Contributors, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Retain indefinitely | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Delete builds | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Manage build qualities | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Destroy builds | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Update build information | Project Collection Build Service Accounts | None. |
| Queue build | Project Administrators, Contributors, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Manage build queue | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Stop builds | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| View build definition | Project Administrators, Contributors, Readers, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Most manually added users or groups; any that might or must view build definitions. |
| Edit build definition | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Delete build definition | Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |
| Override check-in validation by build | Project Collection Build Service Accounts, Project Collection Administrators | Any user or group that administers builds. |

By default, the following groups exist at the lab management level:

  • ProjectName\Project Administrators

  • ProjectName\Contributors

  • ProjectName\Readers

  • TeamProjectCollectionName\Project Collection Administrators

  • TeamProjectCollectionName\Project Collection Build Service Accounts

  • Server\Team Foundation Administrators

By default, these groups have the permissions in the following table. In addition, the creator of an object in Lab Management is automatically granted all permissions on that object. For a full description of each permission, see Team Foundation Server permissions.

Permission Name

By default, set for:

Consider adding to:

View Lab Resources

Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Readers, Project Collection Build Service accounts

All manually-added users or groups that need to view Lab resources

Manage Lab Locations

Team Foundation Administrators, Project Collection Administrators, Project Administrators (limited to only project-level locations, that is, project host group and project library share)

Most manually added users or groups; any that might or must administer Lab assets

Delete Lab Locations

Team Foundation Administrators, Project Collection Administrators

Project Administrators (limited to project-level locations such as project host groups and project library shares)

Most manually added users or groups; any that might or must administer Lab assets

Write Environment and Virtual Machine

Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts

Most manually added users or groups; any that might or must operate on Lab environments

Edit Environment and Virtual Machine

Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts

Most manually added users or groups; any that might or must operate on Lab environments

Delete Environment and Virtual Machine

Team Foundation Administrators, Project Collection Administrators,

Project Administrators

Most manually added users or groups; any that might or must operate on Lab environments

Import Virtual Machine

Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors

Most manually added users or groups; any that might or must operate on Lab environments

Environment Operations

Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts

Most manually added users or groups; any that might or must operate on Lab environments

Manage Permissions

Team Foundation Administrators, Project Collection Administrators

Administrators who must administer Lab assets

Manage Child Permissions

Team Foundation Administrators, Project Collection Administrators, Project Administrators (limited to only project-level locations, that is, project host group and project library share)

Administrators who must administer Lab assets

Start

Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts

Most manually added users or groups; any that might or must operate on Lab environments

Stop

Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts

Most manually added users or groups; any that might or must operate on Lab environments

Pause

Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts

Most manually added users or groups; any that might or must operate on Lab environments

Manage snapshots

Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts

Most manually added users or groups; any that might or must operate on Lab environments

Release Management defines a single default group, Everyone, to which all accounts that you add to Release Management belong. In addition, specific permissions are allocated to the Release Manager and Service User roles.

For a full description of each permission, see Team Foundation Server permissions.

| Permission name or user role | By default set for | Consider adding to |
| --- | --- | --- |
| Can Create Release Template | Everyone | Users or groups that need to create, start, or approve a release. |
| Can Create Release Path | Everyone | Users or groups who need to manage the release configuration used in deploying applications. |
| Can Manage Environment | Everyone | Users or groups who need to manage the servers and environments used to define the release paths. |
| Can Manage Server | Everyone | Users or groups who will define the release paths for deploying applications in your system. This permission supports access to defining the servers used to deploy applications to test, stage, and production servers. |
| Can Manage Inventory | Everyone | Users or groups who will define custom tools or actions for deploying applications in your system. With this permission they can view, edit, and create actions and tools used in deploying applications. |
| Can Release | Everyone | Users or groups who will initiate a release. With this permission, you can specify which users can initiate a release from those release templates that they can view. |
| Can Use Custom Tool in Actions and Components | Everyone | Users or groups who will define release paths or release templates or who will initiate releases. This allows them to edit the Command and Arguments fields when No Tool is selected. |
| Edit | Everyone | Users or groups who need to edit specific release templates or release paths. |
| Edit Values and Target Servers | Everyone | Users or groups who will define release paths or release templates or who will initiate releases. This allows them to edit deployment sequence and configuration variables for specific releases or stages. |
| Edit Approvals and Environment | Everyone | Users or groups who will define release paths or release templates. This allows them to edit approvals and environments for a specific stage. Without this permission, stage information is read-only. |
| Manage Security | Everyone | Users or groups who will manage which groups have permissions to view, edit, or manage release templates or release paths. With this permission, creators of release templates and release paths can control who can view, edit, or release specific templates or paths. |
| Release Manager | Release Manager role | Users who will administer the Release Management server. The permissions assigned to this role allow users to manage the connection between TFS and Release Management. Also, they can manage the following objects: release paths and stage information defined in a release path; release templates, including adding custom tools and actions and adding deployment sequence and configuration variables (this applies to all stages defined in a release template); security for all functional areas. |
| Service User | Service User role | Service account identities assigned to run server application pools, deployment agent’s Windows Service, and Release Management monitoring of Windows Services. |
| View | Everyone | Users or groups who need to view specific release templates or release paths, but not edit them. |

In Release Management, you can assign permissions based on the role assigned to a user, explicit functional permissions assigned to groups, or permissions assigned to specific instances of a release object. In addition, you can assign approvers and validators to specific stages within a release path to ensure that the applications being deployed meet quality standards.

  • Role based: The two roles are Release Manager and Service User. Release Managers can manage all functions, regardless of the groups they are linked to. Service User corresponds to a service account role. To limit a user’s access, do not assign them to any role. Instead, have them inherit the permissions assigned to the group they are linked to.

  • Group: To restrict access to specific functional areas, you assign the permissions allowed by that group. Members of that group inherit the permissions assigned to the group. Restricting access requires that you change the permissions granted to the Everyone group, which by default has all permissions.

  • Object: In addition to roles and groups, you can restrict access to edit, view, and manage security of release paths and release templates. You do this through the Security tab on the release path and through the Properties page for a release template.

  • Approvers and Validators: Approvers and validators must sign off at each step or stage of a release. You assign approvers and validators when you configure a release path. All approvers and validators must be added as users or a member of a group in Release Management.

To learn how to set permissions, see Add users and groups and control access to Release Management.
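The role and group rules above can be checked against an access plan before you rely on a custom group to restrict anyone. The following Python model is an added example, not Release Management code or its API; it assumes group grants are additive, and the user names, the "Release Initiators" group and the plan are constructed for illustration.

```python
# Constructed model of the rules above; not Release Management code or its API.
FUNCTIONAL = frozenset({
    "Can Create Release Template", "Can Create Release Path",
    "Can Manage Environment", "Can Manage Server", "Can Manage Inventory",
    "Can Release", "Can Use Custom Tool in Actions and Components",
})

def effective_permissions(user, roles, memberships, grants):
    """Functional permissions a user holds under the modelled rules."""
    # Release Managers can manage all functions regardless of group links.
    if roles.get(user) == "Release Manager":
        return set(FUNCTIONAL)
    # Every account belongs to Everyone; group grants are assumed additive.
    held = set()
    for group in {"Everyone"} | memberships.get(user, set()):
        held |= grants.get(group, set())
    return held

def excess_permissions(intended, roles, memberships, grants):
    """Per user, permissions held beyond what the access plan intends."""
    report = {}
    for user, wanted in intended.items():
        extra = effective_permissions(user, roles, memberships, grants) - wanted
        if extra:
            report[user] = extra
    return report

# Constructed sample deployment (all names hypothetical).
ROLES = {"alice": "Release Manager"}
MEMBERSHIPS = {"bob": {"Release Initiators"}}
INTENDED = {"alice": set(FUNCTIONAL), "bob": {"Can Release"}}

# Default state: Everyone holds every permission.
DEFAULT_GRANTS = {"Everyone": set(FUNCTIONAL), "Release Initiators": {"Can Release"}}
# Hardened state: Everyone stripped, access granted only through the group.
HARDENED_GRANTS = {"Everyone": set(), "Release Initiators": {"Can Release"}}

if __name__ == "__main__":
    for label, grants in (("default", DEFAULT_GRANTS), ("hardened", HARDENED_GRANTS)):
        report = excess_permissions(INTENDED, ROLES, MEMBERSHIPS, grants)
        print(label, {user: sorted(perms) for user, perms in report.items()})
```

With the default grants, the narrowly scoped group changes nothing for its member; the excess only disappears once the Everyone group is trimmed.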

© 2014 Microsoft. All rights reserved.