Set Administrator Permissions for Team Foundation Server

You can grant administrator permissions to users in Visual Studio Team Foundation Server by adding them to the Team Foundation Administrators group in Team Foundation Server. If your deployment uses resources in SQL Server Reporting Services, you must also grant those users permissions in that program. Unlike previous versions of Team Foundation Server, you do not have to grant administrators of Team Foundation permissions in SharePoint Products. The permissions that are required for SharePoint Products interoperability are granted to the service account for Team Foundation Server. However, for optimum interoperability and ease of use, you might want to grant members of the Team Foundation Administrators group membership in certain groups in SharePoint Products.

Administrators maintain at least one server that is running Team Foundation Server, and they administer permissions and security for other roles at the server level and at the level of team project collections. Members of the Team Foundation Administrators group have the highest set of permissions of any users in Team Foundation Server. For most organizations that use Team Foundation Server, administrators create and manage team project collections, in addition to performing any operations that are required to maintain the server.

For information about how to set permissions for other members of the team, see Add Users to Team Projects and Set Administrator Permissions for Team Project Collections.

An administrator for Team Foundation Server must be a member of the following groups or have the following permissions:

  • Team Foundation Server: Team Foundation Administrators or have the appropriate server-level permissions set to Allow. For more information, see Team Foundation Server Default Groups, Permissions, and Roles.

  • Windows: Administrators group on the server that is running the administration console for Team Foundation. The administration console requires administrative permissions to operate correctly.

  • SharePoint Products: the appropriate groups or permissions in SharePoint Central Administration. Depending on your deployment configuration and security requirements, you might not need to add the user to any groups in SharePoint Products. For optimum interoperability, consider adding them to the following SharePoint Products groups:

    • Farm Administrators

    • Site Collection Administrators group for all site collections that are used by the deployment of Team Foundation Server.

    For more information, see Interactions Between SharePoint Products and Team Foundation Server and Service Accounts and Dependencies in Team Foundation Server.

  • Reporting Services: Team Foundation Content Manager and either sysadmin or the db_owner group membership for the configuration database, the reporting and analysis databases, and the databases for team project collections.

  • SQL Server: serveradmin and sysadmin for all TFS databases.

Note

Even users who have appropriate permissions might not be able to view team project portals or reports correctly until they add the sites to their Trusted Sites in Internet Explorer. For more information, see this topic on the Microsoft Web site: User Account Control.

You can grant administrative permissions for Team Foundation Server in two ways: from the administrative console or directly through each program for which you want to grant permissions. Granting permissions through the administrative console is simpler but has some requirements. Consider using the administrative console when all of the following conditions are true:

  • Your deployment of Team Foundation Server is in a trusted environment where the service account for Team Foundation Server has permissions in SharePoint Products and SQL Server Reporting Services.

  • All programs are running on the same computer (a single-server deployment).

  • The security requirements for your deployment do not restrict granting one or more of the permissions in the next bulleted list.

By default, adding users from the administration console grants them membership in the following groups in a single-server deployment of Team Foundation Server:

  • Team Foundation Administrators group in Team Foundation Server

  • The IIS_IUSRS and TFS_APPTIER_SERVICE_WPG groups in Internet Information Services (IIS)

  • The Content Manager role in SQL Server Reporting Services, if reporting is configured

  • The Farm Administrators group in SharePoint Products, if the deployment is configured to use SharePoint Products

  • The DBO role and TFSExecRole for all databases that Team Foundation Server uses, including collection databases

Important

You cannot add a user to the local Administrators group by adding that user's account as a console user. You must manually add the user to that group before that user will have all the permissions that are required to open and use the console. In addition, if you want the user to have sufficient permissions to create a database as part of creating a team project collection, you must grant that user membership in the serveradmin role in SQL Server.
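The following T-SQL is an added example, not part of the original documentation. It lists who currently holds the SQL Server roles named above (sysadmin and serveradmin at the server level, db_owner and TFSExecRole in each database) so the grants can be reviewed after console users are added. It assumes the Team Foundation Server databases have names that start with Tfs_; adjust the filter if your deployment names them differently.

```sql
-- Added example: review SQL Server role membership for a TFS deployment.
-- Assumption: TFS databases are named with the prefix Tfs_ (change the
-- LIKE pattern below if that does not match your deployment).

-- 1. Server-level roles: sysadmin and serveradmin.
SELECT r.name      AS server_role,
       m.name      AS member,
       m.type_desc AS member_type
FROM sys.server_role_members AS srm
JOIN sys.server_principals   AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = srm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin')
ORDER BY r.name, m.name;

-- 2. Database-level roles: db_owner and TFSExecRole in every online
--    database that matches the assumed naming prefix. One SELECT is built
--    per database because role membership is stored in each database.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += N'
SELECT N' + QUOTENAME(d.name, '''') + N' AS database_name,
       r.name      AS database_role,
       m.name      AS member,
       m.type_desc AS member_type
FROM ' + QUOTENAME(d.name) + N'.sys.database_role_members AS drm
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS r
     ON r.principal_id = drm.role_principal_id
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS m
     ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N''db_owner'', N''TFSExecRole'');'
FROM sys.databases AS d
WHERE d.name LIKE N'Tfs[_]%'      -- assumed naming convention
  AND d.state_desc = N'ONLINE';

EXEC sys.sp_executesql @sql;
```

Any member in the output that is not on your list of intended administrators, particularly in sysadmin or serveradmin, is a candidate for removal.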

Granting permissions directly in each program in your deployment of Team Foundation Server is more time-consuming, but you can precisely configure the exact permissions that you want to grant to a user. Consider granting permissions directly in each program when any of the following conditions are true:

  • Your deployment of Team Foundation Server is a multiple-server deployment.

  • Your deployment is in an environment that has security restrictions between Team Foundation Server and the servers that are running SQL Server and SharePoint Products. 

  • You want to configure different group memberships and permissions levels in SharePoint Products, SQL Server Reporting Services, and Team Foundation Server than those that are automatically granted from the administrative console. 

Required Permissions

To perform these procedures, you must belong to the following groups or have the following permissions:

  • Team Foundation Administrators group or have the View instance-level information and Edit instance-level information permissions set to Allow.

  • If you want to add permissions for SQL Server Reporting Services, the Team Foundation Content Managers group or the System Administrators group.

  • If you want to add permissions for SharePoint Products, the Farm Administrators group, the administrators group for the Web application that supports Team Foundation Server, or the SharePoint Administration group. Group membership will depend on the security architecture of your deployment and the group or groups to which you want to add the user.

  • If you want to add role membership for SQL Server, the sysadmin role on each server that hosts databases for Team Foundation Server.

Important

To perform administrative tasks such as creating team project collections, your user account requires administrative permissions, and the service account that the Team Foundation Background Job Agent uses also must have certain permissions granted to it. For more information, see Service Accounts and Dependencies in Team Foundation Server and Team Foundation Background Job Agent.

For more information about permissions, see Team Foundation Server Permissions.

To grant administrative permissions in a trusted environment from the administration console for Team Foundation

  1. Open the administration console for Team Foundation.

    For more information, see Open the Team Foundation Administration Console.

  2. Expand the server, and then choose Application Tier.

  3. In the Administrative Console Users section, choose Add.

  4. In Add Team Foundation Server Administration Console User, specify the user account that you want to add as a member of Team Foundation Administrators.

    If you are not sure of the alias, choose Search. You can also expand the Advanced Features section and modify the selections for Add required permissions to create collections and Add required permissions to change service accounts as best suits your operational needs and the security requirements for the user whom you are adding.

  5. When you are satisfied with your selections, choose OK.

  6. Review the progress information in the Add Administration Console User window.

  7. (Optional) When the process completes, choose the link to open the log file.

  8. Choose Close to return to the administration console.

    Important

    You cannot add a user to the local Administrators group by adding that user's account as a console user. You must manually add the user to that group before that user will have all the permissions required to open and use the console. In addition, if you want the user to have permissions sufficient to create a database as part of creating a team project collection, you must grant that user membership in the serveradmin role in SQL Server.

To grant administrative permissions in Team Foundation Server

  1. Open the administration console for Team Foundation.

    For more information, see Open the Team Foundation Administration Console.

  2. Expand the server, and then choose Application Tier.

  3. In the Administrative Console Users section, choose Add.

  4. In Add Team Foundation Server Administration Console User, specify the user account that you want to add as a member of Team Foundation Administrators.

    If you are not sure of the alias, choose Search.

    You can also expand the Advanced Features section and modify the selections for Add required permissions to create collections and Add required permissions to change service accounts as best suits your operational needs and the security requirements for the user whom you are adding. By default, leave these check boxes selected.

  5. When you are satisfied with your selections, choose OK.

  6. Review the progress information in the Add Administration Console User window.

  7. (Optional) When the process completes, choose the link to open the log file.

  8. Choose Close to return to the administration console.

    Important

    You cannot add a user to the local Administrators group by adding that user's account as a console user. You must manually add the user to that group before that user will have all the permissions required to open and use the console. In addition, if you want the user to have permissions sufficient to create a database as part of creating a team project collection, you must grant that user membership in the serveradmin role in SQL Server.

To grant administrative permissions in SharePoint Foundation 2010

  1. On the server that is running SharePoint Products, open SharePoint Central Administration.

    For more information, see Access Site Administration or Central Administration for SharePoint Products.

  2. Grant permissions that are appropriate for this user at the farm or the Web application level, depending on your security needs.

    For more information, see Windows SharePoint Services Roles and the following page on the Microsoft Web site: SharePoint Products Tech Center. For optimum interoperability, consider adding users of the Team Foundation Administrators group to the following groups in SharePoint Products:

    • Farm Administrators

    • Site Collection Administrators group for all site collections that the deployment of Team Foundation Server uses

To grant administrative permissions in Reporting Services

  1. Start Internet Explorer.

    Note

    Even if you are logged on with administrative credentials, you must start Internet Explorer as an administrator to perform this function on a computer that is running Windows Server 2008 or Windows Vista. To start Internet Explorer as an administrator, choose Start, choose All Programs, open the sub-menu for Internet Explorer, and then choose Run as administrator. For more information, see this topic on the Microsoft Web site: User Account Control.

  2. In the Address bar, specify the following URL, where ReportServer is the name of the server that is running Reporting Services: http://ReportServer/Reports/Pages/Folder.aspx

    Important

    If you are using a named instance, you must include its name in the path of the reports. You use the following syntax, where ReportServer is the name of the report server for Team Foundation and InstanceName is the name of the instance of SQL Server: http://ReportServer/Reports_InstanceName/Pages/Folder.aspx

  3. On the Home page, choose Folder Settings.

  4. On the Security page, choose New Role Assignment.

  5. On the New Role Assignment page, in Group or user name, specify the account name of the user or group to whom you want to grant administrative permissions.

  6. In Role, select the Team Foundation Content Manager check box, and then choose OK.

See Also

Tasks

Add Users to Team Projects

Concepts

Team Foundation Server Permissions

Team Foundation Server Default Groups, Permissions, and Roles

Configuring Users, Groups, and Permissions