Transition Security

  • Article

You can control who can change the state of work items by defining who is explicitly allowed or not allowed to make a specific transition. For example, you can specify that only testers can change the state of bugs from Resolved to Closed.

Note

You must specify all valid transitions between two states. If you do not specify a transition from one state to another, team members cannot change the work item from the first state to the second state.

You enforce transition security by using the attributes for and not in the TRANSITION element of the workflow definition. You use these attributes to specify who can and cannot perform a transition. By default, any team member who has access to the team project can modify the work item. If you specify each of these attributes for different groups that contain one or more of the same members, not takes precedence over for.

In the following example, only members of the AllTesters group can change the status of a work item from Resolved to Completed. In contrast, members of the NewTesters group cannot make that kind of change. Both of these groups are custom security groups in Team Foundation, and they are specific to a team project. For information about how to create custom security groups, see Walkthrough: Setting up Groups and Permissions.

<TRANSITION from="Resolved" to="Completed" for="[project]\AllTesters" not="[project]\NewTesters">
. . .
</TRANSITION>

When testers join the team, they are assigned to both groups. After a period of time, testers are removed from the NewTesters group to lift the restriction against specifying that a work item has been completed.

You can enforce transition security for multiple groups of users if you create a parent security group and then specify it in the TRANSITION element.

See Also

Concepts

Designing the Workflow

Other Resources

Defining Work Item Workflow

Change History

Date

History

Reason

July 2010

Clarified that the example references custom security groups. You cannot use this example if you do not define the same custom security groups in Team Foundation.

Customer feedback.