This documentation is archived and is not being maintained.

Team Foundation Server Security for Users and Groups

Team Foundation security is based on users and groups. You can help ensure the security of your Team Foundation Server deployment by correctly assigning permissions to users and groups, and by making sure that you only add users to groups if they truly need the permissions associated with that group. These permissions let users access only the data and functionality that they require for their jobs based on their roles and responsibilities on your team, and help you protect data to which access must be limited. The default groups that are created when you install Team Foundation Server are designed to meet the security needs of most organizations. If your organization has specific or specialized security needs, you might have to modify existing or create new security groups.

Generally, you should avoid adding users directly to Team Foundation Server. Managing the permissions for a large number of individual users is time-consuming and can lead to management and security problems. Consider creating specific groups for common roles within your business and projects, and adding users to those groups as needed.

Default Roles and Security

Although the names of pre-installed groups will vary depending on the process template you choose to implement, Team Foundation Server users generally can be classified into three default groups. You must determine which users should belong to which group, depending on the role each user will perform in a project. The roles and their required permissions are described in the following list:

  • Team Foundation Administrator   Can install and maintain a Team Foundation Server, in addition to administer permissions and security for other roles. Members of this group are the only ones who can create new projects on an Team Foundation Server. Can also customize process guidance. This is the most privileged group, and should be restricted to as few users as possible.

  • Team Project Administrator    Also known as a project manager or a project lead, this role can maintain a team project work item database and project portal. Can administer permissions and security for the team project. This is the second most privileged group, and should be restricted to as few users as possible.

  • Team Project Contributor   Can access, read, and write work items, view the team project Web site, and view process guidance for a team project. This is the group that most users will belong to.

The following table summarizes the permissions that are required for each example role.

Role Must Be a Member of: Team Foundation Server Administrator Role Team Project Administrator Role Team Project Contributor Role

Application-tier and data tier-computer groups

Windows Administrators



Team Foundation Server default groups

Team Foundation Administrators

Project Administrators


Windows SharePoint Services groups

Site Administrator

Project site-level Administrator

Project site-level Contributors

Reporting Services groups

Content Manager,

Site Administrator

Project site-level Content Manager

Project site-level Browser

See Also