Team Foundation Server Security for Users and Groups
Team Foundation security is based on users and groups. You can help ensure the security of your Team Foundation Server deployment by correctly assigning permissions to users and groups. Add to a group only those users who truly need the permissions associated with it. These permissions should enable users to access only the data and functionality that they require to do their jobs, based on their roles and responsibilities on your team. By restricting access in this way, you help protect your data. The default groups that are created when you install Team Foundation Server are designed to meet the security needs of most organizations. If your organization has specific or specialized security needs, you might have to modify the existing security groups or create new ones.
Generally, you should avoid adding users directly to Team Foundation Server. Managing the permissions of a large number of individual users is time-consuming and can lead to management and security problems. Instead, consider creating specific groups for common roles within your business and projects, and add users to those groups as needed. For more information about synchronizing users and groups, see Synchronizing Administrator Accounts and Managing Users and Groups.
Although the names of the pre-installed groups vary depending on the process template you choose to implement, Team Foundation Server users generally can be classified into four default groups. You must determine which users belong to which group, depending on the role each user will perform in a project. The following list describes the roles and the required permissions:
Team Foundation Administrator: Can install and maintain a Team Foundation Server, and can administer permissions and security for the other roles. Members of this group are the only ones who can create new projects on a Team Foundation Server. Members of this group can also customize process guidance. This is the most privileged group, and it should be restricted to as few users as possible.
Team Project Administrator: Can maintain a team project work item database and project portal. Members of this group can administer permissions and security for the team project. This is the second most privileged group, and it should be restricted to as few users as possible. This role is also known as a project manager or a project lead.
Team Project Contributor: Can access, read, and write work items, view the team project Web site, and view process guidance for a team project. This is the group to which most users will belong.
Team Project Reader: Can see the status of a particular project, but has no specific deliverables for that project. This group contains persons with no work items associated with the project.
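The two rules above (add users through groups rather than directly, and keep the administrator groups small) can be checked mechanically against a membership export. The following is an added example, not part of the original documentation or of Team Foundation Server; the CSV export format, the domain CONTOSO, the account and group names, and the member limits are all constructed for illustration.

```python
"""Audit a Team Foundation Server group-membership export against the
least-privilege guidance: no users added directly to default groups, and
administrator groups kept small. Added example; the input format is a
constructed CSV (group, member, kind), not the output of any real TFS tool."""
import csv
import io
from collections import defaultdict

# Assumed policy: maximum tolerated members for the privileged default groups.
PRIVILEGED_GROUP_LIMITS = {
    "Team Foundation Administrators": 2,
    "Project Administrators": 3,
}
# Default groups whose membership should be managed through Windows groups.
TFS_DEFAULT_GROUPS = set(PRIVILEGED_GROUP_LIMITS) | {"Contributors", "Readers"}

# Constructed sample export: one row per direct member of a TFS group.
SAMPLE_EXPORT = """group,member,kind
Team Foundation Administrators,CONTOSO\\tfsadmin,user
Team Foundation Administrators,CONTOSO\\jsmith,user
Team Foundation Administrators,CONTOSO\\bwhite,user
Project Administrators,CONTOSO\\TFS-ProjectLeads,group
Contributors,CONTOSO\\TFS-Developers,group
Contributors,CONTOSO\\intern01,user
Readers,CONTOSO\\TFS-Stakeholders,group
"""


def parse_export(text):
    """Parse the constructed CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_membership(rows, limits=PRIVILEGED_GROUP_LIMITS):
    """Return (severity, message) findings for the two guidance violations."""
    findings = []
    members = defaultdict(list)
    for row in rows:
        members[row["group"]].append(row["member"])
        # Rule 1: individual accounts should enter TFS groups via a Windows group.
        if row["kind"] == "user" and row["group"] in TFS_DEFAULT_GROUPS:
            findings.append(("warn", f"{row['member']} is a direct member of "
                                     f"{row['group']}; add it through a group"))
    # Rule 2: the privileged groups should hold as few members as possible.
    for group, limit in limits.items():
        count = len(members.get(group, []))
        if count > limit:
            findings.append(("high", f"{group} has {count} direct members "
                                     f"(assumed limit {limit})"))
    return findings
```

Running audit_membership(parse_export(SAMPLE_EXPORT)) reports four direct user memberships and one oversized administrator group for the sample data.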
The following table summarizes the group memberships that are required for each example role.

Role:
- Team Foundation Server Administrator Role
- Team Project Administrator Role
- Team Project Contributor Role
- Team Project Reader Role

Must Be a Member of:
- Application-tier and data tier-computer groups
- Team Foundation Server default groups: Team Foundation Administrators
- Windows SharePoint Services groups: SharePoint Central Administration group in SharePoint Central Administration
- Reporting Services groups
In addition to configuring group membership and permissions, you might also need to configure permissions for version control. For more information, see How to: Control Access to Team Foundation Version Control.