This documentation is archived and is not being maintained.

Team Foundation Server Security for Users and Groups

Team Foundation security is based on users and groups. You can help ensure the security of your Team Foundation Server deployment by correctly assigning permissions to users and groups. You should be sure to add only those users who truly need the permissions associated with that group. These permissions should enable users to access only the data and functionality that they require to do their jobs. Access should be based on their roles and responsibilities on your team. By restricting access, you can help protect your data. The default groups that are created when you install Team Foundation Server are designed to meet the security needs of most organizations. If your organization has specific or specialized security needs, you might have to modify existing security groups or create new ones.

Generally, you should avoid adding users directly to Team Foundation Server. Managing the permissions for a large number of individual users is time-consuming. It can lead to management and security problems. Consider creating specific groups for common roles within your business and projects. You can add users to those groups as needed. For more information about synchronizing users and groups, see Synchronizing Administrator Accounts and Managing Users and Groups.

Although the names of pre-installed groups will vary depending on the process template you choose to implement, Team Foundation Server users generally can be classified into four default groups. You must determine which users belong to which group. It depends on the role each user will perform in a project. The following list describes the roles and the required permissions:

  • Team Foundation Administrator   Can install and maintain a Team Foundation Server and administer permissions and security for the other roles. Members of this group are the only ones who can create new projects on a Team Foundation Server. Members of this group can also customize process guidance. This is the most privileged group. It should be restricted to as few users as possible.

  • Team Project Administrator   Can maintain a team project work item database and project portal. Members of this group can administer permissions and security for the team project. This is the second most privileged group. It should be restricted to as few users as possible. This role is also known as a project manager or a project lead.

  • Team Project Contributor   Can access, read, and write work items, view the team project Web site, and view process guidance for a team project. This is the group to which most users will belong.

  • Team Project Reader   Can see the status of a particular project, but has no specific deliverables for that project. This group contains persons with no work items associated with the project.

The following table summarizes the permissions that are required for each example role.

Role must be a member of:                      | Team Foundation Server Administrator Role                                    | Team Project Administrator Role | Team Project Contributor Role | Team Project Reader Role
-----------------------------------------------|------------------------------------------------------------------------------|---------------------------------|-------------------------------|-------------------------
Application-tier and data-tier computer groups | Windows Administrators                                                       |                                 |                               |
Team Foundation Server default groups          | Team Foundation Administrators                                               | Project Administrators          |                               |
Windows SharePoint Services groups             | SharePoint Central Administration group in SharePoint Central Administration | Site Administrators             |                               |
Reporting Services groups                      | Content Manager, System Administrators                                       | Content Manager                 |                               |
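The guidance above reduces to a few checks a deployment can run against its own membership data: permissions should be granted to groups rather than to individual users, the two administrator groups should stay small, and membership of Windows Administrators on the application and data tiers is something only the Team Foundation Server Administrator role needs. The following script is an added example, not code from the original documentation or from Team Foundation Server itself. The tab-separated export format, the ceiling of two members per privileged group, and every account, group and object name in it are constructed for the example; a real deployment would produce the membership and grant records from its own tooling.

```python
"""Least-privilege audit of a Team Foundation Server (TFS) group layout.

Added example; not code from the original Microsoft documentation or from TFS.
It encodes the guidance on this page (grant through groups, keep the two
administrator groups small, and tie membership of the application-/data-tier
Windows Administrators group to the Team Foundation Administrator role) as
three checks over a constructed membership export. The export format and all
account, group and object names below are constructed for the example.
"""
from collections import defaultdict

# Groups the page calls out as privileged, most privileged first.
PRIVILEGED_GROUPS = ("Team Foundation Administrators", "Project Administrators")
# Windows Administrators on the application and data tiers is required only by
# the Team Foundation Server Administrator role (see the table above).
TIER_ADMIN_GROUP = "Windows Administrators"
TIER_ADMIN_ROLE_GROUP = "Team Foundation Administrators"

# Constructed export, one record per line, tab separated:
#   MEMBER <group> <identity>          group membership
#   GRANT  <object> <identity> <kind>  permission grant on an object;
#                                      kind is "group" or "user"
EXPORT = """\
MEMBER\tTeam Foundation Administrators\tCONTOSO\\alice
MEMBER\tWindows Administrators\tCONTOSO\\alice
MEMBER\tWindows Administrators\tCONTOSO\\bob
MEMBER\tProject Administrators\tCONTOSO\\carol
MEMBER\tProject Administrators\tCONTOSO\\dave
MEMBER\tProject Administrators\tCONTOSO\\erin
MEMBER\tContributors\tCONTOSO\\frank
GRANT\t$/Payroll\t[Payroll]\\Contributors\tgroup
GRANT\t$/Payroll\tCONTOSO\\frank\tuser
GRANT\t$/Payroll\tCONTOSO\\grace\tuser
"""


def parse_export(text):
    """Split the export into (group -> set of members) and a list of grants."""
    members = defaultdict(set)
    grants = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if fields[0] == "MEMBER" and len(fields) == 3:
            members[fields[1]].add(fields[2])
        elif fields[0] == "GRANT" and len(fields) == 4:
            grants.append((fields[1], fields[2], fields[3]))
        else:
            raise ValueError("malformed export line: %r" % line)
    return members, grants


def direct_user_grants(grants):
    """Grants made to an individual identity instead of to a group."""
    return sorted((obj, who) for obj, who, kind in grants if kind == "user")


def oversized_privileged_groups(members, ceiling):
    """Privileged groups whose membership exceeds the agreed ceiling."""
    return {g: len(members[g]) for g in PRIVILEGED_GROUPS
            if len(members[g]) > ceiling}


def tier_admins_without_tfs_role(members):
    """Tier Windows Administrators who do not hold the TFS administrator role."""
    return sorted(members[TIER_ADMIN_GROUP] - members[TIER_ADMIN_ROLE_GROUP])


def audit(text, ceiling=2):
    """Run all three checks over an export and return the findings."""
    members, grants = parse_export(text)
    return {
        "direct_grants": direct_user_grants(grants),
        "oversized_groups": oversized_privileged_groups(members, ceiling),
        "unmatched_tier_admins": tier_admins_without_tfs_role(members),
    }


if __name__ == "__main__":
    for check, findings in audit(EXPORT).items():
        print("%s: %s" % (check, findings or "none"))
```

Run against the constructed export, the audit reports two users granted access to the object directly instead of through the Contributors group, a Project Administrators group above the chosen ceiling, and one tier Windows Administrator who holds no Team Foundation Administrator role. Each finding maps to one of the recommendations on this page, so the output is a review list rather than an automatic remediation.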




In addition to configuring group membership and permissions, you might also need to configure permissions for version control. For more information, see How to: Control Access to Team Foundation Version Control.