When you add a user or group to Visual Studio Team Foundation Server, you might also need to add that user or group to two other components on which your deployment might depend: SharePoint Products and SQL Server Reporting Services. If your deployment is configured with these resources, you must add users and groups to those programs and grant the appropriate permissions for those users or groups before all operations will function correctly in Team Foundation Server.
Because of this complexity, it can be difficult to manage individual users and their associated permissions in deployments of Team Foundation Server. It is much simpler to use Active Directory to organize users into role-based groups and then add each group to Team Foundation Server, SharePoint Products, and Reporting Services with the appropriate permissions. By taking this approach, you must manage only a few groups across these three programs, instead of many individual users. You can add users to Active Directory groups as needed without having to change that group membership or permissions within those three programs.
As an administrator, you control what tasks users can perform by specifying group membership and permissions. To simplify this task, Team Foundation provides default groups and permissions settings. You can use the default groups and settings as they are, customize them, or create your own. The topics in this section provide details about permissions.