When you add a user or group to Visual Studio Team System Team Foundation Server, that user or group is not automatically added to two components on which Team Foundation Server depends: Windows SharePoint Services and SQL Server Reporting Services. You must add users and groups to those programs and grant the appropriate permissions before permissions for those users or groups will function correctly across all Team Foundation Server operations.
Because of this complexity, it is difficult to manage individual users and their associated permissions in deployments of Team Foundation Server. It is much simpler to use Active Directory to organize users into role-based groups and then add each group to Team Foundation Server, Windows SharePoint Services, and Reporting Services with the appropriate permissions. In this way, you are managing only a few groups across these three programs, instead of many individual users. You can add users to Active Directory groups as needed without having to change that group membership or permissions within those three programs.
As an administrator, you control what users are allowed to do by specifying group membership and permissions. To simplify this task, Team Foundation provides default groups and permissions settings. You can also customize these default settings or create your own. The topics in this section provide you with the details about permissions.