Team Foundation Server Default Groups, Permissions, and Roles
When you create a project in Visual Studio Team Foundation Server, project-level groups are created for that project, and they are assigned permissions to access resources that are appropriate to that group. To customize projects to better suit your business needs, you must understand what permissions are assigned to which users and groups, in addition to what permissions you might want to add to any users or groups that you might add at the servel level, the collection level, and the project level. Additionally, if you want to closely align users with the roles that are described for MSF for Agile Software Development or MSF for CMMI Process Improvement, you must understand how to align those roles with the default groups that are already assigned to the project. As an alternative, you can create groups that associate directly with each of those roles, and you can assign those groups the permissions that are appropriate to the role.
Default Groups and Permissions
Whenever you create a project in Team Foundation Server, groups are created at the project level. By default, each of those groups has certain permissions assigned to them. You can add permissions to these default groups, in addition to any groups or users whom you want to add at the server, collection, or project level.
Server-Level Groups and Permissions
By default, the following groups exist at the server level when you install Team Foundation Server:
Server**\Team Foundation Administrators** Members of this group can perform all operations for Team Foundation Server. This group should be restricted to the smallest possible number of users who need total administrative control over Team Foundation Server. By default, this group contains the Local Administrators group (BUILTIN\Administrators) for any server that hosts the application services for Team Foundation. This group also contains the members of the Server**\Service Accounts** group.
Server**\Team Foundation Valid Users** Members of this group have access to Team Foundation Server. This group automatically contains all users and groups that have been added anywhere within Team Foundation Server. You cannot modify the membership of this group.
Important
If you unset or set the View instance-level information permission to Deny for this group, no users will be able to access the deployment.
Server**\Service Accounts** Members of this group have service-level permissions for Team Foundation Server. By default, this group contains the service account that was supplied during installation. This group should contain only service accounts and not user accounts or groups that contain user accounts. By default, this group is a member of Team Foundation Administrators.
Server**\Work Item Only View Users **Members of this group are restricted from using the full range of features that are provided when users view projects and collections in Team Web Access. Membership in this group is appropriate for those users who do not have a client access license for your deployment of Team Foundation Server.
Server**\SharePoint Web Application Services** Members of this group have service-level permissions for the SharePoint Web applications that are configured for use with Team Foundation Server, in addition to some service-level permissions for Team Foundation Server. This group should contain only service accounts and not user accounts or groups that contain user accounts. Unlike the Service Accounts group, this group is not a member of Team Foundation Administrators.
By default, these groups have the permissions in the following table. Unless otherwise stated, the permission is set to Allow. For a full description of each permission, see Team Foundation Server Permissions.
Permission Name |
By default, set for: |
Consider adding to: |
|---|---|---|
Administer warehouse |
Team Foundation Administrators Team Foundation Service Accounts |
Manually added users or groups who might or must change warehouse settings through the WarehouseController.asmx Web service ChangeSetting Web method. |
Create team project collection |
Team Foundation Administrators Team Foundation Service Accounts |
Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
Delete team project collection |
Team Foundation Administrators Team Foundation Service Accounts |
Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
Edit instance-level information |
Team Foundation Administrators Team Foundation Service Accounts |
Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
Make requests on behalf of others |
Team Foundation Service Accounts SharePoint Web Application Services |
This permission should be assigned only to service accounts and groups that contain only service accounts. |
Trigger Events |
Team Foundation Administrators Team Foundation Service Accounts |
Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
Use full Web Access features |
Team Foundation Administrators Team Foundation Valid Users Work Item Only View Users (DENY) |
Users and groups who must utilize the full range of features that are available in Team Web Access. If you want to restrict users to a read-only view in Team Web Access, set this permission to Deny, or add the users to the Work Item Only View Users group at the server level. |
View instance-level information |
Team Foundation Administrators Team Foundation Service Accounts SharePoint Web Application Services Team Foundation Valid Users |
All users or groups who interact with Team Foundation Server. |
Collection-Level Groups and Permissions
By default, the following groups exist at the collection level when you install Team Foundation Server:
TeamProjectCollectionName**\Project Collection Administrators** Members of this group can perform all operations for the team project collection. This group should be restricted to the smallest possible number of users who need total administrative control over the collection. By default, this group contains the Local Administrators group (BUILTIN\Administrators) for the server where the application-tier services for Team Foundation have been installed. This group also contains the members of the TeamProjectCollectionName**\Service Accounts** group.
TeamProjectCollectionName**\Project Collection Valid Users** Members of this group have access to the team project collection in Team Foundation Server. This group automatically contains all users and groups that have been added anywhere within the team project collection. You cannot modify the membership of this group.
Important
Do not unset or set the View collection-level information permission to Deny for this group.
TeamProjectCollectionName**\Project Collection Service Accounts** Members of this group have service-level permissions for the collection and for Team Foundation Server. By default, this group contains the service account that was supplied during installation. This group should contain only service accounts and groups that contain only service accounts. By default, this group is a member of Team Foundation Administrators and Team Foundation Service Accounts.
TeamProjectCollectionName**\Project Collection Build Service Accounts** Members of this group have build service permissions for the collection. This group should contain only service accounts and groups that contain only service accounts.
TeamProjectCollectionName**\ Collection Proxy Service Accounts** Members of this group have proxy service permissions for the collection. This group should contain only service accounts and groups that contain only service accounts.
TeamProjectCollectionName**\Project Collection Test Service Accounts** Members of this group have test service permissions for the collection. This group should contain only service accounts and groups that contain only service accounts.
By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.
Permission Name |
By default, set for: |
Consider adding to: |
|---|---|---|
Administer shelved changes |
Project Collection Administrators Project Collection Service Accounts Project Collection Build Service Accounts |
Manually added users or groups who might or must delete shelvesets created by other users. |
Administer workspaces |
Project Collection Administrators Project Collection Service Accounts |
Manually added users or groups who might or must create workspaces for other users and delete workspaces created by other users. |
Alter trace settings |
Project Collection Administrators |
Other server administrators who might or must change the trace settings for gathering more detailed diagnostic information about Web services for Team Foundation Server. |
Create a workspace |
Project Collection Administrators Project Collection Service Accounts Project Collection Valid Users |
None. All users have this permission as part of being members of the Project Collection Valid Users group. |
Create new projects |
Project Collection Administrators |
Project administrators who will regularly create projects. |
Delete team project |
Project Collection Administrators |
Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
Delete team project collection |
Project Collection Administrators |
Users or groups who are responsible for managing the overall health and resource availability for the deployment. |
Edit collection-level information |
Project Collection Administrators Project Collection Service Accounts |
None. |
Make requests on behalf of others |
Project Collection Administrators Project Collection Service Accounts SharePoint Web Application Services |
None. |
Manage build resources |
Project Collection Administrators Project Collection Build Administrators Project Collection Build Service Accounts Project Administrators Builders |
Manually added users or groups who might or must administer and schedule builds on the build resources in the collection. |
Manage process template |
Project Collection Administrators |
Project administrators and any manually added users or groups, such as process specialists, who might or must create, edit, download, and upload process templates to Team Foundation Server. |
Manage test controllers |
Project Collection Administrators Project Collection Test Service Accounts |
None. |
Manage work item link types |
Project Collection Administrators |
None. |
Trigger Events |
Project Collection Administrators Project Collection Service Accounts |
None. Adding this permission to other users has the potential to allow denial-of-service attacks. |
Use build resources |
Project Collection Administrators Project Collection Build Service Accounts |
Manually added users or groups who might or must queue new builds or browse completed builds in the collection. |
View build resources |
Project Collection Administrators Project Collection Build Administrators Project Collection Build Service Accounts Project Collection Valid Users |
None. |
View collection-level information |
Project Collection Administrators Project Collection Build Administrators Project Collection Build Service Accounts Project Collection Service Accounts Project Collection Test Service Accounts Project Collection Valid Users SharePoint Web Application Services Collection Proxy Service Accounts |
None. |
View system synchronization information |
Project Collection Administrators |
None. |
Project-Level Groups and Permissions
By default, the following groups exist at the project level:
ProjectName**\Project Administrators** Members of this group can administer all aspects of the team project, although they cannot create projects.
ProjectName**\Contributors** Members of this group can contribute to the project in multiple ways, such as adding, modifying, and deleting code and creating and modifying work items.
ProjectName**\Readers** Members of this group can view the project but not modify it.
ProjectName**\Builders** Members of this group have build permissions for the project. Members can manage test environments, create test runs, and manage builds.
Besides these project-level groups, two collection-level groups also appear in every project in Team Foundation Server:
TeamProjectCollectionName**\Project Collection Administrators**
Note
You cannot change the permissions for this collection-level group.
TeamProjectCollectionName**\Project Collection Build Service Accounts**
Important
Do not remove or set the View project-level information permission to Deny for this group.
By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.
Note
You can add project-level groups to server-level groups by using the TFSSecurity command-line tool.
Permission Name |
By default, set for: |
Consider adding to: |
|---|---|---|
Create test runs |
Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts |
None. |
Delete team project |
Project Administrators, Project Collection Administrators |
None. |
Delete test runs |
Project Administrators, Team Foundation Administrators |
Manually added users or groups that might or must terminate test runs that are in progress or delete old test runs. |
Edit project-level information |
Project Administrators, Project Collection Administrators |
None. |
Manage test configurations |
Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts |
None. |
Manage test environments |
Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts |
None. |
View project-level information |
Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts |
All manually added users or groups that require access to this project. |
View test runs |
Project Administrators, Contributors, Readers, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
All manually added users or groups that require access to this project. |
Area-Level Groups and Permissions
By default, the following groups exist at the area level:
ProjectName**\Project Administrators**
ProjectName**\Contributors**
ProjectName**\Readers**
ProjectName**\Builders**
TeamProjectCollectionName**\Project Collection Administrators**
TeamProjectCollectionName**\Project Collection Build Service Accounts**
By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.
Permission Name |
By default, set for: |
Consider adding to: |
|---|---|---|
Create and order child nodes |
Project Administrators, Project Collection Administrators |
None. |
Delete this node |
Project Administrators, Project Collection Administrators |
Any manually added users or groups that might or must delete area nodes. |
Edit this node |
Project Administrators, Project Collection Administrators |
Any manually added users or groups that might or must rename area nodes. |
Edit work items in this node |
Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Build Service Accounts |
Any manually added users or groups that might or must edit work items in this area node. |
View this node |
Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts |
Any manually added users or groups that might require access to work items in this area node. |
View work items in this node |
Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Build Service Accounts, Project Collection Test Service Accounts |
Any manually added users or groups that might or must view, but not edit or change, work items in this area node. |
Iteration-Level Groups and Permissions
By default, the following groups exist at the iteration level:
ProjectName**\Project Administrators**
TeamProjectCollectionName**\Project Collection Administrators**
By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.
Permission Name |
By default, set for: |
Consider adding to: |
|---|---|---|
Create and order child nodes |
Project Administrators, Project Collection Administrators |
None. |
Delete this node |
Project Administrators, Project Collection Administrators |
Any manually added users or groups that might or must delete iteration nodes. |
Edit this node |
Project Administrators, Project Collection Administrators |
Any manually added users or groups that might or must rename iteration nodes. |
View this node |
Project Administrators, Project Collection Administrators |
Any manually added users or groups that might or must view iteration nodes. |
Version Control Groups and Permissions
By default, the following groups exist at the version-control level:
ProjectName**\Project Administrators**
ProjectName**\Contributors**
ProjectName**\Readers**
ProjectName**\Builders**
TeamProjectCollectionName**\Project Collection Administrators**
TeamProjectCollectionName**\Project Collection Service Accounts**
TeamProjectCollectionName**\Project Collection Build Service Accounts**
By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.
Permission Name |
By default, set for: |
Consider adding to: |
|---|---|---|
Read |
Project Administrators, Contributors, Readers, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts |
Most manually added users or groups; any that might or must read the contents of a file or folder. |
Check Out |
Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts |
Any manually added users or groups who might or must check out or make a pending change to items in a folder. |
Check In |
Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts |
Any manually added users or groups that might or must check in items or revise any committed changeset comments. |
Label |
Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts |
Any manually added users or groups that might or must label items. |
Lock |
Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts |
Any manually added users or groups that might or must lock or unlock folders or files. |
Revise other user's changes |
Project Administrators, Project Collection Administrators, Project Collection Service Accounts |
Manually added users or groups that are responsible for supervising or monitoring the project that might or must change the comments on checked-in files, even if another user checked in the file. |
Unlock other user's changes |
Project Administrators, Project Collection Administrators, Project Collection Service Accounts |
Manually added users or groups that might or must unlock files locked by other users. |
Undo other user's changes |
Project Administrators, Project Collection Administrators, Project Collection Service Accounts |
Manually added users or groups that might or must undo a pending change made by another user. |
Administer labels |
Project Administrators, Project Collection Administrators, Project Collection Service Accounts |
Manually added users or groups that might or must edit or delete labels created by another user. |
Manage permissions |
Project Administrators, Project Collection Administrators, Project Collection Service Accounts |
None. |
Check In Other User's Changes |
Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts |
None. |
Merge |
Project Administrators, Contributors, Builders, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts |
Manually added users or groups that might or must merge source files. |
Manage branch |
Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Project Collection Build Service Accounts |
Manually added users or groups that might or must create private branches. |
Build-Level Permissions
By default, the following groups exist at the build level:
ProjectName**\Project Administrators**
ProjectName**\Contributors**
ProjectName**\Readers**
ProjectName**\Builders**
TeamProjectCollectionName**\Project Collection Administrators**
TeamProjectCollectionName**\Project Collection Build Service Accounts**
By default, these groups have the permissions in the following table. For a full description of each permission, see Team Foundation Server Permissions.
Permission Name |
By default, set for: |
Consider adding to: |
|---|---|---|
View builds |
Project Administrators, Contributors, Readers, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
Most manually added users or groups; any that might or must view builds. |
Edit build quality |
Project Administrators, Contributors, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
Retain indefinitely |
Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
Delete builds |
Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
Manage build qualities |
Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
Destroy builds |
Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
Update build information |
Project Collection Build Service Accounts |
|
Queue build |
Project Administrators, Contributors, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
Manage build queue |
Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
Stop builds |
Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
View build definition |
Project Administrators, Contributors, Readers, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
Most manually added users or groups; any that might or must view build definitions. |
Edit build definition |
Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
Delete build definition |
Project Administrators, Builders, Project Collection Build Service Accounts, Project Collection Administrators |
|
Override check-in validation by build |
Project Collection Build Service Accounts, Project Collection Administrators |
Lab Management Groups and Permissions
By default, the following groups exist at the lab management level:
ProjectName**\Project Administrators**
ProjectName**\Contributors**
ProjectName**\Readers**
TeamProjectCollectionName**\Project Collection Administrators**
TeamProjectCollectionName\Project Collection Build Service accounts
Server**\Team Foundation Administrators**
By default, these groups have the permissions in the following table. In addition, the creator of an object in Lab Management is automatically granted all permissions on that object. For a full description of each permission, see Team Foundation Server Permissions.
Permission Name |
By default, set for: |
Consider adding to: |
View Lab Resources |
Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Readers, Project Collection Build Service accounts |
|
Manage Lab Locations |
Team Foundation Administrators, Project Collection Administrators, Project Administrators (limited to only project-level locations, that is, project host group and project library share) |
|
Delete Lab Locations |
Team Foundation Administrators, Project Collection Administrators Project Administrators (limited to project-level locations such as project host groups and project library shares) |
|
Write Environment and Virtual Machine |
Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts |
|
Edit Environment and Virtual Machine |
Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts |
|
Delete Environment and Virtual Machine |
Team Foundation Administrators, Project Collection Administrators, Project Administrators |
|
Import Virtual Machine |
Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors |
|
Environment Operations |
Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts |
|
Manage Permissions |
Team Foundation Administrators, Project Collection Administrators |
|
Manage Child Permissions |
Team Foundation Administrators, Project Collection Administrators, Project Administrators (limited to only project level locations, that is, project host group and project library share) |
|
Start |
Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts |
|
Stop |
Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts |
|
Pause |
Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts |
|
Manage snapshots |
Team Foundation Administrators, Project Collection Administrators, Project Administrators, Contributors, Project Collection Build Service accounts |
See Also
Tasks
Set Administrator Permissions for Team Foundation Server
Create a Collection-Level Group
Change Permissions for a Group or User
Concepts
Adding and Removing Users To and From Groups
Team Foundation Server Permissions