Configuring Users, Groups, and Permissions
Team Foundation security is based on users and groups. You can use the default groups in Visual Studio Team Foundation Server to manage users and groups as part of implementing a security model for your organization. Default groups exist at the server level, at the collection level, and at the project level. You can also create custom groups at any of these levels with specific permissions to better fit your security model. Using a group-based security model enables users to access the data that they require without requiring the granting of specific permissions to each user account. This strategy helps protect confidential information while reducing the administrative overhead of managing user access to the deployment.
For each role in your business, you must determine what group memberships users require to accomplish their tasks. Team Foundation Server, SharePoint Products, and SQL Server Reporting Services all maintain their own information about groups, users, and permissions. You must carefully plan how you want to manage users and permissions. This planning applies not only across individual projects in Team Foundation Server but also across Team Foundation Server itself, the Windows operating system, and if configured for your deployment, SharePoint Products and SQL Server Reporting Services. Within Team Foundation Server, you can allow or deny permissions at many levels, such as for work items, access to version control, access to a project or project collection, and access to Team Foundation Server itself.
In specific cases, you might want to add a user directly to a team project or team project collection, instead of adding the user to a group at the project level or collection level. In that case, you must grant permissions directly to the user account for that user.
Add users or groups of users: You can quickly add users to team projects, team project collections, or Team Foundation Server itself by adding them to the appropriate default groups for their roles.
Change or modify default groups: You can change the membership of default groups. You can also modify the default permissions that are granted to some of these groups to better meet your security needs.
Create custom groups: You can create groups for team projects, team project collections, and for Team Foundation Server with specific permissions to better meet the security requirements of your organization.
Add users directly to team projects or team project collections: You can add a user account directly to a project or collection instead of adding them to a group within that project or collection.
Understand and manage permissions: You can review all individually configurable permissions within Team Foundation Server, learn what permissions are assigned by default, and view the permissions for specific groups or users.
Understand and manage dependencies in related components: If you have configured your deployment of Team Foundation Server with reporting or with a SharePoint Web application, you might need to add users and groups to SQL Server Reporting Services and SharePoint Products.
Understand service accounts and groups: In addition to managing permissions for your users, you must also manage the permissions that are required by the service accounts upon which Team Foundation Server depends.