Share via


TFSSecurity Identity and Output Specifiers

The input and output for the TFSSecurity command-line utility follows a standard format. The tables later in this topic describe valid identity and output specifiers for this command. These specifiers apply to all of the TFSSecurity command-line utilities.

Note

Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function.

Note

The examples are for illustration only and are fictitious. No real association is intended or inferred.

Identity Specifiers

You can reference an identity by using one of the notations in the following table.

Identity specifier

Description

Example

sid:Sid.

References the identity that has the specified security identifier (SID).

sid:S-1-5-21-2127521184-1604012920-1887927527-588340

n:[Domain\]Name

References the identity that has the specified name. For Windows, Name is the account name. If the referenced identity is in a domain, the domain name is required. For application groups, Name is the group display name, and Domain is the URI or GUID of the containing project. In this context, if Domain is omitted, the scope is assumed to be at the collection level.

To reference the identity of the user "John Peoples" in the domain "Datum1" at the fictitious company "A. Datum Corporation:"

n:DATUM1\jpeoples

To reference application groups:

n:"Full-time Employees"

n:00a10d23-7d45-4439-981b-d3b3e0b0b1ee\Vendors

adm:[Scope]

References the administrative application group for the scope, such as "Team Foundation Administrators" for the server level or "Project Collection Administrators" at the collection level. The optional parameter Scope is a project URI or URL, including its GUID and connection string. If scope is omitted, the server or collection scope is assumed based on whether the /instance or /server parameter is used. In either case, the colon is still required.

adm:vstfs:///Classification/TeamProject/GUID

srv:

References the application group for service accounts.

Not applicable

all:

References all groups and identities.

Not applicable

String

References an unqualified string. If String starts with S-1-, it is identified as a SID. If String starts with CN= or LDAP:// it is identified as a distinguished name. Otherwise, String is identified as a name.

"Team testers"

Type Markers

Identity Type Markers

The following table lists identity type markers that are used in output messages.

Identity type marker

Description

U

Windows user.

G

Windows group.

A

Team Foundation Server (TFS) application group.

a [A]

Administrative application group.

s [A]

Service account application group.

X

Identity is not valid.

?

Identity is unknown.

Access Control Entry Markers

The following table lists access control entry markers that are used in output messages.

Access control entry marker

Description

+

ALLOW access control entry.

-

DENY access control entry.

* []

Inherited access control entry.

See Also

Other Resources

Changing Groups and Permissions with TFSSecurity