Streamline TFS Permissions Management
Use a Windows User Group to manage permissions across the Team Project, the project's SharePoint Portal, and its SQL Server Reporting Services site.
by Benjamin Day and Richard Hale Shaw
July 24, 2006
Team Foundation Server (TFS), like other server applications, requires that you grant specific permissions to new users (such as new Team Project users). Unfortunately, with TFS, this means granting permissions for the Team Project itself, the project's SharePoint Portal, and its SQL Server Reporting Services site. Plus, TFS doesn't give you a unified, easy way to do it.
A good way to handle this problem is to use a Windows User Group to manage permissions across all three pieces at once. Instead of granting permissions directly to each user, you assign permissions to the Group; then you can grant access to the project simply by adding the new user to the Group.
Create the Windows User Group on your domain or on your TFS machine (call it "TFS Users"), and take these steps to grant permissions to the Group. First open Visual Studio and connect to TFS using Team Explorer.
Add the Group to your Team Project:
- Right-click on your Team Project. Select Team Foundation Server Settings and then Group Membership. You should now see the Project Groups dialog (see Figure 1).
- Select the Contributors group and click on the Properties button to edit the members of this group.
- Select the Windows User or Group radio button and click on Add. Use the Windows dialogs to select "TFS Users." When you're finished choosing the group, you should see it appear on the Members tab (see Figure 2). Click on OK to exit this dialog.
The group now has permissions to access the project though Team Explorer.
Next, set up permissions for the Group in the Team Project's SharePoint site.
- On the Team Project's Project Groups dialog, click on the Windows SharePoint Services Site Administration link.
- When the SharePoint Top-level Site Administration page appears, click on the Manage Users link.
- From the Manage Users page, click on the Add Users button. On the Add Users screen, type the fully qualified name of the Group in the Users box (for example, "Domain Name\TFS Users"). Under Choose Site Groups, select Reader (see Figure 3).
- Click on Next and then Finish to save these permissions.
Finally, assign permissions for the Group in the Team Project's SQL Server Reporting Services site:
- From the Team Project's Project Groups dialog, click on the SQL Server Reporting Services link to get to the SQL Server Reporting Services administrator (see Figure 4).
- Click on your project name, then select the Properties tab, and then click on the Security link in the left bar to navigate to the security editor for your project (see Figure 5).
- Click on the Edit Item Security button. You'll get a message box asking if you want to override settings from the parent item. Click on OK.
- Click on the New Role Assignment button. Type the fully qualified name of the TFS Users group into the "Group or user name" box, then check the Browser and Report Builder checkboxes. The Browser role lets you view a TFS report and the Report Builder role lets you modify the report definition and the report parameters (see Figure 6).
- Click on OK to save these permissions.
You've just set up centralized permissions administration for TFS. Now all you have to do is start adding users to the Group. Note: You might notice a delay of a few minutes between when you add a user to the Group and when the user becomes available in a work item's "Assigned to" list. Updating this list is one of the operations that TFS does on a schedule. If you're feeling impatient, you can force this list to refresh by recycling the IIS process on the TFS machine.
About the Authors
Benjamin Day is an independent consultant specializing in the design and development of Web and Windows applications using Microsoft .NET technologies. Ben also provides consulting and training on Visual Studio Team System and Team Foundation Server through The Richard Hale Shaw Group. He is a Microsoft MVP for C#, speaker at VSLive! and other conferences, and the leader of the Beantown.NET INETA User Group in Boston. When not developing software, Ben plays piano with a Boston-based jazz trio and is an enthusiastic restaurant, food, beer, and wine buff. Contact him through www.benday.com.
Richard Hale Shaw is the founder of The Richard Hale Shaw Group, which has consulted and trained software developers since 1993. He's created and chaired numerous technical conferences, including VSLive!. You can reach him at www.RichardHaleShawGroup.com.
Back to top