0202 Microsoft Team System Roles And Security

  • December 2019

YES: Implicit Allow

NO

Contributor

Team Project Administrator

YES

Team Project Permission Area?

Reader

Permission Name

Administer shelved changes

Administer warehouse

NO

TFS Administration Tool (widget) is an excellent tool to configure default TFS security profiles!

ALLOW

+

DENY

Project-Level Groups & Permissions

YES: Implicit Allow

Effective TFS user profile and permissions

Any DENY?

Build-Level Permissions NO

ALLOW?

YES

TFSSecurity Utility

NO

YES

✓ ALLOW

✗ DENY

Used to create, modify, and delete Team Foundation Server groups and users as well as permissions for users and groups. The command-line utility is located in :\Program Files\Microsoft Visual Studio 9.0 Team Foundation Server\Tools on the Team Foundation Server application tier and :\Program Files\Microsoft Visual Studio 9.0\Common7\IDE on the client, with Team Explorer installed.

Area-Level Groups & Permissions


How TFS evaluates effective permissions ...

Go to http://widgets.accentient.com for details on this and other administrative widgets for Team Foundation Server.

TF Command-line utility

Administer workspaces: AdminWorkspaces
Create a workspace: CreateWorkspace
Create new projects: CREATE_PROJECTS
Edit server-level information: GENERIC_WRITE, AdminConfiguration

Modifies the user access control list (ACL) and displays authorization settings for an item under version control. Note that the /global switch changes global VC settings. Use the Permission command of the tf command-line utility for source control to set the permissions.

tf permission [/allow:(* |perm1[,perm2,…])] [/deny:(* |perm1[,perm2,…])] [/remove:(* |perm1[,perm2,…])] [/inherit:yes|no] [/user:username1[,username2,…]] [/group:groupname1[,groupname2,…]] [/server:servername] [/recursive] itemspec [/global]

Example to display the ACL information that relates to the group "developers" for the teamserver2 Team Foundation Server:

tf permission /group:[teamproject]\developers /server:teamserver2

Example to display the Team Foundation access control lists (ACLs) for 314.cs:

tf permission 314.cs

V1.1 2008-07-17

Contributors:

  • Eugene Zakhareyev (MVP)
  • Willy-Peter Schaub (MVP)

References:

  • http://msdn.microsoft.com

Alter trace settings: DIAGNOSTIC_TRACE
Trigger Events: TRIGGER_EVENT
Manage process template: MANAGE_TEMPLATE
View server-level information: GENERIC_READ
View system synchronization information: SYNCHRONIZE_READ

Delete this project: DELETE
Edit project-level information: GENERIC_WRITE
Publish test results: PUBLISH_TEST_RESULTS
View project-level information: GENERIC_READ

Administer a build: ADMINISTER_BUILD
Edit build quality: EDIT_BUILD_STATUS
Start a build: START_BUILD
Write to build operational store: UPDATE_BUILD

Create and order child nodes: CREATE_CHILDREN
Delete this node: DELETE
Edit this node: GENERIC_WRITE
Edit work items in this node: WORK_ITEM_WRITE
View this node: GENERIC_READ
View work items in this node: WORK_ITEM_READ

Create and order child nodes: CREATE_CHILDREN
Delete this node: DELETE
Edit this node: GENERIC_WRITE
View this node: GENERIC_READ


Example to display the identity information for the "TF Administrators" group:

tfssecurity /i "Team Foundation Administrators" /server:MyATServer

ADMINISTER_WAREHOUSE

AdminConnections

Evaluate effective TFS permissions

+

TF Command-line Utility

AdminShelvesets

Server-Level Groups & Permissions

NO

UNSET

TFSSecurity Utility

Build Services

Area

Service Accounts

Project Lead

TF Administrator

Readers

Administrator

Contributors

Gather TFS Security Evidence for User

Permission Groups

  • Administrators Team Foundation; SharePoint Administration SharePoint Central Administration; SQL Server Reporting Services Content Manager
  • Team Foundation Server Project Administrators; Windows SharePoint Services Site Administrators; SQL Server Reporting Services Content Manager
  • Team Foundation Project Contributor; Windows SharePoint Services Contributor; SQL Server Reporting Services Browser
  • Team Foundation Project Readers; Windows SharePoint Services Reader; SQL Server Reporting Services Browser

Project Administrator

Role

DEFAULT GROUPS & PERMISSIONS

TF Valid users

DEFAULT TFS SECURITY PROFILES

TF Administrators

DENY or ALLOW … who wins?
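
Added example (not part of the original poster or of Microsoft's tooling): a Python model of the "Any DENY?" then "ALLOW?" checks applied to a user's combined group memberships, using permission and group names from this page. The ACL data, the users and the "Contractors" group are constructed for illustration; treating UNSET as "not granted" is an assumption, and the poster's special-case branches such as the administrators' implicit allow are not modeled.

```python
# Added example: Deny-over-Allow evaluation across group memberships.
# Permission and default group names come from the poster; all data is constructed.
from enum import Enum

class Ace(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    UNSET = "UNSET"

# Constructed ACL for one version-control folder: group -> permission -> ACE.
SAMPLE_ACL = {
    "Readers":      {"Read": Ace.ALLOW},
    "Contributors": {"Read": Ace.ALLOW, "PendChange": Ace.ALLOW, "Checkin": Ace.ALLOW},
    "Contractors":  {"Checkin": Ace.DENY},   # hypothetical custom group
}

# Constructed membership: user -> groups (already expanded, as /imx would show).
SAMPLE_MEMBERSHIP = {
    "alice": ["Contributors"],
    "bob":   ["Contributors", "Contractors"],
    "carol": ["Readers"],
}

def gather_evidence(user, permission, acl, membership):
    """Collect every explicit ACE that reaches the user through any group."""
    evidence = {}
    for group in membership.get(user, []):
        ace = acl.get(group, {}).get(permission, Ace.UNSET)
        if ace is not Ace.UNSET:
            evidence[group] = ace
    return evidence

def effective(user, permission, acl=SAMPLE_ACL, membership=SAMPLE_MEMBERSHIP):
    """Apply 'Any DENY?' then 'ALLOW?'; return (result, groups that decided it)."""
    evidence = gather_evidence(user, permission, acl, membership)
    denies = sorted(g for g, a in evidence.items() if a is Ace.DENY)
    if denies:                      # one DENY wins over any number of ALLOWs
        return Ace.DENY, denies
    allows = sorted(g for g, a in evidence.items() if a is Ace.ALLOW)
    if allows:
        return Ace.ALLOW, allows
    return Ace.UNSET, []            # assumption: unset means the action is not granted

def audit(permission, acl=SAMPLE_ACL, membership=SAMPLE_MEMBERSHIP):
    """Map every user to the effective result for one permission."""
    return {u: effective(u, permission, acl, membership)[0].value
            for u in sorted(membership)}

if __name__ == "__main__":
    for perm in ("Read", "Checkin"):
        print(perm, audit(perm))
```

Returning the deciding groups alongside the result shows which membership to change when a user is unexpectedly denied.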

Commands

  • /i Display identity information (no membership).
  • /im Display identity information (direct membership only).
  • /imx Display identity information (expanded membership).
  • /g [scope] List application groups within a project scope. 'scope' is a project uniform resource identifier (URI); if 'scope' is omitted the global application groups are displayed.
  • /gcg [group description] Create a global application group.
  • /gc <scope> [group description] Create an application group within a project scope, which is a project uniform resource identifier (URI).
  • /gun Rename an application group.
  • /gud Change an application group's description.
  • /gd Delete an application group.
  • /g+ <member identity> Add a user or a group to an application group.
  • /g- <member identity> Remove a member from an application group.
  • /m [member identity] Check group membership. If 'member identity' is omitted the current user context is used. Both direct and expanded memberships are checked.
  • /a+ {ALLOW | DENY} Add an access control entry.
  • /a- {ALLOW | DENY} Remove an access control entry.
  • /acl Display an object's effective access control list.

http://msdn.microsoft.com/en-us/library/ms252587.aspx (Team Foundation Server Permissions)

Iteration-Level Groups & Permissions

Source-Control Groups & Permissions

Read: Read
Check out: PendChange
Check in: Checkin
Label: Label
Lock: Lock
Revise other user's changes: ReviseOther
Unlock other user's changes: UnlockOther
Undo other user's changes: UndoOther
Administer labels: LabelOther
Manipulate security settings: AdminProjRights
Check in other user's changes: CheckinOther


  • TFS Administrators: contains the Local Administrators group (BUILTIN\Administrators) for the server and the SERVER\Service Accounts group.
  • TF Valid Users: contains all users and groups that have been added anywhere within TFS. Cannot be modified.
  • Service Accounts: members of this group have service-level permissions for TFS. By default contains service accounts supplied during installation.

http://msdn.microsoft.com/en-us/library/ms253077.aspx (Team Foundation Server Default Groups, Permissions, and Roles)

http://msdn.microsoft.com/en-us/library/ms253094.aspx (Managing Permissions)

http://msdn.microsoft.com/en-us/library/ms253184.aspx (Team Foundation Server Security Concepts)

Team Foundation Server (TFS) – Roles and Security
