May 27th, 2005

Setting Permissions in Team Foundation

Summary

This preliminary technical article describes how to set up permissions for the security scenarios supported by Visual Studio Team System Beta 2.

Applies To

Visual Studio Team System Beta 2

Important   This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release.  This document is provided for informational purposes only (“AS-IS”) and Microsoft makes no warranties, either express or implied, in this document.  Information in this document, including URL and other Internet Web site references, is subject to change without notice.  The entire risk of the use or the results from the use of this document remains with the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Introduction

This technical article describes how to set up permissions for the security scenarios supported by Visual Studio Team System Beta 2. Required permissions for the following roles are described below:

  • Team Foundation Server Administrator   Can install and maintain a Team Foundation Server, as well as administer permissions and security for other roles. Can also customize process guidance.
  • Team Project Lead   Can create and maintain a team project work item database and web site. Can administer permissions and security for the team project.
  • Team Project Contributor   Can access, read, and write work items, Web site, and process guidance for a team project.

Caution   The TFS Everyone group should never be modified directly. When setting permissions in Team Foundation Server, do not modify the membership or permissions of the TFS Everyone group. Doing so might cause significant problems with user permissions and Team Foundation Server operations. If you have modified the TFS Everyone group, be sure to undo your changes.

The following table summarizes the permissions required for each role. The following sections describe how to set these permissions in detail.

Role Needs to be a Member of:

Team Foundation Server Administrator Role

Team Project Manager Role

Team Project Contributor Role

Application Tier and Data Tier Computer Groups

Windows Administrators

n/a

n/a

Team Foundation Server Groups

Namespace Administrators

Project Administrators

Contributors

Windows SharePoint Services Groups

Site Administrator

Project-level Administrator

Project-level Contributors

Reporting Services Groups

Content Manager, Site Administrator

Project-level Content Manager

Project-level Browser

Setting Role Permissions

Team Foundation Server Administrator

The people on your team who are acting as the Team Foundation Server administrators need the following permissions. For most organizations using Visual Studio Team System Beta 2, this same individual will be responsible for creating projects, managing projects, and customizing process guidance. A Team Foundation Server administrator needs to be a member of the following groups:

  • Administrators on both the application and the data tier servers.

  • Team Foundation Server Administrators.

  • Windows SharePoint Services Administrators.

  • SQL Server Reporting Services Content Manager

  • SQL Server Reporting Services System Administrator.

To add a member to the Administrators group

  1. On the application tier computer, click Start, click Administrative Tools, and click Computer Management.

  2. In the navigation pane, click Local Users and Groups, and then click Groups.

  3. Right-click Administrators, and click Add.

  4. Add the alias for the person for whom you want to grant permissions.

  5. Click OK.

  6. Repeat all steps on the data tier computer.

To add a member to the Team Foundation Administrators group

  1. In Visual Studio, open Team Explorer, and connect to the Team Foundation Server for which you are setting permissions.

  2. Right-click the Team Foundation Server, point to Team Foundation Server Settings, and then click Groups.

  3. Select Global\Team Foundation Administrators and click Properties.

  4. In Add member, select Windows User or Group and click Add.

  5. Add the alias for the person to group for whom you want to grant permissions.

  6. Click OK.

To add a member to the Windows SharePoint Services Administrator group for the top-level site

  1. Open Internet Explorer.

  2. Enter the server name of the application tier server to go to the top-level Windows SharePoint Services site.

  3. Click Site Settings, click Go to Site Administration, and then click Manage Users.

  4. Click Add Users.

  5. In Step 1: Choose Users, add the alias for the person to whom you want to grant site-wide administration permissions.

  6. In Step 2: Choose Site Groups, select Administrator.

  7. Click Next.

  8. In Step 3: Confirm Users, add the e-mail address of the user.

  9. In Step 4: Send E-Mail, choose whether to automatically send the user an e-mail.

  10. Click Finish.

To add a member to the Reporting Services Content Manager and System Administrator roles

  1. Open Internet Explorer.

  2. Type the following in the Address bar:

http://data-tier/Reports/Pages/Folder.aspx

where data-tier is the name of the Team Foundation Server data tier report server. You can find the name of the report server by opening Team Explorer, expanding the Reports node, and viewing the properties of a report.

  1. Click the Properties tab, and click New Role Assignment.

  2. In Group or User Name, add the alias for the person to whom you want to grant Content Manager permissions.

  3. In Role, select Content Manager, and then click OK.

  4. Click Site Settings, and then click Configure site wide security.

  5. Click New Role Assignment.

  6. In Group or User Name, add the alias for the person to whom you want to grant System Administrator permissions.

  7. In Role, select System Administrator.

  8. Click OK.

Team Project Lead

The person who creates a new team project is automatically granted project management rights.  In some cases, a backup project manager might need to be added. A team project lead needs to be a member of the following groups:

  • Team Foundation Server Project Administrators.

  • Windows SharePoint Services Administrators.

  • SQL Server Reporting Services Content Manager

To add a member to the Project Administrators group

  1. In Visual Studio, open Team Explorer and connect to a Team Foundation Server.

  2. Right-click the team project node, point to Team Project Settings, and then click Groups.

  3. Select Project_Name\Project Administrators, and click Properties.

  4. In Add member, select Windows User or Group, and click Add.

  5. Add the alias for the person to group for whom you want to grant permissions.

  6. Click OK.

To add a member to the Windows SharePoint Services Administrator group for the project site

  1. In Visual Studio, open Team Explorer and connect to a Team Foundation Server.

  2. Right-click the team project node, and click Show Project Portal.

  3. Click Site Settings, click Go to Site Administration, and then click Manage Users.

  4. Click Add Users.

  5. In Step 1: Choose Users, add the alias for the person to whom you want to grant site-wide administration permissions.

  6. In Step 2: Choose Site Groups, select Administrator.

  7. Click Next.

  8. In Step 3: Confirm Users, add the e-mail address of the user.

  9. In Step 4: Send E-Mail, choose whether to automatically send the user an e-mail.

  10. Click Finish.

To add a member to the Reporting Services Content Manager role

  1. Open Internet Explorer.

  2. Type the following in the Address bar:

http://data-tier/Reports/Pages/Folder.aspx

where data-tier is the name of the Team Foundation Server data tier report server. You can find the name of the report server by opening Team Explorer, expanding the Reports node, and viewing the properties of a report.

  1. Click the Properties tab, and click New Role Assignment.

  2. In Group or User Name, add the alias for the person to whom you want to grant Content Manager permissions.

  3. In Role, select Content Manager, and then click OK.

Team Project Contributor

The user who creates a new team project is automatically added as a project contributor.  If you want to grant access to other users, you need to add them as project contributors. A team project contributor needs to be a member of the following groups:

  • Team Foundation Server Project Contributor.

  • Windows SharePoint Services Contributor.

  • SQL Server Reporting Services Browser.

To add a member to the Contributor group

  1. In Visual Studio, open Team Explorer and connect to a Team Foundation Server.

  2. Right-click the team project node, point to Team Project Settings, and then click Groups.

  3. Select Project_Name\Contributor, and click Properties.

  4. In Add member, select Windows User or Group, and click Add.

  5. Add the alias for the person to group for whom you want to grant permissions.

  6. Click OK.

To add a member to the Windows SharePoint Services Contributor group

  1. Start Visual Studio and in Team Explorer, connect to a Team Foundation Server.

  2. Right-click the team project node, and click Show Project Portal.

  3. Click Site Settings, and then click Manage Users.

  4. Click Add Users.

  5. In Step 1: Choose Users, add the alias for the person to whom you want to grant site-wide administration permissions.

  6. In Step 2: Choose Site Groups, select Contributor.

  7. Click Next.

  8. In Step 3: Confirm Users, add the e-mail address of the user.

  9. In Step 4: Send E-Mail, choose whether to automatically send the user an e-mail.

  10. Click Finish.

To add a member to the Reporting Services Browser group

  1. Open Internet Explorer.

  2. Type the following in the Address bar:

http://data-tier/Reports/Pages/Folder.aspx

where data-tier is the name of the Team Foundation Server data tier report server. You can find the name of the report server by opening Team Explorer, expanding the Reports node, and viewing the properties of a report.

  1. Click the Properties tab, and click New Role Assignment.

  2. In Group or User Name, add the alias for the person to whom you want to grant Browser permissions.

  3. In Role, select Browser, and then click OK.

Conclusion

For security purposes, grant team members the lowest permission role required for them to achieve their project goals.

Category
DevOps

Author

0 comments

Discussion are closed.