Summary
This preliminary technical article describes how to set up permissions for the security scenarios supported by Visual Studio Team System Beta 2.
Applies To
Visual Studio Team System Beta 2
Important This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only (“AS-IS”) and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Introduction
This technical article describes how to set up permissions for the security scenarios supported by Visual Studio Team System Beta 2. Required permissions for the following roles are described below:
- Team Foundation Server Administrator Can install and maintain a Team Foundation Server, as well as administer permissions and security for other roles. Can also customize process guidance.
- Team Project Lead Can create and maintain a team project work item database and web site. Can administer permissions and security for the team project.
- Team Project Contributor Can access, read, and write work items, Web site, and process guidance for a team project.
Caution The TFS Everyone group should never be modified directly. When setting permissions in Team Foundation Server, do not modify the membership or permissions of the TFS Everyone group. Doing so might cause significant problems with user permissions and Team Foundation Server operations. If you have modified the TFS Everyone group, be sure to undo your changes.
The following table summarizes the permissions required for each role. The following sections describe how to set these permissions in detail.
Role Needs to be a Member of: |
Team Foundation Server Administrator Role |
Team Project Manager Role |
Team Project Contributor Role |
Application Tier and Data Tier Computer Groups |
Windows Administrators |
n/a |
n/a |
Team Foundation Server Groups |
Namespace Administrators |
Project Administrators |
Contributors |
Windows SharePoint Services Groups |
Site Administrator |
Project-level Administrator |
Project-level Contributors |
Reporting Services Groups |
Content Manager, Site Administrator |
Project-level Content Manager |
Project-level Browser |
Setting Role Permissions
Team Foundation Server Administrator
The people on your team who are acting as the Team Foundation Server administrators need the following permissions. For most organizations using Visual Studio Team System Beta 2, this same individual will be responsible for creating projects, managing projects, and customizing process guidance. A Team Foundation Server administrator needs to be a member of the following groups:
-
Administrators on both the application and the data tier servers.
-
Team Foundation Server Administrators.
-
Windows SharePoint Services Administrators.
-
SQL Server Reporting Services Content Manager
-
SQL Server Reporting Services System Administrator.
To add a member to the Administrators group
-
On the application tier computer, click Start, click Administrative Tools, and click Computer Management.
-
In the navigation pane, click Local Users and Groups, and then click Groups.
-
Right-click Administrators, and click Add.
-
Add the alias for the person for whom you want to grant permissions.
-
Click OK.
-
Repeat all steps on the data tier computer.
To add a member to the Team Foundation Administrators group
-
In Visual Studio, open Team Explorer, and connect to the Team Foundation Server for which you are setting permissions.
-
Right-click the Team Foundation Server, point to Team Foundation Server Settings, and then click Groups.
-
Select Global\Team Foundation Administrators and click Properties.
-
In Add member, select Windows User or Group and click Add.
-
Add the alias for the person to group for whom you want to grant permissions.
-
Click OK.
To add a member to the Windows SharePoint Services Administrator group for the top-level site
-
Open Internet Explorer.
-
Enter the server name of the application tier server to go to the top-level Windows SharePoint Services site.
-
Click Site Settings, click Go to Site Administration, and then click Manage Users.
-
Click Add Users.
-
In Step 1: Choose Users, add the alias for the person to whom you want to grant site-wide administration permissions.
-
In Step 2: Choose Site Groups, select Administrator.
-
Click Next.
-
In Step 3: Confirm Users, add the e-mail address of the user.
-
In Step 4: Send E-Mail, choose whether to automatically send the user an e-mail.
-
Click Finish.
To add a member to the Reporting Services Content Manager and System Administrator roles
-
Open Internet Explorer.
-
Type the following in the Address bar:
http://data-tier/Reports/Pages/Folder.aspxwhere data-tier is the name of the Team Foundation Server data tier report server. You can find the name of the report server by opening Team Explorer, expanding the Reports node, and viewing the properties of a report.
-
Click the Properties tab, and click New Role Assignment.
-
In Group or User Name, add the alias for the person to whom you want to grant Content Manager permissions.
-
In Role, select Content Manager, and then click OK.
-
Click Site Settings, and then click Configure site wide security.
-
Click New Role Assignment.
-
In Group or User Name, add the alias for the person to whom you want to grant System Administrator permissions.
-
In Role, select System Administrator.
-
Click OK.
Team Project Lead
The person who creates a new team project is automatically granted project management rights. In some cases, a backup project manager might need to be added. A team project lead needs to be a member of the following groups:
-
Team Foundation Server Project Administrators.
-
Windows SharePoint Services Administrators.
-
SQL Server Reporting Services Content Manager
To add a member to the Project Administrators group
-
In Visual Studio, open Team Explorer and connect to a Team Foundation Server.
-
Right-click the team project node, point to Team Project Settings, and then click Groups.
-
Select Project_Name\Project Administrators, and click Properties.
-
In Add member, select Windows User or Group, and click Add.
-
Add the alias for the person to group for whom you want to grant permissions.
-
Click OK.
To add a member to the Windows SharePoint Services Administrator group for the project site
-
In Visual Studio, open Team Explorer and connect to a Team Foundation Server.
-
Right-click the team project node, and click Show Project Portal.
-
Click Site Settings, click Go to Site Administration, and then click Manage Users.
-
Click Add Users.
-
In Step 1: Choose Users, add the alias for the person to whom you want to grant site-wide administration permissions.
-
In Step 2: Choose Site Groups, select Administrator.
-
Click Next.
-
In Step 3: Confirm Users, add the e-mail address of the user.
-
In Step 4: Send E-Mail, choose whether to automatically send the user an e-mail.
-
Click Finish.
To add a member to the Reporting Services Content Manager role
-
Open Internet Explorer.
-
Type the following in the Address bar:
http://data-tier/Reports/Pages/Folder.aspxwhere data-tier is the name of the Team Foundation Server data tier report server. You can find the name of the report server by opening Team Explorer, expanding the Reports node, and viewing the properties of a report.
-
Click the Properties tab, and click New Role Assignment.
-
In Group or User Name, add the alias for the person to whom you want to grant Content Manager permissions.
-
In Role, select Content Manager, and then click OK.
Team Project Contributor
The user who creates a new team project is automatically added as a project contributor. If you want to grant access to other users, you need to add them as project contributors. A team project contributor needs to be a member of the following groups:
-
Team Foundation Server Project Contributor.
-
Windows SharePoint Services Contributor.
-
SQL Server Reporting Services Browser.
To add a member to the Contributor group
-
In Visual Studio, open Team Explorer and connect to a Team Foundation Server.
-
Right-click the team project node, point to Team Project Settings, and then click Groups.
-
Select Project_Name\Contributor, and click Properties.
-
In Add member, select Windows User or Group, and click Add.
-
Add the alias for the person to group for whom you want to grant permissions.
-
Click OK.
To add a member to the Windows SharePoint Services Contributor group
-
Start Visual Studio and in Team Explorer, connect to a Team Foundation Server.
-
Right-click the team project node, and click Show Project Portal.
-
Click Site Settings, and then click Manage Users.
-
Click Add Users.
-
In Step 1: Choose Users, add the alias for the person to whom you want to grant site-wide administration permissions.
-
In Step 2: Choose Site Groups, select Contributor.
-
Click Next.
-
In Step 3: Confirm Users, add the e-mail address of the user.
-
In Step 4: Send E-Mail, choose whether to automatically send the user an e-mail.
-
Click Finish.
To add a member to the Reporting Services Browser group
-
Open Internet Explorer.
-
Type the following in the Address bar:
http://data-tier/Reports/Pages/Folder.aspxwhere data-tier is the name of the Team Foundation Server data tier report server. You can find the name of the report server by opening Team Explorer, expanding the Reports node, and viewing the properties of a report.
-
Click the Properties tab, and click New Role Assignment.
-
In Group or User Name, add the alias for the person to whom you want to grant Browser permissions.
-
In Role, select Browser, and then click OK.
Conclusion
For security purposes, grant team members the lowest permission role required for them to achieve their project goals.
0 comments