3

I was wondering whether I should post this here or not, but then I saw other similar posts on TFS here and they did not solve my problem so I decided to go ahead and post it.

I am trying to fix a TFS box set up by an ex colleague. I have not used TFS in any other capacity other than checking files in/out from it till date. For the purpose of this exercise I have created a simple WinForms project with only one form and a hello world alert on form load which I am attempting to check-in into TFS. We have gated check-in enabled and we also disallow users from bypassing build validations as it can be seen highlighted in the red box here below.

Gated check-in dialog

Now the problem is all gated check-in attempts fail with an error:

Access Denied: User 'myOrgDomain\user.name' needs Override check-in 
validation by build permission for the following build definition(s). DefnName

The message prompt I get saying it is a partial succeed:

Gated check-in partial success

When I open the build I see this:

TFS Build output

While I checked this online I found the solution was to allow users to Bypass validations by enabling the check box which is grayed out. I don't want this to be the case. Is there a way I can keep the bypass validation disabled and still have my gated check in work?

This has me completely stumped and I can't figure out what could have gone wrong. Any pointers on where to look in my logs to find out what is going wrong would also probably help. The logs do say that the build has succeeded without warnings or errors.

CJBS
user20358
  • It looks like you have a customized build template (I see metrics generation), could it be that the build definition was altered to not include the `***NO_CI***` comment when checking in? Does the service account that is running the build have permission to by-pass checkin validation? – jessehouwing Jun 07 '12 at 11:37
  • Yes, I have a customized build template. To not include the `***NO_CI***` comment?.. That comment used to be there when the build worked earlier with gated checkins. After this colleague left and when his account was disabled, I had to run TFS under my login. That is when the whole problem began. I have given myself all the privileges he had given himself; as far as I know. – user20358 Jun 07 '12 at 11:52
  • I think it is a problem with either the customized template or with your account. Can you try to do a gated checkin using a default template instead to see if that works? If so, you've essentially ruled out the permissions issue. If not, is your account a member of the 'Builders' group for your project? – jessehouwing Jun 07 '12 at 12:01
  • Default template gave the same problem. My account is a member of Builders group. I checked this by going into the TFS Admin console > Team Project collections > Group membership > Valid Users > [TestProject]Builders, and also under [TestProject]Administrators. In fact I have added my account under Project collection administrators as well... Still the same problem. – user20358 Jun 07 '12 at 12:28
  • In the build definition's permissions, do you have the deny override checkin validation by build specified? Or is it just blank? – jessehouwing Jun 07 '12 at 12:33
  • For [TestProject]Builders, [TestProject]Administrators & [TestProject]Contributors, I have Deny checked, for [TestProject]Readers I have it blank.. – user20358 Jun 07 '12 at 12:39

3 Answers

1

[TestProject]Builders, [TestProject]Administrators & [TestProject]Contributors, I have Deny checked, for [TestProject]Readers I have it blank..

Since deny overrules any grants and since almost every user is a member of the Readers or Contributors group you will run into trouble. Since users can only by-pass check-in validation when they have their permission explicitly granted, there is no need to set any deny rule.

So to solve your issue:

  • Remove the deny checks from these groups.
  • Set the 'Override Check-in validation' to allow for the accounts that should be able to by-pass your gated check-in build.

From the docs:

You can specify two explicit authorization settings for permissions in Team Foundation Server: Deny and Allow. There is also an implicit authorization that neither sets the permission to Allow nor sets the permission to Deny. This authorization is an implicit Deny setting that is referred to as Unset.

jessehouwing
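
The Deny/Allow/Unset rule quoted in this answer, worked through for the groups named in the thread. This is an added example, not code from the answer's author or from TFS: it is a simplified model of the quoted rule only, the account names `build-runner` and `developer` are constructed, and the Allow on Project Collection Administrators is an assumption.

```python
# Simplified model of the rule quoted from the docs above: explicit Deny beats
# Allow, and Unset is an implicit Deny. Not TFS's actual evaluation code.
from enum import Enum

class Ace(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    UNSET = "Unset"

def effective(groups, acl):
    """Return (granted, reason) for one identity, given its group memberships
    and the build definition's per-group setting for a single permission."""
    deny = sorted(g for g in groups if acl.get(g, Ace.UNSET) is Ace.DENY)
    allow = sorted(g for g in groups if acl.get(g, Ace.UNSET) is Ace.ALLOW)
    if deny:
        return False, "explicit Deny via " + ", ".join(deny)
    if allow:
        return True, "Allow via " + ", ".join(allow)
    return False, "Unset in every group (implicit Deny)"

# Group names as they appear in the thread; account names are constructed.
ADMINS, BUILDERS = "[TestProject]Administrators", "[TestProject]Builders"
CONTRIB, READERS = "[TestProject]Contributors", "[TestProject]Readers"
PCA = r"[DefaultCollection]\Project Collection Administrators"

MEMBERSHIPS = {
    "build-runner": [ADMINS, BUILDERS, PCA],  # account the build runs under
    "developer": [CONTRIB],                   # account checking in code
}

# Settings reported in the question's comments.
ACL_BEFORE = {ADMINS: Ace.DENY, BUILDERS: Ace.DENY, CONTRIB: Ace.DENY,
              READERS: Ace.UNSET, PCA: Ace.ALLOW}  # PCA value is assumed
# Settings after clearing Deny/Allow everywhere except PCA (Allow assumed).
ACL_AFTER = {PCA: Ace.ALLOW}

def audit(acl):
    """Resolve the permission for every identity in MEMBERSHIPS."""
    return {who: effective(groups, acl) for who, groups in MEMBERSHIPS.items()}

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        for who, (granted, reason) in audit(acl).items():
            print(f"{label:6} {who:12} {'GRANTED' if granted else 'DENIED':7} {reason}")
```

In this model the account running the build is blocked by the Deny entries regardless of any Allow it holds elsewhere, while clearing them leaves the developer account on the implicit Deny, so it still cannot bypass the gated build.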
  • [TestProject]Readers have no users. Under [TestProject]Administrators & [TestProject]Builders I put my account. Under [TestProject]Contributors I put the account which I will assume to be the developer who is checking in code. – user20358 Jun 07 '12 at 13:26
  • I unchecked both deny and allow for all Roles except for [DefaultCollection]\Project collection Administrators and that seemed to have worked for me.. for now. Do you think this should be ok or would I be doing something short sighted and I really really need to have the 'Override Check-in validation' option checked? Doing that would allow users to bypass the gated checkin feature altogether and I don't want them to do that.. – user20358 Jun 07 '12 at 13:33
  • You can always turn the override on for a short period, for example when you're debugging build issues. Or you can turn it on for Project Administrators or key team members that can handle the responsibility. We generally turn it on for most team members, so that when they're checking in documentation or configuration files not covered by the actual build, they don't cause a build to be queued. – jessehouwing Jun 07 '12 at 16:56
0

Something fishy is going on in your setup. The access to the flag that is presented in your screenshot is controlled by the Build-permission "Override check-in validation by build". Since it's not set as a permission, but is apparently set as an option, you're in a deadlock situation.

I would try to temporarily enable this flag (right-click Team Explorer on "Builds", choose "Security" and set the permission for your user), then the checkbox should get enabled & I'd expect it to be checked. I'd uncheck the checkbox by hand and let a build run. Then I would disable the permission.
Hopefully now VS will keep this option.

If this failed, I would file a bug with MS.

pantelif
  • Thanks. I tried that but it did not work. I enabled that checkbox that is grayed out but did not select it and it built successfully. Once I disabled the bypass option again it was back to partial succeeds again. – user20358 Jun 07 '12 at 10:54
  • Please elaborate on "back to partial succeeds": do now your builds start? What does the build-log report as reason for degrading the build into partial success? – pantelif Jun 07 '12 at 11:07
  • Well, I have gated checkin enabled, so for this new test project I made, for which I created a new build to the best of my knowledge, when I attempted a check-in, I would get 0 errors, 0 warnings for the code. But then it would give me checkin rejected because the build was partially succeeded. The build has run and I can see the code generated in the drop folder with my changes, but the file is not getting checked in. When I do view history the last changes I made are not there in the history of checkins.. – user20358 Jun 07 '12 at 11:23
  • Gated check in should only fail if my code is not compiling right? What is the reason for the check in to fail otherwise..? – user20358 Jun 07 '12 at 11:23
  • Gated check fails if the build exits unsuccessful and that can happen for any number of reasons, one of which is a compilation failure. You can check the build log to track down the failure. – pantelif Jun 07 '12 at 13:25
  • Since it's a test application I created just to work this TFS thing out with one line of code to show a message saying Hello World, I am absolutely sure it is not the code that has failed.. – user20358 Jun 07 '12 at 13:34
  • I checked the logs too.. and it was basically the same as summary section in the third image in the question above.. It seems to be a permissions issue. Since my account is the Admin, I need to explicitly give it the bypass option. The rest of the accounts can have that disabled.. this is just my assumption. I can't seem to get any documentation on that though... what do you think? – user20358 Jun 07 '12 at 13:36
0

TFS Build Security Dialog

I ran into the same problem you mention. The security setting you want to set is for the build itself as opposed to anything on the TFS box. What worked for me is right-click the build while in Visual Studio, and select the Security... option. Then, I ensured that my build service accounts had access to the "Override check-in validation on build" permission. It's not about the TFS users being allowed to override check-in. The message is really about whether the Build Service user has the capability to override check-in. For this to work, you would have to be a member of the Project Collection Build Service Accounts group.

I wondered if this would cause TFS to then override and check-in every time (even if a build fails), so I deliberately broke my build and tried it with this permission set. It did not allow my check-in to continue (i.e. failed appropriately).

In my case, I have multiple builds. It was insufficient to just allow the "Override check-in validation on build" for just the solution I was working with. For some reason, I had to do the same for all of my other builds. I have not been able to find documentation on why this is the case.

Chuck Sweet