2

I have a custom group in TFS, and I would like to grant access to this group for every team project so we don't have to do this one by one.

It seems like the developers have access via Source Control Explorer, but cannot see these projects via 'Connect to Team Project'.

Any idea what is going wrong, or what permission is missing?

We are using TFS2012 on-premise.

Daniel Mackay
  • 2,298
  • 1
  • 15
  • 19
  • Hosted TFS Service, or on-Premises? – John Saunders Apr 24 '13 at 03:21
  • This may help, though it's from TFS2010: [How to Grant Read-Only Access to All TFS Team Projects to a Group of Users?](http://stackoverflow.com/questions/7961727/how-to-grant-read-only-access-to-all-tfs-team-projects-to-a-group-of-users) – John Saunders Apr 24 '13 at 03:22

2 Answers2

1

The tfssecurity command line tool allows us to manage permissions for TFS groups and users. We could use it in a PowerShell script to grant access to projects that already exists. However I haven't found a way to use this command at the TFS collection level in order to grant permissions for future projects.

The approach I use is based on the fact that TFS permissions are inherited unless explicitly denied.

To create an user group that will automatically access all existent projects as well as the futures ones, follow those steps:

  1. Create a new security group at the project collection level. From Visual Studio you can do it from the "Team / Team Project Collection Settings/Group Membership" menu. On TFS Online you can access to "Account Settings / Security" page.

  2. Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including the futures ones.

  3. Deny the permissions of the new group, in order to limit the administrator permissions inherited by the group. You can use an existent TFS group as template, and deny all permissions except those explicity allowed to the group which behavior you want to copy. For example, if you want to create a group with the same permissions that has the default "Project Collection Valid Users" group, you can deny all permisisons except "Create a workspace", "View build resources" and "View collection-level information"

Gustavo Russo
  • 161
  • 2
  • 9
0

It is possible but you’ll need to give your users a log more privileges than they need to have. You can give them privileges that are similar to project collection administrators and they will have access to all projects but with elevated privileges.

It is possible do this but only for source control like you’ve already done but I’m not really sure about connecting to projects, working with workitems and such.

John Moore
  • 1,321
  • 11
  • 8