Team Foundation Server Permissions

Lately I've been playing a bit with security rights and permissions in Team Foundation Server (TFS). TFS really has a very powerful access control model, allowing individual users and/or groups only the specific capabilities/rights they need to.

In Team Foundation Server authorization for user actions are determined by permissions. There are 3 authorization settings possible for permissions :

• Deny (explicit)
• Allow (explicit)
• Unset (implicit)

Deny is the most powerful permission setting in TFS. When a user belongs to two groups and one group has for a particular function a permission set to Allow and the other to Deny, then the user will not be able to perform that function. The only exception to the rule is if the user is a member of the Project Administrators group or the Team Foundation Administrators group. By default, most permissions in TFS are not set to either Deny or Allow, but are left Unset, which implicitly denies both users and groups.

One small note to close this post about permissions in TFS : permissions only allow you to control user actions on items and not on a particular version of an item. Branching an item to another location will give you the option to set a different security policy.

More information about Permissions in TFS on MSDN