Lately I've been playing a bit with security rights and permissions in Team Foundation Server (TFS). TFS really has a very powerful access control model, allowing individual users and/or groups only the specific capabilities/rights they need to.
In Team Foundation Server authorization for user actions are determined by permissions
. There are 3 authorization settings possible for permissions :
- Deny (explicit)
- Allow (explicit)
- Unset (implicit)
Deny is the most powerful permission setting in TFS. When a user belongs to two groups and one group has for a particular function a permission set to Allow
and the other to Deny
, then the user will not be able to perform that function. The only exception to the rule is if the user is a member of the Project Administrators
group or the Team Foundation Administrators
group. By default, most permissions in TFS are not set to either Deny or Allow, but are left Unset
, which implicitly denies both users and groups.
One small note to close this post about permissions in TFS : permissions only allow you to control user actions on items
and not on a particular version of an item. Branching an item to another location will give you the option to set a different security policy.
More information about Permissions in TFS on MSDN
Labels: Team Foundation Server, Team System