2

Given two TFS security groups

  1. Admins: Contains a set of Windows users
  2. Friends: Contains a Windows Security Group (which is also used as a mailing list)

However, the people listed as Admins are also part of the Friends security group since the mailing list should reach all the applicable people. It appears that when I lock down the Friends group to certain directories in TFS, the people in Admin also lose their privileges.

Is there any way for users to receive the maximum security allowed between multiple groups they are included in? Or have I perhaps set up my TFS security groups incorrectly?

Update: I've tried changing "deny" to "not allow", but that doesn't seem to help either because without "deny" or "allow" read at the TFS project level, they cannot even see the TFS project when connecting to the server.

Jedidja

1 Answer

1

This is a very similar question to this one

In general you should try to avoid having users in multiple groups; however, this isn't always possible. So the simple solution would be to remove the duplicate users from the Friends group. If you can't do this for some reason, then read on.

Are you using the "deny" checkbox to manage permissions to the folders? In TFS, deny always wins. The easiest way to solve this without removing the members of the Admins group from the Friends group is to uncheck allow for Friends; do not use deny. This will stop Friends from being able to access the folders in question.

James Reed
  • Interesting. So "not allow" is different than "deny". I will definitely have to look at that. Since the "Friends" group is also a mailing list, we would want the Admins as part of that. – Jedidja Apr 04 '12 at 17:11
  • That sums it up nicely – James Reed Apr 04 '12 at 21:04
  • Unfortunately this doesn't work in my scenario. I need to deny access to everything under the TFS project root and then allow read to a single subdirectory. If I don't allow or deny read at the root level, they cannot even see the project when connecting to the server :( Of course, if I allow read at root, I'd have to manually deny every other folder (and there are a lot of them) – Jedidja Apr 05 '12 at 12:04
  • Sounds like you're out of luck. If you could add some detail about the requirements for the Friends group and the folders that group needs access to, then someone might be able to make some suggestions about organising the folder structure – James Reed Apr 05 '12 at 20:37
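
The rule the answer describes (a "deny" on any group wins, while an unchecked "allow" does not block an allow granted through another group), modelled for a single permission on a single item. This is an added example, not code from the thread or from TFS: the user names, the `effective` and `shadowed_allows` helpers and the sample ACLs are constructed for illustration, and folder inheritance is not modelled.

```python
from enum import Enum

class Ace(Enum):
    ALLOW = "allow"
    DENY = "deny"
    UNSET = "unset"   # the "not allow" state: neither box checked

# Constructed sample membership (not from the original thread).
MEMBERS = {
    "Admins": {"alice", "bob"},
    "Friends": {"alice", "bob", "carol"},   # mailing-list group also holds the admins
}

def effective(user, acl, members=MEMBERS):
    """Resolve one permission on one item for a user across all their groups.

    Rule from the answer: any Deny wins; otherwise any Allow grants;
    if every group is unset, the permission is not granted.
    """
    states = [acl.get(g, Ace.UNSET) for g, users in members.items() if user in users]
    if Ace.DENY in states:
        return False
    return Ace.ALLOW in states

def shadowed_allows(acl, members=MEMBERS):
    """Return (user, allowing_group, denying_group) where a Deny cancels an Allow."""
    findings = []
    for user in sorted(set().union(*members.values())):
        groups = [g for g, users in members.items() if user in users]
        allows = [g for g in groups if acl.get(g) is Ace.ALLOW]
        denies = [g for g in groups if acl.get(g) is Ace.DENY]
        findings += [(user, a, d) for a in allows for d in denies]
    return findings

# Read permission on a locked-down folder, configured two ways.
WITH_DENY = {"Admins": Ace.ALLOW, "Friends": Ace.DENY}
WITH_UNSET = {"Admins": Ace.ALLOW, "Friends": Ace.UNSET}

if __name__ == "__main__":
    for name, acl in (("deny", WITH_DENY), ("unset", WITH_UNSET)):
        for user in ("alice", "carol"):
            print(name, user, effective(user, acl))
        print(name, "conflicts:", shadowed_allows(acl))
```

Running `shadowed_allows` over an exported ACL is a quick audit for overlapping groups where a deny silently removes access that another group was meant to grant.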