Here are my requirements:

  • I have three TFS groups: Company1, Team1, and Admins. Admins is a subset of Team1. Team1 is a subset of Company1.
  • My Git repository contains a master branch, and 0 or more additional branches.
  • Admins can do anything. Team1 can pull and push code to all branches; however they cannot push to master. Company1 can pull code from all branches, but they cannot push at all.

Here's what I've tried.

APPROACH 1

  • At the repo level:
    • Company1 has all permissions NOT SET, except for Read, which is Allow.
    • Team1 has all permissions NOT SET, except for "Branch creation" and "Read".
    • Admins has all permissions ALLOW.
  • At the branch level, for master:
    • Team1 has all permissions NOT SET
    • Admins has all permissions inherit ALLOW
  • At the branch level, for non-master branches:
    • Team1 has all permissions ALLOW
    • Admins has all permissions inherit ALLOW

PROBLEM: while this works perfectly for branches that exist, if a member of Team1 creates a new branch, which they are allowed to do, they cannot push code to it. I must set Team1 permissions manually to ALLOW for the branch before they can use it.

APPROACH 2

Note: Admins and Company1 permissions are unchanged from the previous approach.

  • At the repo level:
    • Team1 has ALLOW set for everything
  • At the branch level, for master:
    • Team1 has DENY set for everything
  • At the branch level, for non-master branches:
    • Team1 has inherit ALLOW set for everything

PROBLEM: this approach solves the problem stated above; however, because Admins are a subset of Team1, Admins are also DENIED access to master (DENY wins out over ALLOW). So, each time I need to push code to master, I have to change the permissions temporarily to allow myself to do so, then change them back when finished.

QUESTION: Is there a way to configure permissions that solves both problems, i.e., no manual intervention is required on my part?

I am aware of one solution: creating two new groups, let's call them Regular and Master. The groups contain separate members of Team1 (no team member is in both). This solves the problem associated with Approach 2, where Admins exist in the Team1 group as well. The problem here is that I have 2 groups to manage, instead of 1 group that is managed by IT for me. So there is still some occasional manual work.

Is this the best solution available?

Note: I am new to all of this, having had this task dropped on my lap, so please excuse any terminology errors.

  • I think your only other option is to write a server-side plugin like I did at https://github.com/giuliov/GitPushFilterPlugin. – Giulio Vian Jul 17 '15 at 17:49
  • Thanks for the info. Looks like a useful plug-in. – maltesehamster Jul 20 '15 at 12:45
  • In case you are still interested in an answer it's looking like this might be a bug in TFS2013. In my quick tests with TFS2015 it seems that granting 'read' and 'Branch Creation' permissions is enough to allow people to create and commit to their own branches, but not commit to other branches. Not quite sure yet how this all meshes with Pull Requests etc. – Petrik Nov 10 '15 at 01:17
  • Thanks for your response - I hope my IT department will upgrade before too long! – maltesehamster Nov 10 '15 at 13:26
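Added illustration (not part of the question or any comment above): a small Python model of the permission rules the post relies on, so the two PROBLEM cases and the two-group workaround can be checked mechanically. It encodes only what the post states: a branch-level setting left NOT SET inherits the repository-level setting, an explicit DENY on any group the user belongs to wins over ALLOW, and a permission that resolves to NOT SET everywhere grants nothing. Group names come from the post; the branch names, the permission names "Read", "Contribute" and "Branch creation", and the assumption that Regular and Master are sub-groups of Team1 are constructed for the example. It does not model the TFS 2015 behaviour Petrik mentions (creator-specific rights on a new branch).

```python
"""Model of TFS Git permission evaluation for Admins < Team1 < Company1.

Rules, as the original post describes them:
  * NOT SET at branch level inherits the repository-level setting
  * across all groups a user is in, DENY wins over ALLOW
  * NOT SET everywhere means no access
Branch and permission names here are constructed for the example.
"""
from enum import Enum


class Setting(Enum):
    NOT_SET = "not set"
    ALLOW = "allow"
    DENY = "deny"


# Group nesting: a member of Admins is also a member of Team1, and so on.
# Regular and Master are the two disjoint sub-groups proposed in the post
# (assumed to sit inside Team1).
PARENT_GROUP = {"Admins": "Team1", "Team1": "Company1", "Company1": None,
                "Regular": "Team1", "Master": "Team1"}

PERMISSIONS = ("Read", "Contribute", "Branch creation")  # Contribute = push


def groups_of(direct_groups):
    """Expand a user's direct memberships through the nesting chain."""
    seen = set()
    for g in direct_groups:
        while g is not None and g not in seen:
            seen.add(g)
            g = PARENT_GROUP.get(g)
    return seen


def scope_chain(scope):
    """A branch scope inherits from the repository scope."""
    return [scope, "repo"] if scope != "repo" else ["repo"]


def resolve(acl, scope, group, perm):
    """First explicit (non NOT SET) setting, walking from branch up to repo."""
    for s in scope_chain(scope):
        setting = acl.get(s, {}).get(group, {}).get(perm, Setting.NOT_SET)
        if setting is not Setting.NOT_SET:
            return setting
    return Setting.NOT_SET


def is_allowed(acl, direct_groups, scope, perm):
    """Effective permission for a user across every group they belong to."""
    results = {resolve(acl, scope, g, perm) for g in groups_of(direct_groups)}
    if Setting.DENY in results:      # deny wins over allow
        return False
    return Setting.ALLOW in results  # NOT SET everywhere grants nothing


def all_set(setting):
    return {p: setting for p in PERMISSIONS}


def approach_1():
    return {
        "repo": {"Company1": {"Read": Setting.ALLOW},
                 "Team1": {"Read": Setting.ALLOW, "Branch creation": Setting.ALLOW},
                 "Admins": all_set(Setting.ALLOW)},
        "branch:master": {},                                   # Team1 NOT SET
        "branch:feature-a": {"Team1": all_set(Setting.ALLOW)},  # set by hand
        # "branch:feature-new": nothing set yet, just created by a Team1 member
    }


def approach_2():
    acl = approach_1()
    acl["repo"]["Team1"] = all_set(Setting.ALLOW)
    acl["branch:master"] = {"Team1": all_set(Setting.DENY)}
    acl["branch:feature-a"] = {}  # inherit ALLOW from repo level
    return acl


def approach_3():
    """Two disjoint sub-groups of Team1: Regular (no push to master) and Master."""
    return {
        "repo": {"Company1": {"Read": Setting.ALLOW},
                 "Admins": all_set(Setting.ALLOW),
                 "Regular": all_set(Setting.ALLOW),
                 "Master": all_set(Setting.ALLOW)},
        "branch:master": {"Regular": all_set(Setting.DENY)},
    }


if __name__ == "__main__":
    for name, acl in (("Approach 1", approach_1()), ("Approach 2", approach_2()),
                      ("Two groups", approach_3())):
        print(name)
        for user, groups in (("admin", {"Admins", "Master"}), ("dev", {"Team1", "Regular"}),
                             ("reader", {"Company1"})):
            for scope in ("branch:master", "branch:feature-new"):
                print(f"  {user:6} push to {scope:18}:",
                      is_allowed(acl, groups, scope, "Contribute"))
```

Running it shows the two failure modes side by side: under Approach 1 a Team1 member can push to feature-a but not to the freshly created feature-new (nothing resolves to ALLOW), while under Approach 2 an Admins member loses master because the DENY on Team1 is inherited through group membership. The two-group layout passes every case, at the cost the post already notes of maintaining the extra group.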

0 Answers