Team Foundation Server source control - can I prevent a group from seeing an entire collection

Question

I wish to give a small number of users (in their own Windows Group) access to their own collection in TFS 2013 source control, but prevent them from any access at all to the default collection on that TFS server. The idea is they can use source control for their own work without being able to access any of the code in the default collection - not even to browse.

Basically I want to prevent all access to the TFS default collection to members of a particular Windows group whilst allowing then normal access to another TFS collection. It sounds as if it should be simple, but I find the documentation for TFS security quite confusing, especially via Visual Studio. I've tried using TFSSecurity.exe too but so far that hasn't worked - the users can still see both their own collection and the default collection.

Can this be done, and if so how is it accomplished?

Sorry, I've been distracted lately. I've now changed permissions to 'deny' everything to the specific Windows group, but I actually want to remove the Windows group entirely. I can add a Windows group on the 'admin page', but how do I remove it? — haughtonomous, Mar 22 '17 at 09:21
Actually I can't add a Windows group either - or at least I can't find where to do either. All I want to do is allow one Windows group access to all source control projects in collection 'A', and nobody else to have access, and another Windows group ditto to all source control projects in collection 'B'. So I need to be able to add or remove Windows groups to/from the collection. — haughtonomous, Mar 22 '17 at 09:37
Can you add windows group in team project security page? (e.g. http://[team project address]/_admin/_security#_a=members — starian chen-MSFT, Mar 22 '17 at 09:42
To remove a windows group, you need to know which groups it is in. 1. Go to security page 2. Select a windows group 3. Select members of tab in the right panel 4. Check which groups that current windows group in 5. Select correspond group (step 4) > Members 6. select the windows group and click remove link. — starian chen-MSFT, Mar 22 '17 at 09:46
@starain-MSFT: Sorry, I can't do that. Followed your steps exactly. The Win group I want to remove says it is a member of Project Collection Valid Users, Scope=DefaultCollection, but the DefaultCollection.Project Collection Valid Users group itself says it has no members! — haughtonomous, Mar 22 '17 at 13:52
Do you mean you can't remove windows group? You can remove TFS groups of that windows group in member of tab directly. — starian chen-MSFT, Mar 23 '17 at 01:42
I can't remove the Windows group directly, and I can't remove it from the TFS group in which it appears. I get an error message saying it is not permitted to remove it directly. Also the TFS groups that the Windows group thinks it is a member of display no members. It's all very confusing. And I'm a TFS administrator! — haughtonomous, Mar 24 '17 at 09:25

kevchadders · Answer 1 · 2017-03-15T12:17:06.860

0

While in TFS (via the browser, click on the Cog wheel (top right) next to your user name to view the Administer Server page
- A new browser window should open
Click on the Control Panel Breadcrumb at the top left.
- All collections should be presented
Click on a collection, then click on the Manage project security and group membership link in the right panel
- You should then be taken to that collection page where you are presented with a number of tabs. (Overview/Iterations/Area/Security/Alerts/Version Control)
- In the overview tab you can add in new teams (if you wish to allocate these users to a group)
- For what your after I would first click on the Security tab for the collection you are interested in to see which groups/user have been allocated to those collections.
- Within Security you have 3 areas you can click on (Permissions/Members/Member of)
- e.g. Removing Members (users) from those collection where you don't want them to access them.
If you also click on the Version Control tab you will see the standard TFS groups with their access control summary for that collection you are in.

If you can create a test collection then I would suggest having a play with these settings to get what you are after.

I would suggest you read the following Permissions and groups defined for Team Services and TFS

edited Mar 15 '17 at 12:17

answered Mar 15 '17 at 12:10

kevchadders

8,335
4
42
61

Thanks, but can you be more specific about how I get to here "While in TFS (via the browser..."? Is this from VS on my local machine, or somewhere else, for example? – haughtonomous Mar 15 '17 at 13:29
Ok, got there, but what you have described is only available for each project in a collection, and I need to manage permissions for the entire collection. For the collection itself there is only "Manage collection security and group membership" and within that are only Overview and Security tabs, and on the Security tab no facility for removing Windows groups or Windows users. How do I do that? – haughtonomous Mar 15 '17 at 13:46
when you are in the security tab you should have permissions / members / member of in the right pane for collections also. Clicking on the Members link should give you a list of users/groups where you can remove/add – kevchadders Mar 15 '17 at 14:41
You also have Group / Users in the left pane. By default when you click in the security tab you will be presented with the Groups list, and you can create additional TFS Groups. You can also click on users. Clicking on users or groups will show you what groups they are in on the right – kevchadders Mar 15 '17 at 14:45
My problem seems to be that I need to remove a Windows group from the security tab. I can see how to remove TFS groups, but how do I deal with the Windows group? I can add a new Windows group, but not remove one (which is very odd). It's through the Windows group in question that unwanted access is being granted to certain users. – haughtonomous Mar 22 '17 at 09:13
@NeilHaughton To remove a windows group, you need to know which groups it is in. 1. Go to security page 2. Select a windows group 3. Select members of tab in the right panel 4. Check which groups that current windows group in 5. Select correspond group (step 4) > Members 6. select the windows group and click remove link. – starian chen-MSFT Mar 22 '17 at 09:47
Sorry, can't do that. Followed your steps exactly. The Win group I want to remove says it is a member of Project Collection Valid Users, Scope=DefaultCollection, but the DefaultCollection.Project Collection Valid Users group itself says it has no members! – haughtonomous Mar 22 '17 at 13:51
Project Collection Valid Users contains all user known to exist in the TFS instance. I would review https://www.visualstudio.com/en-us/docs/setup-admin/permissions and review the Collection-level groups section. There are also other sections in there which may help you – kevchadders Mar 22 '17 at 14:53

score 0 · Answer 2 · answered Mar 16 '17 at 02:55

Simple steps:

Create a new windows group in your TFS server and add corresponding users to this group
Open internet browser and navigate to your TFS (e.g. http://XXX:8080/tfs)
Click Browse and select a team project of corresponding collection and navigate to that team project
Click Administer Server Icon to go to the admin page of team project
Click Security tab
Select a team or TFS groups (e.g. Project Administrator, Readers)
Click Add > Windows user or group in the right panel
Type windows group name in the Identities box and click Check name > Save Changes

After that, users in that group can only access that team project, also they just can see that collection. (The same way for other team projects)

To change the permission of that group for team project collection:

Go to admin page of team project collection
Select a windows groups (will be existed there after pervious steps)
Change permissions and click Save changes

Team Foundation Server source control - can I prevent a group from seeing an entire collection

2 Answers2