Team Foundation Server permissions not working as documented

Hot Topic

Best Practice of building shelved code...
Unable to connect to Team Foudation Server - NullReferenceException
New Team Project Failed -- Insufficient privelege
Issue with playing back Web Requests with Body set to XML (Querystring parameters fail also) fails
Unable to add existing unit tests to a solution
Source Control doesn't do an automatic get latest on checkout?!
string.Empty and ""
Merge tool
Error when trying to build few solutions from different team project based on single label
Unplanned work report incorrect

VS Team System

automate build with beta 3
how to unbind a project and rebind it in new location
Procedure for using Build Server with Multiple Branches
Cyclomatic Complexity
Team Builds error when connecting to the build machine.
Build number for tasks and changesets.
Cannot connet to VMWare TFS from a other windows 2003 VMWare image with Team Explorer
vssscc file corrupt
.runconfig not picked up when excuting tests as part of a build
FxCop and DateTime

Team Foundation Server permissions not working as documented

Hi,

In a team foundation server, we created a team project. Added three groups in the project say G1, G2, G3. Added myself in all three groups and made sure that I am not part of any other groups especially "Project Administrators" and "Team Foundation Administrators". For G1 we keep both "Allow" and "Deny" for "Delete Team Project" unchecked. For G2 we keep "Allow" checked and for G3 we keep "Deny" checked. Then as per article http://msdn2.microsoft.com/en-us/library/ms252587(VS.80).aspx I shouldn't be abled to delete the team project. But I could delete team project using utility TFSDeleteProject.exe utility.

Am I missing something

Regards,

Saurabh

Answer this question

Team Foundation Server permissions not working as documented

  • Tomas

    Saurabh,

    Thanks for the posting.

    Yes I agree that this should disallow you from deleting a project. I'll double check with some of our team to investigate this a little further.

    Thanks,



  • aeroboy

    There are two direct tests for admin privileges. The first tests to see if you (or another user) are a member of the server-level administrative group:

    tfssecurity /server:<server name> /m adm: [<domain\user>]

    Note that there is a colon after the letters adm. The username is optional. If omitted, this command will check if the logged-in user is a member of the administrators group.

    The second form of the command requires that you have the Team Project URI. The easiest way to get this string is to open a Team Explorer client, select the project in the Team Explorer tool window and look at the Url property for the project. It will be of the form: vstfs:///Classification/TeamProject/<GUID>. Take that string and substitute it into the security membership command given above.

    tfssecurity /server:<server name> /m <Team Project URI> [<domain\user>]

  • raveIndia

    This does not reproduce for me, but the perhaps you are a TF or Project admin without knowing it You must have had admin priviledges at some point in order to create the groups and set the permissions. Unfortunately, it is not possible to overwrite the implicit allow of being a member of an admin group.

    Please verify your group memberships using the TfsSecurity tool (located on the AT).

    TfsSecurity.exe /server:<server name> /imx <domain/user>



  • Team Foundation Server permissions not working as documented
Answer this question