0
votes

We have enabled web access to our TFS 2010 server.
We have a set of users with security settings at all levels so that they can create new work items and view existing work items from the TFS website (http://:8080/tfs/web).

The Issue:

Now, we are trying to add new Windows domain users and provide security settings that match with the above (security settings listed below) so that they can also create new work items and view existing work items.
But no matter what permissions are given, they are

  • NEITHER able to see the "New Work Item" section on the left menu,
  • NOR able to view existing work items using the "Work Item #" query on the top right header menu. If they give an existing work item number and click "Go", they get the error: TF26198: The work item does not exist, or you do not have permission to access it.
  • They can only see "Queries" on the left menu.
  • If they search using the Search on the Left side, the "New Work Item" is enabled, but when clicked, they get the error: You do not have permission to create work items in project 'OurProject'. Contact your Team Foundation Server administrator

My Question:

How do I get users the required permission to create new work items and view existing work items from TFS 2010 web access? Am I missing something in the security settings listed below?

Security Settings:

Security Settings applied from Team Foundation Server Administration Console:

  • The user OURDOMAIN\MyUser is added to the [TEAM FOUNDATION]\Team Foundation Administrators group.
  • At servername > Application Tier > Administer Security: All permissions are checked for Allow for both the OURDOMAIN\MyUser user and the [TEAM FOUNDATION]\Team Foundation Administrators group. None of the permissions are checked for Deny.
  • At servername > Application Tier > Team Project Collections > OurProjectCollection > Administer Security: All permissions are checked for Allow for both the OURDOMAIN\MyUser user and the [TEAM FOUNDATION]\Team Foundation Administrators group. None of the permissions are checked for Deny.

Security Settings applied from Visual Studio 2010's Team Explorer:

  • At servername\OurProjectCollection > OurProject (Right-Click) > Team Project Settings > Security > Administer Security: All permissions are checked for Allow for both the OURDOMAIN\MyUser user and the [TEAM FOUNDATION]\Team Foundation Administrators group. None of the permissions are checked for Deny.

Things that we tried out:

While testing this out, we tried the following, but to no avail:
numerous security setting combinations, cleared out the cache regularly (Refresh Cache), removed and added areas and iterations (though none of the work items are categorized into them), restarted the TFS website, restarted IIS 7, recycled both app pools (Microsoft Team Foundation Server Application Pool and Microsoft Team Foundation Server Web Access Application Pool), and restarted our Windows server (Windows Server 2008 Standard).

Exception Trace Log:

Web method response: [http://servername:8080/tfs/TeamFoundation/Administration/v3.0/CatalogService.asmx] QueryNodes[Administration] 4 ms
Web method running: [http://servername:8080/tfs/OurProjectCollection/WorkItemTracking/v3.0/ClientService.asmx] QueryWorkitemCount[WorkItemTracking]
Web method response: [http://servername:8080/tfs/OurProjectCollection/WorkItemTracking/v3.0/ClientService.asmx] QueryWorkitemCount[WorkItemTracking] 11 ms
Web method running: [http://servername:8080/tfs/OurProjectCollection/WorkItemTracking/v3.0/ClientService.asmx] GetWorkItem[WorkItemTracking]
Web method response: [http://servername:8080/tfs/OurProjectCollection/WorkItemTracking/v3.0/ClientService.asmx] GetWorkItem[WorkItemTracking] 25 ms
UserControl: [Error, P 2460, T 3260/8, A 7511460, S 0, 10/18/12 06:31:32.271] { Error occured in user control ASP.ui_controls_workitems_editworkitem_ascx. Url: http://servername:8080/tfs/web/UI/Pages/WorkItems/WorkItemEdit.aspx?id=288&pguid=********-****-****-****-************


UserControl: [Error, P 2460, T 3260/8, A 7511460, S 0, 10/18/12 06:31:32.271] Exception: {
Exception Message: TF26198: The work item does not exist, or you do not have permission to access it. (type DeniedOrNotExistException)

Exception Stack Trace:    at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItem.LoadWorkItem(Int32 id, Int32 rev, Nullable`1 asof)
   at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItem..ctor(WorkItemStore store, Int32 id)
   at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.GetWorkItem(Int32 id)
   at Microsoft.TeamFoundation.WebAccess.UI.Controls.EditWorkItem.OpenWorkitem(String workitemId, Int32 revision)
   at Microsoft.TeamFoundation.WebAccess.UI.Controls.EditWorkItem.GetEditorState(NameValueCollection requestParams)
   at Microsoft.TeamFoundation.WebAccess.UI.Controls.EditWorkItem.RenderUserControl()
   at Microsoft.TeamFoundation.WebAccess.UI.WebAccessUserControl.OnLoad(EventArgs e)

 }
UserControl: [Error, P 2460, T 3260/8, A 7511460, S 0, 10/18/12 06:31:32.271] }
Application_Request: [Info, P 2460, T 3260/8, A 7511460, S 0, 10/18/12 06:31:32.303] Application request processing ended for /tfs/web/UI/Pages/WorkItems/WorkItemEdit.aspx?id=288&pguid=********-****-****-****-************.
1
Maybe tfsadmin.codeplex.com will show you something you missed. Have you checked the permissions on the root area to see if the users have the create work item permission? - Betty
@Betty - Thanks for your comment. The permissions on the root Area and root Iteration had also been given to both the user and the group but it didn't help. After some more research, apparently there is no way to list the "effective" permissions of a user or group in TFS... yet. That would have helped figure out if there was an explicit Deny somewhere that overrode this all. I will check out the admin tool. - Kash

1 Answer

1
votes

Finally resolved it! The TFSJobAgent (Visual Studio Team Foundation Background Job Agent) Windows service was stopped due to a logon failure (the service account password was changed recently). Hence we had to start it with the new password. We could trace this through warnings in the event log. This solved all the issues described in the question.
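
The check described in the answer above, as an added example that is not part of the original post: it reports the state and logon account of the TFSJobAgent service and pulls the Service Control Manager events that record a service logon failure. It assumes PowerShell 2.0 or later, run with administrative rights on the TFS application tier; the 14-day look-back window is an arbitrary choice.

```powershell
# Added example, not from the original answer.
# Assumes PowerShell 2.0+ on the TFS application tier, run as a local administrator.
$serviceName = 'TFSJobAgent'   # service name as given in the answer

# Current state and the account the service is configured to log on as.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    Write-Warning "Service '$serviceName' is not installed on this machine."
    return
}
$svc | Select-Object Name, DisplayName, State, StartMode, StartName | Format-List

# Service Control Manager events in the System log:
#   7000 = a service failed to start
#   7038 = a service could not log on with its currently configured password
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7038
    StartTime    = (Get-Date).AddDays(-14)   # look-back window (assumption)
}

# The event text normally names the service by display name, so match on either name.
$pattern = '{0}|{1}' -f [regex]::Escape($svc.DisplayName), [regex]::Escape($serviceName)
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern }

if ($events) {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List
} else {
    Write-Output "No start or logon failures recorded for '$serviceName' in the look-back window."
}

# A stopped job agent with a 7038 event points to a stale service account password.
if ($svc.State -ne 'Running') {
    Write-Warning ("{0} is {1}; it logs on as {2}. Update the stored password, then start the service." -f `
        $svc.Name, $svc.State, $svc.StartName)
}
```

Once the logon password has been updated in the service's properties, `Start-Service TFSJobAgent` brings the agent back up.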