0
votes

I have been asked to restrict permissions for users to the Team Projects they need. So I have added users to the Team group for their team projects, and that gives them access to all the functionality they need in the relevant team project. However, some of the users appear and some don't appear in the "Project Collection Valid Users" group. The user who is in this group can see all the Team Projects in TFS, and users who are not in the group can only see the team projects where they are in a team group. Now my question is: should everyone be in the "Project Collection Valid Users" group? If yes, does that mean they will always have read permissions to full TFS team projects? How come some users are in this group and some are not? Is something going wrong in the jobs that run in the background? How can I figure it out? Please help.

1
Are you sure that some user who does not have any permission in any of that collection's Team Projects' permission layers is still showing in this group, or vice versa? I don't think a user in the "Project Collection Valid Users" group can see all Team Projects in this collection, only the ones he/she has any permission in. This group defines who can see the Team Project Collection, AFAIK. And "No" to your second question: users of the group will not be able to have read permissions to full TFS Team Projects, although I couldn't quite understand what read permissions for a Team Project means. – Beytan Kurt
You can start with SideKicks as @rerwinRR suggested and try to determine what the difference is between the "right user" and the "wrong user". Then, if everything seems OK, you can check whether the TFS Job Agent is running without errors; if not, correct the errors with it. – Beytan Kurt
I cannot determine which is the right user: the one who is in the Project Collection Valid Users group or the one who is not? Sidekicks is not telling me a different story. The job seems to be running fine. – Baahubali

1 Answer

1
votes

It sounds like some users may have been given permissions elsewhere. Download the sidekicks utility and it'll allow you to easily see what permissions a user has and groups they are a member of.

Attrice TFS Sidekicks

I wouldn't typically worry about the valid users groups. TFS security will take care of that; just give users access to their projects (contributors/readers) and make sure they aren't in a collection or server level group through being a member of some AD group.

If users are added to a Team then by default they will have Contributor rights on that Team Project (Team is a member of the Contributor group). Their team should be a member of the Project Valid Users which in turn is a member of the Project Collection Valid Users.

If a user is a Contributor on one Team Project, they do not automatically get rights on another Team Project unless they are a member of another group.

I would suggest that if users are getting read access to all other Team Projects it is because they are a member of a collection or even server level group. If someone has full access to the Project Collection then again, they must be a member of a server or collection level group. Have you double checked their membership at the collection level? Are they only a member of Collection Valid Users? Are they a member of an AD group that has been given permissions at a higher level?

You cannot add users to the Valid Users groups through the UI, but I would guess you can using tfssecurity.exe; I'm assuming you haven't done that.
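The nesting described in the answer above (Team, Contributors, Project Valid Users, Project Collection Valid Users), as an added example that is not part of the original answer: it walks a membership graph and separates the expected project-scoped chains from chains that reach the collection group some other way, such as through an AD group. All user, group and project names are hypothetical and the graph is constructed; in practice the membership data would come from your own server.

```python
# Constructed membership data (member -> groups it is directly in), modelled on
# the nesting the answer describes; every name here is hypothetical.
COLLECTION_VALID = r"[Coll]\Project Collection Valid Users"
MEMBER_OF = {
    r"CORP\alice": [r"[ProjA]\ProjA Team"],
    r"CORP\bob": [r"[ProjA]\ProjA Team", r"CORP\Dev-All"],
    r"CORP\Dev-All": [r"[Coll]\Project Collection Administrators"],  # AD group
    r"[ProjA]\ProjA Team": [r"[ProjA]\Contributors"],
    r"[ProjA]\Contributors": [r"[ProjA]\Project Valid Users"],
    r"[ProjA]\Project Valid Users": [COLLECTION_VALID],
    r"[Coll]\Project Collection Administrators": [COLLECTION_VALID],
}


def membership_paths(member, target, _seen=()):
    """Return every chain of nested groups leading from member to target."""
    if member == target:
        return [[member]]
    if member in _seen:  # guard against cyclic nesting
        return []
    paths = []
    for group in MEMBER_OF.get(member, []):
        for tail in membership_paths(group, target, _seen + (member,)):
            paths.append([member] + tail)
    return paths


def is_project_scoped(path):
    """A chain is expected if it passes through a project's Valid Users group."""
    return any(g.endswith(r"\Project Valid Users") for g in path)


def unexpected_paths(user):
    """Chains that reach the collection group without going through a project."""
    return [p for p in membership_paths(user, COLLECTION_VALID)
            if not is_project_scoped(p)]


if __name__ == "__main__":
    for user in (r"CORP\alice", r"CORP\bob"):
        print(user)
        for path in membership_paths(user, COLLECTION_VALID):
            flag = "ok   " if is_project_scoped(path) else "CHECK"
            print("  ", flag, " -> ".join(path))
```

A chain marked CHECK is the kind of higher-level membership the answer suggests looking for when a user can see more Team Projects than intended.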