Access Denied when attempting to create an alert in TFS 2015

1
votes

I honestly don't know whether this question belongs on SO or SF, but thought I'd start here.

When attempting to create a new alert in a team project in TFS 2015 (Update 1) via the Web interface where the subscriber is a project team, I get this message:

Failed to save one or more alerts: Access Denied: [MyProject]\MyProject Team needs the following permission(s) to perform this action: View collection-level information

Of course, a project team doesn't have collection-level permissions available to it (AFAIK). I tried explicitly allowing View collection-level information for all of the team's members, but still no luck. I am the Team Foundation Administrator, so it shouldn't be a permissions issue on my end.

Here are the details of the alert I was trying to create:

Name: A work item is assigned to me
Subscriber: MyProject Team
Send to: [Members' default alert address]
Format: HTML
Alert filters:
    And/or   Field           Operator     Value
             Team Project    =            MyProject
    And      Assigned To     Changes to   [Me]
    And      Authorized As   <>           [Me]

Upon clicking the OK button, I receive the message above. Does anyone know how to resolve this?

Update:

I don't find any permissions at the collection level for the team:

enter image description here

3
tfstfs-2015
Did you check the permission for "[MyProject]\MyProject Team" group?Eddie Chen - MSFT
Unless I'm way off base, project teams can't be assigned collection-level permissions. At least, there's no "View collection-level information" permission listed for MyProject Team.JTennessen
Cannot add image in comments, please refer to the image in my answer for details.Eddie Chen - MSFT

3 Answers

0
votes

First you can double check if anyone with sufficient rights (Team Project Administrator, Team Project Collection Administrator, or TFS Admin) has changed the security at the Team Project or Team Project Collection level such that a "Deny" has been set? In TFS, deny will trump allow. Even though your security seems to be correct from what you describe.

If the permission sets without problem, this may caused by a delay in TFS picking up changes to the domain security groups. You can check the detail blogs to Force TFS to sync with Active Directory or Identity Synchronization in Team Foundation Server 2010

0
votes

You can check or set the permission for a group via following steps:

  1. Open the "Control Panel" settings for you collection. (Not for project)
  2. Open "Security" tab.
  3. Enter "[MyProject]\MyProject Team" in the textbox to search that group. Then you can set the permission for that group.

enter image description here

0
votes

In the end, I've been unable to find any better answer than giving all of the individual users that make up the AD groups explicit Allow permission for "View collection-level information." The implicit Allow that all contributors have by default was not sufficient, nor was giving the AD groups explicit Allow. I can't find a rational explanation for this, so I don't discount the possibility that I'm simply overlooking something obvious, but I didn't want this question to sit out here forever without an answer. Perhaps this information will be of use to someone else at some point. Thanks to everyone for the suggestions!