Admin user not able to manage permission for Team Project in TFS 2015

2
votes

Problem:
User 'TFSADMIN' is not able to manage permissions (add, remove users) in a Team Project. The user has admin role. After some investigation our understanding is as 'TFSADMIN' is member of a group(Contributors) which does not have 'Manage Permission' Role. Even though the user is TFS Admin, TFS-2015 is honoring permissions set at team project level.

Please advice how to resolve the issue. Currently I am not able to add/remove users from the team project.

TFS Version : 2015;
Visual Studio : VS 2015 Professional Edition

User 'TFSADMIN' has access on below groups:

  1. Project Collection Administrator
  2. Project Administrator
  3. Team Foundation Administrators
  4. OracleSMG Team

OracleSMG team is member of:

  1. Contributors
  2. Project Valid Users

We have removed below permission from the 'Contributor' role on the team project 'OracleSMG':

  1. Manage Permissions -- Deny
2
tfstfs-2015

2 Answers

2
votes

The problem is that "Deny" will override any other permissions. Deny always wins

you can do 2 things

  1. Remove TFSADMIN from the OracleSMG group. An admin account shouldn't need to be a member of a contributors group as admin is a superset of the permissions given to contributors.

  2. If for some reason you cannot remove the account from this group then change the permissions. TFS permissions have 3 states. Allow, not set, Deny. As the deny is causing the issue then change the permissions to "not set" this will still prevent members of the contributors group from being able to manage permissions, but will stop overriding the admin users permissions

0
votes

Got the solution.
1. As mentioned in the comment I added a new admin with Team Collection Administrator. But I not able to log in to the security (Web) Portal from TFS server.
2. In our environment, AD users are binded with their hardware assets (Laptops). So his/her AD user may be authenticated only if the user logs in from his/her Laptop.
3. Logged in to the security (Web) portal from the newly added Admin from his Laptop and removed TFSADMIN and AN258 from OracleSMG group. Now I am able to manage the group.

Thanks everyone for your time and attention.