
Team Foundation Server (TFS) – Roles and Security
V1.1 2008-07-17

DEFAULT TFS SECURITY PROFILES

Role           Permission Groups
-------------  ------------------------------------------------
Administrator  Team Foundation Administrators
               SharePoint Central Administration Administrator
               SQL Server Reporting Services Content Manager
Project Lead   Team Foundation Server Project Administrators
               Windows SharePoint Services Site Administrators
               SQL Server Reporting Services Content Manager
Contributor    Team Foundation Project Contributor
               Windows SharePoint Services Contributor
               SQL Server Reporting Services Browser
Reader         Team Foundation Project Readers
               Windows SharePoint Services Reader
               SQL Server Reporting Services Browser

· The TFS Administration Tool (widget) is an excellent tool to configure default TFS security profiles! Go to http://widgets.accentient.com for details on this and other administrative widgets for Team Foundation Server.

DEFAULT GROUPS & PERMISSIONS

Default groups: Team Foundation Administrators, Contributors, Readers, TF Valid Users, Service Accounts, Build Services, Project Administrators.

· TF Administrators contains the Local Administrators group (BUILTIN\Administrators) for the server and the SERVER\Service Accounts group.
· TF Valid Users contains all users and groups that have been added anywhere within TFS. Cannot be modified.
· Service Accounts: members of this group have service-level permissions for TFS. By default contains the service accounts supplied during installation.

Permissions by area (permission name, followed in parentheses by the internal permission name used by the TFSSecurity and tf command-line utilities):

Server-Level Groups & Permissions
· Administer shelved changes (AdminShelvesets)
· Administer warehouse (ADMINISTER_WAREHOUSE)
· Administer workspaces (AdminWorkspaces)
· Create a workspace (CreateWorkspace)
· Create new projects (CREATE_PROJECTS)
· Edit server-level information (GENERIC_WRITE)
· AdminConfiguration
· AdminConnections
· Alter trace settings (DIAGNOSTIC_TRACE)
· Trigger events (TRIGGER_EVENT)
· Manage process template (MANAGE_TEMPLATE)
· View server-level information (GENERIC_READ)
· View system synchronization information (SYNCHRONIZE_READ)

Project-Level Groups & Permissions
· Delete this project (DELETE)
· Edit project-level information (GENERIC_WRITE)
· Publish test results (PUBLISH_TEST_RESULTS)
· View project-level information (GENERIC_READ)

Build-Level Permissions
· Administer a build (ADMINISTER_BUILD)
· Edit build quality (EDIT_BUILD_STATUS)
· Start a build (START_BUILD)
· Write to build operational store (UPDATE_BUILD)

Area-Level Groups & Permissions
· Create and order child nodes (CREATE_CHILDREN)
· Delete this node (DELETE)
· Edit this node (GENERIC_WRITE)
· Edit work items in this node (WORK_ITEM_WRITE)
· View this node (GENERIC_READ)
· View work items in this node (WORK_ITEM_READ)

Iteration-Level Groups & Permissions
· Create and order child nodes (CREATE_CHILDREN)
· Delete this node (DELETE)
· Edit this node (GENERIC_WRITE)
· View this node (GENERIC_READ)

Source-Control Groups & Permissions
· Read (Read)
· Check out (PendChange)
· Check in (Checkin)
· Label (Label)
· Lock (Lock)
· Revise other user's changes (ReviseOther)
· Unlock other user's changes (UnlockOther)
· Administer labels (LabelOther)
· Manipulate security settings (AdminProjRights)
· Check in other user's changes (CheckinOther)

TFSSECURITY UTILITY

· Used to create, modify, and delete Team Foundation Server groups and users as well as permissions for users and groups.
· The command-line utility is located in <drive>:\Program Files\Microsoft Visual Studio 9.0 Team Foundation Server\Tools on the Team Foundation Server application tier and in <drive>:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE on the client, with Team Explorer installed.
· Example to display the identity information for the "Team Foundation Administrators" group:
  tfssecurity /i "Team Foundation Administrators" /server:MyATServer
· Commands
  /i <identity>
      Display identity information (no membership).
  /im <identity>
      Display identity information (direct membership only).
  /imx <identity>
      Display identity information (expanded membership).
  /g [scope]
      List application groups within a project scope. 'scope' is a project uniform resource identifier (URI); if 'scope' is omitted the global application groups are displayed.
  /gcg <group name> [group description]
      Create a global application group.
  /gc <scope> <group name> [group description]
      Create an application group within a project scope, which is a project uniform resource identifier (URI).
  /gun <group identity> <new name>
      Rename an application group.
  /gud <group identity> <new description>
      Change an application group's description.
  /gd <group identity>
      Delete an application group.
  /g+ <group identity> <member identity>
      Add a user or a group to an application group.
  /g- <group identity> <member identity>
      Remove a member from an application group.
  /m <group identity> [member identity]
      Check group membership. If 'member identity' is omitted the current user context is used. Both direct and expanded memberships are checked.
  /a+ <object id> <action id> <identity> {ALLOW | DENY}
      Add an access control entry.
  /a- <object id> <action id> <identity> {ALLOW | DENY}
      Remove an access control entry.
  /acl <object id>
      Display an object's effective access control list.

TF COMMAND-LINE UTILITY

· Modifies the user access control list (ACL) and displays authorization settings for an item under version control. Note that the /global switch changes global VC settings.
· Use the Permission command of the tf command-line utility for source control to set the permissions:
  tf permission [/allow:(* |perm1[,perm2,…])] [/deny:(* |perm1[,perm2,…])] [/remove:(* |perm1[,perm2,…])] [/inherit:yes|no] [/user:username1[,username2,…]] [/group:groupname1[,groupname2,…]] [/server:servername] [/recursive] itemspec [/global]
· Example to display the ACL information that relates to the group "developers" for the teamserver2 Team Foundation Server:
  tf permission /group:[teamproject]\developers /server:teamserver2
· Example to display the Team Foundation access control lists (ACLs) for 314.cs:
  tf permission 314.cs

HOW TFS EVALUATES EFFECTIVE PERMISSIONS (DENY or ALLOW … who wins?)

1. Gather the TFS security evidence for the user (identity and group memberships).
2. TF Administrator? YES: implicit allow. NO: continue.
3. Team Project Administrator? YES: implicit allow. NO: continue.
4. Permission area? Server-level, project-level, build-level, area-level, iteration-level or source-control groups & permissions.
5. Evaluate effective TFS permissions: collect the UNSET, ALLOW and DENY entries that apply to the user and to each group the user belongs to.
6. Any DENY? YES: DENY. NO: any ALLOW? YES: ALLOW. NO: the permission is not set and is treated as denied.
7. The result is the effective TFS user profile and permissions.
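The evaluation above, worked through in Python as an added example (not code from the poster or from TFS itself); the identities, groups, memberships and access control entries are constructed sample data, and expanded_membership, effective_permission and effective_profile are hypothetical helper names.

```python
"""Effective TFS permission evaluation, following the poster's flowchart.

Added example; identities, groups, memberships and ACEs are constructed sample
data. Rules: TF Administrators and Project Administrators get an implicit allow;
otherwise any DENY beats ALLOW, and no ALLOW at all means UNSET (denied).
"""
from collections import deque

IMPLICIT_ALLOW_GROUPS = {"Team Foundation Administrators", "Project Administrators"}

# Constructed sample: identity -> groups it is a direct member of. As the poster
# notes, the local Administrators group is nested inside TF Administrators.
DIRECT_MEMBERSHIP = {
    "DOMAIN\\alice": {"Contributors"},
    "DOMAIN\\bob": {"Contributors", "Interns"},
    "DOMAIN\\carol": {"BUILTIN\\Administrators"},
    "BUILTIN\\Administrators": {"Team Foundation Administrators"},
}

# Constructed sample ACEs: group -> {internal permission name: "ALLOW" | "DENY"}
ACES = {
    "Contributors": {"GENERIC_READ": "ALLOW", "PendChange": "ALLOW", "Checkin": "ALLOW"},
    "Interns": {"Checkin": "DENY"},
}

def expanded_membership(identity, membership=DIRECT_MEMBERSHIP):
    """Expanded membership (what tfssecurity /imx reports): walk nested groups."""
    seen, queue = set(), deque(membership.get(identity, ()))
    while queue:
        group = queue.popleft()
        if group not in seen:
            seen.add(group)
            queue.extend(membership.get(group, ()))
    return seen

def effective_permission(identity, permission, membership=DIRECT_MEMBERSHIP, aces=ACES):
    """Return ("ALLOW" | "DENY", reason) for one internal permission name."""
    groups = expanded_membership(identity, membership)
    if groups & IMPLICIT_ALLOW_GROUPS:
        return "ALLOW", "implicit allow (administrator)"
    entries = {aces.get(g, {}).get(permission, "UNSET") for g in groups}
    if "DENY" in entries:
        return "DENY", "explicit DENY wins over ALLOW"
    if "ALLOW" in entries:
        return "ALLOW", "explicit ALLOW, no DENY"
    return "DENY", "not set (implicit deny)"

def effective_profile(identity, permissions=("GENERIC_READ", "PendChange", "Checkin", "AdminProjRights")):
    """Effective profile for an identity: internal permission name -> ALLOW/DENY."""
    return {p: effective_permission(identity, p)[0] for p in permissions}
```

Bob is denied Checkin even though Contributors allow it, because a DENY on any of his groups wins; Carol gets everything through the nested TF Administrators membership.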
Contributors:
· Eugene Zakhareyev (MVP)
· Willy-Peter Schaub (MVP)

References:
· http://msdn.microsoft.com
· http://msdn.microsoft.com/en-us/library/ms252587.aspx (Team Foundation Server Permissions)
· http://msdn.microsoft.com/en-us/library/ms253077.aspx (Team Foundation Server Default Groups, Permissions, and Roles)
· http://msdn.microsoft.com/en-us/library/ms253094.aspx (Managing Permissions)
· http://msdn.microsoft.com/en-us/library/ms253184.aspx (Team Foundation Server Security Concepts)
