Groups and Permissions

The Groups and Permissions plug-in defines a team project's initial security groups and their permissions. The plug-in name is Microsoft.ProjectCreationWizard.Groups. The Groups and Permissions XML file is named GroupsandPermissions.xml and is located in the Groups and Permissions folder in the process template folder hierarchy. You can change the XML file and folder name if required.

In the XML file, specify one or more tasks and their dependencies. Generally, you specify one task per security group to create for your process. For an example of a task specifying a simple security group and permissions, see the MSF for Agile Software Development process template.

Note

Team Foundation Server does not include a mechanism for the deployment of client-side plug-ins, policies, or other modifications. If you want to deploy plug-ins, policies, or other modifications to the Team Explorer, you must use your own distribution and installation program.

Groups

Use the group element to specify a new Team Foundation Server security group.

<group name="" description=""></group>

The following table describes the attributes for the group element.

Attribute Description

name

Specifies the name of the group being created.

description

Provides a description of the group to help users understand the purpose of the group.

The following example shows a task that creates a group named Readers. The task must name the Groups plug-in in its plugin attribute so that the Project Creation Wizard hands the taskXml content to the right handler.

<task id="GroupCreation1" 
      name="Create Groups and Permissions" 
      plugin="Microsoft.ProjectCreationWizard.Groups" 
      completionMessage="Groups and Permissions created.">
   <taskXml>
      <groups>
         <group name="Readers"
                description="A group for those with read access across the project">
            <permissions>
               <!-- permissions -->
            </permissions>
         </group>
      </groups>
   </taskXml>
</task>

Permissions

For each group that you specify, you must also specify permissions. Use the permission element for this purpose.

<permission name="" class="" allow=""/>

The following table describes the attributes for the permission element.

Attribute Description

name

Identifies which permission is being applied.

class

Identifies the class, or area, where the permission is being applied.

allow

A true or false value: true grants (allows) the permission, false explicitly denies it. In Team Foundation Server an explicit deny takes precedence over an allow that the same user receives through membership in another group, so use allow="false" deliberately, not as a way of simply leaving a permission unset.

The following table describes each class and name combination you can specify as a permission. Each entry lists the class and the name, separated by a slash, followed by a description of what the permission grants.

Class / Name

NAMESPACE / GENERIC_READ

Users with this permission can view server-level groups and their members, and users and their permissions, unless denied by more specific permissions.

NAMESPACE / GENERIC_WRITE

Users with this permission can edit server-level groups and permissions.

They can:

  • Create, delete, or rename a server-level Team Foundation Server application group.

    Note

    Admin groups cannot be deleted.

  • Add or remove a Windows user, Windows group, or another Team Foundation Server application group at the server level.

  • Change server-level permissions for users and groups.

  • Additionally, users who have this permission are implicitly granted version control write access unless it is explicitly denied by version control permissions.

NAMESPACE / MANAGE_EVERYONE_GROUP

Users with this permission can add or remove members of the Team Foundation Valid Users global group.

NAMESPACE / CREATE_PROJECTS

Users who have this permission can create new team projects, provided they also have administrative rights on the SharePoint site and the Report Server.

NAMESPACE / ADMINISTER_WAREHOUSE

Users who have this permission can change data warehouse settings through the ChangeSetting Web method of the WarehouseController.asmx Web service, for example the interval at which the OLAP cubes are recalculated.

NAMESPACE / MANAGE_TEMPLATE

Only users who have this permission can download or upload process templates.

PROJECT / GENERIC_READ

Users who have this permission can view project-level groups and their members, and users and their permissions, unless denied view of certain items by more specific permissions.

PROJECT / GENERIC_WRITE

Users who have this permission can edit project-level groups and permissions.

They can:

  • Create, delete, or rename a project-level Team Foundation Server application group.

    Note

    Admin groups cannot be deleted.

  • Add or remove a Windows user, Windows group, or another Team Foundation Server application group to or from a Team Foundation Server application group at the project level.

  • Grant, deny, or remove project permissions for users and groups.

  • Add or remove project-level work item tracking (WIT) queries.

PROJECT / DELETE

Users who have this permission can delete the team project. This project-specific permission is typically used to remove a test project or a project that was created incorrectly.

PROJECT / PUBLISH_TEST_RESULTS

This permission controls whether a user can upload test result data to the application tier and whether the user can remove test runs.

PROJECT / DELETE_TEST_RESULTS

Users who have this permission can delete test results.

PROJECT / ADMINISTER_BUILD

Users who have this permission can create and edit build types, add or check in custom build tasks, delete completed builds, and stop builds that are in progress.

PROJECT / START_BUILD

Only users with this permission can start a build, either through Team Explorer or from the command line.

PROJECT / EDIT_BUILD_STATUS

Enables the user to tag a build with a quality value such as "Self Test" or "Ready for Testing" through the Team Build Browser user interface. The quality tag is stored in the Team Foundation Build database.

PROJECT / UPDATE_BUILD

This permission must be granted to the account under which the Build Service runs so that it can update the Team Foundation Build database. Assign it only to service accounts, never to individual users.

CSS_NODE / GENERIC_READ

Users with this permission can view this area node. Viewing or editing the work items under the node is controlled separately by WORK_ITEM_READ and WORK_ITEM_WRITE.

CSS_NODE / GENERIC_WRITE

Users with this permission can edit this area node, for example rename it.

CSS_NODE / CREATE_CHILDREN

Users with this permission can create new child area nodes and reorder the existing child nodes.

CSS_NODE / DELETE

Users with this permission can delete area nodes. Any child nodes under a deleted node are also deleted.

CSS_NODE / WORK_ITEM_READ

Users with this permission can view, but not edit or change, work items under this area node.

CSS_NODE / WORK_ITEM_WRITE

Users with this permission can edit work items under this area node.

EVENT_SUBSCRIPTION / GENERIC_READ

Users who have this permission can view alerts.

EVENT_SUBSCRIPTION / GENERIC_WRITE

Users who have this permission can change alert settings.

EVENT_SUBSCRIPTION / UNSUBSCRIBE

Users who have this permission can unsubscribe from alerts.

The following example shows how to grant permissions to the Readers security group so that its members can view team project information, the area hierarchy, and work items, but not modify any of them.

<group name="Readers" description="A group for those with read access across the project">
   <permissions>
     <permission name="GENERIC_READ" class="PROJECT" allow="true" />
     <permission name="GENERIC_READ" class="CSS_NODE" allow="true" />
     <permission name="WORK_ITEM_READ" class="CSS_NODE" allow="true" />
   </permissions>
</group>
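Because a typo in a class or name attribute, a misspelled allow value, or an over-broad grant in GroupsandPermissions.xml is only discovered when a team project is created from the template, it pays to lint the file first. The following Python script is an added example written for this page, not code that ships with Team Foundation Server or the process templates. It transcribes the class/name table above into a lookup, parses a task element, and reports unknown permissions, bad allow values, duplicates, UPDATE_BUILD granted to anything other than a named service group, and a small set of high-impact grants worth reviewing. The service_groups parameter, the HIGH_IMPACT selection, and the SAMPLE_TASK XML (including the deliberately flawed Testers group) are this example's own assumptions and constructed input.

```python
"""Static checks for one <task> element of a GroupsandPermissions.xml file."""
import xml.etree.ElementTree as ET

GROUPS_PLUGIN = "Microsoft.ProjectCreationWizard.Groups"

# Valid class -> name pairs, transcribed from the permission table on this page.
VALID_PERMISSIONS = {
    "NAMESPACE": {"GENERIC_READ", "GENERIC_WRITE", "MANAGE_EVERYONE_GROUP",
                  "CREATE_PROJECTS", "ADMINISTER_WAREHOUSE", "MANAGE_TEMPLATE"},
    "PROJECT": {"GENERIC_READ", "GENERIC_WRITE", "DELETE", "PUBLISH_TEST_RESULTS",
                "DELETE_TEST_RESULTS", "ADMINISTER_BUILD", "START_BUILD",
                "EDIT_BUILD_STATUS", "UPDATE_BUILD"},
    "CSS_NODE": {"GENERIC_READ", "GENERIC_WRITE", "CREATE_CHILDREN", "DELETE",
                 "WORK_ITEM_READ", "WORK_ITEM_WRITE"},
    "EVENT_SUBSCRIPTION": {"GENERIC_READ", "GENERIC_WRITE", "UNSUBSCRIBE"},
}
# The page says UPDATE_BUILD belongs only on the Build Service account.
SERVICE_ONLY = {("PROJECT", "UPDATE_BUILD")}
# Grants that reach beyond one project's daily work (this checker's own selection).
HIGH_IMPACT = {("NAMESPACE", "GENERIC_WRITE"), ("NAMESPACE", "MANAGE_EVERYONE_GROUP"),
               ("NAMESPACE", "CREATE_PROJECTS"), ("NAMESPACE", "MANAGE_TEMPLATE"),
               ("PROJECT", "DELETE")}


def check_groups_task(xml_text, service_groups=("Build Services",)):
    """Return a list of findings for one <task>; an empty list means no issues.
    service_groups: group names permitted to hold SERVICE_ONLY grants (assumed)."""
    findings = []
    task = ET.fromstring(xml_text)
    if task.get("plugin") != GROUPS_PLUGIN:
        findings.append(f"task {task.get('id')!r} is not handled by {GROUPS_PLUGIN}")
    for group in task.iter("group"):
        gname = group.get("name") or "<unnamed group>"
        perms = group.findall("./permissions/permission")
        if not perms:
            findings.append(f"{gname}: no permissions specified")
        seen = set()
        for perm in perms:
            cls, name, allow = perm.get("class"), perm.get("name"), perm.get("allow")
            if name not in VALID_PERMISSIONS.get(cls, ()):
                findings.append(f"{gname}: unknown permission class={cls} name={name}")
                continue
            if allow not in ("true", "false"):
                findings.append(f"{gname}: {cls}/{name} allow must be 'true' or 'false', got {allow!r}")
            if (cls, name) in seen:
                findings.append(f"{gname}: {cls}/{name} listed more than once")
            seen.add((cls, name))
            if allow != "true":
                continue  # a deny never widens access; nothing more to flag
            if (cls, name) in SERVICE_ONLY and gname not in service_groups:
                findings.append(f"{gname}: {cls}/{name} should be granted only to a service account")
            if (cls, name) in HIGH_IMPACT:
                findings.append(f"{gname}: review high-impact grant {cls}/{name}")
    return findings


# Constructed sample input; the Testers group is deliberately wrong.
SAMPLE_TASK = """\
<task id="GroupCreation1" name="Create Groups and Permissions"
      plugin="Microsoft.ProjectCreationWizard.Groups"
      completionMessage="Groups and Permissions created.">
  <taskXml><groups>
    <group name="Contributors" description="Day-to-day project members">
      <permissions>
        <permission name="GENERIC_READ" class="PROJECT" allow="true" />
        <permission name="WORK_ITEM_WRITE" class="CSS_NODE" allow="true" />
        <permission name="START_BUILD" class="PROJECT" allow="true" />
        <permission name="DELETE" class="PROJECT" allow="false" />
      </permissions>
    </group>
    <group name="Build Services" description="Build service account only">
      <permissions>
        <permission name="UPDATE_BUILD" class="PROJECT" allow="true" />
      </permissions>
    </group>
    <group name="Project Administrators" description="Can administer and delete the project">
      <permissions>
        <permission name="GENERIC_WRITE" class="PROJECT" allow="true" />
        <permission name="DELETE" class="PROJECT" allow="true" />
      </permissions>
    </group>
    <group name="Testers" description="Deliberately flawed entries for the checker">
      <permissions>
        <permission name="WORKITEM_READ" class="CSS_NODE" allow="true" />
        <permission name="GENERIC_READ" class="PROJECT" allow="yes" />
        <permission name="UPDATE_BUILD" class="PROJECT" allow="true" />
      </permissions>
    </group>
  </groups></taskXml>
</task>
"""

if __name__ == "__main__":
    for finding in check_groups_task(SAMPLE_TASK):
        print(finding)
```

Run against the constructed sample, the checker reports four findings: the high-impact PROJECT/DELETE grant to Project Administrators, the misspelled WORKITEM_READ, the allow="yes" value, and UPDATE_BUILD granted to Testers. The denied PROJECT/DELETE on Contributors is not flagged, since a deny cannot widen access. To check a real template, read the task element out of GroupsandPermissions.xml and pass its text to check_groups_task, adjusting service_groups to the name your template uses for the build service account group.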

See Also

Tasks

How to: Verify Groups and Permissions Changes

Concepts

Windows SharePoint Services [Team Foundation Server]
Version Control [Team Foundation Server]
Reports

Other Resources

Work Item Tracking