Default Team Foundation Security Groups appear to be Inadequate
I may be missing something but I only see 2 security groups.
- Team Foundation Administrators
- Team Foundation Valid UsersWhy is the Team Foundation Valid Users group not configurable?
Is there a document that discusses the recommended set of groups?
I expected to see 4 default security groups as follows:
- Project Managers
- Architects
- Developers
- Testers
I created a "Team Foundation Developers Group" and mapped the users from an AD domain.
I set the permissions of the Developers group as follows:
- Access the source control system
- Administer shelved changes
- Create a workspace
- Create new projects
- Edit server level information
- Fire-events
- View server-level information
- View system synchronization information
My problem is that the "Create new projects" permission is not working.
When the developer attempts to create the new project, it fails when creating the SharePoint site. The SharePoint server throws an exception because the user does not have permissions to create the SharePoint site.
What is the recommended solution?
Unfortunately, it looks like I may need to make the user an admin of the SharePoint server.
Hi Gary
The four groups you expected to see are not created by default. You can create these groups at a global level once you connect to your TFS, just as you created your Team Foundation Developers Group.
Groups associated with the TFS are automatically added as part of the Team Foundation Valid Users group.
Have a look here for TFS user security setting info.It looks like you need to give your developers the appropriate rights in WSS. You can use Sharepoint Central Administration to do this from the Administrative Tools menu.
Hope this helps.
Hi Gary,
Joe is correct on the default groups, TFS Valid User group and Sharepoint. Note that you'll need to do something similar for the Reporting site too. Unfortunately we were not able to integrate the security, groups and permissions across TFS, Sharepoint and Reporting Services, so you'll have to manage these separately.
By default the only "global/server" scope user groups are TFS Admins and TFS valid users. TFS Admins have permissions to modify all projects and settings on the server. When a project is created, groups created for this project are scoped to that project only (so that groups/users cannot access other projects that they aren't supposed to).
Project groups that you describe are actually created as part of project creation. MSF Agile will create 3 project user groups: A project admin, Contributor and Reader. You are free to either add more groups as you describe (like Dev or Test Leads etc) after the project is created or you could amend the process template (and the GSS security plug-in) to automatically create these groups. I would advise that you take a step back to determine what kind of processes your company uses, and how you'd like to adapt team foundation to work to those process. It might be worthwhile to read the MSF Agile Process Guidance as well.
There is a administrators guide that ships with TFS that should describe these groups and their permissions. This documentation is continually being improved/updated (and will be updated on MSDN during November).
Hello Dan,
Yes, I am currently taking a step back to see the best way to roll out TFS.
We are a CMMI shop. So I plan to customize your CMMI templates.
>> There is a administrators guide that ships with TFS that should
>> describe these groups and their permissionsI see Team Foundation beta 3 does not yet have a draft version.
This will be very useful when it is ready.
Thanks for the info.
On the server (AT if this is a dual server install) please look in:
%Program Files%\Microsoft Visual Studio 2005 Team Foundation Server\1033
You should find TFSAdmin.chm. This should provide some of the info you're looking for.
You might also find information here http://lab.msdn.microsoft.com/teamsystem/workshop/msfagile/
