I've figured out how to prevent showing "project information" from TFS. However the other projects still show up in reporting services. I went to Reporting Services configuration and could not figure out how to add a Deny View permission.
Is there any way to do this?
Unfortunately I do not know of a way to restrict query permissions based on a users project membership. The, for example, work items for all projects are stored in a single table - if a user has read access to it they can query any other project's work items.
You can set the individual access permissions for Reports, Folders, and/or Data Sources.
From Report Server -> http://localhost/Reports
Select the Properties "tab" then Security from the menu on the left.
Hi Darrell,
As you've figured out, the permissions in TFS Projects dont translate into permissions for looking at information in the warehouse. You would have to configure permissions directly on the different components.
There are a few levels of security here:
Reporting Services
Analysis Services
SQL Server
They interact as following:
1. User clicks on report
2 . The report uses the TFSReport user credentials to fetch data from the Analysis Services (all in-box reports except Load Test Summary) or SQL Server
-- The TFSReport user has read permission on everything in the TFSWarehouse sql database and the Team System cube in Analysis Services. You can see this in the Roles node underneath the databases in SQL Management Studio.
TFS:
There is msdn info on TFS Permissions here:
http://msdn2.microsoft.com/en-us/library/ms253094.aspx
I'm seeing that we're missing details on how to configure the warehouse for the scenario you're talking about.
Reporting Services:
As long as someone has access to the Report Server, they can use the the data sources TFSReportDS and TFSOlapReportDS to access all information in the cube - this is because they connect to SQL and Analysis Services with the TFSReport account. You can configure different data sources for different projects and have each data source have specific permissions on AS and SQL.
Analysis Services:
I think you may be able to restrict information at the cell level in Analysis Services. This is AS BOL on Security:
http://msdn2.microsoft.com/en-us/library/ms174517.aspx
You can contact the SQL Analysis Services team at this forum for more detailed questions: http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=83&SiteID=1
SQL Server:
I'm not sure about SQL - you can post the question on their forum:
http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=93&SiteID=1
SQL also has a security forum:
http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=92&SiteID=1
Please let me know if you need help figuring this out, and we can figure it out together.
Mauli
Bummer.
What we've decided to do is name our projects with codenames so that the subcontractors in our TFS at least can't guess what the project is by its name.
Hi Darrell,
Sounds like you have found a good workaround. This is an issue that we will look at for future versions. I'd appreciate it if you could tell me more about your requirements when you get a chance: mauli.shah@microsoft.com(donotspam)mauli
