About TFS Permissions, TFSSecurity and Uris
Security must be very important to the Microsoft TFS security team, otherwise I cannot really understand why there are 3 different tools you need to use to cover all aspects of permissions:
- tf.exe – Installed with Team Explorer.
- TFSAdmin.exe – Separate download from here.
- TFSSecurity.exe – Installed with Team Foundation server.
We are working on a document that will provide a complete reference of TFS permissions. In the meantime, let's talk a little bit about TFSSecurity.exe.
This utility deals with group membership, project-level permissions, area path permissions and some server-level permissions.
Note: using TFSAdmin is the only way to set server-level permissions (as far as I know), except for using the API of course.
First of all, I hate to say it, but TFSSecurity is far from being an intuitive tool. It requires the following command line arguments:
TFSSecurity.exe /a+ <object Uri> <permission name> <member identity> {ALLOW|DENY} /server:<server name>
- Server name – this one is easy
- Member identity – in most cases you will use an NT user name (MyDomain\MyUserName) or a TFS group name ([SERVER]\Developers). A SID or an AD distinguished name can also be used.
- Permission name – where should we get this one? You can see permissions tables with descriptions here.
Note: only permissions in upper case are relevant for TFSSecurity.
- Object Uri – this one is tricky. I was expecting an ability to use a friendly object path (e.g. MyProject\Area\MyModule\BL). Unfortunately there is no such option. We just have to extract the object Uri ourselves; the only way I know of is through the API.
- Retrieving the area path node Uri is relatively easy.
- Retrieving the project Uri is quite different; the value received from the API has little to do with the Uri expected by the utility. After some investigation in the TFS database I found that you have to concatenate "$PROJECT:" to the Uri to make it work.
- Global permissions: my investigation ended with a surprising answer: use $NAMESPACE as the Uri to set global permissions.
I am attaching a simple utility to this post to help you with the Uri hunting task. Click on the server name and the project name to get the global and project Uri.
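The Uri lookup described above, as an added console example (not the utility attached to this post). It assumes the Team Explorer object model assemblies (Microsoft.TeamFoundation.Client.dll and Microsoft.TeamFoundation.dll) are referenced, and that "$PROJECT:" goes in front of the project Uri returned by the API; the class name UriHunter is hypothetical.

```csharp
using System;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Server;

// Added example: prints the object Uris to pass to TFSSecurity.exe /a+.
class UriHunter
{
    // Usage: UriHunter <server name> <project name> [area path below the project]
    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: UriHunter <server> <project> [MyModule\\BL]");
            return 1;
        }
        string server = args[0], project = args[1];
        try
        {
            TeamFoundationServer tfs = TeamFoundationServerFactory.GetServer(server);
            ICommonStructureService css =
                (ICommonStructureService)tfs.GetService(typeof(ICommonStructureService));

            // Global permissions use a fixed token instead of a real Uri.
            Console.WriteLine("Global : $NAMESPACE");

            // The Uri returned by the API is not accepted as-is for a project.
            // Assumption: the "$PROJECT:" token is placed in front of it.
            ProjectInfo info = css.GetProjectFromName(project);
            Console.WriteLine("Project: $PROJECT:" + info.Uri);

            // Area nodes: the node Uri from the API is used unchanged.
            if (args.Length > 2)
            {
                string path = "\\" + project + "\\Area\\" + args[2].Trim('\\');
                NodeInfo node = css.GetNodeFromPath(path);
                Console.WriteLine("Area   : " + node.Uri);
            }
            return 0;
        }
        catch (Exception ex)
        {
            // Unknown project or area path, or no access to the server.
            Console.Error.WriteLine("Lookup failed: " + ex.Message);
            return 2;
        }
    }
}
```

Paste the printed value as the `<object Uri>` argument of the TFSSecurity.exe command line shown earlier.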