About TFS Permissions, TFSSecurity and Uris

October 20, 2006


Security must be very important to the Microsoft TFS security team, otherwise I cannot really understand why there are 3 different tools you need to use to cover all permissions aspects:


  • tf.exe – Installed with Team Explorer.
  • TFSAdmin.exe – Separate download from here.
  • TFSSecurity.exe – Installed with Team Foundation server.

We are working on a document that will provide a complete reference of TFS permissions aspects. In the meantime, let's talk a little bit about TFSSecurity.exe.

This utility deals with group membership, project-level permissions, area path permissions and some server-level permissions.

Note: using TFSAdmin is the only way to set server-level permissions (as far as I know), except for using the API of course.

First of all, I hate to say it, but TFSSecurity is far from being an intuitive tool. It requires the following command line arguments:

TFSSecurity.exe /a+ <object Uri> <permission name> <member identity> {ALLOW|DENY} /server:<server name>

  • Server name – this one is easy
  • Member identity – in most cases you will use an NT user name (MyDomain\MyUserName) or a TFS group name ([SERVER]\Developers); a SID or an AD distinguished name can also be used.
  • Permission name – where should we get this one? You can see permissions tables with descriptions here.
    Note: only permissions in upper case are relevant for TFSSecurity.

  • Object Uri – this one is tricky. I was expecting an ability to use a friendly object path (e.g. MyProject\Area\MyModule\BL). Unfortunately there is no such option. We just have to extract the object Uri ourselves; the only way I know of is through the API.

    • Retrieving the area path node Uri is relatively easy.
    • Retrieving the project Uri is quite different; the value received from the API has little to do with the Uri expected by the utility. After some investigation in the TFS database I found that you have to concatenate "$PROJECT:" to the Uri to make it work.
    • Global permissions: my investigation ended up with the surprising answer: use $NAMESPACE as Uri to set global permissions.

I am attaching a simple utility to this post to help you with the Uri hunting task. Click on server name and project name to get global and project Uri.
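
As an added example (not the utility attached to this post, and not Microsoft's code), the PowerShell below assembles the TFSSecurity.exe arguments for the three object kinds described above. The vstfs Uris with placeholder GUIDs, the server name, the identity and the GENERIC_READ permission name are constructed sample values; treating "$PROJECT:" as a prefix and passing the area node Uri unchanged are assumptions.

```powershell
# Added example: build TFSSecurity.exe /a+ arguments for the three object kinds in the post.
# GUIDs, server name, identity and GENERIC_READ are constructed sample values.
function Get-TfsSecurityObjectId {
    param(
        [Parameter(Mandatory)] [ValidateSet('Area', 'Project', 'Global')] [string] $Kind,
        [string] $ApiUri   # Uri as returned by the TFS API; not needed for Global
    )
    # Single quotes matter: in a double-quoted string PowerShell would try to
    # expand $NAMESPACE and $PROJECT: as variables and pass an empty object id.
    if ($Kind -eq 'Global') { return '$NAMESPACE' }
    if (-not $ApiUri) { throw "$Kind needs the Uri retrieved through the API." }
    if ($Kind -eq 'Project') { return '$PROJECT:' + $ApiUri }  # assumed to be a prefix
    return $ApiUri                                             # area node: assumed used as returned
}

function New-TfsSecurityArgs {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $Permission,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('ALLOW', 'DENY')] [string] $Action,
        [Parameter(Mandatory)] [string] $Server
    )
    # The post notes that only upper-case permission names are relevant to TFSSecurity.
    if ($Permission -cnotmatch '^[A-Z_]+$') {
        throw "Permission '$Permission' is not an upper-case permission name."
    }
    # ValidateSet is case-insensitive, so normalise the action before emitting it.
    return @('/a+', $ObjectId, $Permission, $Identity, $Action.ToUpper(), "/server:$Server")
}

$samples = @(
    @{ Kind = 'Area';    ApiUri = 'vstfs:///Classification/Node/00000000-0000-0000-0000-000000000001' },
    @{ Kind = 'Project'; ApiUri = 'vstfs:///Classification/TeamProject/00000000-0000-0000-0000-000000000002' },
    @{ Kind = 'Global' }
)
foreach ($s in $samples) {
    $objectId = Get-TfsSecurityObjectId @s
    $tfsArgs  = New-TfsSecurityArgs -ObjectId $objectId -Permission 'GENERIC_READ' `
        -Identity 'MyDomain\MyUserName' -Action ALLOW -Server 'MyTfsServer'
    # Print each command for review; to apply it, run: & TFSSecurity.exe @tfsArgs
    'TFSSecurity.exe ' + ($tfsArgs -join ' ')
}
```

Printing the commands first lets you review exactly which object, permission and identity each ALLOW or DENY entry will touch before anything is changed on the server.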


2 comments

  1. alikl, November 25, 2006 at 15:28

    why don't you tag it with Security tag? 🙂

    Good stuff!!

  2. Sarit Tamir, November 28, 2006 at 4:01

    Thanks aliki - It was so obvious we didn't think about it… tag is now added
