Configuring Team Foundation Server Permissions for Small Groups

Team Foundation Server (TFS) is a pretty good source control and process guidance tool, especially with the release of the latest version, TFS 2010.  One benefit is that it allows extremely granular permissions, which are great for large enterprise setups, but I work in a small group where everyone needs to have access to everyone’s files.  So it becomes sort of a pain, because unless you add everyone to the administrators group you need to add permissions manually to everything.

One thing to understand about TFS is that it is really three separate applications working together: the TFS Application Layer, Microsoft SQL Server Reporting Services and Microsoft SharePoint Services.  Since they don’t share permissions with each other, access needs to be granted individually in each application.

I’ve come up with the following steps; even though they may not be best practices, they work for my environment.  Before beginning, I recommend setting up a security group that contains all of the users you wish to have access to the TFS server.

TFS Application Layer Permissions
  • Open up the Team Foundation Server Administration Console
  • Expand Server Name > Application Tier > Team Project Collections
  • Select “Group Membership”
  • In the “Global Groups on http://localhost:8080/tfs/defaultcollection” window, click the “New…” button.
  • In the “Create New Team Foundation Server Group” window, fill in “User” as the “Group Name” and a description if you choose, then click “Ok”.
  • In the “Global Groups on http://localhost:8080/tfs/defaultcollection” window, select the newly created group and click the “Properties” button.
  • In the properties window, add the users that you wish to have access to all projects.

SharePoint Permissions

SharePoint permissions normally need to be granted individually for each project that you have.  With the way I have it set up, they should be slightly easier to manage.  All users are granted access to the main site in SharePoint.  Each project’s site is a sub-site of the main site and can inherit its permissions from the main site.  The first part is granting permissions to the main site.

  • Log in to your SharePoint site (most likely http://localhost/tfs/defaultcollection) as an administrator.
  • Select “Site Action” > “Site Settings” > “Advanced Permissions”
  • In the permissions page, add all of your users as contributors.  This is where that security group comes in handy as well.

The next step is to set each of your projects to inherit permissions.

  • Once again, log in to your SharePoint site.
  • Select the project you would like to change (URL example: http://localhost/tfs/defaultcollection/projectname)
  • Select “Site Action” > “Site Settings” > “Advanced Permissions”
  • In the permissions page select “Actions” > “Inherit Permissions”

In the end, permissions are updated automatically when you edit the permissions on the main site or, if you decided to set up the Active Directory group, when you change the membership of that group.
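
To confirm that each project site really inherits from the main site, the following added example (not part of the original post) lists every SharePoint web, whether it is a site collection root or a sub-site, and whether its permissions are unique or inherited. It assumes SharePoint Foundation or Server 2010 with the Microsoft.SharePoint.PowerShell snap-in, run on the server as a farm administrator; the function name and the URL filter are hypothetical.

```powershell
# Added example (not from the original post): report, for each SharePoint web,
# whether it is a site collection root or a sub-site and whether it inherits.
# Assumes the SharePoint 2010 PowerShell snap-in and a farm administrator session.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PortalPermissionReport {
    param(
        # Hypothetical filter; matches the collection URL used in this post.
        [string]$UrlFilter = 'defaultcollection'
    )
    foreach ($site in Get-SPSite -Limit All) {
        try {
            foreach ($web in $site.AllWebs) {
                try {
                    if ($web.Url -notlike "*$UrlFilter*") { continue }
                    $unique = $web.HasUniqueRoleAssignments
                    # Only list grants held directly on this web.
                    $grants = @()
                    if ($unique) {
                        $grants = @($web.RoleAssignments | ForEach-Object {
                            $roles = @($_.RoleDefinitionBindings | ForEach-Object { $_.Name })
                            '{0} [{1}]' -f $_.Member.Name, ($roles -join ', ')
                        })
                    }
                    New-Object PSObject -Property @{
                        Url         = $web.Url
                        Kind        = $(if ($web.IsRootWeb) { 'Site collection root' } else { 'Sub-site' })
                        Permissions = $(if ($unique) { 'Unique' } else { 'Inherited from parent' })
                        Grants      = $grants -join '; '
                    }
                }
                finally { $web.Dispose() }
            }
        }
        finally { $site.Dispose() }
    }
}

Get-PortalPermissionReport |
    Sort-Object Url |
    Format-Table Url, Kind, Permissions, Grants -AutoSize -Wrap
```

A site collection root always reports unique permissions because it has no parent to inherit from, so any project portal listed as a site collection root needs the security group granted on it directly.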

Report Server Permissions
  • Log in to your Reporting Services management site (usually http://localhost/reports)
  • Click on “Properties” > “New Role Assignment”
  • In the “New Role Assignment” screen, add your user (or security group) and select the “Browser” role.

Congratulations, your permissions are now granted, so everyone in your group can access all the SharePoint sites and all the source control.


3 thoughts on “Configuring Team Foundation Server Permissions for Small Groups”

  1. I’m not sure about the SharePoint settings. TFS during project creation creates a new site collection for each project (not a subsite under the root portal). So, permissions cannot be inherited as you described. The problem is that it is not possible to create a group of users (i.e. TfsAdmins) that would have all necessary permissions. Why? Because to be able to create a new site collection you must be a site collection administrator on the TFS application in MOSS, defined in the central administration. For the site collection administrators it is possible to add only two persons (not groups), one as primary and one as secondary… Correct me if I’m wrong, but this is my case.

    1. Your configuration may be different from mine as one possible reason you are seeing different results. I have a single server setup with TFS 2010.

      TFS 2010 organizes the projects under collections (I only operate one collection currently so someone can correct me if I’m wrong), but the SharePoint sites seem to be organized into the collections. For my default collection the SharePoint address is https://{server}/sites/defaultcollection/default.aspx. And from this portal it automatically creates links to each of the project sites, whose URLs are https://{server}/sites/defaultcollection/{projectname}/

      So in this configuration a new subsite is created for each project. I have done almost no configuration (except for SSL) so this is more or less an out of the box config for 2010.

  2. The project portal creation process, as far as I know, creates a site collection per project, not a sub-site. I am not saying that it cannot be configured any other way, but the default install creates site collections.

    Anlai, if you go into your central admin, under application mgmt, click on site collection list; if you see an item for each project, then these are site collections and not sub-sites.

    The fact that you may see them organized under /sites/collection name/project name is just something called managed paths. “Sites” is not a site or a site collection, it is just a path.

    Mika, just a slight correction to what you said. You do not set the site collection administrator on a web application, you set it on each site collection. It may look like you are setting it on the web app, but that is simply because you are setting it on the root site collection “/”.
