Reputation: 121
I am trying to set up security in TFS and running into an issue. We have several team projects and about 30 developers. We want all developers to have read access to all team projects. Then there are certain teams which would have read/write access to one or more team projects.
I have an AD group which has all 30 developers and several other AD groups which have the appropriate developers. I assigned the AD group which contains all the developers to the Readers group in each team project. And then the other specific groups as Contributors in their respective team projects.
The problem is that when a user is in both the Readers and Contributors group - it seems as if the Readers group permissions are used (since they are more restrictive). According to the documentation this appears to be the way TFS security is supposed to work.
But how can I set this up properly?
Upvotes: 1
Views: 1248
Reputation: 43023
This is a bit old but maybe you will still find it useful.
Assigning all developers to Readers group is a shortcut which you should not take in this case.
I would create a separate group for each group of developers (divided based on projects) and then assign permissions to those groups - similar to contributors for their own project and similar to readers for all other projects.
As for why it didn't work for you - Deny permission wins over Allow permission if a user has both.
Upvotes: 1
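The precedence rule from the answer, as an added example (not code from the original posts and not TFS's own implementation): a simplified Python model in which an explicit Deny from any group beats Allow, used to check a group layout for Allow/Deny conflicts before applying it. The group names `AllDevs`, `TeamA`, `TeamB`, the users, the projects and the permission sets are constructed for illustration.

```python
from enum import Enum

class Ace(Enum):
    NOT_SET = 0
    ALLOW = 1
    DENY = 2

def user_states(user, groups, members, perm):
    """States a user receives for one permission through every group they belong to."""
    return {entry.get(perm, Ace.NOT_SET)
            for group, entry in groups.items() if user in members.get(group, set())}

def effective(user, project, perm, members, acl):
    """Any explicit Deny wins, otherwise any Allow; unset everywhere means no access."""
    states = user_states(user, acl.get(project, {}), members, perm)
    if Ace.DENY in states:
        return Ace.DENY
    return Ace.ALLOW if Ace.ALLOW in states else Ace.NOT_SET

def conflicts(members, acl):
    """(user, project, permission) triples where one group allows and another denies."""
    found = []
    for project, groups in sorted(acl.items()):
        users = set().union(*(members.get(g, set()) for g in groups))
        perms = {p for entry in groups.values() for p in entry}
        found += [(u, project, p) for u in sorted(users) for p in sorted(perms)
                  if {Ace.ALLOW, Ace.DENY} <= user_states(u, groups, members, p)]
    return found

# Constructed sample data: two teams plus one group holding every developer.
MEMBERS = {"AllDevs": {"alice", "bob"}, "TeamA": {"alice"}, "TeamB": {"bob"}}
RW = {"Read": Ace.ALLOW, "Check in": Ace.ALLOW}
RO = {"Read": Ace.ALLOW}

# Layout 1: the all-developers group carries an explicit Deny on check-in.
SHARED_GROUP = {"ProjectA": {"AllDevs": {"Read": Ace.ALLOW, "Check in": Ace.DENY}, "TeamA": RW}}
# Layout 2 (the answer's suggestion): one group per team, no Deny entries at all.
PER_TEAM = {"ProjectA": {"TeamA": RW, "TeamB": RO}, "ProjectB": {"TeamA": RO, "TeamB": RW}}

if __name__ == "__main__":
    for name, acl in (("shared group", SHARED_GROUP), ("per-team groups", PER_TEAM)):
        print(name, "alice check-in on ProjectA:", effective("alice", "ProjectA", "Check in", MEMBERS, acl).name)
        print(name, "conflicts:", conflicts(MEMBERS, acl))
```

In the model, a permission left unset in one group does not block an Allow granted through another group; only an explicit Deny does.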