Reputation: 1292
From what I can tell, if you ever use 'deny' to anything, it overrides EVERYTHING and denies access. For example, you have a 'contributors' group and you want to 'deny' them 'Manage Branch' to keep people from making branches.
Sounds good, but as an Admin, I happen to also be in that group, and even though I have set 'project collection administrators' group to 'allow' the 'deny' overrides it!
I'd like to change this behavior to grant access if any of my permissions grants it (like about every other security model I've worked with). As it is, it looks like I need to be sure that none of the admins are in ANY other groups - or we will be locked out of those!
This makes the 'deny' almost useless - only good for creating a 'former employees' group or something where you want them locked out of everything and want to be able to turn that on.
Oh, I'm using TFS 2012.
Upvotes: 1
Views: 642
Reputation: 59073
That's correct. The Deny permission trumps all other permissions.
Think of it like this:
Allow means something is explicitly allowed.
Not Set means that something is denied unless it's overridden by an Allow.
Deny means that something is denied even if it's Allowed elsewhere.
It's worth noting that this is exactly the same as how Windows security works.
Upvotes: 6
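The evaluation rule from the answer above, as an added example that is not part of the original thread and is not TFS code: a simplified Python model that combines a user's group entries and then audits which administrators lose a permission through a Deny on another group. The group and permission names come from the question; the user names, the Readers group and the function names are hypothetical, and the model covers only the three states described, not inheritance.

```python
from enum import Enum

class Ace(Enum):
    ALLOW = "Allow"
    NOT_SET = "Not Set"
    DENY = "Deny"

def effective(user, permission, memberships, acl):
    """Combine the entries of every group the user belongs to.

    Any Deny wins; otherwise any Allow grants; otherwise the result is
    Not Set, which is an implicit denial.
    """
    groups = memberships.get(user, ())
    entries = [acl.get((g, permission), Ace.NOT_SET) for g in groups]
    if Ace.DENY in entries:
        return Ace.DENY
    if Ace.ALLOW in entries:
        return Ace.ALLOW
    return Ace.NOT_SET

def locked_out_admins(admin_group, permission, memberships, acl):
    """Map each admin whose Allow is overridden to the groups carrying the Deny."""
    findings = {}
    if acl.get((admin_group, permission)) is not Ace.ALLOW:
        return findings  # the admin group grants nothing, so nothing is overridden
    for user, groups in memberships.items():
        if admin_group not in groups:
            continue
        denying = sorted(g for g in groups if acl.get((g, permission)) is Ace.DENY)
        if denying:
            findings[user] = denying
    return findings

# Constructed sample data; user names and the Readers group are hypothetical.
MEMBERSHIPS = {
    "alice": {"Project Collection Administrators", "Contributors"},
    "bob": {"Contributors"},
    "carol": {"Project Collection Administrators"},
    "dave": {"Readers"},
}
ACL = {
    ("Project Collection Administrators", "Manage Branch"): Ace.ALLOW,
    ("Contributors", "Manage Branch"): Ace.DENY,
}

if __name__ == "__main__":
    for user in sorted(MEMBERSHIPS):
        print(user, effective(user, "Manage Branch", MEMBERSHIPS, ACL).value)
    print(locked_out_admins("Project Collection Administrators", "Manage Branch", MEMBERSHIPS, ACL))
```

Running the audit before applying a Deny to a broad group shows which administrators would need to be removed from that group first.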