TFS Queue Background Jobs permission

Question

We would like to have a process which runs a script that forces an Active Sync of TFS (the Active Directory TFS sync job ordinarily only runs once an hour). Based on my understanding of this post (which discusses using a command line program to accomplish the same end result), the calling account would need to have the Queue Background Jobs TFS permission granted.

Without this permission attempting to execute the PowerShell script, I receive the following error:

Exception calling "QueueJobNow" with "2" argument(s): "Access Denied: Smith, Jane needs the following permission(s) on the resource AllJobs to perform this action: Queue background jobs"

It is not clear how one would grant the Queue Background Jobs permission. It does not appear to be in the TFS Console or GUI anywhere.

Answer 1

This permission is granted via the tfsecurity command. You will need to grant the Job namespace Queue and Read permissions as depicted below in order for the PowerShell script referenced in the question to work:

To see current security assignments:

tfssecurity /acl job /server:https://myserver/tfs

To grant a user read job information:

tfssecurity /a+ Job AllJobs Read n:mydomain\myuser ALLOW /server:https://myserver/tfs

To remove a user’s read job information: tfssecurity /a- Job AllJobs Read n:mydomain\myuser ALLOW /server:https://myserver/tfs

To grant a user queue job access:

tfssecurity /a+ Job AllJobs Queue n:mydomain\myuser ALLOW /server:https://myserver/tfs

To remove a user’s queue job access:

tfssecurity /a- Job AllJobs Queuen:mydomain\myuser ALLOW /server:https://myserver/tfs