Reputation: 31270
I have the following user groups
and the following build definitions (Dev build definitions outnumber Prod build definitions by many times)
Since Dev build definitions outnumber the Prod build definitions by many times, the default at the "All Build Definition" level is to allow access to both Contributors and Builders. I want to deny Contributors access to Prod build definitions. However, if I explicitly Deny, User1 and User2, who are members of both groups, get "denied" that access. The only other options I can use are "Inherited Allow" and "Allow". How else can it be achieved? I would like to keep the default this way so that fewer build definitions require an override, unless there is no other way.
Here is a typical permission
Here is what happens
Upvotes: 1
Views: 221
Reputation: 51183
This is the expected behavior. According to the TFS permission settings, for most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
For details, you could take a look at the tutorial on MSDN: About permissions and groups
To achieve what you want, you can create a new group such as DenyProGroup. Add the other developers in Contributors, except User1/User2, to this group, such as User3/User4/User5 in your case.
For this group, set the View Build Definition permission to "Deny" on all Prod build definitions. For Contributors and Builders, set the same permission to "Allow". Save the changes. Then User3/4/5 will lose the ability to view Prod builds, but User1/2 will still have it.
Upvotes: 1
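The following is an added example, not part of the original answer and not TFS code: a simplified Python model of the "Deny trumps Allow" rule quoted above, showing why denying Contributors locks out User1/User2 and why the DenyProGroup layout does not. The membership table, the `effective` and `viewers` helpers, and the rule that a setting on the definition replaces the inherited default are assumptions made for illustration.

```python
# Simplified model of the rule quoted in the answer: per group, a setting on the
# definition overrides the one inherited from "All Build Definitions"; across a
# user's groups, any Deny wins, otherwise any Allow grants, otherwise no access.
ALLOW, DENY = "Allow", "Deny"

# Constructed membership, based on the users named in the thread.
MEMBERS = {
    "Contributors": {"User1", "User2", "User3", "User4", "User5"},
    "Builders": {"User1", "User2"},
    "DenyProGroup": {"User3", "User4", "User5"},  # group proposed in the answer
}

# Default at the "All Build Definitions" level, as described in the question.
DEFAULTS = {"Contributors": ALLOW, "Builders": ALLOW}


def effective(user, overrides):
    """Return True if `user` can view a definition carrying `overrides`."""
    settings = []
    for group, members in MEMBERS.items():
        if user not in members:
            continue
        # Explicit setting on the definition, else the inherited default.
        value = overrides.get(group, DEFAULTS.get(group))
        if value is not None:
            settings.append(value)
    if DENY in settings:
        return False  # a single Deny from any group blocks the user
    return ALLOW in settings


def viewers(overrides):
    """Return the sorted list of users who can view the definition."""
    users = set().union(*MEMBERS.values())
    return sorted(u for u in users if effective(u, overrides))


# Attempt from the question: Deny Contributors on a Prod definition.
question_attempt = {"Contributors": DENY}
# Layout from the answer: Deny only DenyProGroup, keep the others at Allow.
answer_layout = {"DenyProGroup": DENY, "Contributors": ALLOW, "Builders": ALLOW}

if __name__ == "__main__":
    print("Dev definition:  ", viewers({}))
    print("Question attempt:", viewers(question_attempt))
    print("Answer layout:   ", viewers(answer_layout))
```

In this model, a user added to Contributors but not to DenyProGroup can view Prod definitions by default, so DenyProGroup membership has to be maintained alongside Contributors.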