amit_g

Reputation: 31270

TFS build definition permissions and groups inheritance with user having membership to multiple groups

I have the following user groups

and the following build definitions (Dev build definitions outnumber Prod build definitions by many times)

Since Dev build definitions outnumber the Prod build definitions by many times, the default at the "All Build Definition" level is to allow access to both Contributors and Builders. I want to deny Contributors access to Prod build definitions. However, if I explicitly Deny, User1 and User2, who are members of both groups, get "denied" that access. The only other options I can use are "Inherited Allow" and "Allow". How else can it be achieved? I would like to keep the default this way so that fewer build definitions require an override, unless there is no other way.

Here is a typical permission

Here is what happens

Upvotes: 1

Views: 221

Answers (1)

PatrickLu-MSFT

Reputation: 51183

This is the expected behavior. According to the TFS permission settings, for most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.

For details, you could take a look at the tutorial on MSDN: About permissions and groups

To achieve what you want, you can create a new group such as DenyProGroup. Add the other developers in Contributors, except User1/User2, to this group, such as User3/User4/User5 in your case.

For this group, set the View Build Definition permission to "Deny" on all Prod Build Definitions. For Contributors and Builders, set the same permission to "Allow". Save the changes. Then User3/4/5 will lose the ability to view Prod Builds, but User1/2 will still have it.

Upvotes: 1
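The Deny-trumps-Allow rule from the answer, as an added example that is not part of the original posts: a simplified Python model that resolves one permission across a user's groups and lists who would be locked out as a side effect. It ignores inheritance between "All Build Definitions" and individual definitions; the function names are hypothetical and the group membership is constructed from the thread (User1/User2 in both groups, User3/4/5 in Contributors only).

```python
# Simplified model of the rule quoted in the answer: across a user's groups,
# any Deny beats any Allow. Membership below is constructed from the thread.
GROUPS = {
    "Contributors": {"User1", "User2", "User3", "User4", "User5"},
    "Builders": {"User1", "User2"},
    "DenyProGroup": {"User3", "User4", "User5"},  # group proposed in the answer
}


def effective(user, acl):
    """Resolve one permission for one user from {group: 'Allow' | 'Deny'}."""
    states = {state for group, state in acl.items() if user in GROUPS.get(group, ())}
    if "Deny" in states:
        return "Deny"      # Deny trumps Allow
    if "Allow" in states:
        return "Allow"
    return "Not set"       # no matching entry: access is not granted


def collateral_denials(acl, must_keep):
    """Users in the must_keep groups who end up denied by this ACL."""
    needed = set().union(*(GROUPS[g] for g in must_keep))
    return sorted(u for u in needed if effective(u, acl) == "Deny")


# ACL on a Prod build definition, attempt from the question: Deny Contributors.
QUESTION_ACL = {"Contributors": "Deny", "Builders": "Allow"}
# ACL from the answer: Deny only the dedicated group, Allow the other two.
ANSWER_ACL = {"Contributors": "Allow", "Builders": "Allow", "DenyProGroup": "Deny"}

if __name__ == "__main__":
    for name, acl in (("question", QUESTION_ACL), ("answer", ANSWER_ACL)):
        print(name, {u: effective(u, acl) for u in sorted(GROUPS["Contributors"])})
        print("  builders locked out:", collateral_denials(acl, ["Builders"]))
```

Running `collateral_denials` against a planned Deny before applying it shows whether any member of a group that must keep access would be caught by it.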
