Reputation: 31270
TFS build definition permissions and groups inheritence with user having membership to multiple groups
I have following users groups
- Builders
- User1
- User2
- Contributors
- User1 (Note this is member of Builders also)
- User2 (Note this is member of Builders also)
- User3
- User4
- User5
and following build definitions (Dev build definitions outnumber prod build definitions by many times)
- Dev Builds
- Build Definition 01
- Build Definition 02
- Build Definition 03
- Build Definition 04
- Build Definition 05
- Prod Builds
- Build Definition 51
- Build Definition 52
Since Dev build definitions outnumber the prod build definitions by many times, the default at "All Build Definition" level is to allow access to both Contributors and Builders. I want to deny Contributors access to Prod build definitions. However, if I explicitly Deny, User1 and User2 who are members of both groups gets "denied" that access. The only other option I can use is "Inherited Allow" and "Allow". How else can it be achieved? I would like to keep the default this way so that less number of build definitions require override unless there is no other way.
Here is a typical permission
- All Build Definition
- View Build Definition (Picked one of the permission for sample)
- Builders - Allow
- Contributor - Allow
- One of the Prod Build Definition
- View Build Definiton (Picked one of the permission for sample)
- Builders - Inherited Allow (Options are Allow, Deny, Not Set)
- Contributor - Inherited Allow (Options are Allow, Deny, Not Set)
Here is what happens
- Inherited Allow at Contributor - All users have access
- Deny at Contributor - User 1 and User 2 lose their access regardless of any permissions at Builders group
Upvotes: 1
Views: 221
Answers (1)
Reputation: 51183
This is the expected behavior. According to TFS permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Details you could take a look at the tutorial in MSDN: About permissions and groups
To achieve what you want, you can create a new group such as DenyProGroup. Adding the others developers except user1/user2 in Contributors to this group. Such as User3/User4/User5 in your case.
For this group, set View Build Definiton permissions to “Deny” of all Prod Build Definitions. For Contributors and Builders, set the same permissions to”Allow”. Saved Changes. Then the user3/4/5 will lose the ability to view Prod Builds but user1/2 still have.
Upvotes: 1
Related Questions
- TFS 2012 Multiple Security Groups
- User permissions for TFS Build server
- Restrict Create Build Definition permissions in TFS
- User Permissions in TFS API - Start a Build, Administer a Build
- TFS - Set permission for specific project within team project
- TFS Permissions 2012 - Project Collection Valid Users
- Adding a TFS server group to access levels via command line
- TFS 2010 Build setup permissions issue
- TFS security - users in both Readers and Contributors groups
- How to create Group Membership in TFS?