I have run into a problem with security for TFS source control.
I have 2 Windows groups (Developers and Lead Developers).
I have 2 users
1. Developers group contains: Dave (local admin on the TFS box)
2. Lead Developers group contains: John (local admin on the TFS box)
They are NOT Team Foundation admins. (They were, and were removed. The TFS
admin group only has the setup account under it now.)
They are both project level members on a single team project. They have only
View project level permission on the project. (They are not team project
admins.)
On the source control side, they have only Read. I have explicitly denied
them all other permissions on the source control root folder (including the
manipulate security setting permission). But they are able to change all the
permission settings on the source control level to whatever they want.
However, they can't do it at the team project level.
They are actually TFS Admins (the ones that are going to be TFS Admins). We
are doing a dry run of the promotional model process for source control.
They can't be removed from the Admin group (without going through a harrowing
2 day process) directly because they are part of a bigger AD group that is
a local admin on this box. It's a very difficult situation, as we aren't
getting any other user whom we could use to test this.
Could any of you please help with this? This is a show stopper. If you guys
could give any pointers, I would really appreciate it.
Thanks
Deepak
*REPLY TO THE ABOVE EMAIL - Some questions and answers*
======================================================
To recap/understand:
Two users were part of TFS-Admin group - *Yes (the Team Foundation Server
level group)*
Team Project was created
TFS Admin group edited (two users removed) - *All users were removed except
for the TFSSetup account*
Source code secured at root (deny permissions, etc.)
- *Only read permission was explicitly set to allow for the two groups (Team
project level groups - Developers and Lead Developers)*
Assuming I have this correct, what timeframe was allowed before you tried to
verify your security model? - around 2 hours
Did both users reboot their boxes? - *No*
Was the security Deny verified at the Team Project level under Root in the
Source-Control stack (not sure how permissions flow by default –
recursively, etc)? - *Yes, they flow recursively if you check "Inherit
security settings". I have made sure that I only give minimum required
permissions at the root level (Read).*
You said you removed them from TFS-Admin group – is that a domain group or
the actual TFS Server group? In my default 2008 install, my Admin group is
Builtin\Admin, ServiceAccounts, and TFSSetup – did you remove the
Builtin\Admin group from here?
*Yes. Builtin\Admin was removed right away after the install. The TFS-Admin
is a Team Foundation Server level group. It only has the TFSSetup account
under it now.*
*ACTIONS PERFORMED AFTER THIS EMAIL*
Tried to manipulate security settings with another user (not a local admin
on the TFS box). He was not able to do so? Is this a bug in TFS?