Get started for free
Visual Studio Developer Center >
When we give TFS user permission in Application it is giving permissions to TFS Production Database also for that particular user

Answered When we give TFS user permission in Application it is giving permissions to TFS Production Database also for that particular user

  • Tuesday, May 29, 2012 1:55 PM
     
     
    Sign In to Vote
    0

    Hi,

    Consider the scenario there is a User : XYZ and we have given Permissions as ProjectAdministrators for Team Project

    For the same user it is allocating DB_OWNER permission against the TeamProjectCollection Database for that User.

    Why it is giving access to production Database on giving permissions at application level

    Any help will be great......

    Thanks

    Madhu

    Madhu Sandeep

     

All Replies

  • Tuesday, May 29, 2012 2:35 PM
     
     Answered
    Sign In to Vote
    1

    Hi Madhu,

    Members of the Team Foundation Administrators group have the highest set of permissions of any users in Team Foundation Server. For most organizations that use Team Foundation Server, administrators create and manage team project collections, in addition to performing any operations that are required to maintain the server.

    An administrator for Team Foundation Server must be a member of the following groups or have the following permissions:

    • Team Foundation Server: Team Foundation Administrators or have the appropriate server-level permissions set to Allow. For more information, see Team Foundation Server Default Groups, Permissions, and Roles.

    • Windows: Administrators group on the server that is running the administration console for Team Foundation. The administration console requires administrative permissions to operate correctly.

    • SharePoint Products: the appropriate groups or permissions in SharePoint Central Administration. Depending on your deployment configuration and security requirements, you might not need to add the user to any groups in SharePoint Products. For optimum interoperability, consider adding them to the following SharePoint Products groups:

      • Farm Administrators

      • Site Collection Administrators group for all site collections that are used by the deployment of Team Foundation Server.

      For more information, see Interactions Between SharePoint Products and Team Foundation Server andService Accounts and Dependencies in Team Foundation Server.

    • Reporting Services: Team Foundation Content Manager and either sysadmin or the db_owner group membership for the configuration database, the reporting and analysis databases, and the databases for team project collections.

    • SQL Server: serveradmin role if you want the user to be able to create a database when creating a team project collection. If your security requirements restrict membership in this role, a SQL Server administrator must create a database to be used before a team project collection can be created.

    So, yes if you see the last 2 points. 

    Can you validate this for another user who is not a tfs admin. They shouldn't get added  to these groups. 

    Please remember to mark the replies as answers if they help.

    Tarun Arora

    Blog: http://geekswithblogs.net/TarunArora  Subscribe in a reader

    • Marked As Answer by Madhu Sandeep Wednesday, May 30, 2012 8:23 AM
    •  
     
  • Wednesday, May 30, 2012 8:23 AM
     
     Answered
    Sign In to Vote
    0
    1. Root Cause: This problem will arise when you try to give access in Team Foundation Administration console. On adding user here it will give full permissions to the user respective Database also.
    2. Solution:
      1. We should add only TFS User account  in administrative console.
      2. If any other   users wants Project Administrators permissions for that particular user we need to add in respective Team Project Collection-->Project Administrators.

    Madhu Sandeep

    • Marked As Answer by Madhu Sandeep Wednesday, May 30, 2012 8:23 AM
    •