TFS Build Definition - Security lock down - TFS 11 Beta
-
Friday, April 27, 2012 7:11 PM
I want to allow only specific users in the team to queue build definitions but allow the entire team to view them (so they know they exist). These definitions are for Production deployment builds. I am using TFS 11 Beta, but if you can explain it in TFS 2010 I can figure it out.
Due to the inheritance of permissions I can't get the desired outcome because I believe applying the "deny" permission is prevailing. My plan is to create two new TFS Groups and set permissions for one group to manage the build definition and the other group with only view access.
I created a new TFS Group at the Collection Level named "Collection Prod Deploy". In the permissions tab of the group I eventually set everything to "allow" (reason for doing this follows). I added myself and other users to the group (I'm an admin). I then right clicked the build definition, selected security, turned off inheritance, add the newly created group and set all permissions eventually to "allow".
This allows the queue of the build definition however the build just sits in the controller queue and never does anything. I can't stop the build and get permission errors when attempting. The build has sat in the queue for up to 15 minutes before I applied inheritance back to the build definition and stopped.
I also applied the same scenario using a newly created Project Level TFS Group with the same result of the build getting stuck in the build queue. I never got to creating the second group for only view access.
All Replies
-
Monday, April 30, 2012 6:15 AM - Moderator
Hi Scott,
Thanks for your post.
To allow the entire team to view the build definitions, you can add all the users to the [Collection]\Project Collection Valid Users group or the [TeamProject]\Readers group.
To allow only specific users to queue the build definition, add these users to the [TeamProject]\Builds group.
In your test scenario, if you check the Inherit Security Settings option for your new TFS Group (right-click build definition >> Security), can the users in your new TFS Group queue and stop the build definition correctly?
For permission inheritance, please refer to the information in this MSDN document: http://msdn.microsoft.com/en-us/library/ms252587.aspx.
John Qiao [MSFT]
MSDN Community Support | Feedback to us
- Marked As Answer by Scott L Henderson Wednesday, May 02, 2012 3:09 AM
-
Monday, April 30, 2012 4:03 PM
Thanks for your answer, John. The problem still continued after using your solution, but I did find the issue and it ultimately resided in the inheritance down to the user level. Ultimately, the user cannot be in the Contributors group and in the Builders group to apply this scenario.
Here was the issue I was running into having the user in both groups. Contributors have the Queue builds access of "inherited allow" by default. If you set this to deny, then the user loses Queue builds access no matter what group they are in, even if the permission in the other group is an explicit "allow". When attempting to queue the build in this scenario you get a very clear message that you do not have permissions to queue a build.
I gave the Builders group explicit "allow" Queue builds access and then turned inheritance off. I then changed the Contributors setting for Queue builds to "not set". In this scenario the user can queue the build. The user is still in both groups. However, it will sit indefinitely in the controller's queue and do nothing! Also, the user can't stop the queued build.
Short answer I found is the user can't be in both groups.
Scott H
-
Tuesday, May 01, 2012 7:04 AM - Moderator
Hi Scott,
Thanks for your reply.
Did you do your test on a TFS 11 or a TFS 2010 server?
I followed your scenario to do a test in TFS 2010, but I can't reproduce that "the user can't stop the queued build".
Could you please provide the detailed reproduction steps here? I will follow your detailed steps to reproduce this scenario.
If you have any further research on this issue, please share your experience here.
Additionally, for more information about TFS 11, you can post in the TFS vNext forum for a better response.
John Qiao [MSFT]
MSDN Community Support | Feedback to us
-
Tuesday, May 01, 2012 1:55 PM
We have migrated to TFS 11 Beta and are also using TFS 11 build controllers.
Detailed steps...
1) The user is in both the [Project]Builders group and the [Project]Contributors group. The user can be in other groups too and is, in this case, also in the Project Administrators group.
2) Right-click the build definition in Team Explorer. This launches the TFS Web security interface for the build definition.
3) Select the Builders group. Explicitly set Queue builds, Stop builds, View build definition and View builds to "allow".
4) Select the Contributors group. Explicitly set Queue builds to "deny" and View build definition to "allow".
5) Set Inheritance to "off". This will leave only the groups with explicitly set permissions, which are the two above. Don't close the browser in which you are applying permissions just yet.
6) Queue the build from Team Explorer, and at this point you will get an Access denied error for Queue builds permissions. On receiving this error I followed up with...
7) Go back to the Contributors group and change Queue builds to "not set". Go back to Team Explorer and queue the build.
You will now be able to queue the build. However, the build will only sit in the controller indefinitely and you will not be able to stop it. To stop the build you only have to set inheritance back to "on". That's it.
***TO CLARIFY FOR ANYONE ELSE READING...THE ABOVE DOES NOT WORK...BELOW DOES***
So to get the scenario I needed I have to do the following...
1) Make sure the user is not in the Builders and Contributors groups.
2) In the Builders group set View build definition and View builds to "allow".
3) In the Contributors group set Queue builds to "deny".
4) Leave Inheritance "on".
This works!
Scott H
- Edited by Scott L Henderson Wednesday, May 02, 2012 3:08 AM corrected spelling
- Marked As Answer by John Qiao, Microsoft Contingent Staff, Moderator, Monday, May 07, 2012 3:04 AM
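As an added example (not from the thread, and not Microsoft's code), a small Python model of the two evaluation rules Scott's posts describe: an explicit setting on a group replaces what that group would inherit, and a Deny in any of the user's groups beats an Allow in another. It replays the step 6, step 7 and final configurations for "Queue builds"; the inherited defaults are constructed, and the model covers only the permission decision, not the build that sat in the controller queue.

```python
from enum import Enum


class Perm(Enum):
    NOT_SET = "not set"
    ALLOW = "allow"
    DENY = "deny"


# Constructed stand-in for the defaults a build definition inherits; the
# thread only states that Contributors inherit "Queue builds: allow".
INHERITED = {
    "Builders": {"Queue builds": Perm.ALLOW, "Stop builds": Perm.ALLOW,
                 "View build definition": Perm.ALLOW},
    "Contributors": {"Queue builds": Perm.ALLOW,
                     "View build definition": Perm.ALLOW},
}


def group_setting(group, perm, explicit, inherit_on):
    """An explicit setting on the group wins; otherwise fall back to the
    inherited value, but only while inheritance is switched on."""
    value = explicit.get(group, {}).get(perm, Perm.NOT_SET)
    if value is Perm.NOT_SET and inherit_on:
        value = INHERITED.get(group, {}).get(perm, Perm.NOT_SET)
    return value


def is_allowed(user_groups, perm, explicit, inherit_on):
    """Deny in any of the user's groups beats Allow in another; with no
    Allow anywhere the result is also no access."""
    settings = {group_setting(g, perm, explicit, inherit_on) for g in user_groups}
    return Perm.DENY not in settings and Perm.ALLOW in settings


def thread_scenarios():
    """Replays the thread's three configurations for "Queue builds"."""
    both = {"Builders", "Contributors"}
    # Steps 3-6: inheritance off, Builders allow, Contributors explicit deny.
    step6 = {"Builders": {"Queue builds": Perm.ALLOW},
             "Contributors": {"Queue builds": Perm.DENY}}
    # Step 7: same, but Contributors changed to "not set".
    step7 = {"Builders": {"Queue builds": Perm.ALLOW}}
    # Working setup: inheritance on, Contributors deny, user in one group only.
    final = {"Builders": {"View build definition": Perm.ALLOW},
             "Contributors": {"Queue builds": Perm.DENY}}
    return {
        "step6_user_in_both": is_allowed(both, "Queue builds", step6, False),
        "step7_user_in_both": is_allowed(both, "Queue builds", step7, False),
        "final_builder_only": is_allowed({"Builders"}, "Queue builds", final, True),
        "final_contributor_only": is_allowed({"Contributors"}, "Queue builds", final, True),
        "final_user_in_both": is_allowed(both, "Queue builds", final, True),
        "final_contributor_can_view": is_allowed({"Contributors"}, "View build definition", final, True),
    }
```

Running `thread_scenarios()` shows the step 6 denial, the step 7 success once the explicit deny becomes "not set", and why the final setup only works when a user is not in both groups.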

