TF218030: Groups and Permissions Error preventing project creation
-
Wednesday, February 06, 2013 3:53 AM
Hi all!
I have TFS 2012 and have modified the process template to add our environment's four Agile teams automatically to the "Contributors" group so I don't have to manually do this with every project creation. After uploading the process template, however, I receive the error indicated below. This user is a member of the Team Foundation Administrators group and the Project Collection Administrators group. The error seems problematic because I can't be a member of the [Project]\Project Administrators group because the group doesn't exist yet, right?
ERROR INFO:
Error
TF218030: The Groups and Permissions plug-in file contains an entry that could not be validated. The following error occurred: Access Denied: TFAdmin needs the following permission(s) to perform this action: Edit project-level information. The group member, [419]\Jaguars, could not be added to group: Contributors. The error may indicate that there was a problem connecting to Team Foundation Server to validate the contents. To correct this problem, you can check that Team Foundation Server is operating correctly, review the log for more information, verify the process template file is correct, and then try again. For more information, see the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=179551.
Explanation
The Project Creation Wizard encountered a problem while creating groups on tfs\DefaultCollection. The reason for the failure cannot be determined at this time. Because the operation failed, the wizard was not able to finish creating the Team Project.
The exception from the log file is:
---begin Exception entry---
Time: 2013-02-05T22:28:09
Module: Engine
Event Description: TF30162: Task "GroupCreation1" from Group "Groups" failed
Exception Type: Microsoft.TeamFoundation.Client.PcwException
Exception Message: TF218030: The Groups and Permissions plug-in file contains an entry that could not be validated. The following error occurred: Access Denied: TFAdmin needs the following permission(s) to perform this action: Edit project-level information. The group member, [419]\Jaguars, could not be added to group: Contributors. The error may indicate that there was a problem connecting to Team Foundation Server to validate the contents.
To correct this problem, you can check that Team Foundation Server is operating correctly, review the log for more information, verify the process template file is correct, and then try again. For more information, see the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=179551.
Exception Details: The Project Creation Wizard encountered a problem while creating groups on tfs\DefaultCollection.
The reason for the failure cannot be determined at this time.
Because the operation failed, the wizard was not able to finish
creating the Team Project.
Stack Trace:
at Microsoft.VisualStudio.TeamFoundation.PCW.GssStructureCreator.AddMembersToGroup(ProjectCreationContext context, ProjectCreationMacroResolver macroResolver, XmlNode identityXmlNode, String groupName, String groupSid)
at Microsoft.VisualStudio.TeamFoundation.PCW.GssStructureCreator.Execute(ProjectCreationContext context, XmlNode taskXml)
at Microsoft.VisualStudio.TeamFoundation.PCW.ProjectCreationEngine.TaskExecutor.PerformTask(IProjectComponentCreator componentCreator, ProjectCreationContext context, XmlNode taskXml)
at Microsoft.VisualStudio.TeamFoundation.PCW.ProjectCreationEngine.RunTask(Object taskObj)
-- Inner Exception --
Exception Message: Access Denied: TFAdmin needs the following permission(s) to perform this action: Edit project-level information (type AccessCheckException)
Exception Data Dictionary:
DISPLAYNAME = TFAdmin
Exception Stack Trace: at Microsoft.TeamFoundation.Client.Channels.TfsHttpClientBase.HandleReply(TfsClientOperation operation, TfsMessage message, Object[]& outputs)
at Microsoft.TeamFoundation.Client.Channels.TfsHttpClientBase.Invoke(TfsClientOperation operation, Object[] parameters, TimeSpan timeout, Object[]& outputs)
at Microsoft.TeamFoundation.Framework.Client.IdentityManagementWebService.AddMemberToApplicationGroup(IdentityDescriptor groupDescriptor, IdentityDescriptor descriptor)
at Microsoft.TeamFoundation.Framework.Client.IdentityManagementService.AddMemberToApplicationGroup(IdentityDescriptor groupDescriptor, IdentityDescriptor descriptor)
at Microsoft.VisualStudio.TeamFoundation.PCW.GssStructureCreator.AddMembersToGroup(ProjectCreationContext context, ProjectCreationMacroResolver macroResolver, XmlNode identityXmlNode, String groupName, String groupSid)
Inner Exception Details:
Exception Message: Access Denied: TFAdmin needs the following permission(s) to perform this action: Edit project-level information (type SoapException)SoapException Details: <detail xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExceptionProperties xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><property name="DisplayName"><value xsi:type="xsd:string">TFAdmin</value></property></ExceptionProperties></detail>
Exception Stack Trace:
--- end Exception entry ---
All Replies
-
Thursday, February 07, 2013 7:18 AM Moderator
Hi Pwil3012,
Thanks for your post.
Can the current user create a team project using the default 2012 process template without any issue?
How did you modify the process template, and which default process template did you download to edit?
Did you modify the process template using TFS 2012 Power Tools?
To add your domain\group to the default Contributors group in a process template, for example the Scrum 2.1 process template, you can try to modify the GroupsandPermissions.xml file in the process template like the following:
… … …
<group name="Contributors" description="Members of this group can add, modify, and delete items within the team project.">
  <permissions>
    <permission name="GENERIC_READ" allow="true" />
    <permission name="DELETE_TEST_RESULTS" allow="true" />
    <permission name="PUBLISH_TEST_RESULTS" allow="true" />
    <permission name="VIEW_TEST_RESULTS" allow="true" />
    <permission name="GENERIC_READ" allow="true" />
    <permission name="WORK_ITEM_READ" allow="true" />
    <permission name="WORK_ITEM_WRITE" allow="true" />
    <permission name="MANAGE_TEST_PLANS" allow="true" />
    <permission name="MANAGE_TEST_ENVIRONMENTS" allow="true" />
    <permission name="MANAGE_TEST_CONFIGURATIONS" allow="true" />
  </permissions>
  <members>
    <member name="@defaultTeam" />
    <member name=" Domain\Group(domain\username)" />
  </members>
</group>
… … …
John Qiao [MSFT]
MSDN Community Support | Feedback to us
Develop and promote your apps in Windows Store
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
-
Thursday, February 07, 2013 12:40 PM
Hi John,
Thank you for helping. Here are the answers to your questions:
1. Yes - the current user can create a project with one of the default templates with no problems
2. I modified the Microsoft Visual Studio Scrum 2.0 template in the following ways:
- Added Active Directory groups to the default permission groups (Readers, Builders, Contributors)
- Added the "Completed Work" and "Original Estimate" fields back in to synchronize with Project Server later
- Put a filter into the "Assigned To" field on tasks and PBIs that restricts to project contributors only
- Renamed the new version of the template
- Added four teams into the Contributors group
The last item seems to be the problem. Each team has members defined in AD. The Groups and Permissions xml looks like:
<group name="Penguins" description="" isTeam="true">
  <permissions>
    <permission name="GENERIC_READ" class="PROJECT" allow="true" />
  </permissions>
  <members>
    <member name="DEVELOPMENT\TFS - Penguins" />
  </members>
  <teamSettings areaPath="Area">
    <iterationPaths backlogPath="Iteration">
      <iterationPath path="Version 1" />
    </iterationPaths>
  </teamSettings>
</group>
Each team is then included in the members section of the "Contributors" group:
<members>
  <member name="DEVELOPMENT\TFS - Project Contributors" />
  <member name="Team3" />
  <member name="Team2" />
  <member name="Team1" />
  <member name="Penguins" />
</members>
3. I used the TFS 2012 Power Tools Process Template Editor to modify the template.
-
Friday, February 08, 2013 3:09 AM Moderator
Hi Pwil,
Thanks for your reply.
Have you tried this scenario in an existing team project (created using Scrum 2.0)? Manually edit these settings in your existing team project, add those four teams to the Contributors group in this team project, and check whether all these process template modifications can be set manually in the existing team project successfully.
John Qiao [MSFT]
-
Friday, February 08, 2013 3:16 AM
Hi John,
I did. I set up several team projects manually this way using the Scrum 2.0 template without error. Given the number of projects in our environment, however, I quickly realized this called for editing the template to automate much of this configuration for me. Because these settings worked so well in the existing projects, I was surprised when I couldn't configure them in the template.
What's weird to me is that the error looks like my user account isn't a member of the Project Administrators group. I'm not sure exactly when that group is created (seeing as it isn't listed in the process template). Is it possible it won't let me proceed because it is trying to create the teams and join them to the contributors group before it has created the Project Administrators group and added me to it? I know by default it adds Project Collection and Team Foundation Server administrators. Just a thought....
Thanks,
Phil
-
Friday, February 08, 2013 9:47 AM Moderator
Hi Phil,
Thanks for your reply.
Open your process template using TFS Power Tools in VS 2012, select the Group & Permissions, then share a screenshot of the detailed Groups structure here.
John Qiao [MSFT]
-
Monday, February 11, 2013 1:54 PM
Hi John,
Good idea. I'm trying to upload the screenshot but the forum page is telling me I can't include a picture until my account is verified. How do I verify my account? I thought I already was.
Phil
-
Tuesday, February 12, 2013 3:11 AM Moderator
Hi Phil,
Thanks for your reply.
You can upload your screenshots to SkyDrive, then share the links here.
John Qiao [MSFT]
-
Wednesday, February 13, 2013 3:09 AM
Hi John,
Thanks for everything. I've discovered the problem, however. I attempted to be clever and configure my Active Directory accounts to match the TFS accounts. For example, "Project Administrators" has a corresponding AD group called "TFS - Project Administrators." I have separate AD groups for each team I added as well. However, I added each of the teams with their AD groups and then I also added a generic "TFS - Project Contributors" group that contained shared staff resources.
In Active Directory, I had attempted to stack my groups like this:
TFS Administrators were included in the Project Collection Administrators group which was inside the Project Administrators group which was also inside the Project Contributors group, etc. etc. What I didn't realize was that TFS would apply security on the lowest level.
Therefore my account, being a TFS Admin, was also in the Contributors group so the latter was the one whose permissions were actually assigned.
When the project was being created, it always failed immediately after applying this particular security setting. I further verified it manually.
Thank you again for your time!
Phil
- Marked As Answer by Pwil3012 Wednesday, February 13, 2013 3:10 AM
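A pre-upload check for the nesting described in the answer above, as an added example that is not part of the original thread: it parses a Groups and Permissions fragment and walks an Active Directory nesting map to show which template groups an account ends up in indirectly. The account name `DEVELOPMENT\TFAdmin`, the AD group names for the two administrator tiers, the `dev1` account and the nesting data are constructed assumptions; in practice the map would come from a directory export.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the <members> blocks quoted in the thread.
TEMPLATE = r"""
<groups>
  <group name="Contributors">
    <members>
      <member name="DEVELOPMENT\TFS - Project Contributors" />
      <member name="Penguins" />
    </members>
  </group>
  <group name="Penguins" isTeam="true">
    <members><member name="DEVELOPMENT\TFS - Penguins" /></members>
  </group>
</groups>
"""

# Constructed AD data (assumption): principal -> groups it is a direct member of.
D = "DEVELOPMENT\\"
AD_MEMBER_OF = {
    D + "TFAdmin": [D + "TFS - Administrators"],
    D + "TFS - Administrators": [D + "TFS - Project Collection Administrators"],
    D + "TFS - Project Collection Administrators": [D + "TFS - Project Administrators"],
    D + "TFS - Project Administrators": [D + "TFS - Project Contributors"],
    D + "dev1": [D + "TFS - Penguins"],
}

def ad_members_by_group(template_xml):
    """Map each template group to the AD principals (DOMAIN\\name) it lists."""
    root = ET.fromstring(template_xml)
    return {g.get("name"): [m.get("name") for m in g.iter("member")
                            if "\\" in m.get("name", "")]
            for g in root.iter("group")}

def transitive_groups(principal, member_of):
    """Every AD group reachable from principal, with the nesting path to it."""
    paths, stack = {}, [(principal, [principal])]
    while stack:
        node, path = stack.pop()
        for parent in member_of.get(node, []):
            if parent not in paths:  # visited check also stops circular nesting
                paths[parent] = path + [parent]
                stack.append((parent, paths[parent]))
    return paths

def template_groups_reached(account, template_xml, member_of):
    """Template group -> AD nesting path that puts account inside it."""
    reached = transitive_groups(account, member_of)
    return {tfs: reached[ad]
            for tfs, ads in ad_members_by_group(template_xml).items()
            for ad in ads if ad in reached}

if __name__ == "__main__":
    for tfs, path in template_groups_reached(D + "TFAdmin", TEMPLATE, AD_MEMBER_OF).items():
        print(f"{tfs}: " + " -> ".join(path))
```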
-
Wednesday, February 13, 2013 3:12 AM Moderator
Hi Phil,
Thanks for your reply.
And thank you for sharing your experience here.
All your participation and support are very important to building such a harmonious / pleasant / learning environment for the MSDN community.
John Qiao [MSFT]

