How to reference a Custom Collection level security group in Process template groups and permissions
יום רביעי 30 נובמבר 2011 20:13
I have a custom Collection level group called: "[DefaultCollection]Project Collection Testers" for the QA team. How can I reference that group in the "Groups and Permissions\GroupsandPermissions.xml" process template file? There is no Collection level group referenced in that xml file. I have seen in another process template file: "WorkItem Tracking\workitems.xml", that a reference to a Collection level Admin group is: "[SERVER]\$$PROJECTCOLLECTIONADMINGROUP$$", but it doesn't seem to work in GroupsandPermissions.xml, nor does it work for a Customized security group at the Collection level.
Reason for the request: I want to modify the process template so that whenever a new Team Project is created, the "Project Collection Testers" group gets permission to "Modify Work Items in this node" under TeamProject "Areas" security permissions.
יום חמישי 01 דצמבר 2011 12:53
Unfortunately it is not possible. You can customize the PCW (Project Creation Wizard) and call out to a script that would create the groups for you. like this:
TFSSecurity /gc "vstfs:///Classification/TeamProject/TeamProjectGUID" "_Team Project Group" "DESC." /collection:http://tfsserver:8080/tfs/defaultcollection
TFSSecurity /gc "vstfs:///Classification/TeamProject/TeamProjectGUID" "Team Project XXX Team" "." /collection:http://tfsserver:8080/tfs/defaultcollection
TFSSecurity /gc "vstfs:///Classification/TeamProject/TeamProjectGUID" "Team Project Database XXX" "DESC." /collection:http://tfsserver:8080/tfs/defaultcollection
TFSSecurity /gc "vstfs:///Classification/TeamProject/TeamProjectGUID" "Team Project Development XXX" "DESC." /collection:http://tfsserver:8080/tfs/defaultcollection
יום חמישי 01 דצמבר 2011 15:08
Thank you very much for your response. However, isn't "TFSSecurity /gc" for creating a group? I'm not trying to create a group; the group already exists. I'm trying to define permissions for the group in the process template so that when a new Team Project is created, the create team project wizard will automatically assign the permissions to the group I want. It just so happens that the group is a Collection group instead of a Team Project group.
For example, suppose I have a Team Project = "FredProject", in the GroupsandPermissions.xml file of the process template, you can set:
<group name="Contributors" description="...">
<permission name="WORK_ITEM_READ" class="CSS_NODE" allow="true" />
<permission name="WORK_ITEM_WRITE" class="CSS_NODE" allow="true" />
This will essentially give "edit work items in this node" rights to the team project group called: "[FredProject]\Contributors"
Are you saying that we can not do the same for "[DefaultCollection]\Project Collection Testers", something like:
<group name="[Global]\Project Collection Testers" description="...">
If it is possible, I'm looking for the syntax to reference the Collection group inside the name="<whatgoeshere>" I guess I'm confused because you can set permissions for Collection groups in queries, work item type definitions, etc., so I figure it should be possible in "GroupsandPermissions.xml" as well.
Thanks for all your help.
יום חמישי 01 דצמבר 2011 16:04
Thanks AceMan you are correct that you can't include Collection Groups and set permissions on collection groups.
Take a look at these links to help you create a script in the PCW wizard:
יום חמישי 01 דצמבר 2011 16:23Thank you very much for your assistance, Allen
יום שישי 02 דצמבר 2011 14:58
I didn't find this functionality to be very useful. We can use a Collection level group and set permissions for them on queries and work item type definitions used in the Process template, but you can't set permissions for them in the process template Groups and Permissions, which performs setup on both queries and type definitions for new Team Projects?
I found a work around for this. I can create a Team Project level group, assign it the security I need in the process template. Then, I can go back (after Team Project is created) and assign a Collection level group to the Team Project level group. Extra work to get the same result, but it does work.
Since we are given the flexibility to modify access in Groups and Permissions for the process template and define security access to some groups, we should be able to define access for all groups at all levels, not just team project groups. With the current method, I have to use the work around for every team project instead of setting it once in the process template and forgetting it.