Customization and security groups

Question

I am trying to customize a couple of fields in the task WIT. I want to make only Project admins or leads who can change a task from Proposed to active state and some fields to be readonly like stack rank, and oif course only project admins can revert back from active to proposed. Tried using the WHEN and "Readonly" and "For" properties in the rules. However, in the "FOR" dialog box, it seems that I can only use Collection level security  groups and not team project level security groups.

Am I right? what is the best route to follow to acheive this type of customization

Answer 1

Just like to add the following :

I opened the task work item and modified of of the fields, in the FOR, I have put the "Project Collection\my security group" and was able to save the task to server.

Opened again the task WIT I repalced the "Project Collection\my security group" in the FOR using "MyTeamproject\Contributors" when trying to save it I get the follwoing error message :

TF26204 : The account you enetred is not recognized. Contact.......

Answer 2

You edit in the template that will be used for all new project, how do you expect to hard code this??

---

We are volunteers, if the reply help you mark it as your answer. thanks!!

Blog: http://mohamedradwan.wordpress.com

 

Answer 3

I dont understand the response, indeed I want to modify the WIT for the whole project with reinforcing some special security rules.

SO am I doing something against a best practice or what? can you explain what do you mean by "You edit in the template that will be used for all new project"?

If I understand well, we can customize work items according to company process and policy, is it correct or wrong? I should think that having several different groups on the team project level is there for this

Answer 4

Hi Eliassal,

Thanks for your post.  

For Team Project level groups, you should input [project]\groupname manually, for example, you can input [project]\Readers in “For” property.  The [project] mean the current Team Project. Please refer to this article: http://www.codewrecks.com/blog/index.php/2011/06/25/customize-work-items-fields-with-rules/.     

To make only Project admins can change a task from Proposed to Active, in Work Item Type>>Workflow, we need to set this transition for [project]\admingroup in Workflow Transitionwindow>>Transition Detailtab, which from Proposed to Active state. Please refer to the detailed steps in this article: http://tedgustaf.com/en/blog/2011/1/how-to-customize-tfs-2010-work-items-and-workflows/.   

---

John Qiao [MSFT]
MSDN Community Support | Feedback to us

Answer 5

So many thanks, links were very usefull. However, I have a 2nd issue. I need only admins who can change state from proposed to Active, then contibutors can change to resolved and closed. From state "closed" I need to allow contributors and admins to be able to switch back to active or proposed. It seems that the "For" field does not accept/allow multiple group with semi colon or comma

as follows

[project]\Contributors; [Global]\Project Collection Administratorsor

or

[project]\Contributors,[Global]\Project Collection Administrators

Answer 6

John, there is another point confusing me a little bit confused about the "For" and "Not".

Please confirm my understanding : Both fields "For" and "Not" should be used at the same time. I tried to use the "For" for project administrators in a transition from proposed to active, when I logged as a contributor, I still had the chance to do the same thing. I needed to use the "Not" in order that contributor could not change from Proposed to active and vice versa.

I thought that by using a "For" for 1 group, this will by default not allow  other groups.

Answer 7

Hi Eliassal, 

Yes, it not allowed the multiple groups. Please refer to the reply in this post: http://social.msdn.microsoft.com/Forums/ta/tfspowertools/thread/8361b73b-44cc-4839-9f2f-cb1415d7f0d2.   

---

John Qiao [MSFT]
MSDN Community Support | Feedback to us

Answer 8

Hi Eliassal, 

As far as I know, we needn’t set the “For” and “Not” at the same time. As you thought, when using the “For” 1 group, this will by default not allow other groups.

I tested to only set “For” to [project]\Contributors group in my work item type, then open the work item, I can’t change from Proposed to Active although I’m an admin account(user in [project]\ Project Administrators group).

So I think your that contributor account still in the project administrators group, please execute the tfssecurity /imx contributor /collection:url to check that contributor belong to which groups, for more information about tfssecurity /imx, please refer to: http://msdn.microsoft.com/en-us/library/ms400806.aspx.    

---

John Qiao [MSFT]
MSDN Community Support | Feedback to us

Answer 9

So many thanks. I ran the commande, here is the output :

*******************************************************************************

Resolving identity "contributors"...

SID: S-1-9-1551374245-787972990-2242660680-2653334683-2593497722-1-2754690549-618849868-2700694139-3118192147

DN:

Identity type: Team Foundation Server application group
   Group type: Generic
    Project scope: Demo Build
    Display name: [Demo Build]\Contributors
    Description: Members of this group can add, modify, and delete items within the team project.

Member of 1 group(s): e [A] [DefaultCollection]\Project Collection Valid Users

Done.

C:\Program Files\Microsoft Visual Studio 10.0\VC>

***********************************************

As we can see they are not in project admin group, however, I checked the group membership on the project itself, I found that

in the members Tab , I have mymachine admin

and in the member of Tab, I have the "Project Collection Valid users group".

So where is the link to allow contributors do what project admins can do? is the project admin group being member of the valid users is creating this confusion?

Thanks for your help

Answer 10

Hi Eliassal, 

Sorry for that I confused you, not the “contributors” in Tfssecurity command line.

You said you logged as a contributor, but still had the chance to do…, so please provide this contributor account in Tfssecurity command line, for example, if this contributor account is domain\user1, you should execute Tfssecurity /imx domain\user1/collection:url. Then check this domain\user1belong to which TFS groups in the result.    

And when you logged on as this contributor, please create and save a work item, then check the work history to ensure that the work item be created by this contributor.   

---

John Qiao [MSFT]
MSDN Community Support | Feedback to us

Answer 11

Hi Eliassal, 

Have you confirmed that? 

If misunderstood anything, please describe your question in more detail and we will be able to provide the better responses.

---

John Qiao [MSFT]
MSDN Community Support | Feedback to us