User gets Access Denied User needs PendChange for project (on a branch)

    Question

  • I am trying to solve a problem that I have for one user in a project on only one of the three branches.

     

    I have a project that has 3 branches with no special permissions on the branches. The user is set up as everyone else is for that project, a member of the project's Contributors group. Everyone except for this one user has been able to check out files on the latest branch. The user can check out files in the other 2 branches without any problems but receives a message: TF14098: Access Denied: User <user> needs PendChange permission(s) for <file>.

    I have explicitly added the user to the branch with all permissions. I have removed them and added them again to the Contributors group. I have added them as Project Administrator and nothing has worked.

    The permissions for one of the files are as follows, and none of the entries have any Deny values:

     Identity: [<project>]\Contributors
       Allow:
       Deny:
       Allow (Inherited): Read, PendChange, Checkin, Label, Lock
       Deny (Inherited):

    Wednesday, April 11, 2007 2:50 PM

Answers

  • When a user is affected by a Deny ACL and an Allow ACL, the Deny always wins. 

    If you read books/papers on Windows security you've probably seen this principle called "deny trumps allow".  I find that phrase memorable, but it can just as easily sound like gibberish.  Use whatever mnemonic works for you.
    Wednesday, April 11, 2007 7:31 PM

All replies

  • Sorry you are having trouble with permissions.  It can be difficult to determine what is going on in these situations.  Let's try the following to see if it helps:

    Find a file that the user cannot pend changes on, let's call it foo.txt.

    From the command line, have the user change directories to the directory that contains foo.txt and run the following:
             tf perm foo.txt

     

    Look for an identity in the list where in the Deny section you see PendChange.

    Verify the user is not a member in any of these identities.

    Let us know if this reveals anything.

    Ed

    http://blog.msdn.com/edhintz

    Wednesday, April 11, 2007 4:50 PM
  • The only group that has a deny is the Readers group (see below). The user is a member of the readers group but also the Contributors group.

    Thanks

      Identity: [<project>]\Build Services
        Allow:
        Deny:
        Allow (Inherited): Read, PendChange, Checkin, Label, Lock
        Deny (Inherited):

      Identity: [<project>]\Contributors
        Allow:
        Deny:
        Allow (Inherited): Read, PendChange, Checkin, Label, Lock
        Deny (Inherited):

      Identity: [<project>]\Project Administrators
        Allow:
        Deny:
        Allow (Inherited): Read, PendChange, Checkin, Label, Lock, ReviseOther,
                           UnlockOther, UndoOther, LabelOther, AdminProjectRights,
                           CheckinOther
        Deny (Inherited):

      Identity: [<project>]\Readers
        Allow:
        Deny:
        Allow (Inherited): Read
        Deny (Inherited):  PendChange, Checkin, Label, Lock, ReviseOther,
                           UnlockOther, UndoOther, LabelOther, AdminProjectRights,
                           CheckinOther

      Identity: [SERVER]\Service Accounts
        Allow:
        Deny:
        Allow (Inherited): Read, PendChange, Checkin, Label, Lock, ReviseOther,
                           UnlockOther, UndoOther, LabelOther, AdminProjectRights,
                           CheckinOther
        Deny (Inherited):

      Identity: [SERVER]\Team Foundation Administrators
        Allow:
        Deny:
        Allow (Inherited): Read, PendChange, Checkin, Label, Lock, ReviseOther,
                           UnlockOther, UndoOther, LabelOther, AdminProjectRights,
                           CheckinOther
        Deny (Inherited):

    Wednesday, April 11, 2007 5:32 PM
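
Added example (not part of any post in this thread, and not Team Foundation Server code): a small Python parser for `tf perm` output in the shape posted above, applying the rule from the marked answer that a Deny on any of the user's groups overrides an Allow. The function names and the flat deny-wins model are assumptions of this sketch; it does not model any other server-side evaluation rules.

```python
import re

# Constructed sample, trimmed from the `tf perm` listing posted in the thread.
SAMPLE = r"""
  Identity: [<project>]\Contributors
    Allow:
    Deny:
    Allow (Inherited): Read, PendChange, Checkin, Label, Lock
    Deny (Inherited):
  Identity: [<project>]\Readers
    Allow:
    Deny:
    Allow (Inherited): Read
    Deny (Inherited):  PendChange, Checkin, Label, Lock, ReviseOther,
                       UnlockOther, UndoOther, LabelOther, AdminProjectRights,
                       CheckinOther
"""

FIELD = re.compile(r"^(Allow|Deny)(?: \(Inherited\))?:(.*)$")

def parse_tf_perm(text):
    """Map identity -> {"Allow": set, "Deny": set}, explicit and inherited merged."""
    acl, ident, kind = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Identity:"):
            ident, kind = line.split(":", 1)[1].strip(), None
            acl[ident] = {"Allow": set(), "Deny": set()}
            continue
        m = FIELD.match(line)
        if m:
            kind, rest = m.groups()
        elif ":" in line:
            kind, rest = None, ""  # unrelated header line ends a wrapped list
        else:
            rest = line  # continuation of a wrapped permission list
        if ident and kind:
            acl[ident][kind].update(p.strip() for p in rest.split(",") if p.strip())
    return acl

def effective(acl, memberships):
    """Deny wins: granted only if some membership allows it and none denies it."""
    held = [acl[g] for g in memberships if g in acl]
    allow = set().union(*(ace["Allow"] for ace in held))
    deny = set().union(*(ace["Deny"] for ace in held))
    return allow - deny

def denied_by(acl, memberships, permission):
    """Memberships whose entry denies the permission (the ones to investigate)."""
    return sorted(g for g in memberships if g in acl and permission in acl[g]["Deny"])
```

For a user in both Contributors and Readers, `effective` leaves only `Read`, and `denied_by(..., "PendChange")` names the Readers group as the membership to review.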
  • Thanks, your walkthru saved my day!
    Friday, November 01, 2013 7:16 PM