How Can I Deny Team Project Administrator Area Path Node Permissions?

    Question

  • Hi,

    As part of the release process, we want to assign work items to a specific area path node and make those work items read-only for everyone except for a collection level security group. We do not want team project administrators to have more than read-only permissions on these work items.  However, on any given area path node the UI will not allow the Deny box to be checked for the project administrators group. If I remove the project administrators group from that area path node, it comes back automatically. If I put the project administrators in a group I created and then deny them permissions on that area path node, it doesn't work.

    Is there any way to lock down work items to read-only for all team project level groups on a specific area path node?

    Thanks,

    Bob


    Bob Hardister
    Wednesday, August 10, 2011 3:39 PM

Answers

  • OK, I think I have the final story on this regarding 1) restricting Project Administrators on Area Path and 2) finding out the URI for Area Path nodes.

    1) You cannot restrict Project Administrators from creating, editing and creating child area path nodes. You can restrict Project Administrators from editing work items assigned to an Area Path node using the command-line only.

    2) The area path node URI is just vstfs:///Classification/Node/<id column value from tbl_nodes>.

    I believe a better approach than restricting the PA group is to restrict who gets into the PA group. If needed, create a custom group that has all the same permissions as the PA group except for permissions on Area Path nodes.

    Bob


    Bob Hardister
    Friday, August 26, 2011 7:39 PM
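
The command-line route described in the answer above, as an added example that is not part of the original thread: it builds the CSS token from a node id in the format the answer gives, adds a DENY entry with TFSSecurity's /a+ form (/a+ adds an ALLOW or DENY entry, /a- removes one), and prints the resulting ACL for review. The collection URL, project name and node ids are placeholders, and tfssecurity is assumed to be on the PATH.

```powershell
# Added example, not from the thread. Every value in this block is a placeholder.
$collection = 'http://tfs.example.local:8080/tfs/DefaultCollection'  # placeholder collection URL
$project    = 'ExampleProject'                                       # placeholder team project name
$nodeIds    = @('<id of release node>', '<id of child node>')        # placeholders: id column values, one per area node

# Group to restrict, written as a TFSSecurity identity specifier (n:[Scope]\Group).
$identity = "n:[$project]\Project Administrators"

foreach ($id in $nodeIds) {
    # Token format taken from the answer: vstfs:///Classification/Node/<id>
    $token = "vstfs:///Classification/Node/$id"

    # Add a DENY entry for editing work items in this node.
    # WORK_ITEM_WRITE is the CSS namespace action for "Edit work items in this node".
    & tfssecurity /a+ CSS $token WORK_ITEM_WRITE $identity DENY "/collection:$collection"
    if ($LASTEXITCODE -ne 0) {
        throw "tfssecurity /a+ failed for $token (exit code $LASTEXITCODE)"
    }

    # Print the node's ACL so the DENY entry can be confirmed from the command line;
    # the thread notes that such changes may not show up in the Team Explorer UI.
    & tfssecurity /acl CSS $token "/collection:$collection"
    if ($LASTEXITCODE -ne 0) {
        throw "tfssecurity /acl failed for $token (exit code $LASTEXITCODE)"
    }
}
```

Deny entries do not propagate from a script's intent alone: run it once per area node that holds released work items, and keep the printed ACL output as the change record.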

All replies

  • Bob,

    Have you created a new Team Project Administrators group with the exact security permissions of the default Admin group, removed all the users from the default Admin group and added them to the new group? Then, under the Area node, you made the work items read-only for this new Admin group?

     

    Thursday, August 11, 2011 1:32 AM
  • Hello Bob,

    Thanks for your post.

    It is not possible for you to deny some permissions of the Area Path for the Project Administrators group on the VS UI. However, you can do that by using the tfssecurity a- command.

    Please refer to this article for further information about how to use tfssecurity a- command:

    http://msdn.microsoft.com/en-us/library/ms400690.aspx

    Thanks.


    Vicky Song [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Thursday, August 11, 2011 9:33 AM
    Moderator
  • Hi Vicky,

    It looks like I'm on the right track.

    But, I can't tell what namespace to use for Area Path security. Is it CSS? Also, will I need to look up the token for the specific area path node I want to change? How do I do that?

    Thanks!


    Bob Hardister
    Friday, August 12, 2011 8:47 PM
  • Hello Bob,

    You are correct that you should use the CSS workspace. And to get the token for the "CSS" namespace, you have to run the following query:

    SELECT AreaUri FROM dbo.tbl_Area WHERE AreaPath = '<TeamProjectName>'

    To get the token for the "Iteration" namespace, you have to run the following query:

    SELECT IterationUri FROM dbo.tbl_Iteration WHERE Iteration = '<TeamProjectName>'

    You can also refer to my post on this thread for better understanding how to use the TFSSecurity a- command:

    http://social.msdn.microsoft.com/Forums/en-US/tfsadmin/thread/f55d218f-03be-4825-ae1b-3988152a805d

    Thanks.


    Vicky Song [MSFT]

    Monday, August 15, 2011 9:10 AM
    Moderator
  • Hi Vicky, that's working for me. Thanks!

    I did find that the following query format works better because it lists all the area path Tokens under a given node:

    SELECT * FROM dbo.tbl_Area where AreaPath Like '<node name>%';

    I'll close out the question once I successfully change area node permissions for a project administrator.


    Bob Hardister
    Monday, August 15, 2011 2:52 PM
  • Hi Vicky,

    I am having trouble in 2 ways. And I have a critical question I need answered.

    Problems:

    1. Getting the AreaURI from the dbo.tbl_area table: the table does not always display child area path nodes for a team project. See the Connect bug I filed: https://connect.microsoft.com/VisualStudio/feedback/details/684345/team-foundation-server-2010-table-dbo-tbl-area-not-being-updated-properly

    2. Permission changes made to the area path root for the project administrators group do not show up in the team explorer UI

    I was able to deny the project administrators group permissions to a child area path node. Yeah!  But I had to delete and create team projects such that I could get child area path nodes to show up in the dbo.tbl_area table. Obviously, that's not an option in production.

    Question:

    What's another way I can find out the area path node uri for any and all area paths of a team project?

    Thanks so much for your help!

    Bob


    Bob Hardister


    Tuesday, August 16, 2011 4:00 PM
  • Hello Bob,

    Sorry for the late response.

    I am sorry that I can reproduce the same issue as you. And I found that these newly added areas are actually stored in the TFS database. Instead of in the [dbo].[tbl_Area], you can find them in the [dbo].[TreeNodes] table.

    And to get the AreaUri information, I am afraid you should use the TFS API to do so.

    As you have created one feedback on the Microsoft Connect site, I hope our PG member can help you out of this issue.

    Thanks.


    Vicky Song [MSFT]

    Thursday, August 18, 2011 9:22 AM
    Moderator