none
TFSSecurity /a+: how to get the value for parameter Token?

    Question

  • Could anyone give me some help and explanations how to determine the value for the parameter Token in the tfssecurity commands?

     

     

    What I want to do:

    I want to allow the security setting DELETE_TEST_RESULTS in Project_A for the Developers group

     

    Using the command

    TFSSecurity /a+ Namespace Token Action Identity (ALLOW | DENY) [/collection:CollectionURL] [/server:ServerURL]

     

    I would set the values:

    Namespace: Project

    Action: DELETE_TEST_RESULTS

    Identity: [Project_A]\Developers

     

    so that the command would look like:

    TFSSecurity /a+ Project Token DELETE_TEST_RESULTS [Project_A]\Developers ALLOW /collection:CollectionURL

     

    My question is:

    Which value must be set for the parameter Token? Where can I find it, to which Object does it belong to? Sorry, but I didn´t find any general description about it.

     

    Best Regards, and thanks for your answers!

    Martin

    Tuesday, February 01, 2011 3:17 PM

Answers

  • Hello Martin,

    To get the Token is a little difficult. The Token consists of the TeamProjectId and QueryItemId.

    1) To get the TeamProjectId: Right-click the team project and select Properties, the value of the Url property consists the TeamProjectId. You can just copy it, which is similar to ED04523A-B819-42DF-A1B6-BE0705A73822 .

    2) To get the QueryItemId: You can first use the Visual Studio to deny some permission. (Because the initial data in the database is set to allow, we deny some permission is easy for us to find in the database).

    a). In the Visual Studio, right-click the Team Queries and select Security, select a user (or a group) and set one permission to Deny.

    b). Open the SSMSE, and in the tfs_Collection database, select the tbl_SecurityAccessControlEntry table and find the column DenyPermission. You should see all these values in the column is zero except one. Select that non-zero row, that is the deny permission action you just done. You then check out the value of the IndexableToken column. Please look that value carefully, it is consists of the TeamProjectId and QueryItemId. Which is similar to:

    $/ ED04523A-B819-42DF-A1B6-BE0705A73822/4AB69B5E-F318-4A12-BC93-3DF92E2887C6/

    The value ED04523A-B819-42DF-A1B6-BE0705A73822 is the TeamProjectId and 4AB69B5E-F318-4A12-BC93-3DF92E2887C6 is the QueryItemId. You can find the QueryItemId in the QueryItems table.

    You can also refer to another thread I have replied, here:

    http://social.msdn.microsoft.com/Forums/en-US/tfsadmin/thread/f55d218f-03be-4825-ae1b-3988152a805d

    Thanks,


    Vicky Song [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Wednesday, February 02, 2011 5:21 AM
    Moderator

All replies

  • Hello Martin,

    To get the Token is a little difficult. The Token consists of the TeamProjectId and QueryItemId.

    1) To get the TeamProjectId: Right-click the team project and select Properties, the value of the Url property consists the TeamProjectId. You can just copy it, which is similar to ED04523A-B819-42DF-A1B6-BE0705A73822 .

    2) To get the QueryItemId: You can first use the Visual Studio to deny some permission. (Because the initial data in the database is set to allow, we deny some permission is easy for us to find in the database).

    a). In the Visual Studio, right-click the Team Queries and select Security, select a user (or a group) and set one permission to Deny.

    b). Open the SSMSE, and in the tfs_Collection database, select the tbl_SecurityAccessControlEntry table and find the column DenyPermission. You should see all these values in the column is zero except one. Select that non-zero row, that is the deny permission action you just done. You then check out the value of the IndexableToken column. Please look that value carefully, it is consists of the TeamProjectId and QueryItemId. Which is similar to:

    $/ ED04523A-B819-42DF-A1B6-BE0705A73822/4AB69B5E-F318-4A12-BC93-3DF92E2887C6/

    The value ED04523A-B819-42DF-A1B6-BE0705A73822 is the TeamProjectId and 4AB69B5E-F318-4A12-BC93-3DF92E2887C6 is the QueryItemId. You can find the QueryItemId in the QueryItems table.

    You can also refer to another thread I have replied, here:

    http://social.msdn.microsoft.com/Forums/en-US/tfsadmin/thread/f55d218f-03be-4825-ae1b-3988152a805d

    Thanks,


    Vicky Song [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Wednesday, February 02, 2011 5:21 AM
    Moderator
  • Hello Vicky,

    I still have difficulties with this command.

    I got the TeamprojectID like you described in 1. I didn´t use a QueryID.

    I set the command again like this:

    C:\>tfssecurity /a+ Project 40aab4ec-6db8-4ce1-b90e-dd3df2c4e8de DELETE_TEST_RESULTS [Project_A]\Developers ALLOW /collection:http://tfs-eval03:8080/tfs/marzwe
    TFSSecurity - Team Foundation Server Security Tool
    Copyright (c) Microsoft Corporation.  All rights reserved.
    The target Team Foundation Server is http://tfs-eval03:8080/tfs/marzwe.
    Resolving identity "[Project_A]\Developers"...
      [A] [Project_A]\Developers
    Adding the access control entry...
    Verifying...

    Access Control List on object "40aab4ec-6db8-4ce1-b90e-dd3df2c4e8de":
      [+] DELETE_TEST_RESULTS                [Project_A]\Developers

    Done.

    When I have a look into TeamExplorer - Project_A - Security Settings, the delete test runs permission is not set for the Developers group.   

     

    Do you have any idea where I might be completely wrong?
    Martin

    Wednesday, February 02, 2011 11:33 AM
  • Hello emzett,

    I am sorry you don’t solve your questions.

    Just as I mentioned above, the Token consists of TeamProjectId and QueryItemId. If you don’t find out the QueryItemId I am afraid you not be able to execute the TFSSecurity /a+ command successfully.

    Thanks,


    Vicky Song [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Tuesday, February 15, 2011 9:09 AM
    Moderator
  • Hello emzett,

    I have marked my reply as answer. If you found it no help, please feel free to unmark it and let me know.

    Thanks,


    Vicky Song [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Monday, February 21, 2011 10:50 AM
    Moderator
  • I figured this out...but it's still quite difficult. Hope this helps somebody.


    Wednesday, August 10, 2011 5:40 PM
  • A couple of folks emailed me from this thread asking for more information. So I put together the following diagram. Hope it helps a few more folks.

     

    Thursday, September 08, 2011 3:49 AM