After upgrade to TFS 2012: Cannot manage permissions as a server admin on upgraded projects

    Question

  • I am having the same issue that was found here: 

    http://social.msdn.microsoft.com/Forums/en-US/TFSvnext/thread/06c20bf5-58d8-441c-b3fb-36eeba997d28?prof=required

    The difference from one of the respondents is that on the upgraded projects, I cannot even manage their permissions with the master admin account (SA/TFS Admin, Local Admin on the server).   Luckily most of our projects have a number of project admins and their permissions are intact; it will just be troublesome if they ever lock themselves out (as users tend to do).

    I was able to narrow down the affected projects to projects that have existed in this collection since TFS 08 (this is the second upgrade these projects have gone through).  The projects that were created in TFS 2010 do not exhibit this behavior.   Has anyone been able to track down the source of this issue yet?

    Output of TFSSecurity:

    DN: CN=TFS Setup Prod Service

    Identity type: Windows user
       Logon name: tfs.setup
     Display name: TFS Setup Prod Service

    Member of 10 group(s):
    a [A] []\Project Collection Administrators
    a [A] [TEAM FOUNDATION]\Team Foundation Administrators
      [G] BUILTIN\Administrators
    e [A] []\Project Collection Valid Users

    Done.

    Error on an affected project (run from the app tier itself):

    • Access Denied: TFS Setup Prod Service needs the following permission(s) on the resource vstfs:///Classification/TeamProject/07cfe10b-eb3c-4856-a33b-3f58ccacf87e\c49a576d-9242-4e1f-8fbc-eb360c4b9e6e to perform this action: Manage group membership

    Monday, September 10, 2012 1:54 AM

Answers

  • These commands worked, logged into the TFS Server as a TFS Admin.  I am now able to manage the project through the web interface.  As I said, I am going to try to write an all-powerful script to do all of the projects in the collection, but that will take longer and I wanted to get the solution into the hands of people who need it right away.

    1) Grab the GUID of the project in question.  I did this through VS 2010 by clicking the properties of the project itself.

    2) Grab the SID of the Project Collection Administrators group. (You might be able to skip this step; I just couldn't get the syntax right in TFSSecurity to use it by name.)

    tfssecurity /i "Project Collection Administrators" /collection:<collectionPath>
    
    output:  
    
    SID: S-1-**********
    
    DN:
    
    Identity type: Team Foundation Server application group
       Group type: AdministrativeApplicationGroup
    Project scope: Server scope
     Display name: [ProjectCollection]\Project Collection Administrators
      Description: Members of this application group can perform all privileged operations on the Team Project Collection.


    Now run the following command:

    tfssecurity /a+ Identity vstfs:///Classification/TeamProject/<ProjectGUID> ManageMembership SID:<SID> ALLOW /collection:<CollectionPath>

    You can grant read/write/delete access by just changing the part that says ManageMembership to be those other rights.


    • Edited by Ed Frey Tuesday, September 11, 2012 4:14 PM
    • Marked as answer by Ed Frey Thursday, September 13, 2012 2:26 AM
    Tuesday, September 11, 2012 4:10 PM
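    The answer above fixes one project by hand. The following PowerShell script is an added example (it is not code from the thread or from Microsoft) that applies the same two tfssecurity calls across a list of projects, and only adds the ACEs that are actually missing, so it can be re-run safely. It assumes tfssecurity.exe is on the PATH, that the caller is a collection administrator, that the /acl output uses the "[+] Action   [Scope]\Group" layout shown in the ACL dumps later in this thread, and that the project GUIDs are supplied by the caller (for example from the project properties in VS 2010, as the answer describes). Both collection-level groups that the thread found absent on the TFS 2008-era projects are covered by default.

```powershell
<#
  Repair-TfsProjectIdentityAcl.ps1  (added example, not from the original thread)

  For each project GUID given, read the "Identity" namespace ACL on
  vstfs:///Classification/TeamProject/<guid> via tfssecurity /acl and grant any
  of Read/Write/Delete/ManageMembership that is missing for the collection-level
  groups that turned out to be absent on projects upgraded from TFS 2008.

  Assumptions (not stated on the page): tfssecurity.exe is on PATH, the caller is a
  collection admin, and the /acl output format matches the "[+] Action   [Scope]\Group"
  lines shown in the thread.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string]   $CollectionUrl,  # e.g. http://tfs:8080/tfs/DefaultCollection
    [Parameter(Mandatory = $true)] [string[]] $ProjectGuid,    # GUIDs of the projects to repair
    [string[]] $Group  = @('Project Collection Administrators', 'Project Collection Service Accounts'),
    [string[]] $Action = @('Read', 'Write', 'Delete', 'ManageMembership')
)

$collectionArg = "/collection:$CollectionUrl"

function Get-TfsGroupSid {
    # Same lookup as step 2 of the answer: tfssecurity /i prints a "SID: S-1-..." line.
    param([string]$Name)
    $out = & tfssecurity /i "$Name" $collectionArg 2>&1
    $m = $out | Select-String -Pattern '^\s*SID:\s*(S-1-[\d-]+)' | Select-Object -First 1
    if (-not $m) { throw "Could not resolve SID for '$Name' from tfssecurity /i output" }
    return $m.Matches[0].Groups[1].Value
}

function Get-TfsProjectAcl {
    # Returns one object per ACE; the scope prefix ("[PC]", "[Project]") is dropped so
    # groups can be compared by display name alone.
    param([string]$Guid)
    $token = "vstfs:///Classification/TeamProject/$Guid"
    $out = & tfssecurity /acl Identity $token $collectionArg 2>&1
    foreach ($line in $out) {
        if ($line -match '^\s*\[\+\]\s+(\S+)\s+\[[^\]]*\]\\(.+?)\s*$') {
            [pscustomobject]@{ Action = $Matches[1]; Group = $Matches[2] }
        }
    }
}

# Resolve each group's SID once; the /a+ call below uses the SID form from the answer.
$sidByGroup = @{}
foreach ($g in $Group) { $sidByGroup[$g] = Get-TfsGroupSid -Name $g }

foreach ($guid in $ProjectGuid) {
    $token   = "vstfs:///Classification/TeamProject/$guid"
    $present = @(Get-TfsProjectAcl -Guid $guid)
    foreach ($g in $Group) {
        foreach ($a in $Action) {
            $have = $present | Where-Object { $_.Group -eq $g -and $_.Action -eq $a }
            if ($have) { continue }   # ACE already there; nothing to do
            if ($PSCmdlet.ShouldProcess($token, "ALLOW $a for [$g]")) {
                & tfssecurity /a+ Identity $token $a "SID:$($sidByGroup[$g])" ALLOW $collectionArg | Out-Null
                if ($LASTEXITCODE -ne 0) { Write-Warning "tfssecurity /a+ failed: $guid / $g / $a" }
            }
        }
    }
}
```

    Run it first with -WhatIf to get a list of the ACEs it would add per project without changing anything, then without it to apply them. Because it compares the live ACL before every /a+ call, re-running after a partial failure only fills in what is still missing; projects created in 2010 or 2012, which already carry the collection-level ACEs, are left untouched.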

All replies

  • Monday, September 10, 2012 2:12 AM
  • Unless I need to restart the app pool for those changes to take effect, that did not work.

    However, using that idea, I did a dump of the ACL from that old project, from one I created after the server was upgraded to 2010, and from a new one I just created after the 2012 upgrade.  It appears that the ACL on those really old projects is just completely out of touch with what it should be.

    Project created in 08 and upgraded to 2010 and now to 2012 (with the command the previous site had me run):

      [+] Read                [Project]\Contributors
      [+] ManageMembership    [Project]\Contributors
      [+] Read                [Project]\Readers
      [+] Read                [Project]\Build Services
      [+] ManageMembership    [Project]\Build Services
      [+] Read                [Project]\Project Administrators
      [+] Write               [Project]\Project Administrators
      [+] Delete              [Project]\Project Administrators
      [+] ManageMembership    [Project]\Project Administrators

    Project created in 2010 and upgraded to 2012:

      [+] Read                [PC]\Project Collection Administrators
      [+] Write               [PC]\Project Collection Administrators
      [+] Delete              [PC]\Project Collection Administrators
      [+] ManageMembership    [PC]\Project Collection Administrators
      [+] Read                [Project]\Builders
      [+] Read                [Project]\Project Administrators
      [+] Write               [Project]\Project Administrators
      [+] Delete              [Project]\Project Administrators
      [+] ManageMembership    [Project]\Project Administrators
      [+] Write               [Project]\Build Editors
      [+] Delete              [Project]\Build Editors
      [+] ManageMembership    [Project]\Build Editors
      [+] Read                [Project]\Contributors
      [+] Read                [Project]\Readers
      [+] Read                [PC]\Project Collection Valid Users
      [+] Read                [PC]\Project Collection Service Accounts
      [+] Write               [PC]\Project Collection Service Accounts
      [+] Delete              [PC]\Project Collection Service Accounts
      [+] ManageMembership    [PC]\Project Collection Service Accounts

    Project created in 2012:

      [+] Read                [PC]\Project Collection Administrators
      [+] Write               [PC]\Project Collection Administrators
      [+] Delete              [PC]\Project Collection Administrators
      [+] ManageMembership    [PC]\Project Collection Administrators
      [+] Read                [Project]\Readers
      [+] Read                [PC]\Project Collection Build Service Accounts
      [+] Read                [Project]\Build Administrators
      [+] Read                [PC]\Project Collection TestService Accounts
      [+] Read                [Project]\Contributors
      [+] Read                [Project]\Project Administrators
      [+] Write               [Project]\Project Administrators
      [+] Delete              [Project]\Project Administrators
      [+] ManageMembership    [Project]\Project Administrators
      [+] Read                [PC]\Project Collection Valid Users
      [+] Read                [PC]\Project Collection Service Accounts
      [+] Write               [PC]\Project Collection Service Accounts
      [+] Delete              [PC]\Project Collection Service Accounts
      [+] ManageMembership    [PC]\Project Collection Service Accounts


    Monday, September 10, 2012 6:26 PM
  • Hi Ed

    Thanks for your post.

    According to the command result, the user has the ManageMembership permission ([Project]\Project Administrators) in the old team project that was created in TFS 08, but that user still can't manage the permissions in that team project?

    If you have any further findings on this issue, please share your experience here.


    John Qiao [MSFT]
    MSDN Community Support | Feedback to us

    Tuesday, September 11, 2012 10:27 AM
    Moderator
  • The user in question is the TFS admin and has no specific permissions to any project.  In the 08 project, the project collection administrator permissions are missing as well as the project collection service account permissions.

    I'm going to test the theory by creating those permission/role combinations in the ACL on one project.  If it works, I'm going to try to write a script to create those across all projects that are missing them (we have 30-ish, I think).  Don't want to do all of that by hand.

    Tuesday, September 11, 2012 11:51 AM
  • Hi Ed,

    Thanks for your reply.

    And thank you for sharing your experience here. It will be very beneficial for other community members having the similar questions.

    All your participation and support are very important to build such a harmonious, pleasant learning environment for the MSDN community.


    John Qiao [MSFT]
    MSDN Community Support | Feedback to us

    Wednesday, September 12, 2012 1:39 AM
    Moderator