TFS 2015 On premise - Work item security

  • Question

  • Hi

    I want to have a sub-area below a project, e.g. ProjectA - "Security", and restrict viewing, editing etc. for most people.
    NB: These people normally have full access elsewhere. What I found is that when you add a few names for access to the area, everyone else can still read items!!

    If you set "all valid users" to deny, yes it works, but the people you want to have access are denied as well!! That seems to be because the "denied" takes precedence over the allow.

    https://www.visualstudio.com/en-us/docs/setup-admin/restrict-access-tfs has ", you can deny a group or individual the ability to create or edit work items assigned under an area path." which seems to imply that all can read work items.

    >> So how can I restrict access to an area for a selected few? (all others cannot read)

    Many thanks


    Monday, January 23, 2017 3:59 AM

Answers

  • Hi Greg B Roberts,

    Thank you for posting here.

    Because when you set deny for all valid users, the few users will get the inherited deny permission from the valid users group:

    Unless you move these users out of the valid users group, you cannot set allow for these users. Or you could create a new group, then add the other users to this group, and set deny for the group. Then only the users could view the work item.

    Best Regards

    Limitxiao Gao


    MSDN Community Support

    • Marked as answer by Greg B Roberts Tuesday, January 24, 2017 4:56 AM
    Tuesday, January 24, 2017 3:00 AM
    Moderator

All replies

  • Thanks

    That is what I feared, and it is quite unmanageable. It is a shame the way it has been coded, as you can control source code access as you want, i.e. why the inconsistency?

    i.e. 5 people you want and 100 employees and you would have to manage the exclusion list based on all the current users and maintain it.

    I create a vs voice request https://visualstudio.uservoice.com/forums/121579-visual-studio-ide

    Regards

    Tuesday, January 24, 2017 4:56 AM
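
Added example, not part of the original thread and not TFS code: a simplified Python model of the deny-over-allow evaluation described in the answer, and of the exclusion-list maintenance concern raised in the follow-up reply. The group names, user names and the evaluation rule itself are assumptions made for illustration.

```python
# Simplified model of the behaviour described in this thread (an assumption,
# not TFS's implementation): Deny on any of a user's groups overrides Allow.
ALLOW, DENY = "allow", "deny"

def can_read(user, memberships, acl):
    """True if `user` may view work items under the restricted area."""
    states = {acl[g] for g in memberships.get(user, ()) if g in acl}
    if DENY in states:              # Deny takes precedence over any Allow
        return False
    return ALLOW in states          # no entry at all means no access

def readers(users, memberships, acl):
    return {u for u in users if can_read(u, memberships, acl)}

# Constructed sample: 100 employees, 5 of whom should see the "Security" area.
USERS = {f"user{i:03d}" for i in range(100)}
FEW = {f"user{i:03d}" for i in range(5)}
# Hypothetical groups: "Contributors" stands for the full access people
# already have elsewhere, inherited by the area.
BASE_ACL = {"Contributors": ALLOW, "Security Team": ALLOW}

def build_memberships(deny_group=None):
    m = {u: {"Valid Users", "Contributors"} for u in USERS}
    for u in FEW:
        m[u].add("Security Team")
    if deny_group:
        for u in USERS - FEW:       # the exclusion list: everyone but the few
            m[u].add(deny_group)
    return m

def scenario_allow_only():
    # Adding Allow for the few removes nobody else's inherited Allow.
    return readers(USERS, build_memberships(), BASE_ACL)

def scenario_deny_valid_users():
    # The few are also members of Valid Users, so the Deny hits them too.
    acl = dict(BASE_ACL, **{"Valid Users": DENY})
    return readers(USERS, build_memberships(), acl)

def scenario_exclusion_group():
    acl = dict(BASE_ACL, **{"Area Excluded": DENY})
    return readers(USERS, build_memberships("Area Excluded"), acl)

def unintended_readers_after_hire(new_user="user100"):
    # A new hire joins Contributors but is never added to the deny group.
    m = build_memberships("Area Excluded")
    m[new_user] = {"Valid Users", "Contributors"}
    acl = dict(BASE_ACL, **{"Area Excluded": DENY})
    return readers(USERS | {new_user}, m, acl) - FEW
```

The last function shows the cost of the deny-group workaround in this model: anyone missing from the exclusion list keeps read access, so that list has to be reconciled against current membership whenever staff change.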