locked
How to using TFSSecurity to grant permission for custom group on each level

    Question

  • When I generate a new group in team project I need to grant permission on each level  such as project level, area level, build level, team queries  and version control. I want to set permissions by command line. But when I using TFSSecurity /a+ namespace token action identity /collection I don't know how to get Token. After refer to some articles I found the way to get token for "Project" and "Area" namespace, such as get ProjectUri from tbl_project  and get AreaUri from tbl_Area. The token for "VC" namespace is the path of team project such as $/<team project name>/folder. But the token for "Build" and "CSS" have not find the way to get. The token of CSS is consist of TeamProjectID and QueryItemID. I can get the TeamProjectID from tal_project by team project name. Although I know I can get QueryItemID from QueryItems. But I don't know how to set the where condition.

    In this thread http://social.msdn.microsoft.com/Forums/en-US/tfsversioncontrol/thread/9c50f294-f689-497a-8c99-ac27ef9f65fe/ I found the way to get the token by set one permission to Deny on each level. So I can get the tokens by

    SELECT TOP 1000 a.[NamespaceGuid]
       ,b.Name
          ,a.[SecurityToken]
          ,a.[IndexableToken]
          ,a.[TeamFoundationId]
      FROM [Tfs_Collection].[dbo].[tbl_SecurityAccessControlEntry] as a,
           [Tfs_Collection].[dbo].[tbl_SecurityNamespace] as b
      where a.NamespaceGuid=b.NamespaceGuid
      and (b.Name='CSS' or
        b.Name='Project' or
        b.Name='Build' or
        b.Name='VersionControlItems' or
        b.Name='WorkItemQueryFolders' )   
      and a.[DenyPermission]<>0

    But it is not convenience. Anybody have good ideas to get the tokens and not need  to set permission to Deny?

    Thursday, January 12, 2012 2:36 AM

Answers

  • After investigation I found the way to get the token of those namespace I've mentioned above.

    1. For "Project" namespace get ProjectUri from tbl_Project and then consist with "$PROJECT:" at first like below

    SELECT [ProjectUri]
    FROM [Tfs_Collection].[dbo].[tbl_Project]
    where projectname='<Team Project Name>'

    The result is $PROJECT:vstfs:///Classification/TeamProject/24c10d03-b5f1-4582-b8d3-04936dcfff11

    2. For "Area" namespace get AreaUri from tbl_Area:

    SELECT [AreaUri]
    FROM [Tfs_Collection].[dbo].[tbl_Area]
    Where AreaPath='t=<Team Project Name>/<Sub Area Path>'

    The resule is vstfs:///Classification/Node/3c66bc6c-c447-4920-85fd-41abd468da3e

    3. For "Build" namespace is just project id and consist of "/". We can get project id from tbl_Projects

    SELECT [project_id]
    FROM [Tfs_Collection].[dbo].[tbl_Projects]
    where project_name='<Team Project Name>' 

    The result is 24c10d03-b5f1-4582-b8d3-04936dcfff11/

    4. For "CSS" namespace is consist of project id and QueryItemID get from QueryItems.

    SELECT q.ID
    FROM [Tfs_testCollection2].[dbo].[TreeNodes] t
            ,[Tfs_testCollection2].[dbo].QueryItems q
    Where t.ID=q.ProjectID
      And t.Name='<Team Project Name>'
      And t.fDeleted=0
      And q.Name='Team Queries'

    The Result is $/24C10D03-B5F1-4582-B8D3-04936DCFFF11/54C49D51-7FD9-4A0C-A688-118639E2DE0A/

    5. For "VC" namespace is just the path in source control, is like

    $/ <Team Project Name>/Sub folder

    Friday, January 13, 2012 2:06 AM

All replies

  • After investigation I found the way to get the token of those namespace I've mentioned above.

    1. For "Project" namespace get ProjectUri from tbl_Project and then consist with "$PROJECT:" at first like below

    SELECT [ProjectUri]
    FROM [Tfs_Collection].[dbo].[tbl_Project]
    where projectname='<Team Project Name>'

    The result is $PROJECT:vstfs:///Classification/TeamProject/24c10d03-b5f1-4582-b8d3-04936dcfff11

    2. For "Area" namespace get AreaUri from tbl_Area:

    SELECT [AreaUri]
    FROM [Tfs_Collection].[dbo].[tbl_Area]
    Where AreaPath='t=<Team Project Name>/<Sub Area Path>'

    The resule is vstfs:///Classification/Node/3c66bc6c-c447-4920-85fd-41abd468da3e

    3. For "Build" namespace is just project id and consist of "/". We can get project id from tbl_Projects

    SELECT [project_id]
    FROM [Tfs_Collection].[dbo].[tbl_Projects]
    where project_name='<Team Project Name>' 

    The result is 24c10d03-b5f1-4582-b8d3-04936dcfff11/

    4. For "CSS" namespace is consist of project id and QueryItemID get from QueryItems.

    SELECT q.ID
    FROM [Tfs_testCollection2].[dbo].[TreeNodes] t
            ,[Tfs_testCollection2].[dbo].QueryItems q
    Where t.ID=q.ProjectID
      And t.Name='<Team Project Name>'
      And t.fDeleted=0
      And q.Name='Team Queries'

    The Result is $/24C10D03-B5F1-4582-B8D3-04936DCFFF11/54C49D51-7FD9-4A0C-A688-118639E2DE0A/

    5. For "VC" namespace is just the path in source control, is like

    $/ <Team Project Name>/Sub folder

    Friday, January 13, 2012 2:06 AM
  • Tracy,

    I'm glad that you figured out the problem, and share the knowledge on the forum. It will benifit other community members definitly. 

    In addition, a similar thread we could quote is: http://social.msdn.microsoft.com/Forums/en-HK/tfsadmin/thread/b40cebfb-3a35-468e-b147-021fd3824a77

    Best Regards,


    Forrest Guo | MSDN Community Support | Feedback to us

    Monday, January 16, 2012 2:51 AM
    Moderator
  • To facilitate in the search on the internet I created a blog post that lists all tokens on one age.

    http://roadtoalm.com/2014/07/28/add-permissions-with-tfssecuritythe-ultimate-reference/

    Hope this helps!


    Please mark as answer if my answers are useful!<br/> René van Osnabrugge <br/> MVP Visual Studio ALM <br/> W: www.delta-n.nl <br/> B: roadtoalm.com <br/> T: @renevo

    Thursday, July 31, 2014 3:30 PM