Are there Command Line Arguments for setting Team Queries security in TFS 2010

Answers

  • Hello Speedbits,

    Sorry for the late reply.

    Just as I mentioned in another thread you started, you can use /a+ to add permissions for a user or a group in a server-level, collection-level, or project-level group.

    The syntax of /a+ is similar to the following:

    TFSSecurity /a+ Namespace Token Action Identity (ALLOW | DENY) [/collection:CollectionURL] [/server:ServerURL]

    How to get the values of these parameters:

    First, please open the Visual Studio Command Prompt (2010).

    1). Namespace: in the command line tool, type the following command: tfssecurity /a /collection:http://serverName:8080/tfs/collectionName

    You will then see the security namespaces. Because you want to grant permissions on the Team Queries, you should use the WorkItemQueryFolders namespace.

    2). Token: getting the Token is a little difficult. The Token consists of the TeamProjectId and the QueryItemId.

    2.1) To get the TeamProjectId: right-click the team project and select Properties; the value of the Url property contains the TeamProjectId. You can just copy it. It is similar to ED04523A-B819-42DF-A1B6-BE0705A73822.

    2.2) To get the QueryItemId: you can first use Visual Studio to deny a permission. (Because the initial data in the database is set to allow, a denied permission is easy for us to find in the database.)

    a). In Visual Studio, right-click the Team Queries and select Security, select a user (or a group) and set one permission to Deny.

    b). Open SSMSE and, in the tfs_Collection database, select the tbl_SecurityAccessControlEntry table and find the DenyPermission column. You should see that all the values in the column are zero except one. Select that non-zero row; that is the deny permission action you have just done. Then check the value of the IndexableToken column. Please look at that value carefully: it consists of the TeamProjectId and the QueryItemId, and is similar to:

    $/ED04523A-B819-42DF-A1B6-BE0705A73822/4AB69B5E-F318-4A12-BC93-3DF92E2887C6/

    The value ED04523A-B819-42DF-A1B6-BE0705A73822 is the TeamProjectId and 4AB69B5E-F318-4A12-BC93-3DF92E2887C6 is the QueryItemId. You can find the QueryItemId in the QueryItems table.

    3). Action: in the command line, type the following statement and you will get the available actions in the security namespace WorkItemQueryFolders.

    tfssecurity /a /collection:http://serverName:8080/tfs/collectionName WorkItemQueryFolders

    4). Identity: this parameter has two options, allow and deny.

    Conclusion: your command line should look like:

    Tfssecurity /a+ WorkItemQueryFolders $/ED04523A-B819-42DF-A1B6-BE0705A73822/4AB69B5E-F318-4A12-BC93-3DF92E2887C6/ Delete /collection:http://serverName:8080/tfs/collectionName

    I hope this helps you solve your problem. Please let me know if you have any further concerns.

    Thanks,

    Vicky Song


    Please remember to mark the replies as answers if they help and unmark them if they provide no help

    Friday, November 5, 2010 7:45 AM
    Moderator

All replies

  • Thanks Vicky that helps a lot!

    • Proposed as answer by speedbits Tuesday, November 9, 2010 6:39 AM
    Tuesday, November 9, 2010 6:39 AM
  • I know I'm resurrecting an old thread here but hey.

    I've been trying to construct a PowerShell script that'll set all sorts of permissions automagically, and this particular one was a massive headache, so I thought I'd post this here in case someone finds it useful.

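    # Assumes $TeamProject and $collectionName were set earlier in the script.
    [string] $TeamQueryACLToken = [string]::Empty
    $tmpFile = [System.IO.Path]::GetTempFileName()

    # Double any single quotes so the project name stays inside the SQL string literal.
    $ProjectName = $TeamProject.Name.Replace("'", "''")
    $QueryString = "select max(IndexableToken) from tbl_SecurityAccessControlEntry inner join TreeNodes on SecurityToken like '$/' + CSSNodeId + '/%' where TreeNodes.Name = '" + $ProjectName + "'"
    $DatabaseName = 'Tfs_' + $collectionName

    # Run the query against the collection database and write the result to the temp file.
    sqlcmd -S lwsvdev04 -d $DatabaseName -r1 -Q $QueryString -o $tmpFile

    # The token is the only output line that starts with '$'.
    Get-Content $tmpFile | ForEach-Object {
        if ($_[0] -eq '$') {
            $TeamQueryACLToken = $_
        }
    }

    [System.IO.File]::Delete($tmpFile)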

    The above code puts the ACL token into $TeamQueryACLToken. You can then use this in your scripts like so:

    tfssecurity /a+ WorkItemQueryFolders $TeamQueryACLToken READ $group.Sid DENY /collection:$tfsCollectionUri

    This does, of course, assume that you've obtained an object reference to the group you're permissioning by using the TFS SDK to iterate through the groups belonging to the team project you're fiddling with.

    I'm sure, really, really sure, that this could be significantly easier.

    Wednesday, May 30, 2012 3:57 PM
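
The token lookup from the last post can also be done with a bound SQL parameter and no temp file, so that a team project name containing a quote cannot change the query. This is an added example, not code from any poster in the thread: the function name and its parameters are hypothetical, the table and column names are the ones quoted in the post, and it assumes Windows authentication to the collection database.

```powershell
# Added example, not the poster's code. Function and parameter names are
# hypothetical; table and column names are the ones quoted in the post above.
function Get-TeamQueryAclToken {
    param(
        [Parameter(Mandatory = $true)] [string] $SqlServer,
        [Parameter(Mandatory = $true)] [string] $CollectionName,
        [Parameter(Mandatory = $true)] [string] $TeamProjectName
    )

    # Build the connection string with the builder so the server and database
    # names are quoted for us (indexer syntax, since the builder is a dictionary).
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source'] = $SqlServer
    $builder['Initial Catalog'] = 'Tfs_' + $CollectionName
    $builder['Integrated Security'] = $true

    $connection = New-Object System.Data.SqlClient.SqlConnection($builder.ConnectionString)
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        # Same query as the post, with the project name bound as @name
        # instead of being concatenated into the SQL text.
        $command.CommandText = @'
select max(IndexableToken)
from tbl_SecurityAccessControlEntry
inner join TreeNodes on SecurityToken like '$/' + CSSNodeId + '/%'
where TreeNodes.Name = @name
'@
        [void] $command.Parameters.AddWithValue('@name', $TeamProjectName)
        $token = $command.ExecuteScalar()
    }
    finally {
        $connection.Dispose()
    }

    # max() over zero rows yields DBNull; anything else must look like
    # $/<TeamProjectId GUID>/... before it is handed to tfssecurity.
    $guid = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    if ($token -isnot [string] -or $token -notmatch ('^\$/' + $guid + '/')) {
        throw "No Team Queries ACL token found for project '$TeamProjectName'."
    }
    return $token
}

# Usage with the variables from the post:
# $TeamQueryACLToken = Get-TeamQueryAclToken -SqlServer 'lwsvdev04' `
#     -CollectionName $collectionName -TeamProjectName $TeamProject.Name
```

Failing on an empty or malformed result matters here because the value goes straight into a tfssecurity /a+ call; an empty token would otherwise shift the remaining arguments.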