Manage RM permissions using TfsSecurity.exe

Recently one of the customer wanted to know whether he can programmatically manage RM-related permissions. The msdn documentation for this is not yet finished, so Rohit Batra from the team put together a list of steps on how it can achieved and they are as follows.

  • Step to add a new group at the collection level.

          TFSSecurity.exe /gcg mygroupName /collection:http://<Server>/tfs/<MyCollectionName>

  • View the list of all available RM security bits.

          TFSSecurity.exe /a ReleaseManagement /collection:http://<Server>/tfs/<MyCollectionName>

  • Grant ViewReleases permission to the above created group on a particular RD.

         TFSSecurity.exe /a+ ReleaseManagement <ProjectId>/<ReleaseDefinitionId> ViewReleases n:[<MyCollectionName>]\mygroupName ALLOW /collection:http://<Server>/tfs/<MyCollectionName>

  • Grant EditReleaseEnvironment permission to the above created group on a particular environment.

         TFSSecurity.exe /a+ ReleaseManagement <ProjectId>/<ReleaseDefinitionId>/Environment/<EnvironmentId> EditReleaseEnvironment n:[<MyCollectionName>]\mygroupName ALLOW /collection:http://<Server>/tfs/<MyCollectionName>

Note :- To use the /a+ command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. If you are changing permissions for a team project, you must also have the Edit project-level information permission for the team project set to Allow.

You can read about TFS Security here

Enjoy !!