Manage Permission to Create or Modify Work Items

You can control who can create or modify a work item by applying the VALIDUSER element to person-name fields. When you specify this element, you indicate which user or group of users can be assigned as a value for the field. You can set this element to support the optional group attribute, which mandates that the person who is assigned to the field must be a direct or indirect member of the group that you specify. By default, all members of the Team Foundation Valid Users group can be specified in the field.

The VALIDUSER element is valid only for String field types. You can specify this rule as a child element of the FIELD (Definition) or FIELD (Workflow) element.

In this topic

  • Person-Named Fields

  • VALIDUSER Syntax Structure

  • VALIDUSER Attributes

  • Avoiding Validation Errors by Allowing an Existing Value to Remain for a Field

Note

To apply a rule to a FIELD definition, use the witadmin command-line tool to import and export the definition for the work item type. See Customizing and Managing Work Item Types [witadmin].

Person-Named Fields

You can use the VALIDUSER rule only when you refer to person-name fields. The following system fields are examples of person-named fields:

  • Activated By (System.ActivatedBy)

  • Assigned To (System.AssignedTo)

  • Authorized As (System.AuthorizedAs)

  • Changed By (System.ChangedBy)

  • Closed By (System.ClosedBy)

  • Created By (System.CreatedBy)

In addition to the system fields, you can create a custom string field and use it as a person-named field. Also, you can synchronize custom person-named fields with Active Directory. For more information, see Managing Work Item Fields [witadmin].

VALIDUSER Syntax Structure

When you use the VALIDUSER element, you can specify that a person-named field must contain the name of a member of the Team Foundation Valid Users group or another group that you specify.

You can control whether the rule applies to the user who is modifying the work item by specifying a user or group in the for attribute (the rule applies to that user or group) or in the not attribute (the rule does not apply to that user or group).

<VALIDUSER group="groupName" for="userName" not="userName" />

All attributes are optional. All attributes must consist of a string of text that contains between 1 and 255 characters. You can use tokens to specify groups. For more information, see Use Tokens to Reference Users and Groups.

Note

Work item fields do not distinguish between user identities in different domains. Therefore, "Example1\jaepak" and "Example2\jaepak" are treated as the same user when they are entered into a field that uses the VALIDUSER rule. However, user identities are distinguished by domains elsewhere in Visual Studio Team Foundation Server.


VALIDUSER Attributes

You can restrict which users the VALIDUSER rule applies to. If you do not define one of the optional attributes, all valid users and groups in Team Foundation Server can modify the field.

| Attribute | Description | Pattern value | Pattern value example |
| --- | --- | --- | --- |
| for | Optional. Specifies the name of a user or group in Team Foundation to whom the rule applies. Valid names consist of a string of text that contains between 1 and 255 characters. | ^[^\\]+\\[^\\]+$ | Domain\UserID |
| not | Optional. Specifies the name of a user or group in Team Foundation to whom the rule does not apply. Valid names consist of a string of text that contains between 1 and 255 characters. | ^[^\\]+\\[^\\]+$ | Domain\UserID |
| group | Optional. The name of a group. Users can specify members of this group as values of the person-named field. Valid names consist of a string of text that contains between 1 and 255 characters. | ^[^\\]+\\[^\\]+$ | Domain\GroupID |


Avoiding Validation Errors by Allowing an Existing Value to Remain for a Field

The following example shows how to make sure that only valid users are assigned to a work item, set the default value of the Assigned To field to the user who created the work item, and provide a pick list of names that includes members of the Contributors group for the team project. By specifying the ALLOWEXISTINGVALUE element, you avoid validation errors that would otherwise occur when members leave the team and are no longer registered as project contributors.

<FIELD name="Assigned To" refname="System.AssignedTo" type="String" syncnamechanges="true" reportable="dimension">
   <HELPTEXT>The user who is working on this work item</HELPTEXT>
   <ALLOWEXISTINGVALUE />
   <VALIDUSER />
   <ALLOWEDVALUES expanditems="true" filteritems="excludegroups">
      <LISTITEM value="Active" />
      <LISTITEM value="[project]\Contributors" />
   </ALLOWEDVALUES>
   <DEFAULT from="field" field="System.CreatedBy" />
</FIELD>
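
The following Python check is an added example, not part of the original topic or of Team Foundation Server. It scans an exported work item type definition for VALIDUSER rules and reports the conditions this topic describes: use on a non-String field, attribute values outside the 1 to 255 character range or the pattern value, a missing group attribute (any member of Team Foundation Valid Users is accepted), and a missing ALLOWEXISTINGVALUE. The FIELDS wrapper, the Example.* fields and the finding strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Pattern value from the attribute table (Domain\UserID or Domain\GroupID).
NAME_PATTERN = re.compile(r"^[^\\]+\\[^\\]+$")

# Constructed sample input; only System.AssignedTo comes from this topic.
SAMPLE = r"""<FIELDS>
  <FIELD name="Assigned To" refname="System.AssignedTo" type="String">
    <ALLOWEXISTINGVALUE />
    <VALIDUSER group="[project]\Contributors" />
  </FIELD>
  <FIELD name="Reviewer" refname="Example.Reviewer" type="String">
    <VALIDUSER group="Reviewers" />
  </FIELD>
  <FIELD name="Review Count" refname="Example.ReviewCount" type="Integer">
    <ALLOWEXISTINGVALUE />
    <VALIDUSER />
  </FIELD>
</FIELDS>"""

def lint_validuser(xml_text):
    """Return (field, finding) pairs for every FIELD that carries VALIDUSER."""
    findings = []
    for field in ET.fromstring(xml_text).iter("FIELD"):
        rules = field.findall("VALIDUSER")
        if not rules:
            continue
        ref = field.get("refname") or field.get("name") or "?"
        ftype = field.get("type")  # assumed absent on FIELD (Workflow) entries
        if ftype is not None and ftype != "String":
            findings.append((ref, "VALIDUSER on non-String field"))
        if field.find("ALLOWEXISTINGVALUE") is None:
            findings.append((ref, "no ALLOWEXISTINGVALUE"))
        for rule in rules:
            if rule.get("group") is None:
                findings.append((ref, "no group: any valid user accepted"))
            for attr in ("group", "for", "not"):
                value = rule.get(attr)
                if value is None:
                    continue
                if not 1 <= len(value) <= 255:
                    findings.append((ref, attr + " length out of range"))
                elif not NAME_PATTERN.match(value):
                    findings.append((ref, attr + " does not match pattern"))
    return findings

if __name__ == "__main__":
    for ref, finding in lint_validuser(SAMPLE):
        print(ref + ": " + finding)
```

The "no group" finding is a prompt for review rather than an error: the default is valid, but it accepts a wider set of assignees than a project-scoped group would.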

See Also

Reference

Managing Work Item Fields [witadmin]

Concepts

Use Tokens to Reference Users and Groups

Other Resources

Working with Field Rules