Managing Permissions

You can add, change, or remove permissions for users and groups in Visual Studio Team Foundation Server (TFS). Permissions in TFS can be explicitly set, and they can also be inherited depending on a user's membership in specific groups at each of the four levels of permissions: the team level, the project level, the collection level, and the server level. You can view the explicit and implicit permissions for any user or group in TFS, and you can change permissions for users and groups at everything except the team level. Team-level permissions are determined by membership within the team, and cannot be manually set or changed.

When you add a user or group to TFS, you might also need to add that user or group to two other components on which your deployment might depend: SharePoint Products and SQL Server Reporting Services. If your deployment is configured with these resources, you must add users and groups to those programs and grant the appropriate permissions for those users or groups before all operations will function correctly in TFS.

Because of this complexity, it can be difficult to manage individual users and their associated permissions in deployments of TFS. It is much simpler to use Active Directory to organize users into role-based groups and then add each group to TFS, SharePoint Products, and Reporting Services with the appropriate permissions. By taking this approach, you can manage only a few groups across these three programs, instead of many individual users. You can add users to Active Directory groups as needed without having to change that group membership or permissions within those three programs. You can find an example of this here: Configure Team Foundation Server to Support Your Development Teams.

As an administrator, you control what tasks users can perform by specifying group membership and permissions. To simplify this task, Team Foundation provides default groups and permissions settings. You can use the default groups and settings as they are, customize them, or create your own groups. The topics in this section provide details about permissions.

In Visual Studio Team Foundation Server 2012, you can use the new features in Team Web Access to view and manage the permissions for users and groups at the project and collection level. This includes the ability to quickly view both inherited and explicitly set permissions, as well as view a user's membership in groups:

Permissions in Team Web Access

You must also configure access to Team Web Access features in the administration context of Team Web Access:

Access groups for Team Web Access

You must use the administration console for Team Foundation to view and manage server-level permissions for users, groups, and service accounts.

In This Section

Configure Team Foundation Server to Support Your Development Teams

Get Started as a Team

Configuring Users, Groups, and Permissions

Team Foundation Server Services and Service Accounts

Control Access to Team Foundation Version Control

Configuring Your Server Using the Team Foundation Administration Console

Organizing Your Server with Team Project Collections

Team Foundation Server Architecture

Team Foundation Server Concepts