Set administrator permissions for Team Foundation Server
To perform system maintenance, schedule backups, add functionality, and do other tasks, administrators in Visual Studio Team Foundation Server (TFS) must be able to configure and control all aspects of TFS. That’s why TFS administrators require administrative permissions in the software programs that TFS interoperates with.
You can quickly grant these permissions to administrators by adding them to the Team Foundation Administrators group in Team Foundation Server (TFS). However, you should only grant this level of permission to the minimum number of users needed to maintain TFS.
Add users to the TFS local Administrators group and as an administrator for the Team Foundation Server Administration console
On the application-tier server, add the user to the local Administrators group.
Open the administration console and add a console user.
Review the progress to make sure that the user account is added to all aspects of the deployment, including SharePoint and reporting resources.
If you're running a standard single-server deployment, or a multi-server deployment without SharePoint or reporting, that's it! However, if you have multiple application tiers, you'll need to repeat these two steps on every application tier server. And if you have SharePoint or reporting on other servers, you might need to manually add administrative users to those products separately.
Grant administrative permissions in SharePoint Foundation
On the server that is running SharePoint Products, open SharePoint Central Administration.
Grant permissions that are appropriate for this user at the farm or the Web application level, depending on your security needs.
For optimum interoperability, consider adding users of the Team Foundation Administrators group to the following groups in SharePoint Products:
Site Collection Administrators group for all site collections that the deployment of Team Foundation Server uses
Grant administrative permissions in Reporting Services
Start Internet Explorer.
In the Address bar, specify the following URL, where ReportServer is the name of the server that is running Reporting Services: http://ReportServer/Reports/Pages/Folder.aspx
If you are using a named instance, you must include its name in the path of the reports. You use the following syntax, where ReportServer is the name of the report server for Team Foundation and InstanceName is the name of the instance of SQL Server: http://ReportServer/Reports_InstanceName/Pages/Folder.aspx
Choose Folder Settings, and then choose New Role Assignment.
Add the account name of the user or group to whom you want grant administrative permissions and grant them membership in the Team Foundation Content Manager role.
Q & A
Q: Who should I add to the administrator role in TFS?
A: Administrators maintain at least one server that is running Team Foundation Server, and they administer permissions and security for other roles at the server level and at the level of team project collections. You'll need at least one administrator for your deployment. Depending on your availability needs, you might need to add more administrators to help ensure that there is someone available to perform administrator-level tasks on short notice.
For example, you need to add someone as an administrator if that person is expected to perform one or more of the following tasks:
Create or delete team project collections
Back up TFS
Change access levels for Team Web Access
Administer the reporting warehouse
Change SharePoint Web applications used by TFS
View and edit server-level permissions
Trigger alert events
Q: What are the optimal permissions needed to administer TFS across all its components and dependencies?
A: Optimally, an administrator for TFS must be a member of the following groups or have the following permissions:
Team Foundation Server: Team Foundation Administrators or have the appropriate server-level permissions set to Allow.
Windows: the local Administrators group on the server that is running the administration console for Team Foundation. The administration console requires administrative permissions to operate correctly.
SharePoint Products: the appropriate groups or permissions in SharePoint Central Administration. Depending on your deployment configuration and security requirements, you might not need to add the user to any groups in SharePoint Products. For optimum interoperability, consider adding them to the following SharePoint Products groups:
Site Collection Administrators group for all site collections that are used by the deployment of Team Foundation Server.
Reporting Services: Team Foundation Content Manager and either sysadmin or the db_owner group membership for the configuration database, the reporting and analysis databases, and the databases for team project collections.
SQL Server: sysadmin and serveradmin for all databases that TFS uses.
Q: Is there more than one way of granting administrator permissions in TFS?
A: Yes. You can grant administrative permissions for Team Foundation Server in two ways: from the administrative console or directly through each program for which you want to grant permissions. Granting permissions through the administrative console is simpler but has some requirements. Consider using the administrative console when all of the following conditions are true:
Your deployment of Team Foundation Server is in a trusted environment where the service account for Team Foundation Server has permissions in SharePoint Products and SQL Server Reporting Services.
All programs are running on the same computer (a single-server deployment).
The security requirements for your deployment do not restrict granting one or more of the permissions in the next bulleted list.
By default, adding users from the administration console grants them membership in the following groups in a single-server deployment of Team Foundation Server:
Team Foundation Administrators group in Team Foundation Server
The IIS_IUSRS and TFS_APPTIER_SERVICE_WPG groups in Internet Information Services (IIS)
The Content Manager role in SQL Server Reporting Services, if reporting is configured
The Farm Administrators group in SharePoint Products, if the deployment is configured to use SharePoint Products
The DBO role and TFSExecRole for all databases that Team Foundation Server uses, including collection databases
You cannot add a user to the local Administrators group by adding that user's account as a console user. You must manually add the user to that group before that user will have all the permissions that are required to open and use the console. In addition, if you want the user to have sufficient permissions to create a database as part of creating a team project collection, you must grant that user membership in the sysadmin role in SQL Server.
Granting permissions directly in each program in your deployment of Team Foundation Server is more time-consuming, but you can precisely configure the exact permissions that you want to grant to a user. Consider granting permissions directly in each program when any of the following conditions are true:
Your deployment of Team Foundation Server is a multiple-server deployment.
Your deployment is in an environment that has security restrictions between Team Foundation Server and the servers that are running SQL Server and SharePoint Products.
You want to configure different group memberships and permissions levels in SharePoint Products, SQL Server Reporting Services, and Team Foundation Server than those that are automatically granted from the administrative console.
Q: I'm an admin, but I don't seem to have all the permissions I need to add a TFS administrator. What else might I need?
A: These are the required permissions:
Team Foundation Administrators group or have the View instance-level information and Edit instance-level information permissions set to Allow.
If you want to add permissions for SQL Server Reporting Services, the Team Foundation Content Managers group or the System Administrators group.
If you want to add permissions for SharePoint Products, the Farm Administrators group, the administrators group for the Web application that supports Team Foundation Server, or the SharePoint Administration group. Group membership will depend on the security architecture of your deployment and the group or groups to which you want to add the user.
The sysadmin role in SQL Server on each server that hosts databases for Team Foundation Server.
To perform administrative tasks that involve database changes, such as creating team project collections, your user account requires administrative permissions, and the service account that the Team Foundation Background Job Agent uses also must have certain permissions granted to it. For more information, see Service accounts and dependencies.
Q: What are the minimum permissions required for TFS to connect to SQL Server?
A: To install, upgrade, and configure TFS, the user running the Team Foundation Administration console requires the following permissions and role memberships.
Membership in the serveradmin server role
ALTER ANY LOGIN, CREATE ANY DATABASE, and VIEW ANY DEFINITION server scoped permissions
CONTROL permission on the master database.
If the user doesn’t have these permissions and role memberships, TFS configuration operations will be blocked. When you add a user to the Administration Console Users group through the Team Foundation Server Administration Console, TFS attempts to grant these permissions and role memberships.
Q: Why are SQL Server permissions and memberships required?
A: Installing, upgrading, and configuring TFS involves a complex set of operations that require a high degree of privilege. These operations may include creating databases, provisioning logins for service accounts, and more. To ensure successful install, upgrade, and configuration, TFS checks that permissions are correctly assigned to ensure that the various operations can be done successfully. Even performing these checks requires a high degree of privilege. As such, these permissions and role memberships are required and cannot be bypassed.
Q: Can SQL Server permissions and role memberships be revoked after TFS is installed or upgraded?
A: Yes, as long as TFS service accounts are allocated the required permissions and role memberships as described in Service accounts and dependencies. Administrators only require permissions and role memberships described above when they need to install, upgrade, or configure TFS.