Restrict access to functions and tasks

You can restrict access to many Team Foundation Server (TFS) tasks by setting the permission state to Deny through a security group. For a comprehensive list of default groups and permissions, see Permission reference for Team Foundation Server.

Q: How do I restrict who can access or modify source code?

A: From the Version Control tab in the TWA administration context, you can set permissions for a group or individual.

Permissions page for TF version control

For team projects that use Git for version control, you can set the following permissions.

Permissions page for Git project in admin context

For additional information, see Permission reference for Team Foundation Server.

Q: How do I restrict who can modify build definitions?

A: From the Build hub in TWA, you can set build permissions at the project level for a group or individual.

Security link in Actions menu on Build page

You can set permissions for the build operations shown in the following image.

Permissions page for TF version control

Also, you can set permissions by opening the Context Menu Icon context menu for a build definition.

For additional information, see Permission reference for Team Foundation Server.

Q: How do I restrict access to team members changing a work item?

A: By setting permissions on an area path, you can deny a group or individual the ability to create or edit work items assigned under an area path.

Q: How do I restrict access to people creating specific work item types (WITs)?

A: You can restrict access in one of two ways:

  • By adding WITs to the Hidden Categories group, you can prevent the majority of project contributors from creating them. You can create a hyperlink to a template that opens the work item form and share that link with those team members who you do want to create them.

  • By adding a field rule to the workflow for the System.CreatedBy field, you can effectively restrict a group of users from creating a work item of a specific type. As the following example shows, the user who creates the work item must belong to the Allowed Group in order to save the work item.

    <TRANSITION from=" " to="New">
       <FIELDS>
         <FIELD refname="System.CreatedBy">
             <VALIDUSER for="Allowed Group" not="Disallowed Group" />
         </FIELD>
       </FIELDS>
    </TRANSITION> 
    

For more information about how to customize WITs, see Modify or add a custom work item type (WIT).

Q: How do I restrict access to changing a work item based on certain conditions or field values?

A:Set a condition field rule, a condition-based field rule or a combination of the two that applies to a group. You can restrict changes from being made to a field by specifying a qualifying rule and making it apply for a specific group. Conditional rules can include CANNOTLOSEVALUE, EMPTY, FROZEN, NOTSAMEAS, READONLY, and REQUIRED elements.

Q: How do I restrict who can modify a shared work item query?

A:Set permissions on a shared query or query folder to restrict who can modify the query or queries within the folder.