/a- command: Remove a user or a group from membership in a group

Use the /a- command to remove a user or a group from membership in a server-level, collection-level, or project-level group. To add users to groups from the user interface, see Manage users or groups in TFS.

Required Permissions

To use the /a- command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. If you are changing permissions for a team project, you must also have the Edit project-level information permission for the team project set to Allow.

TFSSecurity /a- Namespace Token Action Identity (ALLOW | DENY) [/collection:CollectionURL] [/server:ServerURL]

Parameters

Argument

Description

Namespace

The namespace that contains the group from which you want to remove the user or group. You can also use the TFSSecurity /a command to view a list of namespaces at the server level, the collection level, and the project level.

Token

The name or GUID of the object on which you want to set permissions.

Note

Tokens vary depending on the namespace that you specify. Some namespaces do not have tokens that apply for this command.

Action

The name of the permission for which access is granted or denied. For a list of valid IDs, see Permission reference for Team Foundation Server, or use the TFSSecurity /a command to view a list of valid actions for a namespace that you specify.

Identity

The identity of the user or the group. For more information about the identity specifiers, see TFSSecurity Identity and Output Specifiers.

  • ALLOW

    The group or user can perform the operation that the Action specifies.

  • DENY

    The group or user cannot perform the operation that the Action specifies.

/collection:CollectionURL

Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName

/server:ServerURL

Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

Access control entries are security mechanisms that determine which operations a user, group, service, or computer is authorized to perform on a computer or server.

Examples

The following example displays what namespaces are available at the server level for the application-tier server that is named ADatumCorporation.

Note

The examples are for illustration only and are fictitious. No real association is intended or inferred.

>tfssecurity /a /server:ServerURL 

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.

The following security namespaces are available to have permissions set on them:

     Registry
     Identity
     Job
     Server
     CollectionManagement
     Warehouse
     Catalog
     EventSubscription
     Lab

Done.

The following example displays what actions are available for the Server namespace at the collection level.

>tfssecurity /a Server /collection:CollectionURL

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.

The following actions are available in the security namespace Server:
    GenericRead
    GenericWrite
    Impersonate
    TriggerEvent

Done.

The following example removes the server-level "View instance-level information" permission on the ADatumCorporation deployment from the Datum1 domain user John Peoples (Datum1\jpeoples).

>tfssecurity /a- Server FrameworkGlobalSecurity GenericRead n:Datum1\jpeoples ALLOW /server:http://ADatumCorporation:8080 

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.
Resolving identity "n:Datum1\jpeoples"...
  [U] Datum1\jpeoples (John Peoples)
Removing the access control entry...
Verifying...

Effective ACL on object "FrameworkGlobalSecurity":
  [+] GenericRead                        [INSTANCE]\Team Foundation Valid Users
  [+] GenericRead                        [INSTANCE]\SharePoint Web Application Services
  [+] Impersonate                        [INSTANCE]\SharePoint Web Application Services
  [+] GenericRead                        [INSTANCE]\Team Foundation Service Accounts
  [+] GenericWrite                       [INSTANCE]\Team Foundation Service Accounts
  [+] Impersonate                        [INSTANCE]\Team Foundation Service Accounts
  [+] TriggerEvent                       [INSTANCE]\Team Foundation Service Accounts
  [+] GenericRead                        [INSTANCE]\Team Foundation Administrators
  [+] GenericWrite                       [INSTANCE]\Team Foundation Administrators
  [+] TriggerEvent                       [INSTANCE]\Team Foundation Administrators

Done.

The following example removes the collection-level "View collection-level information" permission on the Collection0 team project collection from the Datum1 domain user John Peoples (Datum1\jpeoples).

>tfssecurity /a- Server FrameworkGlobalSecurity GenericRead n:Datum1\jpeoples ALLOW /collection:http://ADatumCorporation:8080/Collection0

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.
The target Team Foundation Server is http://ADatumCorporation:8080/COLLECTION0.
Resolving identity "n:Datum1\jpeoples"...
  [U] DATUM1\jpeoples (John Peoples)
Removing the access control entry...
Verifying...

Effective ACL on object "FrameworkGlobalSecurity":
  [+] GenericRead                        [Collection0]\Project Collection ValidUsers
  [+] GenericRead                        [Collection0]\Project Collection Service Accounts
  [+] GenericWrite                       [Collection0]\Project Collection Service Accounts
  [+] Impersonate                        [Collection0]\Project Collection Service Accounts
  [+] TriggerEvent                       [Collection0]\Project Collection Service Accounts
  [+] GenericRead                        [Collection0]\Project Collection Administrators
  [+] GenericWrite                       [Collection0]\Project Collection Administrators
  [+] TriggerEvent                       [Collection0]\Project Collection Administrators
  [+] GenericRead                        [INSTANCE]\SharePoint Web Application Services
  [+] Impersonate                        [INSTANCE]\SharePoint Web Application Services
  [+] GenericRead                        [Collection0]\Project Collection Build Service Accounts

Done.
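
A post-change check for the /a- examples above, added here as an illustration and not part of the original documentation or of the TFSSecurity tool: it parses the "Effective ACL" listing and confirms that the explicit entry is gone. ConvertFrom-TfsSecurityAcl and Test-TfsAceRemoved are hypothetical helper names, the sample text is an abbreviated copy of the output above, and the check assumes a user entry would be listed in Domain\user form.

```powershell
# Constructed sample: abbreviated copy of the server-level /a- output shown above.
$sample = @'
Resolving identity "n:Datum1\jpeoples"...
  [U] Datum1\jpeoples (John Peoples)
Removing the access control entry...
Verifying...

Effective ACL on object "FrameworkGlobalSecurity":
  [+] GenericRead                        [INSTANCE]\Team Foundation Valid Users
  [+] GenericRead                        [INSTANCE]\Team Foundation Administrators
  [+] GenericWrite                       [INSTANCE]\Team Foundation Administrators

Done.
'@

# Hypothetical helper: turn the "Effective ACL" listing into objects.
function ConvertFrom-TfsSecurityAcl {
    param([Parameter(Mandatory)][string[]]$Line)
    $token = $null
    foreach ($l in $Line) {
        if ($l -match '^Effective ACL on object "(?<token>[^"]+)":') {
            $token = $Matches['token']
        } elseif ($token -and $l -match '^\s+\[(?<marker>[^\]]+)\]\s+(?<action>\S+)\s+(?<identity>\S.*?)\s*$') {
            [pscustomobject]@{
                Token    = $token
                Marker   = $Matches['marker']   # "+" is the only marker this page shows
                Action   = $Matches['action']
                Identity = $Matches['identity']
            }
        } elseif ($token -and $l.Trim()) {
            $token = $null                      # first non-ACE line ends the listing
        }
    }
}

# Hypothetical check: is the explicit entry gone, and who still holds the action?
# -eq compares case-insensitively, so DATUM1\jpeoples matches Datum1\jpeoples.
function Test-TfsAceRemoved {
    param([object[]]$Acl, [string]$Identity, [string]$Action)
    $sameAction = @($Acl | Where-Object { $_.Action -eq $Action })
    [pscustomobject]@{
        Removed        = -not ($sameAction | Where-Object { $_.Identity -eq $Identity })
        StillGrantedTo = @($sameAction | Where-Object { $_.Marker -eq '+' } | ForEach-Object Identity)
    }
}

$acl = ConvertFrom-TfsSecurityAcl -Line ($sample -split '\r?\n')
Test-TfsAceRemoved -Acl $acl -Identity 'Datum1\jpeoples' -Action 'GenericRead'
```

StillGrantedTo lists the identities that keep an allow entry for the action; a user who is a member of one of those groups retains the permission through the group even after the explicit entry is removed.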

See Also

Other Resources

Change groups and permissions with TFSSecurity

How to: Create a Global Group

Team Project Groups

Default Groups