Tutorial: Change individual permissions, grant select access to specific functions

VSTS | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

The standard way for permissions to accrue to individuals are by adding user accounts to one or more built-in security groups. However, in certain instances, you'll want to grant additional permissions to select individuals, but perhaps not all permissions assigned to the security group. For example, you might want to grant several individuals the ability to add or edit area and iteration paths, but not have all permissions available to members of the Project Administrators group.

The three ways to change permissions for an individual are:

  • Create a custom group, define permissions for that group, add the user account to the group
  • For object-level permissions: Add the user account and set permissions
  • For project or collection-level permissions: Search for the user account and selectively change their permission assignments

In this topic you'll learn how to:

  • Create a custom security group
  • Set permissions for a custom security group
  • Add members to a custom security group
  • Change the permission assignments for an individual user account

If you are new to administrating permissions and groups, review About permissions and groups to learn about permission states and inheritance.

Note

The images you see from your web portal may differ from the images you see in this topic. These differences result from updates made to VSTS or your on-premises TFS. However, the basic functionality available to you remains the same unless explicitly mentioned.

Create a custom security group

Create a custom security group at the project-level or the collection-level. The method for creating a custom security group is the same, no matter at what level you add it.

  1. To create a project-level security group, open the web portal and choose the team project where you want to add users or groups. Choose the gear icon gear icon to open the administrative context.

    VSTS, TFS 2017, Team Project hub, Click gear icon to open the Admin context

  2. Open the Security page and and choose Create group to open the dialog for adding a group.

    Create security group at the account or collection level

  3. Enter a name for the group, and optionally a description.

    For example, here we define a Team Admins group.

    Security group dialog, Add a security group at the project level

  4. Choose Create group.

Set permissions for a custom security group

  1. To set permissions for the custom group you just created, click the group name and then set one or more permissions.

    Set permissions for a project-level custom security group

    For a description of each permission, see Permissions and groups reference, project-level permissions.

  2. Choose Save changes.

Add members to a custom security group

You add members to a custom security group in the same way you add users to a built-in group.

  1. Choose the security group, choose Members, and then choose Add.

    Web portal, Admin context, Security hub, Add member

  2. Type the name of the user account into the text box. You can type several identities into the text box, separated by commas. The system will automatically search for matches. Choose the match(es) that meets your choice.

    Add users and group dialog

    Note

    Users that have limited access, such as Stakeholders, won't be able to access select features even if granted permissions to those features. To learn more, see Permissions and access.

Change the permission assignments for an individual user account

To change the permission at a project-level

  1. From the project-level Security admin page, type the name of the user account in the Filter users and groups box and select the account whose permissions you want to change.

    Filter and select a user account

  2. Change the permissions for the account, setting a permission as Allow or Deny.

    Set permissions for a single user account

    For a description of each permission, see Permissions and groups reference, project-level permissions.

  3. Choose Save changes.

To change the permission at a collection level

  1. Open the account-level or collection-level Security admin page and follow the instructions provided in the previous section for project-level permissions.

    For a description of each collection-level permission, see Permissions and groups reference, collection-level permissions.

To change the permission at an object-level

  1. From the web portal, open the Security dialog for the object whose permissions you want to set. For specific instructions, see these topics:

  2. From the Security dialog, choose Add to add a user account.

    Open the Add users or group permissions dialog

  3. Type the name of the user account, choose search, and select the account you want.

  4. Select the user name from the left pane and then update the permission assignments, setting Allow or Deny for specific permissions.

    Set permissions for a single user account

    For a description of a specific permission, see Permissions and groups reference.

  5. Choose Save changes.

Next steps