Permissions and groups in VSTS and TFS

VSTS | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

This topic provides descriptions for each built-in group and permission. To learn how to add users to a group or set a specific permission that you can manage through the web portal, see the following resources:

Note

The images you see from your web portal may differ from the images you see in this topic. These differences result from updates made to VSTS or your on-premises TFS. However, the basic functionality available to you remains the same unless explicitly mentioned.

Groups

Permissions can be granted directly to an individual, or to a group. Using groups can make things a lot simpler, and TFS sets up some built-in groups for that purpose. These groups and the permissions they're assigned to exist at several different levels: server (TFS deployment), team project collection, team project, and specific objects. You can also create your own groups and grant them the specific set of permissions that are appropriate for certain roles in your organization.

   Server-level groups (TFS only)

Server groups apply to TFS only. When you install TFS, the system creates default groups that have deployment-wide, server-level permissions. You can neither remove nor delete the built-in server-level groups.

ADMIN_GROUPS_PERMISSIONS

You can't remove or delete the default server level groups.

Group name Permissions Membership
Team Foundation Administrators Has permissions to perform all operations for TFS.

Local Administrators group (BUILTIN\Administrators) for any server that hosts Team Foundation application services.

Server \Team Foundation Service Accounts group and the members of the \Project Server Integration Service Accounts group.

This group should be restricted to the smallest possible number of users who need total administrative control over TFS.

If your deployment uses SharePoint or Reporting, consider adding the members of this group to the Farm Administrators and Site Collection Administrators groups in SharePoint and the Team Foundation Content Managers groups in Reporting Services.
Team Foundation Proxy Service Accounts Has service level permissions for Team Foundation Server Proxy, and some TFS service level permissions.
Created when you install the TFS proxy service.
This group should contain only service accounts and not user accounts or groups that contain user accounts.
Team Foundation Service Accounts

Has service level permissions for TFS.

Contains the service account that was supplied during installation

This group should contain only service accounts and not user accounts or groupsthat contain user accounts. By default, this group is a member of Team Foundation Administrators.

Team Foundation Valid Users Has permission to view instance level information.
If you set the View instance-level information permission to Deny or Not set for this group, no users will be able to access the deployment.
Contains all users known to exist in the VSTS account or TFS instance. You can't modify the membership of this group.
Project Server Integration Service Accounts Has service level permissions for the Project Server deployments that are configured for interoperation with TFS and some TFS service level permissions.
Created when you install Project Service integration.
This group should contain only service accounts and not user accounts or groups that contain user accounts. By default, this group is a member of Team Foundation Administrators.
SharePoint Web Application Services Has service level permissions for the SharePoint Web applications that are configured for use with TFS and some service level permissions for TFS. This group should contain only service accounts and not user accounts or groups that contain user accounts. Unlike the Service Accounts group, this group is not a member of Team Foundation Administrators.

The full name of each of these groups is [Team Foundation]/{group name}. So the full name of the server level administrators group is [Team Foundation]/Team Foundation Administrators.

   Collection-level groups

When you create a VSTS account or TFS collection, the system creates collection-level groups that have permissions in that collection. You can neither remove nor delete the built-in collection-level groups.

Groups

Group name Permissions Membership
Project Collection Administrators

Has permissions to perform all operations for the collection.

Contains the Local Administrators group (BUILTIN\Administrators) for the server where the application-tier services for TFS have been installed. Also, contains the members of the CollectionName\Service Accounts group.

This group should be restricted to the smallest possible number of users who need total administrative control over the collection. For VSTS, assign to administrators who will customize work tracking.

If your deployment uses SharePoint or Reporting, consider adding the members of this group to the Site Collection Administrators group in SharePoint and the Team Foundation Content Managers groups in Reporting Services.
Project Collection Build Administrators

Has permissions to administer build resources and permissions for the collection.

Limit this group to the smallest possible number of users who need total administrative control over build servers and services for this collection.

Project Collection Build Service Accounts

Has permissions to run build services for the collection.

Limit this group to service accounts and groups that contain only service accounts.
Project Collection Proxy Service Accounts

Has permissions to run the proxy service for the collection.

Limit this group to service accounts and groups that contain only service accounts.

Project Collection Service Accounts

Has service level permissions for the collection and for TFS.

Contains the service account that was supplied during installation. This group should contain only service accounts and groups that contain only service accounts. By default, this group is a member of Team Foundation Administrators and Team Foundation Service Accounts.

Project Collection Test Service Accounts

Has test service permissions for the collection.

Limit this group to service accounts and groups that contain only service accounts.

Project Collection Valid Users

Has permissions to access team projects and view information in the collection.

Contains all users and groups that have been added anywhere within the collection. You cannot modify the membership of this group.

The full name of each of these groups is [{collection name}]/{group name}. So the full name of the adminstrators group for the default collection is [Default Collection]/Project Collection Administrators.

   Project-level groups

For each team project that you create, the system creates the followings team project-level groups. These groups are assigned project-level permissions.

The full name of each of these groups is [{team project name}]{group name}. For example, the contributors group for a team project called "My Project" is [My Project]/Contributors.

Group name Permissions Membership
Build Administrators Has permissions to administer build resources and build permissions for the team project. Members can manage test environments, create test runs, and manage builds.
Contributors Has permissions to contribute fully to the team project code base and work item tacking. By default, the team group created when you create a team project is added to this group, and any user you add to the team will be a member of this group. In addition, any team you create for a team project will be added to this group by default, unless you choose a different group from the list.
Readers Has permissions to view the team project but not modify it. Assign to stakeholders who want to be able to view work in progress.
Project Administrators Has permissions to administer all aspects of teams and team project, although they can't create team projects. Assign to users who will manage user permissions, create or edit teams, modify team settings, define area an iteration paths, or customize work item tracking.
Project Valid Users

Has permissions to access the team project.

If you set the View collection-level information permission to Deny or Not set for this group, no users will be able to access the team project.

Contains all users and groups that have been added anywhere within the team project. You cannot modify the membership of this group.

{team name} Has permissions to contribute fully to the team project code base and work item tacking. The default Team group is created when you create a team project, and by default is added to the Contributors group for the team project. Any new teams you create will also have a group created for them and added to the Contributors group.
You can grant permissions to administer team assets by adding members to the team administrator role.
Add members of the team to this group.

   Team administrator role

For each team that you add, you can assign one or more team members as administrators. The team admin role isn't a group with a set of defined permissions. Instead, the team admin role is tasked with managing the following team assets.

Note

Project Administrators can manage all team admin areas for all teams.

  • Create and manage team alerts
    Can add and modify alerts so that the team can receive email notifications as changes occur to work items, code reviews, source control files, and builds. For details, see Manage team alerts.

    Note

    There is no UI associated with managing alert permissions. Instead, you can use TFSSecurity to manage alerts in TFS.

  • Create and manage team rooms
    Can add users and events to team rooms, and add team rooms. Team rooms are chat rooms limited to team members. For details, see [Collaborate in a team room](../collaborate/collaborate-in-a-team-room.md).

  • Select team area paths
    Can select the default area path(s) associated with the team. These settings affect a number of Agile tools available to the team. For details, see [Set team defaults](../work/scale/set-team-defaults.md).
  • Select team sprints Can select the default area path(s) associated with the team. These settings affect a number of Agile tools available to the team. For details, see Set team defaults.
  • Configure team backlogs
    Can choose which backlog levels are active for a team. For example, a feature team may choose to show only the product backlog and a management team may choose to show only the feature and epic backlogs. For details, see Select backlog levels for your team.
  • Customize the Kanban board
    Can fully customize the team's Kanban boards associate with the product and portfolio backlogs. This includes the following elements:
  • Manage team dashboards
    Can add, configure, and manage permissions (VSTS and TFS 2017) for team dashboards. For details, see Add and manage dashboards.
  • Set working days off
    Sprint planning and tracking tools automatically consider days off when calculating capacity and sprint burndown. Team admins can choose which days are non-working days through the team's Settings dialog. For details, see Set working days.
  • Show bugs on backlogs and boards
    Team admins can choose whether bugs are treated similar to user stories and requirements or as tasks. For details, see Set your team's preferences for tracking bugs.

Permissions

The system manages permissions at different levels—server, collection, project, or object—and by default assigns them to one or more built-in groups. You manage most permissions through the web portal.

   Server-level (TFS)

You manage server-level permissions through the Team Foundation Administration Console or TFSSecurity command-line tool. Team Foundation Administrators are granted all server-level permissions. Other server-level groups have select permission assignments.

Permission Description
Administer warehouse

Can process or change settings for the data warehouse or SQL Server Analysis cube by using the Warehouse Control Web Service.

Additional permissions may be required to fully process or rebuild the data warehouse and Analysis cube.

Create team project collection Can create and administer collections.
Delete team project collection Can delete a collection from the deployment.
Deleting a collection will not delete the collection database from SQL Server.
Edit instance-level information Can edit server level permissions for TFS users and groups, and add or remove server level groups from the collection.

Edit instance-level information includes the ability to perform these tasks for all team projects defined in all collections defined for the instance:

  • Create and modify areas and iterations
  • Edit check-in policies
  • Edit shared work item queries
  • Edit team project level and collection level permission ACLs
  • Create and modify global lists
  • Edit event subscriptions (email or SOAP).

When set through the menus, the Edit instance-level information permission also implicitly allows the user to modify version control permissions. To grant all these permissions at a command prompt, you must use the tf.exe Permission command to grant the AdminConfiguration and AdminConnections permissions in addition to GENERIC_WRITE.

Make requests on behalf of others Can perform operations on behalf of other users or services. Only assign to service accounts.
Trigger events Can trigger TFS alert events. Only assign to service accounts and members of the Team Foundation Administrators group.
Use full Web Access features Can use all TFS WEB PORTAL features.
If the Use full Web Access features permission is set to Deny, the user will only see those features permitted for the Stakeholder group (see Change access levels). A Deny will override any implicit Allow, even for accounts that are members of administrative groups such as Team Foundation Administrators.
View instance-level information Can view server level group membership and the permissions of those users.
The View instance-level information permission is also assigned to the Team Foundation Valid Users group.

   Collection-level

You manage collection-level permissions through the web portal admin context or TFSSecurity command-line tool. Project Collection Administrators are granted all collection-level permissions. Other collection-level groups have select permission assignments.

Permission Description
Administer build resource permissions Can modify permissions for build resources.
Administer process permissions Can modify permissions for processes.
Applies to VSTS only, not TFS.
Administer Project Server integration Can configure the integration of TFS and Project Server to enable data synchronization between the two server products.
Administer shelved changes Can delete shelvesets created by other users.
Administer workspaces Can create workspaces for other users and delete workspaces created by other users.
Alter trace settings Can change the trace settings for gathering more detailed diagnostic information about TFS Web services.
Create a workspace Can create a version control workspace.
The Create a workspace permission is granted to all users as part of their membership within the Project Collection Valid Users group.
Create new team projects Can create team projects in the collection.
Additional permissions may be required depending on your deployment. Create a New Team Project Wizard.
Create process Can create an inherited process.
Applies to VSTS only, not TFS.
Delete process Can delete an inherited process.
Applies to VSTS only, not TFS.
Delete team project Can delete team projects.
Deleting a team project will delete all data that is associated with the team project. You cannot undo the deletion of a team project except by restoring the collection to a point before the team project was deleted.
Edit collection-level information Can add users and groups, and edit collection level permissions for users and groups.

Edit collection level information includes the ability to perform these tasks for all team projects defined in a collection:

  • Add and administer teams and all team-related features
  • Create and modify areas and iterations
  • Edit check-in policies
  • Edit shared work item queries
  • Edit team project level and collection level permission ACLs
  • Manage process templates
  • Customize a team project or process
  • Create and modify global lists
  • Edit event subscriptions (email or SOAP) on team project or collection level events.

When you set Edit collection-level information to Allow, users can add or remove collection level groups and implicitly allows these users to modify version control permissions. To grant all these permissions at a command prompt, you must use the tf.exe Permission command to grant the AdminConfiguration and AdminConnections permissions, in addition to GENERIC_WRITE.

Edit process Can edit a custom inherited process.
Applies to VSTS only, not TFS.
Make requests on behalf of others Can perform operations on behalf of other users or services. Assign only to service accounts.
Manage build resources Can manage build computers, build agents, and build controllers.
Manage process template Can download, create, edit, and upload process templates.
Applies to TFS only, not VSTS.
Manage test controllers Can register and de-register test controllers.
Trigger events Can trigger team project alert events within the collection. Assign only to service accounts.
Users with this permission can't remove built-in collection level groups such as Project Collection Administrators.
Use build resources Can reserve and allocate build agents. Assign only to service accounts for build services.
View build resources Can view, but not use, build controllers and build agents that are configured for the collection.
View instance-level information
or View collection-level information
Can view collection level group membership and permissions.
If you set the View instance-level information permission to Deny or Not set for this group, no users will be able to access the collection.
View system synchronization information Can call the synchronization application programming interfaces. Assign only to service accounts.

   Project-level

You manage project-level permissions from the web portal admin context or using the TFSSecurity command-line tool. Project Administrators are assigned all project-level permissions. Other project-level groups are assigned a subset of these permissions.

Feature availability: The Analytics Service is in private preview and only available to select customers of VSTS at this time.
Permission Description
Create tag definition Can add tags through a work item form.
Create test runs Can add and remove test results and add or modify test runs.
Delete team project Can delete the team project from the collection.
Delete test runs Can delete a scheduled test.

Delete and restore work items

or Delete work items in this project

Can mark work items in this project as deleted.
  • For VSTS and TFS 2015.1 and later versions, the Contributors group has Delete and restore work items at the project-level set to "Allow" by default.
  • For TFS 2015 and earlier versions, the Contributors group has Delete work items in this project at the project-level set to "Not set" by default. This setting causes the Contributors group to inherit the value from the closest parent that has it explicitly set.

Edit team project-level information Can edit team project level permissions for users and groups.

Edit project-level information includes the ability to perform these tasks for the team project:

  • Create and modify areas and iterations
  • Edit check-in policies
  • Edit shared work item queries
  • Edit team project level permission ACLs
  • Manage process templates
  • Customize a team project
  • Create and modify global lists
  • Edit event subscriptions (email or SOAP) on team project level events.
Manage project properties Can provide or edit metadata for a team project. For example, a user can provide high-level information about the contents of a project. Changing metadata is supported through the Set project properties REST API.
Manage test configurations Can create and delete test configurations.
Manage test environments Users who have this permission can create and delete test environments.
Move work items out of this project Can move a work item from one team project to another team project within the collection.
Applies to VSTS only, not TFS.
Permanently delete work items in this project Can permanently delete work items from this project.
Rename team project Can change the name of the team project.
View analytics Can access data available from the Analytics service. For details, see Permissions required to access the Analytics service.
View team project-level information Can view team project level group membership and permissions.
View test runs Can view test plans under the team project area path.

   Build (object-level)

You manage build permissions for each build defined in the web portal or using the TFSSecurity command-line tool. Project Administrators are granted all build permissions and Build Administrators are assigned most of these permissions. You can set build permissions for each build definition.

Permissions in Build follow a hierarchical model. Defaults for all the permissions can be set at the team project level and can be overridden on an individual build definition.

To set the permissions at project level for all build definitions in a project, choose Security from the action bar on the main page of Builds hub.

To set or override the permissions for a specific build definition, choose Security from the context menu of the build definition.

The following permissions are defined in Build. All of these can be set at both the levels.

Permission Description
Administer build permissions Can change any of the other permissions listed here.
Queue builds Can queue new builds.
Delete build definition Can delete build definition(s).
Delete builds Can delete builds for a definition. Builds that are deleted are retained in the Deleted tab for a period of time before they are destroyed.
Destroy builds Can delete builds from the Deleted tab.
Edit build definition Can save any changes to a build definition, including configuration variables, triggers, repositories, and retention policy.
Edit build quality Can add tags to a build.
Override check-in validation by build Applies to TFVC gated check-in builds. This does not apply to PR builds.
Retain indefinitely Can toggle the retain indefinitely flag on a build.
Stop builds Can stop builds queued by other team members or by the system.
View build definition Can view build definition(s).
View builds Can view builds belonging to build definition(s).
Update build information It is recommended to leave this alone. It's intended to enable service accounts, not team members.
Manage build qualities Only applies to XAML builds
Manage build queue Only applies to XAML builds
Permission Description
Administer build permissions Can administer the build permissions for other users.
Delete build definition Can delete build definitions for this team project.
Delete builds Can delete a completed build.
Destroy builds Can permanently delete a completed build.
Edit build definition Can create and modify build definitions for this team project.

You turn Inheritance Off for a build definition when you want to control permissions for specific build definitions.

When inheritance is On, the build definition respects the build permissions defined at the team project level or a group or user. For example, a custom Build Managers group has permissions set to manually queue a build for team project Fabrikam. Any build definition with inheritance On for team project Fabrikam would allow a member of the Build Managers group the ability to manually queue a build.

However, by turning Inheritance Off for team project Fabrikam, you can set permissions that only allow Project Administrators to manually queue a build for a specific build definition. This would then allow me to set permissions for that build definition specifically.

Edit build quality Can add information about the quality of the build through Team Explorer or the web portal.
Manage build qualities Can add or remove build qualities.
Manage build queue Can cancel, re-prioritize, or postpone queued builds.
Override check-in validation by build Can commit a TFVC changeset that affects a gated build definition without triggering the system to shelve and build their changes first.
Assign the Override check-in validation by build permission only to service accounts for build services and to build administrators who are responsible for the quality of the code. For more information, see Check in to a folder that is controlled by a gated check-in build process.
Queue builds Can put a build in the queue through the interface for Team Foundation Build or at a command prompt. They can also stop the builds that they have queued.
Retain indefinitely Can mark a build so that it will not be automatically deleted by any applicable retention policy.
Stop builds Can stop any build that is in progress, including builds queued and started by another user.
Update build information Can add build information nodes to the system, and can also add information about the quality of a build. Assign only to service accounts.
View build definition Can view the build definitions that have been created for the team project.
View builds Can view the queued and completed builds for this team project.

   Git repository (object-level)

Note

These permissions have changed in TFS 2017 Update 1 and VSTS. If you are using an earlier version of TFS, see the previous list of permissions.

You manage the security of each Git repository or branch from the web portal or using the TFSSecurity command-line tool. Project Administrators are granted most of these permissions (which appear only for a team project that's been configured with a Git repository). You can manage these permissions for all Git repositories, or for a specific Git repo.

Set permissions across all Git repositories by making changes to the top-level Git repositories entry.

Individual repositories inherit permissions from the top-level Git Repositories entry. Branches inherit permissions from assignments made at the repository level.

By default, the team project level and collection level Readers groups have only Read permissions.

Permission Description
Contribute

At the repository level, can push their changes to existing branches in the repository. Users who lack this permission but who have create branch may push changes to new branches. Does not override restrictions in place from branch policies.

At the branch level, can push their changes to the branch and lock the branch.

Create Branch Can create and publish branches in the repository. Lack of this permission does not limit users from creating branches in their local repository; it merely prevents them from publishing local branches to the server. When a user creates a new branch on the server, they have Contribute, Edit Policies, Force Push, Manage Permissions, and Remove Others' Locks permissions for that branch by default.
Create Repository Can create new repositories. This permission is only available from the Security dialog for the top-level Git repositories object.
Create Tag Can push tags to the repository.
Delete Repository Can delete the repository. At the top-level Git repositories level, can delete any repository.
Edit Policies Can edit policies for the repository and its branches.
Exempt From Policy Enforcement Can bypass branch policies.
Force Push (Rewrite History and Delete Branches) Can force an update to a branch, delete a branch, and modify the commit history of a branch. Can delete tags and notes.
Manage Notes Can push and edit Git notes. See Note to self (blog post) for more details on notes.
Manage Permissions Can set permissions for the repository.
Read Can clone, fetch, pull, and explore the contents of the repository.
Remove Others' Locks Can remove branch locks set by other users.
Rename Repository Can change the name of the repository. When set at the top-level Git repositories entry, can change the name of any repository.

Note

Set permissions across all Git repositories by making changes to the top-level Git repositories entry. Individual repositories inherit permissions from the top-level Git repositories entry. Branches inherit permissions from assignments made at the repository level. By default, the team project level and collection-level Readers groups only have Read permissions.

To manage Git repo and branch permissions, see Set branch permissions.

   TFVC (object-level)

You manage the security of each TFVC branch from the web portal or using the TFSSecurity command-line tool. Project Administrators are granted most of these permissions which appear only for a team project that's been configured to use Team Foundation Version Control as a source control system. In version control permissions, explicit deny takes precedence over administrator group permissions.

These permissions appear only for a team project set up to use Team Foundation Version Control as the source control system.

In version control permissions, explicit deny takes precedence over administrator group permissions.

Permission Description
Administer labels Can edit or delete labels created by another user.
Check in Can check in items and revise any committed changeset comments. Pending changes are committed at check-in.
Consider adding these permissions to any manually added users or groups that contributes to the development of the team project; any users who should be able to check in and check out changes, make a pending change to items in a folder, or revise any committed changeset comments.
Check in other users' changes
Can check in changes that were made by other users. Pending changes are committed at check-in.
Check out Can check out and make a pending change to items in a folder. Examples of pending changes include adding, editing, renaming, deleting, undeleting, branching, and merging a file. Pending changes must be checked in, so users will also need the Check in permission to share their changes with the team.
Consider adding these permissions to any manually added users or groups that contributes to the development of the team project; any users who should be able to check in and check out changes, make a pending change to items in a folder, or revise any committed changeset comments.
Label Can label items.
Lock
Can lock and unlock folders or files.
Manage branch Can convert any folder under that path into a branch, and also take the following actions on a branch: edit its properties, re-parent it, and convert it to a folder. Users who have this permission can branch this branch only if they also have the Merge permission for the target path. Users cannot create branches from a branch for which they do not have the Manage Branch permission.
Manage permissions Can manage other users' permissions for folders and files in version control.
Consider adding this permission to any manually added users or groups that contributes to the development of the team project and that must be able to create private branches, unless the team project is under more restrictive development practices.
Merge Can merge changes into this path.
Consider adding this permission to any manually added users or groups that contribute to the development of the team project and that must be able to merge source files, unless the team project is under more restrictive development practices.
Read Can read the contents of a file or folder. If a user has Read permissions for a folder, the user can see the contents of the folder and the properties of the files in it, even if the user does not have permission to open the files.
Revise other users' changes Can edit the comments on checked-in files, even if another user checked in the file.
Consider adding this permission to any manually added users or groups that are responsible for supervising or monitoring the team project and that might or must change the comments on checked-in files, even if another user checked in the file.
Undo other users' changes Merge Can undo a pending change made by another user.
Consider adding this permission to any manually added users or groups that are responsible for supervising or monitoring the team project and that might or must change the comments on checked-in files, even if another user checked in the file.
Unlock other users' changes Can unlock files locked by other users.
Consider adding this permission to any manually added users or groups that are responsible for supervising or monitoring the team project and that might or must change the comments on checked-in files, even if another user checked in the file.

   Area path (object-level)

Area path permissions grant or restrict access to branches of the area hierarchy and to the work items in those areas. You manage the security of each area path from the web portal or using the TFSSecurity command-line tool. Area permissions grant or restrict access to create and manage area paths as well as create and modify work items defined under area paths.

Members of the Project Administrators group are automatically granted permissions to manage area paths for a team project. Consider granting team administrators or team leads permissions to create, edit, or delete area nodes.

Note

Multiple teams may contribute to a team project. When that's the case, you can set up teams that are associated with an area. Permissions for the team's work items are assigned by assigning permissions to the area. There are other team settings that configure the team's agile planning tools.

Permission Description
Create child nodes Can create area nodes. Users who have both this permission and the Edit this node permission can move or re-order any child area nodes.
Consider adding this permission to any manually added users or groups that may need to delete, add, or rename area nodes.
Delete this node Users who have both this permission and the Edit this node permission for another node can delete area nodes and reclassify existing work items from the deleted node. If the deleted node has child nodes, those nodes are also deleted.
Consider adding this permission to any manually added users or groups that may need to delete, add, or rename area nodes.
Edit this node Can set permissions for this node and rename area nodes.
Consider adding this permission to any manually added users or groups that may need to delete, add, or rename area nodes.
Edit work items in this node Can edit work items in this area node.
Consider adding this permission to any manually added users or groups that may need to edit work items under the area node.
Manage test plans Can modify test plan properties such as build and test settings.
Consider adding Manage test suites permissions to any manually added users or groups that may need to manage test plans or test suites under this area node.
Manage test suites Can create and delete test suites, add and remove test cases from test suites, change test configurations associated with test suites, and modify suite hierarchy (move a test suite).
Consider adding Manage test suites permissions to any manually added users or groups that may need to manage test plans or test suites under this area node.
View permissions for this node Can view the security settings for this node.
View work items in this node Can view, but not change, work items in this area node.
If you set the View work items in this node to Deny, the user will not be able to see any work items in this area node. A Deny will override any implicit allow, even for accounts that are members of administrative groups such as Team Foundation Administrators.

   Iteration Path (object-level)

Iteration path permissions grant or restrict access to create and manage iteration paths.

Multiple teams may contribute to a team project. When that's the case, you can set up teams that are associated with an area. Permissions for the team's work items are assigned by assigning permissions to the area. There are other team settings that configure the team's agile planning tools. To learn more, see Set permissions to restrict access to work items.

You manage the security of each iteration path from the web portal or using the TFSSecurity command-line tool.

Members of the Project Administrators group are automatically granted these permissions for each iteration defined for a team project. Consider granting team administrators, scrum masters, or team leads permissions to create, edit, or delete iteration nodes.

Consider granting team administrators, scrum masters, or team leads permissions to create, edit, or delete iteration nodes.

Permission Description
Create child nodes Can create iteration nodes. Users who have both this permission and the Edit this node permission can move or re-order any child iteration nodes.
Consider adding this permission to any manually added users or groups that might need to delete, add, or rename iteration nodes.
Delete this node Users who have both this permission and the Edit this node permission for another node can delete iteration nodes and reclassify existing work items from the deleted node. If the deleted node has child nodes, those nodes are also deleted.
Consider adding this permission to any manually added users or groups that might need to delete, add, or rename iteration nodes.
Edit this node Can set permissions for this node and rename iteration nodes.
Consider adding this permission to any manually added users or groups that might need to delete, add, or rename iteration nodes.
View permissions for this node Can view the security settings for this node.
Members of the Project Collection Valid Users, Project Valid Users, or any user or group that has View collection-level information or View project-level information can view permissions of any iteration node.

   Work item query and folder (object-level)

You manage query and query folder permissions through the web portal. Project Administors are granted all of these permissions. Contributors are granted Read permissions only. Consider granting the Contribute permissions to users or groups that require the ability to create and share work item queries for the team project.

Consider granting the Contribute permissions to users or groups that require the abilityto create and share work item queries for the team project. To learn more, see Set permissions on queries.

To create query charts you need Basic access.

Permission Description
Contribute Can view and modify this query or query folder.
Delete Can delete a query or query folder and its contents.
Manage permissions Can manage the permissions for this query or query folder.
Read Can view and use the query or the queries in a folder, but cannot modify the query or query folder contents.

   Delivery Plans (object-level)

You manage plan permissions through the web portal. You manage permissions for each plan through it's Security dialog. Project Administors are granted all permissions to create, edit, and manage plans. Valid users are granted View (read-only) permissions.

Note

Feature availability: Delivery plans are available for all VSTS accounts. For TFS 2017.2 and later versions, you can access plans by installing the Delivery Plans Marketplace extension.

Permission Description
Delete Can delete the selected plan.
Edit Can edit the configuration and settings defined for the selected plan.
Manage Can manage the permissions for the selected plan.
View Can view the lists of plans, open and interact with a plan, but cannot modify the plan configuration or settings.

   Work item tags

You manage tagging permissions mostly from the TFSSecurity command-line tool. Contributors can add tags to work items and use them to quickly filter a backlog, board, or query results view.

Permission Description
Create tag definition Can create new tags and apply them to work items. Users without this permission can only select from the existing set of tags for the team project.

Readers and Contributors inherit the Create tag definition permission as it is set explicitly to Allow for the Project Valid Users group.

Although the Create tag definition permission appears in the security settings at the team project level, tagging permissions are actually collection level permissions that are scoped at the team project level when they appear in the user interface. To scope tagging permissions to a single team project when using the TFSSecurity command, you must provide the GUID for the team project as part of the command syntax. Otherwise, your change will apply to the entire collection. Keep this in mind when changing or setting these permissions.

Delete tag definition Can remove a tag from the list of available tags for that team project.

This permissions does not appear in the UI. It can only be set by using the TFSSecurity command.

There is also no UI to explicitly delete a tag. Instead, when a tag has not been in use for 3 days, TFS automatically deletes it.

Enumerate tag definition Can view a list of tags available for the work item within the team project. Users without this permission will not have a list of available tags from which to choose in the work item form or in the query editor.

This permissions does not appear in the UI. It can only be set by using the TFSSecurity command.

The View project-level information implicitly allows users to view existing tags.

Update tag definition Can rename a tag by using the REST API.
This permissions does not appear in the UI. It can only be set by using the TFSSecurity command.

   Release (object-level) (VSTS, TFS 2017)

Project Administrators and Release Administrators are granted all release management permissions. These permissions can be granted or denied in a hierarchical model at the team project level, for a specific release definition, or for a specific environment in a release definition. Within this hierarchy, permissions can be inherited from the parent or overridden.

In addition, you can assign approvers to specific steps within a release definition to ensure that the applications being deployed meet quality standards.

Note

If you are working with the Release Management client and server supported for TFS 2015, see Automate deployments with Release Management.

The following permissions are defined in Release Management. The scope column explains whether the permission can be set at the team project, release definition, or environment level.

Permission Description Scopes
Administer release permissions Can change any of the other permissions listed here. Project, Release definition, Environment
Create releases Can create new releases. Project, Release definition
Delete release definition Can delete release definition(s). Project, Release definition
Delete release environment Can delete environment(s) in release definition(s). Project, Release definition, Environment
Delete releases Can delete releases for a definition. Project, Release definition
Edit release definition Can save any changes to a release definition, including configuration variables, triggers, artifacts, and retention policy as well as configuration within an environment of the release definition. To make changes to a specific environment in a release definition, the user also needs Edit release environment permission. Project, Release definition
Edit release environment Can edit environment(s) in release definition(s). To save the changes to the release definition, the user also needs Edit release definition permission. This permission also controls whether a user can edit the configuration inside the environment of a specific release instance. The user also needs Manage releases permission to save the modified release. Project, Release definition, Environment
Manage deployments Can initiate a direct deployment of a release to an environment. This permission is only for direct deployments that are manually initiated by selecting the Deploy action in a release. If the condition on an environment is set to any type of automatic deployment, the system automatically initiates deployment without checking the permission of the user that created the release. Project, Release definition, Environment
Manage release approvers Can add or edit approvers for environment(s) in release definition(s). This permissions also controls whether a user can edit the approvers inside the environment of a specific release instance. Project, Release definition, Environment
Manage releases Can edit the configuration in releases. To edit the configuration of a specific environment in a release instance, the user also needs Edit release environment permission. Project, Release definition
View release definition Can view release definition(s). Project, Release definition
View releases Can view releases belonging to release definition(s). Project, Release definition

Default values for all of these permissions are set for team project collections and team project groups. For example, Project Collection Administrators, Project Administrators, and Release Administrators are given all of the above permissions by default. Contributors are given all permissions except Administer release permissions. Readers, by default, are denied all permissions except View release definition and View releases.

   Lab Management (TFS 2015, TFS 2013)

Visual Studio Lab Management permissions are specific to virtual machines, environments, and other resources. In addition, the creator of an object in Lab Management is automatically granted all permissions on that object. You can set these permissions by using the TFSLabConfig permissions command-line tool.

By default, the team project level and collection-level Readers groups have only View lab resources (Read) permissions.

Note

Lab Management is deprecated for TFS 2017. We recommend that you use Build and Release Management instead of Lab Management for automated testing.

Permission Description
Delete Environment and Virtual Machines Can delete environments and templates. The permission is checked for the object that is being deleted.
Delete Environment and Virtual Machines Can delete environments and templates. The permission is checked for the object that is being deleted.
Delete Lab Locations Can delete the locations for Lab Management resources, which include collection host groups, collection library shares, project host groups, and project library shares. To delete a location, you must have the Delete Lab Location permission for that location.
Edit Environment and Virtual Machines Can edit environments and templates. The permission is checked for the object that is being edited.
Environment Operations Can start, stop, pause, and manage snapshots, in addition to performing other operations on an environment.
Import Virtual Machine Can import a virtual machine from a VMM library share.This permission differs from Write because it only creates an object in Lab Management and does not write anything to the Virtual Machine Manager host group or library share.
Manage Child Permissions Can change the permissions of all the child Lab Management objects. For example, if a user has Manage Child Permission for a team project host group, the user can change permissions for all the environments under that team project host group.
Manage Lab Locations Can edit the locations of Lab Management resources, which include collection host groups, collection library shares, project host groups, and project library shares. To edit a specific location, you must have the Manage Lab Location permission for that location. This permission for collection level locations (collection host groups and collection library shares) also allows you to create team project level locations (project host group and project library share).
Manage Permissions Can modify the permissions for a Lab Management object. This permission is checked for the object whose permissions are being modified.
Manage Snapshots Can perform all snapshot management tasks for an environment, which include taking a snapshot, reverting to a snapshot, renaming a snapshot, deleting a snapshot, and reading a snapshot.
Pause Environment Can pause an environment.
Start Can start an environment.
Stop Can stop an environment.
View Lab Resources Can view information for the various Lab Management resources, which include collection host groups, project host groups, and environment. To view information about a specific lab resource, you must have the View Lab Resources permission for that resource.
Write Environment and Virtual Machines Can create environments for a project host group. Users who have this permission for a project library share can store environments and templates.

   Notifications or alerts

There are no UI permissions associated with managing email notifications or alerts. Instead, they can be managed using the TFSSecurity command line tool.

  • By default, members of the team project level Contributors group can subscribe to alerts for themselves.
  • Members of the Project Collection Administrators group, or users who have the Edit collection-level information can set alerts in that collection for others or for a team.
  • Members of the Project Administrators group, or users who have the Edit project-level information can set alerts in that team project for others or for a team.

You can manage alert permissions using TFSSecurity.

TFSSecurity Action TFSSecurity Namespace Description Project Collection Administrators and Project Collection Service Accounts
CREATE_SOAP_SUBSCRIPTION EventSubscription Can create a SOAP-based web service subscription.
GENERIC_READ EventSubscription Can view subscription events defined for a team project.
GENERIC_WRITE EventSubscription Can create alerts for other users or for a team.
UNSUBSCRIBE EventSubscription Can unsubscribe from an event subscription.