Default permissions and access for VSTS and TFS

VSTS | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

To connect and use the functions and features that VSTS and TFS provides, users must be added to a group with the appropriate permissions. The most common built-in groups include Readers, Contributors, and Project Administrators. These groups are assigned the default permissions as listed below.

In addition to permissions, access to select features are controlled by the access level assigned to a user. Contributors and administrators should be added to Basic (paid) access. Stakeholder access is available to support free access to a limited set of features by an unlimited set of stakeholders.

For a complete reference of all built-in groups and permissions, see Permissions and groups. For information about assigning access levels and supporting stakeholder access, see Manage users and access for VSTS, and Change access levels for TFS.

Code: Git and TFVC

You can connect to your code from the Code hub or the web portal, and using Xcode, Eclipse, IntelliJ, Android Studio, Visual Studio, Visual Studio Code. For an overview of code features and functions, see Git and Use Team Foundation Version Control (TFVC). Stakeholders have no access to the Code hub or its features.

From the team project admin content for Version Control, you can set permissions on a repository. From the Code>Branches page, you can set permissions for a specific branch and set branch policies.

Git

Task Readers Contributors Build Admins Account Owner/
Project Admins
Clone, fetch, pull, and explore the contents of a repository checkmark checkmark checkmark checkmark
Unlimited private Git repositories checkmark checkmark checkmark
Create branches and tags, manage notes checkmark checkmark checkmark
Create, delete, and rename repositories checkmark
Manage permissions, manage branches and branch policies checkmark
Powerful semantic code search checkmark checkmark checkmark

TFVC

Task Readers Contributors Build Admins Account Owner/
Project Admins
Contribute to a centralized version control, including Code Review (Check in, label, lock, merge, pend a change) Read only checkmark checkmark checkmark
Check in, revise, undo, unlock other users' changes checkmark
Manage branches, manage permissions checkmark
Powerful semantic code search checkmark checkmark checkmark

Build and release

You can define and manage your builds and releases from the web portal, Build and Release hub. For an overview of build and release management features and functions, see Continuous integration on any platform.

From the **Build and Release hub, you can set permissions for all or individual build definitions, release definitions, task groups, or variable groups. See Set build and release permissions.

Task Stakeholders Readers Contributors Build
Admins
Account Owner/
Project Admins
Release Admins
View build and release definitions checkmark checkmark checkmark checkmark checkmark
Define builds with continuous integration checkmark checkmark checkmark
Define releases, manage deployments, manage releases with Release Management checkmark checkmark checkmark
Approve releases checkmark checkmark checkmark checkmark
Package Management (5 users free) checkmark checkmark checkmark
Queue builds, edit build quality checkmark checkmark checkmark
Manage build queues and build qualities checkmark checkmark
Manage build retention policies, delete and destroy builds checkmark checkmark checkmark
Administer build permissions checkmark checkmark
Manage release permissions checkmark checkmark
Create and edit task groups checkmark checkmark checkmark checkmark
Manage task group permissions checkmark checkmark checkmark
Can view library items such as variable groups checkmark checkmark checkmark checkmark checkmark
Use and manage library items such as variable groups checkmark checkmark checkmark

Package Management feeds

Feeds have three levels of access: Owners, Contributors, and Readers. Owners can add any type of identity—individuals, teams, and groups—to any access level. To set permissions, see Secure feeds using permissions.

Permission Reader Contributor Owner
List and restore/install packages checkmark checkmark checkmark
Push packages checkmark checkmark
Unlist/deprecate packages checkmark checkmark
Delete/unpublish package checkmark
Edit feed permissions checkmark
Rename and delete feed checkmark

Test

You can define and manage manual tests from the web portal, Test hub. For an overview of manual test features and functions, see Testing overview.

You set test permissions at the team project level from the admin context Security page.

Task Stakeholders Readers Contributors Account Owner/
Project Admins
Exploratory testing, view test runs checkmark checkmark checkmark
Exploratory testing, create and delete test runs checkmark checkmark
Provide feedback using the Test & Feedback extension checkmark checkmark checkmark checkmark
Request feedback using the Test & Feedback extension checkmark checkmark
Manage test configurations and test environments checkmark checkmark
Manage test plans and test suites checkmark checkmark
Test Manager (purchased separately) checkmark checkmark

Agile tools and work tracking

You can connect to work items from the Work hub of the web portal and using Eclipse, Visual Studio, Excel, Project, and other clients. For an overview of work tracking features and functions, see About Agile tools. Stakeholders have limited access to select work tracking functions as described in Work as a stakeholder.

In addition to the permissions set at the project level via the built-in groups, you can set permissions for the following objects: area and iteration paths, queries and query folders, and delivery plans.

The team administrator role supports configuration of team settings. To be added as a team administrator, see Configure team settings and add team administrators.

Note

There are no UI permissions associated with managing tags. Instead, you can manage them using the TFSSecurity command line tool.

Task Stakeholders Readers Contributors Team Admins Account Owner/
Project Admins
View work items, including bugs, requirements, and tasks checkmark checkmark checkmark checkmark checkmark
Create and edit work items, follow a work item checkmark checkmark checkmark checkmark
Change work item type checkmark checkmark checkmark checkmark
Move or delete work items checkmark checkmark checkmark
Search and query work items, save work item queries checkmark Can't save queries checkmark checkmark checkmark
View backlogs, boards, and plans checkmark checkmark checkmark checkmark checkmark
Provide feedback checkmark checkmark checkmark checkmark checkmark
Request feedback checkmark checkmark checkmark
Agile tools (Kanban boards, backlogs, sprint planning, portfolio management) limited interactions view only checkmark checkmark checkmark
Configure Agile tools, set team defaults checkmark checkmark
Create new work item tags Can assign existing tags check mark check mark check mark
View, add, and configure Delivery Plans view only check mark check mark check mark
Customize project information (area paths, iteration paths, and work tracking processes) checkmark
Powerful semantic work tracking search checkmark checkmark checkmark

Charts, dashboards, and other web portal features

You can define and manage dashboards from the web portal, Dashboard hub. For an overview of dashboard and chart features, see Dashboards.

You set dashboard permissions at the team level from the team dashboard page.

Task Stakeholders Readers Contributors Team admins Account Owner/
Project Admins
View charts and dashboards checkmark checkmark checkmark checkmark checkmark
Create work item and test tracking charts checkmark checkmark checkmark
View the project page checkmark checkmark checkmark checkmark checkmark
Edit the project page checkmark
Navigate using the Account hub pages checkmark checkmark checkmark checkmark checkmark
Add and configure dashboards
With permissions set checkmark checkmark

Analytics

From the Analytics hub, you can create and manage Analytics views. An Analytics view provides a simplified way to specify the filter criteria for a Power BI report based on the Analytics Service data store. The Analytics Service is the reporting platform for VSTS. To learn more, see What is the Analytics Service?.

You set permissions for the service at the project level, and for shared Analytics views at the object level.

Task Stakeholders Readers Contributors Team admins Account Owner/
Project Admins
View Analytics service checkmark checkmark checkmark checkmark
View, edit, and delete a shared Analytics view checkmark checkmark checkmark checkmark

Notifications, alerts, and team collaboration tools

To manage notifications, see Manage personal notifications and Manage team notifications.

Note

There are no UI permissions associated with managing notifications. Instead, you can manage them using the TFSSecurity command line tool.

Task Stakeholders Readers Contributors Team Admins Account Owner/
Project Admins
Set personal notifications or alerts (see Note 1) checkmark checkmark checkmark checkmark
Set team notifications or alerts checkmark checkmark
Set project-level notifications or alerts checkmark
Participate in Team (chat) rooms check mark check mark check mark
READMEs See Note 2 check mark check mark check mark check mark
View Wikis check mark check mark check mark check mark check mark
Provision or create a Wiki check mark
View the project page checkmark checkmark checkmark checkmark checkmark
Edit the project page checkmark
Navigate using the Account hub pages checkmark checkmark checkmark checkmark checkmark
Request feedback check mark check mark check mark check mark
Provide feedback check mark check mark check mark check mark check mark
Powerful semantic code search checkmark checkmark checkmark
Powerful semantic work tracking search checkmark checkmark checkmark

Notes

  1. Team (chat) rooms have been deprecated for VSTS and TFS 2018 and later versions.
  2. Can view team project READMEs, but not READMEs defined for a repository.