Add administrators, set permissions at the project-level or project collection-level
VSTS | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013
Several permissions are set at the team project or at the account/team project collection level. You can grant these permissions by adding a user or group to one of the default security groups listed here. Or, you can create a custom security group within a level and add members to that group. You can then change the default permission settings.
|Project level||Account/Collection level|
|- Build Administrators
- Project Administrators
- Project Valid Users
- Release Administrators
- Team Admins
|- Project Collection Administrators
- Project Collection Build Administrators
- Project Collection Build Service Accounts
- Project Collection Proxy Service Accounts
- Project Collection Service Accounts
- Project Collection Test Service Accounts
- Project Collection Valid Users
- Readers group
- Security Service Group
The above list indicates the latest groups defined for VSTS and TFS 2017. For earlier versions of TFS, the list may differ. Only add service accounts to TFS service account groups. To understand valid user groups, see About permissions and groups, Valid user groups.
For a description of each group and each permission, see Permissions and groups reference, Groups.
For users who will manage features provided at the project-level admin
context—such as, teams, area and iteration paths, repositories,
service hooks, and service end points—add them to the Project
Administrators group. For users who will manage features provided at the collection-level admin context —such as, team projects, processes, retention policies and resource limits, agent pools, and extensions—add them to the Project
- You must have a team project. If you don't have a team project yet, create one in VSTS or set one up in an on-premises TFS.
- To manage permissions or groups at the project level, you must be a member of the Project Administrators Group or have your Edit project-level information set to Allow. If you created the team project, you are automatically added as a member of this group.
- To manage permissions or groups at the collection or instance level, you must be a member of the Project Collection Administrators Group or have your Edit instance-level information set to Allow. If you created the account or collection, you are automatically added as a member of this group.
Add a user or group to a security group
As roles and responsibilities change, you might need to change the permission levels for individual members of a team project. The easiest way to do that is to add the user or a group of users to a pre-defined security group.
Here we show how to add a user to the built-in Project Administrators group. The method is similar to adding an Azure Active Directory or Active Directory group.
Open the admin context from the user/team project context, click the gear settings icon, and click the Security tab.
Click the security group, Project Administrators, and then click Members, and then click Add.
Type the name of the user account into the text box. You can type several identities into the text box, separated by commas. The system will automatically search for matches. Click the match(es) that meets your choice.
Users that have limited access, such as Stakeholders, won't be able to access select features even if granted permissions to those features. To learn more, see Permissions and access.
Click Save changes and you'll notice the user Project Administrators, and then click Members, and then click Add.
Change the permission level for a project-level group
To open the admin context from the user/team project context, click the gear settings icon, and click the Security tab.
Click the group whose permissions you want to change.
For example, here we grant permission to the Contributors group to delete and restore work items.
In general, if you add a user to the Contributors group, they will be able to add and modify work items. You can restrict permissions of users or user groups to add and modify work items based on the area path. For details, see Set permissions and access for work tracking, Modify work items under an area path.
For a description of each permission, see Permissions and groups reference, project-level permissions.
You can't change the permission settings for the Project Administrators group. This is by design.
Click Save changes.
Add a group and change its permissions at the account or collection-level group
Open the admin context for the account or collection. Click the gear Settings icon and choose Account Settings (VSTS) or Collection Settings (TFS), and then click the Security tab.
Click Create group to open the dialog for adding a group.
Enter a name for the group, and optionally a description.
For example, here we define a Work Tracking Administrators group.
For a description of each permission, see Permissions and groups reference, collection-level permissions.
Click the group name you just created and change the permission levels.
Here we grant this group permissions to manage customizations for the Inheritance process model.
Click Save changes.
You can't change the permission settings for the Project Collection Administrators group. This is by design.
For on-premises TFS, see these additional topics:
If your TFS deployment is integrated with a SharePoint product or SQL Server Reports, you'll need to manage membership for those products separately from their websites.