Change permissions at the organization or collection-level
TFS 2017 | TFS 2015 | TFS 2013
Several permissions are set at the organization or collection level. You can grant these permissions by adding a user or group to the Project Collection Administrators group. Or, you can grant select collection-level permissions to a custom security group or to a user.
See the following articles for related information:
- Request an increase in permission levels
- Change project-level permissions
- Add or remove users or groups, manage security groups
- Set object-level permissions
- Look up a project collection administrator
- Look up the organization owner
Collection-level permissions
The following table lists the permissions assigned at the organization or collection-level. All of these permissions, except for the Make requests on behalf of others permission, are granted to members of the Project Collection Administrators group. For a description of each permission, see Permissions and groups reference, Groups.
General
- Alter trace settings
- Create new projects
- Delete team project
- Edit instance-level information
- View instance-level information
Service Account
- Make requests on behalf of others
- Trigger events
- View system synchronization information
Boards
Repos (TFVC)
- Administer shelved changes
- Administer workspaces
- Create a workspace
Pipelines
Test Plans
- Manage test controllers
Prerequisites
- To manage permissions or groups at the organization or collection level, you must be a member of the Project Collection Administrators security group. If you created the organization or collection, you are automatically added as a member of this group. To get added to this group, you need to request permissions from a member of the Project Collection Administrators group. See Look up a project collection administrator.
- If want to add security groups defined in Azure Active Directory or Active Directory, make sure those are first defined. To learn more, see Add AD/Azure AD users or groups to a built-in security group.
Add members to the Project Collection Administrators group
You can add users who've been added to a project, organization, or collection to the Project Collection Administrators group, or any other group at the organization or collection level. To add a custom security group, first create the group as described in Add or remove users or groups, manage security groups.
Here we show how to add a user to the built-in Project Collection Administrators group. The method is similar to adding an Azure Active Directory or Active Directory group.
Change permissions for a group
You can change the project-level permissions for any project-level group. Each team added to a project is automatically added as a project-level group. To add security groups to a project, see Add or remove users or groups, manage security groups. To understand permission assignments and inheritance, see About permissions, Permission states.
Change permissions for a user
You can change the collection-level permissions for a specific user. To understand permission assignments and inheritance, see About permissions, Permission states.
If your on-premises deployment is integrated with a SharePoint product or SQL Server Reports, you'll need to manage membership for those products separately from their websites.