How to hide projects in TFS source control from an Active Directory group

active-directoryteam-foundation-server

We have a group of contractors that need to have limited access to source control under TFS. I added the contractors to an Active Directory group and explicitly denied all permissions to Source Control for that group on the root folder $/ and can see that the permissions are being inherited by the project folders, but when logged in as one of the contractors the folder/file structure of source control is still visible.

The contractor accounts can't actually download files from source control, but I need to completely hide the folder structure as well. I've verified with Attrice TFS sidekicks that the effective permissions for one of the contractors is as desired but no luck. What would cause the folder structure to be viewable when the Read permission is explicitly denied for a user?

Best Answer

Which TFS group are you adding the AD group to? It sounds like you're adding users at the server or Team Project Collection level (If you're using TFS 2010). I would say that it's better to add users at the Team Project level.

When you create a new Team Project TFS will create 4 groups. I.e. If you create a Team Project called "Luke" then there will be groups called "Luke Project Administrators", "Luke Contributors", "Luke Readers" and "Luke Build Services"

If you add the contractors to "Luke Contributors" then they will only be able to see the "Luke" Team Project in Source Control. $/Luke/

Related Solutions

Delegate permissions to subfolder in TFS project

There is no way to do this out of the box. If you're only going to be doing it rarely, the manual process of denying on the parent folders is going to be most efficient.

If, however, this is a task you think you'll find yourself repeating fairly often, you can create a utility using the TFS API to do it for you.

(Something along these lines. Warning, this is not tested)

vcs = //...VersionControlServer reference...

string checkinPath = @"$/MyProject/Sources/Whatever";
string identityName = @"[MyProject]\Contributors";
string[] removesNone = new string[]{ };    
string[] allowsNone = new string[]{ };
string[] deniesNone = new string[]{ };
string[] allowsCheckin = new string[]{ PermissionChange.ItemCheckin };
string[] deniesCheckin = new string[]{ PermissionChange.ItemCheckin };


PermissionChange pc = new PermissionChange(
    checkinPath, identityName, allowsCheckin, deniesNone, removesNone);

vcs.SetPermissions(new SecurityChange[]{ pc } );

// walk up the path denying on parent folders
checkinPath = checkinPath.Substring(0, checkinPath.LastIndexOf('/'));
while (checkinPath.Length > 2)
{
        PermissionChange pc = new PermissionChange(
            checkinPath, identityName, allowsNone, deniesCheckin, removesNone);

        vcs.SetPermissions(new SecurityChange[]{ pc } );

        checkinPath = checkinPath.Substring(0, checkinPath.LastIndexOf('/'));
}

TFS and Active Directory – Group Membership not populating to TFS in a timely manner

Group memberships are enumerated for the user at logon. When you make changes to a users memberships in AD, the user needs to log out/in of their machine for the changes to take effect for the user. I'm guessing the "under 24 hours" you mention is due to the fact they're coming back to work the next day and logging into the machine.

Best Answer

Related Solutions

Delegate permissions to subfolder in TFS project

TFS and Active Directory – Group Membership not populating to TFS in a timely manner

Related Topic